v0.48.0

[aqua-bot]

🛫 Deprecation 🌆

--scanners config flag

--scanners config was renamed to --scanners misconfig.

See #5586 for more details.

🚀 What's new? 🚀

🔌 Output plugin support 📈

⚠️ EXPERIMENTAL: This feature is still experimental. It might change without preserving backward compatibility.

Trivy has introduced a significant update with support for output plugins. This new feature allows for extended flexibility in handling Trivy's scan results. Users can now install custom output plugins and use them to format and process scan outputs in various ways.

Usage:

$ trivy <target> [--format <format>] --output plugin=<plugin_name> [--output-plugin-arg <plugin_args>] <target_name>

Example:

$ trivy plugin install github.com/aquasecurity/trivy-output-plugin-count
$ trivy image -f json -o plugin=count --output-plugin-arg "--publish-after 2023-10-01" debian:12

The above example passes the scan results to the count plugin. See here for more details.

⚙️ Packages.props support (.NET) 📦

Trivy has expanded its .NET support in the latest update, now including handling for Directory.packages.props and packages.props files. This enhancement allows for more comprehensive analysis of .NET projects, especially regarding transitive dependencies, although the documentation on this specific aspect is still under refinement.

$ trivy fs ./Directory.Packages.props 
2023-11-22T13:50:17.728+0600    INFO    Vulnerability scanning is enabled
2023-11-22T13:50:17.739+0600    INFO    Detecting packages-props vulnerabilities...

Directory.Packages.props (packages-props)
=========================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌─────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────┐
│     Library     │    Vulnerability    │ Severity │ Status │ Installed Version │ Fixed Version │                       Title                       │
├─────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────┤
│ Newtonsoft.Json │ GHSA-5crp-9r3c-p9vr │ HIGH     │ fixed  │ 9.0.1             │ 13.0.1        │ Improper Handling of Exceptional Conditions in    │
│                 │                     │          │        │                   │               │ Newtonsoft.Json                                   │
│                 │                     │          │        │                   │               │ https://github.com/advisories/GHSA-5crp-9r3c-p9vr │
└─────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────┘

Thanks to @yuriShafet for this contribution.

📦 Enhanced DEB and RPM package analysis 🛠️

Trivy enhances its package analysis capabilities. Previously, only the apk package analyzer could include installed files in the result. This update extends the same functionality to DEB and RPM packages, aligning their analytical capabilities with apk packages.

Thanks to @lebauce for this contribution.

🕒 Add timestamp in JSON reports 📊

Trivy now includes the creation time in its JSON reports. This simple yet important addition allows users to easily identify when their reports were generated, enhancing the usability and clarity of these reports.

Thanks to @u5surf for this contribution.

🔍 JWT Token Detection Added to Trivy's Secret Scanning 🛡️

Trivy now includes JWT token detection in its secret scanning capabilities, enhancing its ability to identify potential security vulnerabilities related to JWT tokens.

Thanks to @very-doge-wow for this contribution.

🫧 Ability to selectively enable misconfiguration scanners 🌙

You can now pass in --misconfig-scanners flag with a comma separated list of scanners to only enable selected scanners.

$ trivy config --misconfig-scanners=dockerfile,helm .

Will only run scan dockerfile and helm resources.

📊 Misconfiguration scanning now supports AWS Cloud Attributes ⚜️

You can now use AWS Cloud attributes when defining custom checks.

$ cat main.tf
"code/providers.tf": `
provider "aws" {
  region  = "us-east-2"
  default_tags {
    tags = {
      Environment = "Local"
      Name        = "LocalStack"
    }
  }
}

You can now specify a rule such as

deny[res] {
  region := input.aws.meta.tfproviders[_].region
  region.value != "us-east-1"
  res := result.new("Only the 'us-east-1' region is allowed!", region)
}

❇️ Better ignore experience for misconfiguration scanning 💹

We've made it easier to know how Trivy is evaluating the resources with more useful log output. If Trivy ignores any checks, you'll be able to see that information as part of the debug log output.

$ trivy --debug config  .
<snip>
2023-11-09T18:21:57.995-0700    DEBUG   [misconf] 21:57.995528000 terraform.executor               Ignored 'google-gke-use-cluster-labels' at 'main.tf:2-5'.
</snip>

Furthermore specifying trivy:ignore directives is now easier as they are case insensitive. Both #trivy:ignore:FOO-BAR-1234 and #trivy:ignore:foo-bar-1234 will now result in ignoring the rule with ID foo-bar-1234.

📳 Add ability to pass in CloudFormation Template parameters 🆔

Trivy now supports passing CloudFormation Template parameters via the --cf-params flag. You can find more details here

⎈ Node-collector image-ref settings 🚩

Trivy now supports the option to set node-collector Image-ref to be pulled from non default registry

For example, to set node-collector Image-ref :

trivy k8s cluster --report summary --node-collector-imageref aquasecurity/node-collector:0.0.9

👷‍♂️ Notable Fixes 🛠️

• Some problems with rule AVD-GCP-0012 #5456
• bug(terraform): some resources are not detected when for-each refers to a map #5555
• bug(terraform): Trivy does not support for-each Meta-Argument in data sources #5554
• bug(misconf): false negative AVD-AWS-0057 when aws_iam_policy_document contains count Meta-Argument #5552
• fix(terraform): output variables of modules are not evaluated in resources #5013
• Inverted logic in rule AVD-AWS-0141 #5452
• bug: panic: cannot refine an unknown value of an unknown type #5471
• fix(terraform): Amazon RDS uses an AWS KMS key by default #5014
• fix: Dedupe AVD-AWS-0180 rule  #5065
• bug(terraform): Trivy does not scan remote modules #5414