feat: Add AWS Cloud scanning (#2493)

* feat: Added AWS Cloud scanning Co-authored-by: Owen Rumney <owen.rumney@aquasec.com>
2025-12-22 07:10:41 -08:00 · 2022-08-11 14:59:32 +01:00
parent f8edda8479
commit b259b25ce4
32 changed files with 2569 additions and 50 deletions
--- a/pkg/commands/app.go
+++ b/pkg/commands/app.go
@@ -6,12 +6,17 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"strings"
+	"time"
+
+	awsScanner "github.com/aquasecurity/defsec/pkg/scanners/cloud/aws"

 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 	"golang.org/x/xerrors"

 	"github.com/aquasecurity/trivy-db/pkg/metadata"
+	awscommands "github.com/aquasecurity/trivy/pkg/cloud/aws/commands"
 	"github.com/aquasecurity/trivy/pkg/commands/artifact"
 	"github.com/aquasecurity/trivy/pkg/commands/server"
 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
@@ -81,6 +86,7 @@ func NewApp(version string) *cobra.Command {
 		NewKubernetesCommand(globalFlags),
 		NewSBOMCommand(globalFlags),
 		NewVersionCommand(globalFlags),
+		NewAWSCommand(globalFlags),
 	)
 	rootCmd.AddCommand(loadPluginCommands()...)

@@ -787,6 +793,66 @@ func NewKubernetesCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 	return cmd
 }

+func NewAWSCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
+
+	awsFlags := &flag.Flags{
+		AWSFlagGroup:     flag.NewAWSFlagGroup(),
+		CloudFlagGroup:   flag.NewCloudFlagGroup(),
+		MisconfFlagGroup: flag.NewMisconfFlagGroup(),
+		ReportFlagGroup:  flag.NewReportFlagGroup(),
+	}
+
+	services := awsScanner.AllSupportedServices()
+
+	cmd := &cobra.Command{
+		Use:     "aws [flags]",
+		Aliases: []string{},
+		Args:    cobra.ExactArgs(0),
+		Short:   "scan aws account",
+		Long: fmt.Sprintf(`Scan an AWS account for misconfigurations. Trivy uses the same authentication methods as the AWS CLI. See https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html
+
+The following services are supported:
+- %s
+`, strings.Join(services, "\n- ")),
+		Example: `  # basic scanning
+  $ trivy aws --region us-east-1
+
+  # limit scan to a single service:
+  $ trivy aws --region us-east-1 --service s3
+
+  # limit scan to multiple services:
+  $ trivy aws --region us-east-1 --service s3 --service ec2
+
+  # force refresh of cache for fresh results
+  $ trivy aws --region us-east-1 --update-cache
+`,
+		PreRunE: func(cmd *cobra.Command, args []string) error {
+			if err := awsFlags.Bind(cmd); err != nil {
+				return xerrors.Errorf("flag bind error: %w", err)
+			}
+			return nil
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts, err := awsFlags.ToOptions(cmd.Version, args, globalFlags, outputWriter)
+			if err != nil {
+				return xerrors.Errorf("flag error: %w", err)
+			}
+			if opts.Timeout < time.Hour {
+				opts.Timeout = time.Hour
+				log.Logger.Debug("Timeout is set to less than 1 hour - upgrading to 1 hour for this command.")
+			}
+			return awscommands.Run(cmd.Context(), opts)
+		},
+		SilenceErrors: true,
+		SilenceUsage:  true,
+	}
+	cmd.SetFlagErrorFunc(flagErrorFunc)
+	awsFlags.AddFlags(cmd)
+	cmd.SetUsageTemplate(fmt.Sprintf(usageTemplate, awsFlags.Usages(cmd)))
+
+	return cmd
+}
+
 func NewSBOMCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 	reportFlagGroup := flag.NewReportFlagGroup()
 	reportFlagGroup.DependencyTree = nil // disable '--dependency-tree'