Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(misconf): Support custom data for rego policies for cloud #4745

Merged
merged 11 commits into from
Jul 17, 2023
Merged

feat(misconf): Support custom data for rego policies for cloud #4745

merged 11 commits into from
Jul 17, 2023

Conversation

simar7
Copy link
Member

@simar7 simar7 commented Jul 1, 2023
edited
Loading

Description

This PR adds support for supplying custom data for rego policies.

Related issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@simar7 simar7 added this to the v0.44.0 milestone Jul 1, 2023
@simar7 simar7 mentioned this pull request Jul 1, 2023
Closed
8 tasks
@knqyf263 knqyf263 removed this from the v0.44.0 milestone Jul 3, 2023
@knqyf263
Copy link
Collaborator

knqyf263 commented Jul 3, 2023

Hi Simar, I've removed this PR from the milestone as we usually have only issues in the milestone.

@simar7 simar7 force-pushed the recreate-pr-4684 branch from cfcfe8d to 654aeae Compare July 4, 2023 08:43
simar7 added 2 commits July 4, 2023 23:29
@simar7
feat(misconf): Support custom data for cloud policies
ed04503 
Signed-off-by: Simar <simar@linux.com>
@simar7
use policyfs
20a8964 
Signed-off-by: Simar <simar@linux.com>
@simar7 simar7 force-pushed the recreate-pr-4684 branch from bc33642 to 20a8964 Compare July 5, 2023 05:29
simar7 added 2 commits July 4, 2023 23:45
@simar7
refactor to reduce cyclomatic complexity
d03f011 
Signed-off-by: Simar <simar@linux.com>
@simar7
bump defsec
76f217c
@simar7 simar7 marked this pull request as ready for review July 5, 2023 21:22
@simar7 simar7 requested a review from knqyf263 as a code owner July 5, 2023 21:23
@simar7 simar7 self-assigned this Jul 5, 2023
@simar7
update docs
47cd724 
Signed-off-by: Simar <simar@linux.com>
@simar7 simar7 changed the title feat(misconf): Support custom data for rego policies feat(misconf): Support custom data for rego policies for cloud Jul 6, 2023
@simar7
update test assertion
0d62006 
Signed-off-by: Simar <simar@linux.com>
@simar7 simar7 force-pushed the recreate-pr-4684 branch from 61291d3 to 0d62006 Compare July 7, 2023 05:51
@simar7 simar7 mentioned this pull request Jul 7, 2023
Merged
AnaisUrlichs
AnaisUrlichs reviewed Jul 7, 2023
View reviewed changes
pkg/cloud/aws/commands/run_test.go
@@ -969,6 +971,7 @@ func Test_Run(t *testing.T) {
cacheContent string
regoPolicy string
allServices []string
inputData string
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will we provide an example in the docs on using this?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We already have that here https://aquasecurity.github.io/trivy/v0.43/docs/scanner/misconfiguration/custom/data/

This PR just extends that functionality to be used in Trivy Cloud Scanning.

simar7 and others added 2 commits July 10, 2023 15:37
@simar7
Merge branch 'main' into recreate-pr-4684
8ec081d
@simar7
update test
366991b 
Need this as OPA is currently broken on Windows

open-policy-agent/opa#4521

Signed-off-by: Simar <simar@linux.com>
knqyf263
knqyf263 reviewed Jul 13, 2023
View reviewed changes
pkg/cloud/aws/commands/run_test.go Outdated
Comment on lines 974 to 976
regoDir := filepath.Join("testdata", "Test_Run_Dir")
require.NoError(t, os.MkdirAll(regoDir, 0755))
defer os.RemoveAll(regoDir)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm curious about the benefit of this change.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

open-policy-agent/opa#4521

pkg/commands/artifact/run.go Outdated
@@ -579,7 +579,7 @@ func initScannerConfig(opts flag.Options, cacheClient cache.Cache) (ScannerConfi
Trace: opts.Trace,
Namespaces: append(opts.PolicyNamespaces, defaultPolicyNamespaces...),
PolicyPaths: append(opts.PolicyPaths, downloadedPolicyPaths...),
DataPaths: opts.DataPaths,
DataPaths: append(opts.DataPaths, downloadedPolicyPaths...),
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do we want to pass policy paths as data paths? The policies are loaded as data by mistake, no? I may be missing something.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it was a typo, updated here 18b29d5

@knqyf263 knqyf263 added this pull request to the merge queue Jul 17, 2023
@simar7 simar7 mentioned this pull request Jul 17, 2023
Closed
Merged via the queue into main with commit 4bc8d29 Jul 17, 2023
@knqyf263 knqyf263 deleted the recreate-pr-4684 branch July 17, 2023 13:02
AnaisUrlichs pushed a commit to AnaisUrlichs/trivy that referenced this pull request Aug 10, 2023
@simar7 @knqyf263 @AnaisUrlichs
feat(misconf): Support custom data for rego policies for cloud (aquas…
513017e 
…ecurity#4745)

* feat(misconf): Support custom data for cloud policies

Signed-off-by: Simar <simar@linux.com>

* use policyfs

Signed-off-by: Simar <simar@linux.com>

* refactor to reduce cyclomatic complexity

Signed-off-by: Simar <simar@linux.com>

* bump defsec

* update docs

Signed-off-by: Simar <simar@linux.com>

* update test assertion

Signed-off-by: Simar <simar@linux.com>

* update test

Need this as OPA is currently broken on Windows

open-policy-agent/opa#4521

Signed-off-by: Simar <simar@linux.com>

* fix data path

* fix(mapfs): convert volume names into dirs

* revert creating temp dirs

---------

Signed-off-by: Simar <simar@linux.com>
Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@AnaisUrlichs AnaisUrlichs AnaisUrlichs approved these changes

@knqyf263 knqyf263 knqyf263 approved these changes

@itaysk itaysk Awaiting requested review from itaysk

Assignees

@simar7 simar7

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

feat: Support --config-data for cloud scanning
3 participants
@simar7 @knqyf263 @AnaisUrlichs