feat(misconf): Add --reset-policy-bundle for policy bundle (#4167)
@@ -88,6 +88,7 @@ trivy aws [flags]
|
||||
--policy-namespaces strings Rego namespaces
|
||||
--region string AWS Region to scan
|
||||
--report string specify a report format for the output. (all,summary) (default "all")
|
||||
--reset-policy-bundle remove policy bundle
|
||||
--service strings Only scan AWS Service(s) specified with this flag. Can specify multiple services using --service A --service B etc.
|
||||
-s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
|
||||
--skip-policy-update skip fetching rego policy updates
|
||||
|
||||
@@ -37,6 +37,7 @@ trivy config [flags] DIR
|
||||
--redis-tls enable redis TLS with public certificates, if using redis as cache backend
|
||||
--registry-token string registry token
|
||||
--report string specify a compliance report format for the output. (all,summary) (default "all")
|
||||
--reset-policy-bundle remove policy bundle
|
||||
-s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
|
||||
--skip-dirs strings specify the directories where the traversal is skipped
|
||||
--skip-files strings specify the file paths to skip traversal
|
||||
|
||||
@@ -62,6 +62,7 @@ trivy filesystem [flags] PATH
|
||||
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
|
||||
--report string specify a compliance report format for the output. (all,summary) (default "all")
|
||||
--reset remove all caches and database
|
||||
--reset-policy-bundle remove policy bundle
|
||||
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
|
||||
--scanners strings comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
|
||||
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
|
||||
|
||||
@@ -84,6 +84,7 @@ trivy image [flags] IMAGE_NAME
|
||||
--removed-pkgs detect vulnerabilities of removed packages (only for Alpine)
|
||||
--report string specify a format for the compliance report. (default "summary")
|
||||
--reset remove all caches and database
|
||||
--reset-policy-bundle remove policy bundle
|
||||
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
|
||||
--scanners strings comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
|
||||
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
|
||||
|
||||
@@ -71,6 +71,7 @@ trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg:
|
||||
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
|
||||
--report string specify a report format for the output. (all,summary) (default "all")
|
||||
--reset remove all caches and database
|
||||
--reset-policy-bundle remove policy bundle
|
||||
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
|
||||
--scanners string comma-separated list of what security issues to detect (vuln,config,secret,license) (default "vuln,config,secret,rbac")
|
||||
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
|
||||
|
||||
@@ -59,6 +59,7 @@ trivy repository [flags] REPO_URL
|
||||
--registry-token string registry token
|
||||
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
|
||||
--reset remove all caches and database
|
||||
--reset-policy-bundle remove policy bundle
|
||||
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
|
||||
--scanners strings comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
|
||||
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
|
||||
|
||||
@@ -64,6 +64,7 @@ trivy rootfs [flags] ROOTDIR
|
||||
--registry-token string registry token
|
||||
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
|
||||
--reset remove all caches and database
|
||||
--reset-policy-bundle remove policy bundle
|
||||
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
|
||||
--scanners strings comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
|
||||
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
|
||||
|
||||
@@ -56,6 +56,7 @@ trivy vm [flags] VM_IMAGE
|
||||
--redis-tls enable redis TLS with public certificates, if using redis as cache backend
|
||||
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
|
||||
--reset remove all caches and database
|
||||
--reset-policy-bundle remove policy bundle
|
||||
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
|
||||
--scanners strings comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
|
||||
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
|
||||
|
||||
@@ -1160,7 +1160,7 @@ func validateArgs(cmd *cobra.Command, args []string) error {
|
||||
// '--clear-cache', '--download-db-only', '--download-java-db-only', '--reset' and '--generate-default-config' don't conduct the subsequent scanning
|
||||
if viper.GetBool(flag.ClearCacheFlag.ConfigName) || viper.GetBool(flag.DownloadDBOnlyFlag.ConfigName) ||
|
||||
viper.GetBool(flag.ResetFlag.ConfigName) || viper.GetBool(flag.GenerateDefaultConfigFlag.ConfigName) ||
|
||||
viper.GetBool(flag.DownloadJavaDBOnlyFlag.ConfigName) {
|
||||
viper.GetBool(flag.DownloadJavaDBOnlyFlag.ConfigName) || viper.GetBool(flag.ResetPolicyBundleFlag.ConfigName) {
|
||||
return nil
|
||||
}
|
||||
|
||||
|
||||
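Review bot: The comment above the condition still lists only '--clear-cache', '--download-db-only', '--download-java-db-only', '--reset' and '--generate-default-config' as the flags that skip scanning, so it no longer matches the condition that now also tests flag.ResetPolicyBundleFlag.ConfigName. Update it to `// '--clear-cache', '--download-db-only', '--download-java-db-only', '--reset', '--reset-policy-bundle' and '--generate-default-config' don't conduct the subsequent scanning`. validateArgs starts and ends outside the hunk.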
@@ -6,6 +6,8 @@ import (
|
||||
"fmt"
|
||||
"os"
|
||||
|
||||
"github.com/aquasecurity/trivy/pkg/policy"
|
||||
|
||||
"github.com/hashicorp/go-multierror"
|
||||
"github.com/spf13/viper"
|
||||
"golang.org/x/exp/slices"
|
||||
@@ -387,6 +389,18 @@ func (r *runner) initCache(opts flag.Options) error {
|
||||
}
|
||||
return SkipScan
|
||||
}
|
||||
|
||||
if opts.ResetPolicyBundle {
|
||||
c, err := policy.NewClient(fsutils.CacheDir(), true)
|
||||
if err != nil {
|
||||
return xerrors.Errorf("failed to instantiate policy client: %w", err)
|
||||
}
|
||||
if err := c.Clear(); err != nil {
|
||||
return xerrors.Errorf("failed to remove the cache: %w", err)
|
||||
}
|
||||
return SkipScan
|
||||
}
|
||||
|
||||
if opts.ClearCache {
|
||||
defer cacheClient.Close()
|
||||
if err = cacheClient.ClearArtifacts(); err != nil {
|
||||
|
||||
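Review bot: The error wrapping on the `c.Clear()` failure says "failed to remove the cache", but Clear removes the policy bundle directory and already wraps its own error as "failed to remove policy bundle", so the chained message would read "failed to remove the cache: failed to remove policy bundle: ...". Name what this layer is doing instead, e.g. `return xerrors.Errorf("failed to reset policy bundle: %w", err)`. The new branch also returns SkipScan without closing cacheClient, whereas the following --clear-cache branch does `defer cacheClient.Close()` first; if cacheClient is already open at this point (its creation is outside the hunk), the new branch should carry the same defer. initCache starts and ends outside the hunk.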
@@ -7,6 +7,12 @@ package flag
|
||||
// config-policy: "custom-policy/policy"
|
||||
// policy-namespaces: "user"
|
||||
var (
|
||||
ResetPolicyBundleFlag = Flag{
|
||||
Name: "reset-policy-bundle",
|
||||
ConfigName: "misconfiguration.reset-policy-bundle",
|
||||
Value: false,
|
||||
Usage: "remove policy bundle",
|
||||
}
|
||||
IncludeNonFailuresFlag = Flag{
|
||||
Name: "include-non-failures",
|
||||
ConfigName: "misconfiguration.include-non-failures",
|
||||
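Review bot: The Usage string "remove policy bundle" does not tell the user that the command stops after removing the bundle, which is how validateArgs and initCache treat this flag elsewhere in this commit (they return early and skip the scan). Consider `Usage: "remove policy bundle (no scan is performed)",` so the generated CLI reference reflects that behaviour. The var block continues outside the hunk.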
@@ -48,6 +54,7 @@ var (
|
||||
// MisconfFlagGroup composes common printer flag structs used for commands providing misconfinguration scanning.
|
||||
type MisconfFlagGroup struct {
|
||||
IncludeNonFailures *Flag
|
||||
ResetPolicyBundle *Flag
|
||||
|
||||
// Values Files
|
||||
HelmValues *Flag
|
||||
@@ -59,6 +66,7 @@ type MisconfFlagGroup struct {
|
||||
|
||||
type MisconfOptions struct {
|
||||
IncludeNonFailures bool
|
||||
ResetPolicyBundle bool
|
||||
|
||||
// Values Files
|
||||
HelmValues []string
|
||||
@@ -71,6 +79,7 @@ type MisconfOptions struct {
|
||||
func NewMisconfFlagGroup() *MisconfFlagGroup {
|
||||
return &MisconfFlagGroup{
|
||||
IncludeNonFailures: &IncludeNonFailuresFlag,
|
||||
ResetPolicyBundle: &ResetPolicyBundleFlag,
|
||||
HelmValues: &HelmSetFlag,
|
||||
HelmFileValues: &HelmSetFileFlag,
|
||||
HelmStringValues: &HelmSetStringFlag,
|
||||
@@ -86,6 +95,7 @@ func (f *MisconfFlagGroup) Name() string {
|
||||
func (f *MisconfFlagGroup) Flags() []*Flag {
|
||||
return []*Flag{
|
||||
f.IncludeNonFailures,
|
||||
f.ResetPolicyBundle,
|
||||
f.HelmValues,
|
||||
f.HelmValueFiles,
|
||||
f.HelmFileValues,
|
||||
@@ -97,6 +107,7 @@ func (f *MisconfFlagGroup) Flags() []*Flag {
|
||||
func (f *MisconfFlagGroup) ToOptions() (MisconfOptions, error) {
|
||||
return MisconfOptions{
|
||||
IncludeNonFailures: getBool(f.IncludeNonFailures),
|
||||
ResetPolicyBundle: getBool(f.ResetPolicyBundle),
|
||||
HelmValues: getStringSlice(f.HelmValues),
|
||||
HelmValueFiles: getStringSlice(f.HelmValueFiles),
|
||||
HelmFileValues: getStringSlice(f.HelmFileValues),
|
||||
|
||||
@@ -222,3 +222,11 @@ func (c *Client) GetMetadata() (*Metadata, error) {
|
||||
|
||||
return &meta, nil
|
||||
}
|
||||
|
||||
func (c *Client) Clear() error {
|
||||
log.Logger.Info("Removing policy bundle...")
|
||||
if err := os.RemoveAll(c.policyDir); err != nil {
|
||||
return xerrors.Errorf("failed to remove policy bundle: %w", err)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
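Review bot: Clear is an exported method with no doc comment, and its log line does not say which directory is about to be deleted, which makes a destructive os.RemoveAll hard to audit from the log afterwards. Add `// Clear removes the downloaded policy bundle directory (c.policyDir) from the cache.` above the method, and include the path in the log line, e.g. `log.Logger.Infof("Removing policy bundle from %s...", c.policyDir)`.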
@@ -388,3 +388,13 @@ func TestClient_DownloadBuiltinPolicies(t *testing.T) {
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestClient_Clear(t *testing.T) {
|
||||
cacheDir := t.TempDir()
|
||||
err := os.MkdirAll(filepath.Join(cacheDir, "policy"), 0755)
|
||||
require.NoError(t, err)
|
||||
|
||||
c, err := policy.NewClient(cacheDir, true)
|
||||
require.NoError(t, err)
|
||||
require.NoError(t, c.Clear())
|
||||
}
|
||||
|
||||
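Review bot: TestClient_Clear only checks that Clear returns nil; it never verifies that the directory it created was actually removed, so a Clear that silently did nothing would still pass. After `require.NoError(t, c.Clear())` add `_, err = os.Stat(filepath.Join(cacheDir, "policy"))` and `require.True(t, os.IsNotExist(err))`. This assumes the client's policy directory is `<cacheDir>/policy`, which the test already relies on when creating it but which is not visible in this hunk.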