docs: add note about disabled DS016 check (#7724)

Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
2025-12-05 20:40:16 -08:00 · 2024-10-16 10:31:20 +06:00
parent ad914123c4
commit 83e5b83acc
3 changed files with 27 additions and 9 deletions
--- a/docs/docs/target/container_image.md
+++ b/docs/docs/target/container_image.md
@@ -154,6 +154,8 @@ See https://avd.aquasec.com/misconfig/ds026
 !!! tip
    You can see how each layer is created with `docker history`.

+The [AVD-DS-0016](https://avd.aquasec.com/misconfig/dockerfile/general/avd-ds-0016/) check is disabled for this scan type, see [issue](https://github.com/aquasecurity/trivy/issues/7368) for details.
+
 ### Secrets
 Trivy detects secrets on the configuration of container images.
 The image config is converted into JSON and Trivy scans the file for secrets.
--- a/pkg/fanal/analyzer/imgconf/dockerfile/dockerfile.go
+++ b/pkg/fanal/analyzer/imgconf/dockerfile/dockerfile.go
@@ -16,8 +16,11 @@ import (
 	"github.com/aquasecurity/trivy/pkg/misconf"
 )

-var disabledChecks = []string{
-	"DS016", // See https://github.com/aquasecurity/trivy/issues/7368
+var disabledChecks = []misconf.DisabledCheck{
+	{
+		ID: "DS016", Scanner: string(analyzer.TypeHistoryDockerfile),
+		Reason: "See https://github.com/aquasecurity/trivy/issues/7368",
+	},
 }

 const analyzerVersion = 1
@@ -31,7 +34,7 @@ type historyAnalyzer struct {
 }

 func newHistoryAnalyzer(opts analyzer.ConfigAnalyzerOptions) (analyzer.ConfigAnalyzer, error) {
-	opts.MisconfScannerOption.DisabledCheckIDs = append(opts.MisconfScannerOption.DisabledCheckIDs, disabledChecks...)
+	opts.MisconfScannerOption.DisabledChecks = append(opts.MisconfScannerOption.DisabledChecks, disabledChecks...)
 	s, err := misconf.NewScanner(detection.FileTypeDockerfile, opts.MisconfScannerOption)
 	if err != nil {
 		return nil, xerrors.Errorf("misconfiguration scanner error: %w", err)
--- a/pkg/misconf/scanner.go
+++ b/pkg/misconf/scanner.go
@@ -50,6 +50,12 @@ var enablediacTypes = map[detection.FileType]types.ConfigType{
 	detection.FileTypeYAML:                  types.YAML,
 }

+type DisabledCheck struct {
+	ID      string
+	Scanner string // For logging
+	Reason  string // For logging
+}
+
 type ScannerOption struct {
 	Trace                    bool
 	RegoOnly                 bool
@@ -74,9 +80,9 @@ type ScannerOption struct {
 	FilePatterns      []string
 	ConfigFileSchemas []*ConfigFileSchema

-	DisabledCheckIDs []string
-	SkipFiles        []string
-	SkipDirs         []string
+	DisabledChecks []DisabledCheck
+	SkipFiles      []string
+	SkipDirs       []string
 }

 func (o *ScannerOption) Sort() {
@@ -133,6 +139,7 @@ func NewScanner(t detection.FileType, opt ScannerOption) (*Scanner, error) {
 }

 func (s *Scanner) Scan(ctx context.Context, fsys fs.FS) ([]types.Misconfiguration, error) {
+	ctx = log.WithContextPrefix(ctx, log.PrefixMisconfiguration)
 	newfs, err := s.filterFS(fsys)
 	if err != nil {
 		return nil, xerrors.Errorf("fs filter error: %w", err)
@@ -141,12 +148,12 @@ func (s *Scanner) Scan(ctx context.Context, fsys fs.FS) ([]types.Misconfiguratio
 		return nil, nil
 	}

-	log.Debug("Scanning files for misconfigurations...", log.String("scanner", s.scanner.Name()))
+	log.DebugContext(ctx, "Scanning files for misconfigurations...", log.String("scanner", s.scanner.Name()))
 	results, err := s.scanner.ScanFS(ctx, newfs, ".")
 	if err != nil {
 		var invalidContentError *cfparser.InvalidContentError
 		if errors.As(err, &invalidContentError) {
-			log.Error("scan was broken with InvalidContentError", s.scanner.Name(), log.Err(err))
+			log.ErrorContext(ctx, "scan was broken with InvalidContentError", s.scanner.Name(), log.Err(err))
 			return nil, nil
 		}
 		return nil, xerrors.Errorf("scan config error: %w", err)
@@ -211,11 +218,17 @@ func (s *Scanner) filterFS(fsys fs.FS) (fs.FS, error) {
 }

 func scannerOptions(t detection.FileType, opt ScannerOption) ([]options.ScannerOption, error) {
+	disabledCheckIDs := lo.Map(opt.DisabledChecks, func(check DisabledCheck, _ int) string {
+		log.Info("Check disabled", log.Prefix(log.PrefixMisconfiguration), log.String("ID", check.ID),
+			log.String("scanner", check.Scanner), log.String("reason", check.Reason))
+		return check.ID
+	})
+
 	opts := []options.ScannerOption{
 		rego.WithEmbeddedPolicies(!opt.DisableEmbeddedPolicies),
 		rego.WithEmbeddedLibraries(!opt.DisableEmbeddedLibraries),
 		options.ScannerWithIncludeDeprecatedChecks(opt.IncludeDeprecatedChecks),
-		rego.WithDisabledCheckIDs(opt.DisabledCheckIDs...),
+		rego.WithDisabledCheckIDs(disabledCheckIDs...),
 	}

 	policyFS, policyPaths, err := CreatePolicyFS(opt.PolicyPaths)