From 9999365d01f062d4232c3f36fe26214ea2149888 Mon Sep 17 00:00:00 2001
From: DmitriyLewen
Date: Wed, 24 Apr 2024 13:10:11 +0600
Subject: [PATCH 1/5] fix(flags): use `scan.include-dev-deps"`
---
 pkg/flag/scan_flags.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/flag/scan_flags.go b/pkg/flag/scan_flags.go
index e2128816e849..102e16e2fdd4 100644
--- a/pkg/flag/scan_flags.go
+++ b/pkg/flag/scan_flags.go
@@ -98,7 +98,7 @@ var (
 }
 IncludeDevDepsFlag = Flag[bool]{
 Name: "include-dev-deps",
- ConfigName: "include-dev-deps",
+ ConfigName: "scan.include-dev-deps",
 Usage: "include development dependencies in the report (supported: npm, yarn)",
 }
 )
From 6fc9a5574ae62648cbdac86aaa01d25de93914d2 Mon Sep 17 00:00:00 2001
From: DmitriyLewen
Date: Wed, 24 Apr 2024 13:10:57 +0600
Subject: [PATCH 2/5] docs: update config file page
---
 .../references/configuration/config-file.md | 229 +++++++++++++++++-
 1 file changed, 218 insertions(+), 11 deletions(-)
diff --git a/docs/docs/references/configuration/config-file.md b/docs/docs/references/configuration/config-file.md
index f649d2a213b6..467b0d163051 100644
--- a/docs/docs/references/configuration/config-file.md
+++ b/docs/docs/references/configuration/config-file.md
@@ -81,6 +81,15 @@ severity: - MEDIUM - HIGH - CRITICAL + +scan: + # Same as '--compliance' + # Default is empty + compliance: + + # Same as '--show-suppressed' + # Default is false + show-suppressed: false ``` ## Scan Options
@@ -106,7 +115,7 @@ scan: # Same as '--offline-scan' # Default is false - offline-scan: false + offline: false # Same as '--scanners' # Default depends on subcommand
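Review bot: Moving ConfigName from the top-level `include-dev-deps` to `scan.include-dev-deps` means a trivy.yaml that still sets `include-dev-deps:` at the top level is silently ignored from this version on — the old key is neither read nor reported, so the set of scanned packages changes without any signal to the user. If the top-level key was ever in a released version, a fallback read of the old key with a deprecation warning, or at least an explicit release-note entry, would avoid that silent change. The same concern applies to the kubernetes_flags.go hunks in patch 4, where `kubernetes.k8s.version`, `kubernetes.all.namespaces`, `node.collector.namespace` and `kubernetes.node.collector.imageref` are renamed with no compatibility path. The enclosing `var (` block starts outside the hunk.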
@@ -115,6 +124,24 @@ scan: - misconfig - secret - license + - + # Same as '--parallel' + # Default is 5 + parallel: 1 + + # Same as '--sbom-sources' + # Default is empty + sbom-sources: + - oci + - rekor + + # Same as '--rekor-url' + # Default is 'https://rekor.sigstore.dev' + rekor-url: https://rekor.sigstore.dev + + # Same as '--include-dev-deps' + # Default is false + include-dev-deps: false ``` ## Cache Options @@ -131,6 +158,9 @@ cache: # Redis options redis: + # Same as '--redis-tls' + # Default is false + tls: # Same as '--redis-ca' # Default is empty ca: @@ -148,21 +178,25 @@ cache: ```yaml db: - # Same as '--skip-db-update' - # Default is false - skip-update: false - # Same as '--no-progress' # Default is false no-progress: false + + # Same as '--skip-db-update' + # Default is false + skip-update: false # Same as '--db-repository' - # Default is 'ghcr.io/aquasecurity/trivy-db' - repository: ghcr.io/aquasecurity/trivy-db + # Default is 'ghcr.io/aquasecurity/trivy-db:2' + repository: ghcr.io/aquasecurity/trivy-db:2 + + # Same as '--skip-java-db-update' + # Default is false + java-skip-update: false # Same as '--java-db-repository' - # Default is 'ghcr.io/aquasecurity/trivy-java-db' - java-repository: ghcr.io/aquasecurity/trivy-java-db + # Default is 'ghcr.io/aquasecurity/trivy-java-db:1' + java-repository: ghcr.io/aquasecurity/trivy-java-db:1 ``` ## Registry Options @@ -197,7 +231,19 @@ image: # Same as '--platform' # Default is empty - platform: + platform: + + # Same as '--image-src' + # Default is 'docker,containerd,podman,remote' + source: + - podman + - docker + + # Same as '--image-config-scanners' + # Default is empty + image-config-scanners: + - misconfig + - secret docker: # Same as '--docker-host' 
@@ -224,6 +270,67 @@ vulnerability: # Same as '--ignore-unfixed' # Default is false ignore-unfixed: false + + # Same as '--ignore-unfixed' + # Default is empty + ignore-status: + - end_of_life +``` + +## License Options +Available with license scanning + +```yaml +license: + # Same as '--license-full' + # Default is false + full: false + + # Same as '--ignored-licenses' + # Default is empty + ignored: + - MPL-2.0 + - MIT + + # Same as '--license-confidence-level' + # Default is 0.9 + confidenceLevel: 0.9 + + # Set list of forbidden licenses + # Default is https://github.com/aquasecurity/trivy/blob/164b025413c5fb9c6759491e9a306b46b869be93/pkg/licensing/category.go#L171 + forbidden: + - AGPL-1.0 + - AGPL-3.0 + + # Set list of restricted licenses + # Default is https://github.com/aquasecurity/trivy/blob/164b025413c5fb9c6759491e9a306b46b869be93/pkg/licensing/category.go#L199 + restricted: + - AGPL-1.0 + - AGPL-3.0 + + # Set list of reciprocal licenses + # Default is https://github.com/aquasecurity/trivy/blob/164b025413c5fb9c6759491e9a306b46b869be93/pkg/licensing/category.go#L238 + reciprocal: + - AGPL-1.0 + - AGPL-3.0 + + # Set list of notice licenses + # Default is https://github.com/aquasecurity/trivy/blob/164b025413c5fb9c6759491e9a306b46b869be93/pkg/licensing/category.go#L260 + notice: + - AGPL-1.0 + - AGPL-3.0 + + # Set list of permissive licenses + # Default is empty + permissive: + - AGPL-1.0 + - AGPL-3.0 + + # Set list of unencumbered licenses + # Default is https://github.com/aquasecurity/trivy/blob/164b025413c5fb9c6759491e9a306b46b869be93/pkg/licensing/category.go#L334 + unencumbered: + - AGPL-1.0 + - AGPL-3.0 ``` ## Secret Options @@ -239,11 +346,15 @@ secret: ## Rego Options ```yaml -rego +rego: # Same as '--trace' # Default is false trace: false + # Same as '--skip-policy-update' + # Default is false + skip-policy-update: false + # Same as '--config-policy' # Default is empty policy: 
@@ -271,6 +382,10 @@ misconfiguration: # Same as '--include-non-failures' # Default is false include-non-failures: false + + # Same as '--policy-bundle-repository' + # Default is 'ghcr.io/aquasecurity/trivy-policies:0' + policy-bundle-repository: ghcr.io/aquasecurity/trivy-policies:0 # Same as '--miconfig-scanners' # Default is all scanners @@ -313,6 +428,12 @@ misconfiguration: # Same as '--tf-exclude-downloaded-modules' # Default is false exclude-downloaded-modules: false + + # Same as '--cf-params' + # Default is false + cloudformation: + params: + - params.json ``` ## Kubernetes Options @@ -327,6 +448,63 @@ kubernetes: # Same as '--namespace' # Default is empty namespace: + + # Same as '--kubeconfig' + # Default is empty + kubeconfig: ~/.kube/config2 + + # Same as '--components' + # Default is 'workload,infra' + components: + - workload + - infra + + # Same as '--tolerations' + # Default is empty + tolerations: + - key1=value1:NoExecute + - key2=value2:NoSchedule + + # Same as '--qps' + # Default is 5.0 + qps: 5.0 + + # Same as '--burst' + # Default is 10 + burst: 10 + + exclude: + # Same as '--exclude-owned' + # Default is false + owned: true + + # Same as '--exclude-nodes' + # Default is empty + nodes: + - kubernetes.io/arch:arm64 + - team:dev + + # Same as '--all-namespaces' + # Default is false + all: + namespaces: false + + # Same as '--k8s-version' + # Default is empty + k8s: + version: 1.21.0 + + # Same as '--node-collector-imageref' + # Default is 'ghcr.io/aquasecurity/node-collector:0.0.9' + node: + collector: + imageref: ghcr.io/aquasecurity/node-collector:0.0.9 + +# Same as '--node-collector-namespace' +# Default is 'trivy-temp' +node: + collector: + namespace: ~/.kube/config2 ``` ## Repository Options 
@@ -397,6 +575,35 @@ cloud: # the aws account to use (this will be determined from your environment when not set) account: 123456789012 + + # the aws specific services + service: + - s3 + - ec2 + + # the aws specific arn + arn: arn:aws:s3:::example-bucket + + # skip the aws specific services + skip-service: + - s3 + - ec2 +``` + +## Module Options +Available for modules + +```yaml +module: + # Same as '--module-dir' + # Default is '$HOME/.trivy/modules' + dir: $HOME/.trivy/modules + + # Same as '--enable-modules' + # Default is empty + enable-modules: + - trivy-module-spring4shell + - trivy-module-wordpress ``` [example]: https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/examples/trivy-conf/trivy.yaml
From 80d3a4f80309f72d41c6e306b927b792a04b9d68 Mon Sep 17 00:00:00 2001
From: DmitriyLewen
Date: Wed, 24 Apr 2024 13:11:10 +0600
Subject: [PATCH 3/5] refactor: fix typo for `max-cache-age` flag
---
 docs/docs/references/configuration/cli/trivy_aws.md | 2 +-
 pkg/flag/cloud_flags.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/docs/docs/references/configuration/cli/trivy_aws.md b/docs/docs/references/configuration/cli/trivy_aws.md
index b87bfce2bc30..0997f062b55e 100644
--- a/docs/docs/references/configuration/cli/trivy_aws.md
+++ b/docs/docs/references/configuration/cli/trivy_aws.md
@@ -87,7 +87,7 @@ trivy aws [flags]
 --ignorefile string specify .trivyignore file (default ".trivyignore")
 --include-non-failures include successes and exceptions, available with '--scanners misconfig'
 --list-all-pkgs enabling the option will output all packages regardless of vulnerability
- --max-cache-age duration The maximum age of the cloud cache. Cached data will be requeried from the cloud provider if it is older than this. (default 24h0m0s)
+ --max-cache-age duration The maximum age of the cloud cache. Cached data will be required from the cloud provider if it is older than this. (default 24h0m0s)
 --misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
 -o, --output string output file name
 --output-plugin-arg string [EXPERIMENTAL] output plugin arguments
diff --git a/pkg/flag/cloud_flags.go b/pkg/flag/cloud_flags.go
index dfff5a997f7a..fd96c206d496 100644
--- a/pkg/flag/cloud_flags.go
+++ b/pkg/flag/cloud_flags.go
@@ -12,7 +12,7 @@ var (
 Name: "max-cache-age",
 ConfigName: "cloud.max-cache-age",
 Default: time.Hour * 24,
- Usage: "The maximum age of the cloud cache. Cached data will be requeried from the cloud provider if it is older than this.",
+ Usage: "The maximum age of the cloud cache. Cached data will be required from the cloud provider if it is older than this.",
 }
 )
From 15e6fcaa7e130b660b9d6d35b1270654df00d726 Mon Sep 17 00:00:00 2001
From: DmitriyLewen
Date: Wed, 24 Apr 2024 14:23:59 +0600
Subject: [PATCH 4/5] refactor ConfigName's of k8s flags
---
 .../references/configuration/config-file.md | 47 +++++++++----------
 pkg/flag/kubernetes_flags.go | 18 +++---
 2 files changed, 30 insertions(+), 35 deletions(-)
diff --git a/docs/docs/references/configuration/config-file.md b/docs/docs/references/configuration/config-file.md
index 467b0d163051..7996c34596c7 100644
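Review bot: The new Usage string on the `+` line of the cloud_flags.go hunk changes the meaning rather than fixing the spelling: `requeried` was a misspelling of "re-queried" (stale cache entries are fetched again from the provider), whereas `required from the cloud provider` reads as a hard requirement and tells the operator nothing about refresh behaviour. Suggest `Usage: "The maximum age of the cloud cache. Cached data will be re-queried from the cloud provider if it is older than this.",` and the same wording in the trivy_aws.md hunk above, which appears to mirror this text (presumably generated from it). The enclosing `var (` block starts outside the hunk.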
--- a/docs/docs/references/configuration/config-file.md
+++ b/docs/docs/references/configuration/config-file.md
@@ -459,19 +459,28 @@ kubernetes: - workload - infra + # Same as '--k8s-version' + # Default is empty + k8s-version: 1.21.0 + # Same as '--tolerations' # Default is empty tolerations: - key1=value1:NoExecute - key2=value2:NoSchedule - # Same as '--qps' - # Default is 5.0 - qps: 5.0 + # Same as '--all-namespaces' + # Default is false + all-namespaces: false - # Same as '--burst' - # Default is 10 - burst: 10 + node-collector: + # Same as '--node-collector-namespace' + # Default is 'trivy-temp' + namespace: ~/.kube/config2 + + # Same as '--node-collector-imageref' + # Default is 'ghcr.io/aquasecurity/node-collector:0.0.9' + imageref: ghcr.io/aquasecurity/node-collector:0.0.9 exclude: # Same as '--exclude-owned'
@@ -484,27 +493,13 @@ kubernetes: - kubernetes.io/arch:arm64 - team:dev - # Same as '--all-namespaces' - # Default is false - all: - namespaces: false + # Same as '--qps' + # Default is 5.0 + qps: 5.0 - # Same as '--k8s-version' - # Default is empty - k8s: - version: 1.21.0 - - # Same as '--node-collector-imageref' - # Default is 'ghcr.io/aquasecurity/node-collector:0.0.9' - node: - collector: - imageref: ghcr.io/aquasecurity/node-collector:0.0.9 - -# Same as '--node-collector-namespace' -# Default is 'trivy-temp' -node: - collector: - namespace: ~/.kube/config2 + # Same as '--burst' + # Default is 10 + burst: 10 ``` ## Repository Options
diff --git a/pkg/flag/kubernetes_flags.go b/pkg/flag/kubernetes_flags.go
index 7a87040ba698..a2f47ace08d9 100644
--- a/pkg/flag/kubernetes_flags.go
+++ b/pkg/flag/kubernetes_flags.go
@@ -44,7 +44,7 @@ var (
 }
 K8sVersionFlag = Flag[string]{
 Name: "k8s-version",
- ConfigName: "kubernetes.k8s.version",
+ ConfigName: "kubernetes.k8s-version",
 Usage: "specify k8s version to validate outdated api by it (example: 1.21.0)",
 }
 TolerationsFlag = Flag[[]string]{
@@ -54,16 +54,22 @@ var (
 }
 AllNamespaces = Flag[bool]{
 Name: "all-namespaces",
- ConfigName: "kubernetes.all.namespaces",
+ ConfigName: "kubernetes.all-namespaces",
 Shorthand: "A",
 Usage: "fetch resources from all cluster namespaces",
 }
 NodeCollectorNamespace = Flag[string]{
 Name: "node-collector-namespace",
- ConfigName: "node.collector.namespace",
+ ConfigName: "kubernetes.node-collector.namespace",
 Default: "trivy-temp",
 Usage: "specify the namespace in which the node-collector job should be deployed",
 }
+ NodeCollectorImageRef = Flag[string]{
+ Name: "node-collector-imageref",
+ ConfigName: "kubernetes.node-collector.imageref",
+ Default: "ghcr.io/aquasecurity/node-collector:0.0.9",
+ Usage: "indicate the image reference for the node-collector scan job",
+ }
 ExcludeOwned = Flag[bool]{
 Name: "exclude-owned",
 ConfigName: "kubernetes.exclude.owned",
@@ -74,12 +80,6 @@ var (
 ConfigName: "kubernetes.exclude.nodes",
 Usage: "indicate the node labels that the node-collector job should exclude from scanning (example: kubernetes.io/arch:arm64,team:dev)",
 }
- NodeCollectorImageRef = Flag[string]{
- Name: "node-collector-imageref",
- ConfigName: "kubernetes.node.collector.imageref",
- Default: "ghcr.io/aquasecurity/node-collector:0.0.9",
- Usage: "indicate the image reference for the node-collector scan job",
- }
 QPS = Flag[float64]{
 Name: "qps",
 ConfigName: "kubernetes.qps",
From 6136a99722b18c354392c283b53df05d117ae101 Mon Sep 17 00:00:00 2001
From: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
Date: Thu, 25 Apr 2024 14:29:34 +0600
Subject: [PATCH 5/5] Update --policy-bundle-repository default repo
Co-authored-by: simar7 <1254783+simar7@users.noreply.github.com>
---
 docs/docs/references/configuration/config-file.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/docs/docs/references/configuration/config-file.md b/docs/docs/references/configuration/config-file.md
index 7996c34596c7..755913a0bf20 100644
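Review bot: `NodeCollectorImageRef` is only relocated here (the following hunk deletes the same block), but its `Default: "ghcr.io/aquasecurity/node-collector:0.0.9"` now sits on the new side and references the node-collector image by a mutable tag, so the job that Trivy deploys into a customer cluster can change content without a Trivy release. Operators who pin workloads would benefit from the Usage saying that a pinned reference is accepted, e.g. `Usage: "indicate the image reference for the node-collector scan job (a digest reference can be used to pin it)",` — assuming the value is passed through as an image reference unchanged, which this hunk does not show. This is pre-existing rather than introduced by the move. The enclosing `var (` block starts and ends outside the hunk.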
--- a/docs/docs/references/configuration/config-file.md
+++ b/docs/docs/references/configuration/config-file.md
@@ -384,8 +384,8 @@ misconfiguration:
 include-non-failures: false
 # Same as '--policy-bundle-repository'
- # Default is 'ghcr.io/aquasecurity/trivy-policies:0'
- policy-bundle-repository: ghcr.io/aquasecurity/trivy-policies:0
+ # Default is 'ghcr.io/aquasecurity/trivy-checks:0'
+ policy-bundle-repository: ghcr.io/aquasecurity/trivy-checks:0
 # Same as '--miconfig-scanners'
 # Default is all scanners