gitea-mirror/trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2025-12-22 15:16:33 -08:00
Code Issues Packages Projects Releases Wiki Activity

docs: drop AWS account scanning (#7997)

Browse Source 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
This commit is contained in:
Teppei Fukuda
2024-11-26 18:58:34 +09:00
committed by GitHub
parent aeeba70d15
commit 7e2a8cb7ad
7 changed files with 1 additions and 115 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
README.md
View File

@@ -21,7 +21,6 @@ Targets (what Trivy can scan):
- Git Repository (remote) - Git Repository (remote)
- Virtual Machine Image - Virtual Machine Image
- Kubernetes - Kubernetes
- AWS
Scanners (what Trivy can find there): Scanners (what Trivy can find there):

1
docs/docs/compliance/compliance.md
View File

@@ -10,7 +10,6 @@ Trivys compliance flag lets you curate a specific set of checks into a report
Compliance report is currently supported in the following targets (trivy sub-commands): Compliance report is currently supported in the following targets (trivy sub-commands):
- `trivy image` - `trivy image`
- `trivy aws`
- `trivy k8s` - `trivy k8s`
Add the `--compliance` flag to the command line, and set it's value to desired report. Add the `--compliance` flag to the command line, and set it's value to desired report.

2
docs/docs/configuration/reporting.md
View File

@@ -428,7 +428,7 @@ $ trivy convert --format table --severity CRITICAL result.json
``` ```
!!! note !!! note
JSON reports from "trivy aws" and "trivy k8s" are not yet supported. JSON reports from "trivy k8s" are not yet supported.
[cargo-auditable]: https://github.com/rust-secure-code/cargo-auditable/ [cargo-auditable]: https://github.com/rust-secure-code/cargo-auditable/
[action]: https://github.com/aquasecurity/trivy-action [action]: https://github.com/aquasecurity/trivy-action

1
docs/docs/plugin/user-guide.md
View File

@@ -103,7 +103,6 @@ VERSION:
dev dev
Scanning Commands Scanning Commands
aws [EXPERIMENTAL] Scan AWS account
config Scan config files for misconfigurations config Scan config files for misconfigurations
filesystem Scan local filesystem filesystem Scan local filesystem
image Scan a container image image Scan a container image

109
docs/docs/target/aws.md
View File

@@ -1,109 +0,0 @@
# Amazon Web Services
!!! warning "EXPERIMENTAL"
This feature might change without preserving backwards compatibility.
The Trivy AWS CLI allows you to scan your AWS account for misconfigurations.
You can either run the CLI locally or integrate it into your CI/CD pipeline.
Whilst you can already scan the infrastructure-as-code that defines your AWS resources with `trivy config`, you can now scan your live AWS account(s) directly too.
The included checks cover all of the aspects of the [AWS CIS 1.2](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-cis.html) automated benchmarks.
Trivy uses the same [authentication methods](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) as the AWS CLI to configure and authenticate your access to the AWS platform.
You will need permissions configured to read all AWS resources - we recommend using a group/role with the `ReadOnlyAccess` policy attached.
Once you've scanned your account, you can run additional commands to filter the results without having to run the entire scan again - infrastructure information is cached locally per AWS account/region.
Trivy currently supports the following scanning for AWS accounts.
- Misconfigurations
## CLI Commands
Scan a full AWS account (all supported services):
```shell
trivy aws --region us-east-1
```
You can allow Trivy to determine the AWS region etc. by using the standard AWS configuration files and environment variables. The `--region` flag overrides these.
![AWS Summary Report](../../imgs/trivy-aws.png)
The summary view is the default when scanning multiple services.
Scan a specific service:
```shell
trivy aws --service s3
```
Scan multiple services:
```shell
# --service s3,ec2 works too
trivy aws --service s3 --service ec2
```
Show results for a specific AWS resource:
```shell
trivy aws --service s3 --arn arn:aws:s3:::example-bucket
```
All ARNs with detected issues will be displayed when showing results for their associated service.
## Compliance
This section describes AWS specific compliance reports.
For an overview of Trivy's Compliance feature, including working with custom compliance, check out the [Compliance documentation](../compliance/compliance.md).
### Built in reports
the following reports are available out of the box:
| Compliance | Name for command | More info |
|------------------------------------|------------------|------------------------------------------------------------------------------------------------------|
| AWS CIS Foundations Benchmark v1.2 | `aws-cis-1.2` | [link](https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf) |
| AWS CIS Foundations Benchmark v1.4 | `aws-cis-1.4` | [link](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls-1.4.0.html) |
### Examples
Scan a cloud account and generate a compliance summary report:
```
$ trivy aws --compliance=<compliance_id> --report=summary
```
***Note*** : The `Issues` column represent the total number of failed checks for this control.
Get all of the detailed output for checks:
```
$ trivy aws --compliance=<compliance_id> --report all
```
Report result in JSON format:
```
$ trivy aws --compliance=<compliance_id> --report all --format json
```
## Cached Results
By default, Trivy will cache a representation of each AWS service for 24 hours.
This means you can filter and view results for a service without having to wait for the entire scan to run again.
If you want to force the cache to be refreshed with the latest data, you can use `--update-cache`.
Or if you'd like to use cached data for a different timeframe, you can specify `--max-cache-age` (e.g. `--max-cache-age 2h`.).
Regardless of whether the cache is used or not, rules will be evaluated again with each run of `trivy aws`.
## Custom Checks
You can write custom checks for Trivy to evaluate against your AWS account.
These checks are written in [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/), the same language used by [Open Policy Agent](https://www.openpolicyagent.org/).
See the [Custom Checks](../scanner/misconfiguration/custom/index.md) page for more information on how to write custom checks.
Custom checks in cloud scanning also support passing in custom data. This can be useful when you want to selectively enable/disable certain aspects of your cloud checks.
See the [Custom Data](../scanner/misconfiguration/custom/data.md) page for more information on how to provide custom data to custom checks.

1
docs/tutorials/shell/shell-completion.md
View File

@@ -49,7 +49,6 @@ trivy completion zsh > "${fpath[1]}/_trivy"
```bash ```bash
$ trivy [tab] $ trivy [tab]
aws -- scan aws account
completion -- Generate the autocompletion script for the specified shell completion -- Generate the autocompletion script for the specified shell
config -- Scan config files for misconfigurations config -- Scan config files for misconfigurations
filesystem -- Scan local filesystem filesystem -- Scan local filesystem

1
mkdocs.yml
View File

@@ -49,7 +49,6 @@ nav:
- Code Repository: docs/target/repository.md - Code Repository: docs/target/repository.md
- Virtual Machine Image: docs/target/vm.md - Virtual Machine Image: docs/target/vm.md
- Kubernetes: docs/target/kubernetes.md - Kubernetes: docs/target/kubernetes.md
- AWS: docs/target/aws.md
- SBOM: docs/target/sbom.md - SBOM: docs/target/sbom.md
- Scanner: - Scanner:
- Vulnerability: docs/scanner/vulnerability.md - Vulnerability: docs/scanner/vulnerability.md