feat(image): add support for Docker CIS Benchmark (#3496)

Co-authored-by: chenk <hen.keinan@gmail.com>
2025-12-22 23:26:39 -08:00 · 2023-01-31 07:31:59 +02:00
parent 6eec9ac0a4
commit cb5af0b33b
18 changed files with 253 additions and 155 deletions
--- a/pkg/cloud/aws/commands/run_test.go
+++ b/pkg/cloud/aws/commands/run_test.go
@@ -9,6 +9,7 @@ import (
 	"time"

 	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
+	"github.com/aquasecurity/trivy/pkg/compliance/spec"
 	"github.com/aquasecurity/trivy/pkg/flag"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -646,7 +647,30 @@ deny[res] {
 				CloudOptions: flag.CloudOptions{
 					MaxCacheAge: time.Hour * 24 * 365 * 100,
 				},
-				ReportOptions: flag.ReportOptions{Compliance: "@./testdata/example-spec.yaml", Format: "table", ReportFormat: "summary"},
+				ReportOptions: flag.ReportOptions{
+					Compliance: spec.ComplianceSpec{
+						Spec: spec.Spec{
+							// TODO: refactor defsec so that the parsed spec can be passed
+							ID:          "@testdata/example-spec.yaml",
+							Title:       "my-custom-spec",
+							Description: "My fancy spec",
+							Version:     "1.2",
+							Controls: []spec.Control{
+								{
+									ID:          "1.1",
+									Name:        "Unencrypted S3 bucket",
+									Description: "S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.",
+									Checks: []spec.SpecCheck{
+										{ID: "AVD-AWS-0088"},
+									},
+									Severity: "HIGH",
+								},
+							},
+						},
+					},
+					Format:       "table",
+					ReportFormat: "summary",
+				},
 			},
 			cacheContent: exampleS3Cache,
 			want: `
@@ -654,28 +678,10 @@ Summary Report for compliance: my-custom-spec
 ┌─────┬──────────┬───────────────────────┬────────┬────────┐
 │ ID  │ Severity │     Control Name      │ Status │ Issues │
 ├─────┼──────────┼───────────────────────┼────────┼────────┤
-│ 1.1 │ HIGH     │ Unencrypted S3 bucket │  FAIL  │   1    │
+│ 1.1 │   HIGH   │ Unencrypted S3 bucket │  FAIL  │   1    │
 └─────┴──────────┴───────────────────────┴────────┴────────┘
-
-
 `,
 		},
-		{
-			name:      "error loading compliance report",
-			expectErr: true,
-			options: flag.Options{
-				AWSOptions: flag.AWSOptions{
-					Region:   "us-east-1",
-					Services: []string{"s3"},
-					Account:  "12345678",
-				},
-				CloudOptions: flag.CloudOptions{
-					MaxCacheAge: time.Hour * 24 * 365 * 100,
-				},
-				ReportOptions: flag.ReportOptions{Compliance: "@./testdata/nosuchspec.yaml", Format: "table", ReportFormat: "summary"},
-			},
-			cacheContent: exampleS3Cache,
-		},
 	}
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {