Skip to content

Commit

Permalink
docs: update info about config file (aquasecurity#6547)
Browse files Browse the repository at this point in the history
Co-authored-by: simar7 <1254783+simar7@users.noreply.github.com>
  • Loading branch information
DmitriyLewen and simar7 authored Apr 25, 2024
1 parent fae710d commit 7811ad0
Show file tree
Hide file tree
Showing 5 changed files with 225 additions and 23 deletions.
2 changes: 1 addition & 1 deletion docs/docs/references/configuration/cli/trivy_aws.md
Original file line number Diff line number Diff line change
Expand Up @@ -87,7 +87,7 @@ trivy aws [flags]
--ignorefile string specify .trivyignore file (default ".trivyignore")
--include-non-failures include successes and exceptions, available with '--scanners misconfig'
--list-all-pkgs enabling the option will output all packages regardless of vulnerability
--max-cache-age duration The maximum age of the cloud cache. Cached data will be requeried from the cloud provider if it is older than this. (default 24h0m0s)
--max-cache-age duration The maximum age of the cloud cache. Cached data will be required from the cloud provider if it is older than this. (default 24h0m0s)
--misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
-o, --output string output file name
--output-plugin-arg string [EXPERIMENTAL] output plugin arguments
Expand Down
224 changes: 213 additions & 11 deletions docs/docs/references/configuration/config-file.md
Original file line number Diff line number Diff line change
Expand Up @@ -81,6 +81,15 @@ severity:
- MEDIUM
- HIGH
- CRITICAL

scan:
# Same as '--compliance'
# Default is empty
compliance:

# Same as '--show-suppressed'
# Default is false
show-suppressed: false
```
## Scan Options
Expand All @@ -106,7 +115,7 @@ scan:

# Same as '--offline-scan'
# Default is false
offline-scan: false
offline: false

# Same as '--scanners'
# Default depends on subcommand
Expand All @@ -115,6 +124,24 @@ scan:
- misconfig
- secret
- license
-
# Same as '--parallel'
# Default is 5
parallel: 1

# Same as '--sbom-sources'
# Default is empty
sbom-sources:
- oci
- rekor

# Same as '--rekor-url'
# Default is 'https://rekor.sigstore.dev'
rekor-url: https://rekor.sigstore.dev

# Same as '--include-dev-deps'
# Default is false
include-dev-deps: false
```
## Cache Options
Expand All @@ -131,6 +158,9 @@ cache:

# Redis options
redis:
# Same as '--redis-tls'
# Default is false
tls:
# Same as '--redis-ca'
# Default is empty
ca:
Expand All @@ -148,21 +178,25 @@ cache:
```yaml
db:
# Same as '--skip-db-update'
# Default is false
skip-update: false

# Same as '--no-progress'
# Default is false
no-progress: false

# Same as '--skip-db-update'
# Default is false
skip-update: false

# Same as '--db-repository'
# Default is 'ghcr.io/aquasecurity/trivy-db'
repository: ghcr.io/aquasecurity/trivy-db
# Default is 'ghcr.io/aquasecurity/trivy-db:2'
repository: ghcr.io/aquasecurity/trivy-db:2

# Same as '--skip-java-db-update'
# Default is false
java-skip-update: false

# Same as '--java-db-repository'
# Default is 'ghcr.io/aquasecurity/trivy-java-db'
java-repository: ghcr.io/aquasecurity/trivy-java-db
# Default is 'ghcr.io/aquasecurity/trivy-java-db:1'
java-repository: ghcr.io/aquasecurity/trivy-java-db:1
```
## Registry Options
Expand Down Expand Up @@ -197,7 +231,19 @@ image:

# Same as '--platform'
# Default is empty
platform:
platform:

# Same as '--image-src'
# Default is 'docker,containerd,podman,remote'
source:
- podman
- docker

# Same as '--image-config-scanners'
# Default is empty
image-config-scanners:
- misconfig
- secret

docker:
# Same as '--docker-host'
Expand All @@ -224,6 +270,67 @@ vulnerability:
# Same as '--ignore-unfixed'
# Default is false
ignore-unfixed: false

# Same as '--ignore-unfixed'
# Default is empty
ignore-status:
- end_of_life
```
## License Options
Available with license scanning
```yaml
license:
# Same as '--license-full'
# Default is false
full: false

# Same as '--ignored-licenses'
# Default is empty
ignored:
- MPL-2.0
- MIT

# Same as '--license-confidence-level'
# Default is 0.9
confidenceLevel: 0.9

# Set list of forbidden licenses
# Default is https://github.com/aquasecurity/trivy/blob/164b025413c5fb9c6759491e9a306b46b869be93/pkg/licensing/category.go#L171
forbidden:
- AGPL-1.0
- AGPL-3.0

# Set list of restricted licenses
# Default is https://github.com/aquasecurity/trivy/blob/164b025413c5fb9c6759491e9a306b46b869be93/pkg/licensing/category.go#L199
restricted:
- AGPL-1.0
- AGPL-3.0

# Set list of reciprocal licenses
# Default is https://github.com/aquasecurity/trivy/blob/164b025413c5fb9c6759491e9a306b46b869be93/pkg/licensing/category.go#L238
reciprocal:
- AGPL-1.0
- AGPL-3.0

# Set list of notice licenses
# Default is https://github.com/aquasecurity/trivy/blob/164b025413c5fb9c6759491e9a306b46b869be93/pkg/licensing/category.go#L260
notice:
- AGPL-1.0
- AGPL-3.0

# Set list of permissive licenses
# Default is empty
permissive:
- AGPL-1.0
- AGPL-3.0

# Set list of unencumbered licenses
# Default is https://github.com/aquasecurity/trivy/blob/164b025413c5fb9c6759491e9a306b46b869be93/pkg/licensing/category.go#L334
unencumbered:
- AGPL-1.0
- AGPL-3.0
```
## Secret Options
Expand All @@ -239,11 +346,15 @@ secret:
## Rego Options
```yaml
rego
rego:
# Same as '--trace'
# Default is false
trace: false

# Same as '--skip-policy-update'
# Default is false
skip-policy-update: false

# Same as '--config-policy'
# Default is empty
policy:
Expand Down Expand Up @@ -271,6 +382,10 @@ misconfiguration:
# Same as '--include-non-failures'
# Default is false
include-non-failures: false

# Same as '--policy-bundle-repository'
# Default is 'ghcr.io/aquasecurity/trivy-checks:0'
policy-bundle-repository: ghcr.io/aquasecurity/trivy-checks:0

# Same as '--miconfig-scanners'
# Default is all scanners
Expand Down Expand Up @@ -313,6 +428,12 @@ misconfiguration:
# Same as '--tf-exclude-downloaded-modules'
# Default is false
exclude-downloaded-modules: false

# Same as '--cf-params'
# Default is false
cloudformation:
params:
- params.json
```
## Kubernetes Options
Expand All @@ -327,6 +448,58 @@ kubernetes:
# Same as '--namespace'
# Default is empty
namespace:

# Same as '--kubeconfig'
# Default is empty
kubeconfig: ~/.kube/config2

# Same as '--components'
# Default is 'workload,infra'
components:
- workload
- infra

# Same as '--k8s-version'
# Default is empty
k8s-version: 1.21.0

# Same as '--tolerations'
# Default is empty
tolerations:
- key1=value1:NoExecute
- key2=value2:NoSchedule

# Same as '--all-namespaces'
# Default is false
all-namespaces: false

node-collector:
# Same as '--node-collector-namespace'
# Default is 'trivy-temp'
namespace: ~/.kube/config2

# Same as '--node-collector-imageref'
# Default is 'ghcr.io/aquasecurity/node-collector:0.0.9'
imageref: ghcr.io/aquasecurity/node-collector:0.0.9

exclude:
# Same as '--exclude-owned'
# Default is false
owned: true

# Same as '--exclude-nodes'
# Default is empty
nodes:
- kubernetes.io/arch:arm64
- team:dev

# Same as '--qps'
# Default is 5.0
qps: 5.0

# Same as '--burst'
# Default is 10
burst: 10
```
## Repository Options
Expand Down Expand Up @@ -397,6 +570,35 @@ cloud:
# the aws account to use (this will be determined from your environment when not set)
account: 123456789012
# the aws specific services
service:
- s3
- ec2
# the aws specific arn
arn: arn:aws:s3:::example-bucket
# skip the aws specific services
skip-service:
- s3
- ec2
```

## Module Options
Available for modules

```yaml
module:
# Same as '--module-dir'
# Default is '$HOME/.trivy/modules'
dir: $HOME/.trivy/modules
# Same as '--enable-modules'
# Default is empty
enable-modules:
- trivy-module-spring4shell
- trivy-module-wordpress
```

[example]: https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/examples/trivy-conf/trivy.yaml
2 changes: 1 addition & 1 deletion pkg/flag/cloud_flags.go
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ var (
Name: "max-cache-age",
ConfigName: "cloud.max-cache-age",
Default: time.Hour * 24,
Usage: "The maximum age of the cloud cache. Cached data will be requeried from the cloud provider if it is older than this.",
Usage: "The maximum age of the cloud cache. Cached data will be required from the cloud provider if it is older than this.",
}
)

Expand Down
18 changes: 9 additions & 9 deletions pkg/flag/kubernetes_flags.go
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,7 @@ var (
}
K8sVersionFlag = Flag[string]{
Name: "k8s-version",
ConfigName: "kubernetes.k8s.version",
ConfigName: "kubernetes.k8s-version",
Usage: "specify k8s version to validate outdated api by it (example: 1.21.0)",
}
TolerationsFlag = Flag[[]string]{
Expand All @@ -54,16 +54,22 @@ var (
}
AllNamespaces = Flag[bool]{
Name: "all-namespaces",
ConfigName: "kubernetes.all.namespaces",
ConfigName: "kubernetes.all-namespaces",
Shorthand: "A",
Usage: "fetch resources from all cluster namespaces",
}
NodeCollectorNamespace = Flag[string]{
Name: "node-collector-namespace",
ConfigName: "node.collector.namespace",
ConfigName: "kubernetes.node-collector.namespace",
Default: "trivy-temp",
Usage: "specify the namespace in which the node-collector job should be deployed",
}
NodeCollectorImageRef = Flag[string]{
Name: "node-collector-imageref",
ConfigName: "kubernetes.node-collector.imageref",
Default: "ghcr.io/aquasecurity/node-collector:0.0.9",
Usage: "indicate the image reference for the node-collector scan job",
}
ExcludeOwned = Flag[bool]{
Name: "exclude-owned",
ConfigName: "kubernetes.exclude.owned",
Expand All @@ -74,12 +80,6 @@ var (
ConfigName: "kubernetes.exclude.nodes",
Usage: "indicate the node labels that the node-collector job should exclude from scanning (example: kubernetes.io/arch:arm64,team:dev)",
}
NodeCollectorImageRef = Flag[string]{
Name: "node-collector-imageref",
ConfigName: "kubernetes.node.collector.imageref",
Default: "ghcr.io/aquasecurity/node-collector:0.0.9",
Usage: "indicate the image reference for the node-collector scan job",
}
QPS = Flag[float64]{
Name: "qps",
ConfigName: "kubernetes.qps",
Expand Down
2 changes: 1 addition & 1 deletion pkg/flag/scan_flags.go
Original file line number Diff line number Diff line change
Expand Up @@ -98,7 +98,7 @@ var (
}
IncludeDevDepsFlag = Flag[bool]{
Name: "include-dev-deps",
ConfigName: "include-dev-deps",
ConfigName: "scan.include-dev-deps",
Usage: "include development dependencies in the report (supported: npm, yarn)",
}
)
Expand Down

0 comments on commit 7811ad0

Please sign in to comment.