* chore: add integration label and merge security label
* use the kind/security label for vulnerabilities
Co-authored-by: knqyf263 <knqyf263@gmail.com>
* fix: support for helm chart *.tar.gz
- add test to validate
Signed-off-by: Owen Rumney <owen.rumney@aquasec.com>
* fix: adding missing test tar
Signed-off-by: Owen Rumney <owen.rumney@aquasec.com>
* feat: adding helm support
- adding tests for helm analyzer
- add test for non helm tarball
- adding in-memory filesystem for helm
- handle multiple charts at a time
- check the size is smaller than arbitrary size of 200MB if a tarball
* fix(secrets): added '/' for file paths derived from image
* refactor(secrets): used input.Dir to find image scan
* test(secrets): added path to image-config.yaml
* fix(k8s): summary report when when only vulns exit
Signed-off-by: Jose Donizetti <jdbjunior@gmail.com>
* fix(k8s): return error for not supported report
Signed-off-by: Jose Donizetti <jdbjunior@gmail.com>
* test(k8s): add tests for report Failed()
Signed-off-by: Jose Donizetti <jdbjunior@gmail.com>
* refactor: improve error message
Signed-off-by: Jose Donizetti <jdbjunior@gmail.com>
* feat(k8s): Add report flag for summary
* chore: add headings to the severity columns
* chore: make the default output of k8s summary table
Signed-off-by: Owen Rumney <owen.rumney@aquasec.com>
This is being mitigated in defsec as well to prevent results with no
filename getting through to fanal
Signed-off-by: Owen Rumney <owen.rumney@aquasec.com>
The Label Schema Convention has been deprecated in favor of the OCI
image spec.
Update the gorelease config to use the new replacement fields.
This is not considered a breaking change, as it only touches metadata
and the Label Schema Convention is deprecated for over two years (March
2019).
Most fields only need to be renamed. `org.label-schema.schema-version`
could be removed without replacement.
`org.opencontainers.image.documentation` was added to link to the
Github page documentation in the exact version.
`org.opencontainers.image.url` was added pointing to the Aqua Security
product page of trivy.
Further labels were considered but not added (unclear purpose or value).
Find the `*.proto` files and run in a `for loop` to run `protoc`
for each file in a separated command. If fail, `|| exit` will exit
with the returned error.
The POSIX standard specifies that the return status of `find` is 0
unless an error occurred while traversing the directories;
the return status of executed commands doesn't enter into it.
To overcome this limitation, the `-exec ... +` pattern could be used
From the docs (https://man7.org/linux/man-pages/man1/find.1.html):
"If any invocation with the `+' form returns a non-zero
value as exit status, then find returns a non-zero exit
status."
But as well, "This variant of the -exec action runs the specified command
on the selected files, but the command line is built by appending each selected
file name at the end;"
Unfortunately, at the moment `protoc-gen-twirp` plugin doesn't
support multiple files from different packages when the `go_package` option
is explicitly mentioned.
https://github.com/twitchtv/twirp/blob/main/protoc-gen-twirp/generator.go#L181-L185
Signed-off-by: Yuval Goldberg <yuvigoldi@gmail.com>
- rework some of the iac tests to be more flexible to change
- update the scanner to use the moved parser
- everything is now in defsec now for CF parsing, scanning and testing
- new version of cfsec brought in with latest fanal
- fixes issue where cfsec treats files as CloudFormation when they
arent
- fixes issuee where invalid content errors are surfaced to Trivy
- Gets addition of service and provider on the IaC results - this is not
visible to others
* chore(release): add ubuntu older versions to deploy script
`ubuntu-distro-info --supported` returns only versions: `bionic`, `focal`, `hirsute`, `impish` and `jammy`.
`ubuntu-distro-info --supported-esm` returns another versions: `trusty`, `xenial`, `bionic`, `focal` and `jammy`.
for the release script we should use the union of these sets.
Fixes#1194
* change `uniq` command to `-u` parameter
* feat(iac): Adding resource and Line data
- adding line in file information to the misconfiguration result
- updating tfsec and cfsec versions to provide this additional info
* Add usage of IaC metadata
* update the fanal version
* feature(iac): Add location and resource to Results
- add the iac resource and line in file information for tfsec and cfsec
- update the version of tfsec and cfsec
The current install.sh script logs all messages to stderr via ```echoerr()``` function. Since godownloader is no longer maintained, it seems reasonable to update install.sh here.
* Add new networking API features to Ingress
This PR adds `v1` of the networking API introduced with k8s 1.19.
It also adds the new field `ingressClassName` introduced with k8s 1.18.
Fixes#1261
* Also query for the Kind in the capabilities
Signed-off-by: Christian Zunker <christian.zunker@codecentric.cloud>
The io/ioutil package has been deprecated as of Go 1.16, see
https://golang.org/doc/go1.16#ioutil. This commit replaces the existing
io/ioutil functions with their new definitions in io and os packages.
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
* Made below changes
1. To avoid confusion, changed the layer(blobinfo) size to uncompressed size
2. Added v1.configfile as return type of inspect method
Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>
* fix(oracle): handle advisories contain ksplice versions
Improve a handling of advisories contain ksplice versions:
* when one of them doesn't have ksplice, we'll also skip it
* extract kspliceX and compare it with kspliceY in advisories
* if kspliceX and kspliceY are different, we will skip the advisory.
Fixes#1205
* fix(oracle): handle advisories contain ksplice versions
simplify code and remove duplicated tests
Fixes#1205
* run go fmt
There is a closure inside a function for Action field: variable p always refers on the last plugin.
solution: redefine variable inside the for loop.
Fixes#1086
* Capture license information for apk packages
* changed order or license info in package struct
* Remove space replacement with comma for license info
SLE 15.3 is about to be released and will be maintained until
6 months after 15.4. this allows us to guess the 15 SP2 EOL date,
so updating that as well.
* Update Fanal library reference
This commit updates Fanal library version to latest which
includes support for Google artifact repository.
* chore(mod): tidy
Co-authored-by: knqyf263 <knqyf263@gmail.com>
* Added support for list all packages flag in client
This commit is to support --list-all_pkgs argument in client command
Example command: trivy -d client --list-all-pkgs --remote http://localhost:8080 ubuntu:18.04.
* Updated argument in client.md
* Fixed all format issues
* feat: Support Google artifact registry
This commit adds the capability to scan images from Google artifact
registry(GAR). GAR domains were earlier rejected by Trivy e.g.
europe-west3-docker.pkg.dev etc. With this change, we will treat domain
ending with 'docker.pkg.dev' as GAR domain and use gcloud sdk to fetch
credentials from provided file or credstore.
* refactor: rename GCR to Registry
Co-authored-by: knqyf263 <knqyf263@gmail.com>
* Add uncompressed layer size
This commit will help in getting uncompressed layer sizes. Can sum up these layer sizes to get the actual image size
* Removed unnecessary exception
* refactor
Co-authored-by: knqyf263 <knqyf263@gmail.com>
* Add gitlab codequality template
* add unit test for gitlab codequality template
* update line endings to msdos (\r\n) from unix
* update gitlab docs for codeclimate template
* fix(go): if patchedVersion is empty mark it as vulnerable
* fix(go): skip checking for vulnerable version if empty
* fix(go): refactored empty check at start of match
* fix(go): added unit test for empty patched/vulnerable version
* Add HIGH severity to Trivy command in GitLab CI example to match comment
* Change comment to accurately reflect Trivy command that fails only on CRITICAL vulnerabilities
* feat(GoBinary) support gobinary and add test
* update(modules) update go-dep-parser
* test(gobinary) update test
* fix(library): return nil with empty result
* test(library): add tests
* refactor: group imports
* chore: update .gitignore
* Update README.md
* refactor(gobinary): update an error
* chore(ci): bunp up Go to 1.16
Co-authored-by: knqyf263 <knqyf263@gmail.com>
* Update SARIF repot template
* Update test data sarif.golden
* Fix golangci-lint issue
* Add test cases
* Address review feedbacks
* Inline value in assert statement
* Fix location Uri format issue
* Update install docs to make commands consistent
Removed `$` prefixes from code blocks to make them constant across the page and make the commands copypasta-able.
* Revert change on docs which need manual changes
* Minimal WIP cross platform build with goreleaser
* Add Docker manifest, update docker image tags
* Update GH release workflow
* Comment out ECR image repo and RPM/DEB generation
* Enable and set up Docker Buildx for multi-platform builds
Also add caching of Go modules
* Add Docker Buildx support, re-enable parent repo workflows
* Add Docker Buildx support for multi-arch image builds
* Added Docker Buildx setup into `build-test` job of `test` workflow
Otherwise the `test` workflow will fail.
Also updated `setup-go` GH action to latest version, v2, per request
of @krol3
* feat(config): support HCL1 files
* feat(config): support HCL2 files
* feat(hcl): add Version()
* feat(config): support HCL files
- combine HCL2.0 and HCL1.0 parsing, checking for conformation to HCL2.0
spec first
- checks for HCL1.0 conformation if content does not comply with HCL2.0
spec
- parsing returns an error only if file content does not
comply with BOTH HCL2.0 and HCL1.0
* add Type() test
Co-authored-by: knqyf263 <knqyf263@gmail.com>
* mkdocs: add top level nav
* mkdocs: add installation nav
* mkdocs: add quick-start nav
* mkdocs: add examples nav
* mkdocs: add CI nav
* mkdocs: add vuln-detection nav
* mkdocs: add comparison nav
* mkdocs: add usage nav
* mkdocs: add migration nav
* mkdocs: add FAQ nav
* mkdocs: add mkdocs.yml
* mkdocs: add github workflow
* docs: update documents
* fix links
* chore(ci): use ORG_GITHUB_TOKEN
* chore(mkdocs): use mike
* chore(ci): support dev
* chore(ci): documentation test
Co-authored-by: knqyf263 <knqyf263@gmail.com>
* refactor(scan): rename image to artifact
* refactor(scan): trim version suffixes for debug info
* chore(mod): update fanal
* refactor: reduce complexity
* chore(mod): update fanal
* refactor(scan): early return
* feat(config): support Dockerfile
* update namings and add Type() test
* only accepts dockerfile as ext/base name
* simplify dockerfile check
* add test case
* Add sprig template function to template writer
* gofmt corrected
* includes corrected
* GoFMT corrected
* Added accidentically removed template functions
* Corrected use of template-file
* Add sprig test
* Add short example for sprig.
As suggested by the go-redis client, parse the url to get the config.
This will fix problems, when the url contains a username and/or password.
Fixes#798
Signed-off-by: Christian Zunker <christian.zunker@codecentric.cloud>
* Fix errors in SARIF format
* Fix one golden file for integration tests
* Fix golden file
* Fix golden again :>
* Update sarif.tpl
* Update alpine-310.sarif.golden
* Remove global flags from subcommands
If the global flags are added to the subcommand as well as being used
globally, their value will be overwritten when the arguments for the
subcommand are parsed. This leads to the value passed to the flag at the
global position being lost.
* Update readme
You can now specify redis as caching as backend.
The default is still the filesystem.
In case redis is added as caching backend, the cache-dir is still
used for the vulnerability database.
Fixes#781
Signed-off-by: Christian Zunker <christian.zunker@codecentric.cloud>
* Initial nuget advisory detector code.
Signed-off-by: Johannes Tegnér <johannes@jitesoft.com>
* Added nuget package to scan.go
Signed-off-by: Johannes Tegnér <johannes@jitesoft.com>
* Removed nuget advisory file and instead added csharp/nuget as a driver in driver.go.
Signed-off-by: Johannes Tegnér <johannes@jitesoft.com>
* Removed nuget package from driver. Added ghasnuget as a source in vulnerability.go
Signed-off-by: Johannes Tegnér <johannes@jitesoft.com>
* Updated nuget driver to use correct name and to initialize with the new generic scanner.
Signed-off-by: Johannes Tegnér <johannes@jitesoft.com>
* refactor: cut out to a separate method
* chore(mod): update trivy-db
* fix(driver): add a general driver
* test(ghsa): add nuget
* chore: update README
Co-authored-by: knqyf263 <knqyf263@gmail.com>
* feat(cache): support Redis
* chore(mod): update
* feat(main): support Redis
* test: update error messages according to different errors on GitHub Actions
* feat(redis): add prefix
* fix an error
Co-authored-by: Daniel Pacak <pacak.daniel@gmail.com>
* fix an error
Co-authored-by: Daniel Pacak <pacak.daniel@gmail.com>
* fix(main): defer close
* test(redis): fix error messages
* test(redis): count current connections
Co-authored-by: Daniel Pacak <pacak.daniel@gmail.com>
* test(redis): use structs instead of string literals
Co-authored-by: Daniel Pacak <pacak.daniel@gmail.com>
* (fix): Make the table output less wide.
Currently the table outupt can be as long as 200 characters wide in some
images like nginx:1.16
This PR merges the Title and the URL columns to shorten it.
With this change the longest column has reduced from 200 -> 162 (-19%).
Signed-off-by: Simarpreet Singh <simar@linux.com>
* (fix): Remove Debian TEMP-* links.
These links are quite wide. Removing them makes it 200 -> 143 (-28.5%) shorter for table output.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* Revert "(fix): Remove Debian TEMP-* links."
This reverts commit 228540f7c3.
without that you get this arning:
WARN This OS version is not on the EOL list: suse linux enterprise server 15.2
which is actually misleading because 15.2 is the most current release,
we just don't know when it ends. we can however assume that it runs
for at least another year.
Signed-off-by: Dirk Mueller <dirk@dmllr.de>
Signed-off-by: Dirk Mueller <dmueller@suse.com>
* Warn when a user attempts to use trivy without a detectable lockfile
* Update pkg/scanner/local/scan.go
Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>
Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>
* Skip downloading DB if a remote DB is not updated
* Apply suggestions from code review
Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>
* update github.com/aquasecurity/trivy-db version
* fix lint
* Use UTC datetime
* display DownloadedAt info in debug log
* refactor(db): merge isLatestDB into isNewDB
Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>
* add linter supports
* add only minor version
* use latest version
* Fix println with format issue
* Fix test
* Fix tests
* For slice with unknown length, preallocating the array
* fix code-coverage
* Removed linter rules
* Reverting linter fixes, adding TODO for later
* Ignore linter error for import
* Remove another err var.
* Ignore shadow error
* Fixes
* Fix issue
* Add back goimports local-prefixes
* Update local prefixes
* Removed extra spaces and merge the imports
* more refactoring
* Update photon.go
Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>
* Add contrib/ to the release chain for Docker
Add the complete contrib/ folder to the release chain
* Include all template files to the tar.gz archives
This improves the installation step in `.gitlab-ci.yml`.
- Removes unnecessary installation and use of `curl` (replaces it with `wget`)
- Removes storing the intermediate file by using a pipe to `tar`
Before this change, only a subset of templates were included in the docker image.
Now all templates which are part of the git repo will be included when the docker image will be build, a future commit for every new template is not needed anymore
Condition:- Specify an image name and tag ":" separated.
If correct image name and tag is specified ":" separated, image with given tag will be return otherwise first one will be return
* Added test and support of ASFF template
* Improve test coverage
* Fixed/Improved tests
* Removed extra space
* Added NVD score/vectors, Added logic to trim description due to file size restriction
* Included quotations around AccountID
* fix: Due read after write consistency in S3 missingLayers called the actual object that created cache 403 response
This change creating index file for each object so missingLayers will not hit object that not exist.
* fix comments error description
Co-authored-by: oranmoshai <oran.moshai@aquasec.com>
* test(integration): move to the test directory
* chore: update fixtures path
* test: put common test images under the test directory
* chore(Makefile): rename
* feat: support local filesystem and remote git repository [PART 1] (fanal#109)
* feat(walker): add tar/fs walker
* fs_test: Add test names
Signed-off-by: Simarpreet Singh <simar@linux.com>
* walk_test: Add Test_isIgnored
Signed-off-by: Simarpreet Singh <simar@linux.com>
* feat: support local filesystem and remote git repository [PART 2] (fanal#110)
* refactor(analyzer): merge OSAnalyzer, PkgAnalyze, LibAnalyzer into
Analyzer
* test: comment out temporarily
* fix(amazon): check the length
* fix(analyzer): make AnalysisResult a reference
* library/analyzer: Refactor library analyzer code.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* feat: support local filesystem and remote git repository [PART 3] (fanal#111)
* refactor(image): move directory
* feat(applier): add applier
* fix(apk): replace extractor with applier
* test: comment out temporarily
* feat: support local filesystem and remote git repository [PART 4] (fanal#112)
* feat(artifact): add image, local and remote artifact
* image_test: Rename test field to use new convention
Signed-off-by: Simarpreet Singh <simar@linux.com>
* image_test: Add a test for put artifact failure
Signed-off-by: Simarpreet Singh <simar@linux.com>
* refactor(remote): remove unnecessary files for unit test
* feat: support local filesystem and remote git repository [PART 5] (fanal#113)
* test(integration): fix tests
* feat: support local filesystem and remote git repository [PART 6] (fanal#114)
* feat(main): add sub commands
* refactor(types): remove unused type
* chore(mod): update
* test(artifact): add mock
* fix(analyzer): redhat must be replaced with oracle
* fix(analyzer): debian must be replaced with ubuntu
* fix(fs): display dir when hostname is empty
Co-authored-by: Simarpreet Singh <simar@linux.com>
Co-authored-by: Simarpreet Singh <simar@linux.com>
* fix: make AnalysisResult a reference
Co-authored-by: Simarpreet Singh <simar@linux.com>
* refactor(walker): fix comment
Co-authored-by: Simarpreet Singh <simar@linux.com>
Co-authored-by: Simarpreet Singh <simar@linux.com>
Co-authored-by: Simarpreet Singh <simar@linux.com>
* Add S3 support for layer caching this will allow to save image results on managed persistent object store
* Working on PR comments
Co-authored-by: oranmoshai <oran.moshai@aquasec.com>
* analyzer: Send back package and apps info for unknown OS if found.
We should send back package and apps info if found even
in the case of an unknown OS. Example Dockerfile:
```
$ cat Dockerfile
FROM hello-world
ADD https://raw.githubusercontent.com/aquasecurity/trivy-ci-test/master/Cargo.lock .
```
Should say ErrUnknownOS but still scan the Cargo vulns.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* fix(analyzer): send back package and apps info even if there is no package found
* fix(main): handle specific errors
Co-authored-by: knqyf263 <knqyf263@gmail.com>
* feat(image): support OCI Image Format
* refactor: rename NewDockerArchiveImage to NewArchiveImage
* test: rename TestNewDockerArchiveImage to TestNewArchiveImage
* fix: introduce go-multierror
* image: add more sad paths for tryOCI func
Signed-off-by: Simarpreet Singh <simar@linux.com>
* test(image): add more test case
Co-authored-by: Simarpreet Singh <simar@linux.com>
* feat(extractor): switch to layer ID of origin layer
* integration: update golden file for vuln-image
This file was updated during a COVID-19 crisis.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* test(docker): sort applications
* test(docker): fix order
Co-authored-by: Simarpreet Singh <simar@linux.com>
* analyzer: Include layerID as part of LayerInfo
Signed-off-by: Simarpreet Singh <simar@linux.com>
* Add LayerID to Package struct
Signed-off-by: Simarpreet Singh <simar@linux.com>
* analyzer: Remove ID from returned layerInfo
Signed-off-by: Simarpreet Singh <simar@linux.com>
* analyzer: Handle missing layer.ID from cached layer
Signed-off-by: Simarpreet Singh <simar@linux.com>
* extractor/docker: Cleanup logic to avoid extra slice usage
Signed-off-by: Simarpreet Singh <simar@linux.com>
* integration: Fix golden files to include LayerID
Signed-off-by: Simarpreet Singh <simar@linux.com>
* analyzer: Remove condition for adding layer.ID
Signed-off-by: Simarpreet Singh <simar@linux.com>
* types: Introduce types.LibraryInfo
Signed-off-by: Simarpreet Singh <simar@linux.com>
* docker: Add LayerID to each LibraryInfo
Signed-off-by: Simarpreet Singh <simar@linux.com>
* .github/bench: Bump up docker version
Signed-off-by: Simarpreet Singh <simar@linux.com>
* intergration/perf: Remove other OSes for the timebeing.
Looks like Github CI is running out of space while running
other tests. Until we find a better solution we need to comment
out bigger OSes.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* fix(image): call Close() via cleanup funcion
* refactor(type): add omitempty
* analyzer: Change to types.LibraryInfo in analzyer.go
Signed-off-by: Simarpreet Singh <simar@linux.com>
* wip: add CleanupDockerExtractorFn for cleanup
Signed-off-by: Simarpreet Singh <simar@linux.com>
* refactor(analyzer): remove un-needed function
* test(cache): comment in
* Revert "wip: add CleanupDockerExtractorFn for cleanup"
This reverts commit dabfae104bf6d63492823c6c3eb94175d26eabad.
* Revert ".github/bench: Bump up docker version"
This reverts commit b982c46861e1cc0851d53621c0e68ac40918d755.
* refactor(analyzer): sort imports
* test(cache): remove debug code
* test(cache): format
* chore(image): remove debug code
Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>
* integration: Add a test to use fanal as a library
Signed-off-by: Simarpreet Singh <simar@linux.com>
* integration: Table driven library_tests
Signed-off-by: Simarpreet Singh <simar@linux.com>
* integration: Add even more OSes to the docker mode test
Signed-off-by: Simarpreet Singh <simar@linux.com>
* library_test: run tests in parallel
Signed-off-by: Simarpreet Singh <simar@linux.com>
* .git: Update gitignore with trivy images dir
Signed-off-by: Simarpreet Singh <simar@linux.com>
* library_test: add golden files for packages
Signed-off-by: Simarpreet Singh <simar@linux.com>
* library_test: Run all tests in parallel
Signed-off-by: Simarpreet Singh <simar@linux.com>
* library_test: Refactor check logic to run twice.
Once for no cache, once with cache.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* library_test: Fix cache invocation
Signed-off-by: Simarpreet Singh <simar@linux.com>
* integration: Add a more comprehensive image for library_test
Signed-off-by: Simarpreet Singh <simar@linux.com>
* library_test: Introduce anon struct type
Signed-off-by: Simarpreet Singh <simar@linux.com>
* travis: add make test-integration
Signed-off-by: Simarpreet Singh <simar@linux.com>
* travis: Upgrade docker version
Signed-off-by: Simarpreet Singh <simar@linux.com>
* change mod genuinetools/reg to vanilla
Instead of using tomoyamachi's fork we can now use the vanilla upstream
package genuinetools/reg. This package gets better maintenance.
Also introducing new checksums for reg's children/dependecies.
Signed-off-by: Jakub Bielecki <jakub.bielecki@codilime.com>
* go mod tidy
Workaround for a deficient Ping implementation of reg package.
Ping fails on docker registries that return http 401
Authentication Required when requesting general /v2 url, but
happily allow unauthenticated pull of a specific image.
Closesaquasecurity/trivyfanal#229
Signed-off-by: Jakub Bielecki <jakub.bielecki@codilime.com>
* extract all files in target require filedirs
* use separator to string
* change dpkg file match algorithm
* use filepath.Clean
* add test for target dir files
- Adds a new analyzer error for "no packages detected"
- Package analyzers now return the common "no packages detected" error
- Returned errors from the package analyzers are checked against the
common "no packages detected" errors and filters those out. Other
errors will now be passed back to the user for debugging.
* fix genuinetools/reg module version
* merge ubuntu analyzer into debianbase analyzer
* add os analyzer tests
* add redhat base test
* add redhatbase test file
* use AnalyzeOsError
* add gitignore empty folder
* change variable name in test codes
* skip coverage check on forked project
Thank you for taking interest in contributing to Trivy !
## Issues
- Feel free to open issues for any reason. When you open a new issue, you'll have to select an issue kind: bug/feature/support and fill the required information based on the selected template.
- Please spend a small amount of time giving due diligence to the issue tracker. Your issue might be a duplicate. If it is, please add your comment to the existing issue.
- Remember users might be searching for your issue in the future, so please give it a meaningful title to help others.
- The issue should clearly explain the reason for opening, the proposal if you have any, and any relevant technical information.
## Pull Requests
1. Every Pull Request should have an associated bug or feature issue unless you are fixing a trivial documentation issue.
1. Your PR is more likely to be accepted if it focuses on just one change.
1. Describe what the PR does. There's no convention enforced, but please try to be concise and descriptive. Treat the PR description as a commit message. Titles that starts with "fix"/"add"/"improve"/"remove" are good examples.
1. Please add the associated Issue in the PR description.
1. There's no need to add or tag reviewers.
1. If a reviewer commented on your code or asked for changes, please remember to mark the discussion as resolved after you address it. PRs with unresolved issues should not be merged (even if the comment is unclear or requires no action from your side).
1. Please include a comment with the results before and after your change.
1. Your PR is more likely to be accepted if it includes tests (We have not historically been very strict about tests, but we would like to improve this!).
1. If your PR affects the user experience in some way, please update the Readme and the CLI help accordingly.
## Understand where your pull request belongs
Trivy is composed of several different repositories that work together:
- [Trivy](https://github.com/aquasecurity/trivy) is the client-side, user-facing, command line tool.
- [vuln-list](https://github.com/aquasecurity/vuln-list) is a vulnerabilities database, aggregated from different sources, and normalized for easy consumption. This of this as the "server" side of the trivy command line tool. **There should be no pull requests to this repo**
- [vuln-list-update](https://github.com/aquasecurity/vuln-list-update) is the code that maintains the vuln-list database.
- [fanal](https://github.com/aquasecurity/fanal) is a library for extracting system information containers. It is being used by Trivy to find testable subjects in the container image.
See [Issues](https://aquasecurity.github.io/trivy/latest/community/contribute/issue/) and [Pull Requests](https://aquasecurity.github.io/trivy/latest/community/contribute/pr/)
You have to know where to put the DB file. The following command shows the default cache directory.
```
$ ssh user@host
$ trivy -h | grep cache
--cache-dir value cache directory (default: "/home/myuser/.cache/trivy") [$TRIVY_CACHE_DIR]
```
Put the DB file in the cache directory + `/db`.
```
$ mkdir -p /home/myuser/.cache/trivy/db
$ cd /home/myuser/.cache/trivy/db
$ mv /path/to/trivy-offline.db.tgz .
```
Then, decompress it.
`trivy-offline.db.tgz` file includes two files, `trivy.db` and `metadata.json`.
```
$ tar xvf trivy-offline.db.tgz
x trivy.db
x metadata.json
$ rm trivy-offline.db.tgz
```
In an air-gapped environment it is your responsibility to update the Trivy database on a regular basis, so that the scanner can detect recently-identified vulnerabilities.
## Run Trivy with --skip-update option
In an air-gapped environment, specify `--skip-update` so that Trivy doesn't attempt to download the latest database file.
Thank you for taking interest in contributing to Trivy!
- Feel free to open issues for any reason. When you open a new issue, you'll have to select an issue kind: bug/feature/support and fill the required information based on the selected template.
- Please spend a small amount of time giving due diligence to the issue tracker. Your issue might be a duplicate. If it is, please add your comment to the existing issue.
- Remember that users might search for your issue in the future, so please give it a meaningful title to help others.
- The issue should clearly explain the reason for opening, the proposal if you have any, and any relevant technical information.
## Wrong detection
Trivy depends on [multiple data sources](https://aquasecurity.github.io/trivy/latest/docs/vulnerability/detection/data-source/).
Sometime these databases contain mistakes.
If Trivy can't detect any CVE-IDs or shows false positive result, at first please follow the next steps:
1. Run Trivy with `-f json` that shows data sources.
2. According to the shown data source, make sure that the security advisory in the data source is correct.
If the data source is correct and Trivy shows wrong results, please raise an issue on Trivy.
### GitHub Advisory Database
Visit [here](https://github.com/advisories) and search CVE-ID.
If you find a problem, it'll be nice to fix it: [How to contribute to a GitHub security advisory](https://github.blog/2022-02-22-github-advisory-database-now-open-to-community-contributions/)
### GitLab Advisory Database
Visit [here](https://advisories.gitlab.com/) and search CVE-ID.
If you find a problem, it'll be nice to fix it: [Create an issue to GitLab Advisory Database](https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/issues/new)
### Red Hat CVE Database
Visit [here](https://access.redhat.com/security/security-updates/?cwe=476#/cve) and search CVE-ID.
Thank you for taking interest in contributing to Trivy!
1. Every Pull Request should have an associated bug or feature issue unless you are fixing a trivial documentation issue.
1. Please add the associated Issue link in the PR description.
1. Your PR is more likely to be accepted if it focuses on just one change.
1. There's no need to add or tag reviewers.
1. If a reviewer commented on your code or asked for changes, please remember to respond with comment. Do not mark discussion as resolved. It's up to reviewer to mark it resolved (in case if suggested fix addresses problem properly). PRs with unresolved issues should not be merged (even if the comment is unclear or requires no action from your side).
1. Please include a comment with the results before and after your change.
1. Your PR is more likely to be accepted if it includes tests (We have not historically been very strict about tests, but we would like to improve this!).
1. If your PR affects the user experience in some way, please update the README.md and the CLI help accordingly.
### Title
It is not that strict, but we use the title conventions in this repository.
Each commit message doesn't have to follow the conventions as long as it is clear and descriptive since it will be squashed and merged.
#### Format of the title
```
<type>(<scope>): <subject>
```
The `type` and `scope` should always be lowercase as shown below.
**Allowed `<type>` values:**
- **feat** for a new feature for the user, not a new feature for build script. Such commit will trigger a release bumping a MINOR version.
- **fix** for a bug fix for the user, not a fix to a build script. Such commit will trigger a release bumping a PATCH version.
- **perf** for performance improvements. Such commit will trigger a release bumping a PATCH version.
- **docs** for changes to the documentation.
- **style** for formatting changes, missing semicolons, etc.
- **refactor** for refactoring production code, e.g. renaming a variable.
- **test** for adding missing tests, refactoring tests; no production code change.
- **build** for updating build configuration, development tools or other changes irrelevant to the user.
- **chore** for updates that do not apply to the above, such as dependency updates.
- **ci** for changes to CI configuration files and scripts
- **revert** for revert to a previous commit
**Allowed `<scope>` values:**
checks:
- vuln
- misconf
- secret
- license
mode:
- image
- fs
- repo
- sbom
- server
os:
- alpine
- redhat
- alma
- rocky
- mariner
- oracle
- debian
- ubuntu
- amazon
- suse
- photon
- distroless
language:
- ruby
- php
- python
- nodejs
- rust
- dotnet
- java
- go
vuln:
- os
- lang
config:
- kubernetes
- dockerfile
- terraform
- cloudformation
container
- docker
- podman
- containerd
- oci
cli:
- cli
- flag
others:
- helm
- report
- db
- deps
The `<scope>` can be empty (e.g. if the change is a global or difficult to assign to a single component), in which case the parentheses are omitted.
#### Example titles
```
feat(alma): add support for AlmaLinux
```
```
fix(oracle): handle advisories with ksplice versions
```
```
docs(misconf): add comparison with Conftest and TFsec
```
```
chore(deps): bump go.uber.org/zap from 1.19.1 to 1.20.0
```
**NOTE**: please do not use `chore(deps): update fanal` and something like that if you add new features or fix bugs in Trivy-related projects.
The PR title should describe what the PR adds or fixes even though it just updates the dependency in Trivy.
### Unit tests
Your PR must pass all the unit tests. You can test it as below.
```
$ make test
```
### Integration tests
Your PR must pass all the integration tests. You can test it as below.
```
$ make test-integration
```
### Documentation
You can build the documents as below and view it at http://localhost:8000.
```
$ make mkdocs-serve
```
## Understand where your pull request belongs
Trivy is composed of several repositories that work together:
- [Trivy](https://github.com/aquasecurity/trivy) is the client-side, user-facing, command line tool.
- [vuln-list](https://github.com/aquasecurity/vuln-list) is a vulnerabilities database, aggregated from different sources, and normalized for easy consumption. Think of this as the "server" side of the trivy command line tool. **There should be no pull requests to this repo**
- [vuln-list-update](https://github.com/aquasecurity/vuln-list-update) is the code that maintains the vuln-list database.
- [trivy-db](https://github.com/aquasecurity/trivy-db) maintains the vulnerability database pulled by Trivy CLI.
- [go-dep-parser](https://github.com/aquasecurity/go-dep-parser) is a library for parsing lock files such as package-lock.json and Gemfile.lock.
Triage is an important part of maintaining the health of the trivy repo.
A well organized repo allows maintainers to prioritize feature requests, fix bugs, and respond to users facing difficulty with the tool as quickly as possible.
Triage includes:
- Labeling issues
- Responding to issues
- Closing issues
@@ -185,11 +188,11 @@ We use two labels [help wanted](https://github.com/aquasecurity/trivy/issues?q=i
and [good first issue](https://github.com/aquasecurity/trivy/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22)
to identify issues that have been specially groomed for new contributors.
We have specific [guidelines](/docs/help-wanted.md)
We have specific [guidelines](/docs/community/maintainer/help-wanted.md)
for how to use these labels. If you see an issue that satisfies these
guidelines, you can add the `help wanted` label and the `good first issue` label.
Please note that adding the `good first issue` label must also
add the `help wanted` label.
If an issue has these labels but does not satisfy the guidelines, please
ask for more details to be added to the issue or remove the labels.
ask for more details to be added to the issue or remove the labels.
The open source community has been hard at work developing new tools for Trivy. You can check out some of them here.
Have you created a tool that’s not listed? Add the name and description of your integration and open a pull request in the GitHub repository to get your change merged.
| [Continuous Vulnerability Testing with Trivy][semaphore-tutorial] | Tutorial on scanning code, containers, infrastructure, and Kubernetes with Semaphore CI/CD. |
| [Trivy Vulnerability Explorer][explorer] | Explore trivy vulnerability reports in your browser and create .trivyignore files interactively. Can be integrated in your CI/CD tooling with deep links. |
You have to know where to put the DB file. The following command shows the default cache directory.
```
$ ssh user@host
$ trivy -h | grep cache
--cache-dir value cache directory (default: "/home/myuser/.cache/trivy") [$TRIVY_CACHE_DIR]
```
Put the DB file in the cache directory + `/db`.
```
$ mkdir -p /home/myuser/.cache/trivy/db
$ cd /home/myuser/.cache/trivy/db
$ tar xvf /path/to/db.tar.gz -C /home/myuser/.cache/trivy/db
x trivy.db
x metadata.json
$ rm /path/to/db.tar.gz
```
In an air-gapped environment it is your responsibility to update the Trivy database on a regular basis, so that the scanner can detect recently-identified vulnerabilities.
### Run Trivy with --skip-update and --offline-scan option
In an air-gapped environment, specify `--skip-update` so that Trivy doesn't attempt to download the latest database file.
In addition, if you want to scan Java dependencies such as JAR and pom.xml, you need to specify `--offline-scan` since Trivy tries to issue API requests for scanning Java applications by default.
The `plugin.yaml` field should contain the following information:
- name: The name of the plugin. This also determines how the plugin will be made available in the Trivy CLI. For example, if the plugin is named kubectl, you can call the plugin with `trivy kubectl`. (required)
- version: The version of the plugin. (required)
- usage: A short usage description. (required)
- description: A long description of the plugin. This is where you could provide a helpful documentation of your plugin. (required)
- platforms: (required)
- selector: The OS/Architecture specific variations of a execution file. (optional)
- os: OS information based on GOOS (linux, darwin, etc.) (optional)
- arch: The architecture information based on GOARCH (amd64, arm64, etc.) (optional)
- uri: Where the executable file is. Relative path from the root directory of the plugin or remote URL such as HTTP and S3. (required)
- bin: Which file to call when the plugin is executed. Relative path from the root directory of the plugin. (required)
The following rules will apply in deciding which platform to select:
- If both `os` and `arch` under `selector` match the current platform, search will stop and the platform will be used.
- If `selector` is not present, the platform will be used.
- If `os` matches and there is no more specific `arch` match, the platform will be used.
- If no `platform` match is found, Trivy will exit with an error.
After determining platform, Trivy will download the execution file from `uri` and store it in the plugin cache.
When the plugin is called via Trivy CLI, `bin` command will be executed.
The plugin is responsible for handling flags and arguments. Any arguments are passed to the plugin from the `trivy` command.
[Cosign](https://github.com/sigstore/cosign) supports generating and verifying [in-toto attestations](https://github.com/in-toto/attestation). This tool enables you to sign and verify SBOM attestation.
!!! note
In the following examples, the `cosign` command will write an attestation to a target OCI registry, so you must have permission to write.
If you want to avoid writing an OCI registry and only want to see an attestation, add the `--no-upload` option to the `cosign` command.
## Sign with a local key pair
Cosign can generate key pairs and use them for signing and verification. Read more about [how to generate key pairs](https://docs.sigstore.dev/cosign/key-generation).
In the following example, Trivy generates an SBOM in the spdx format, and then Cosign attaches an attestation of the SBOM to a container image with a local key pair.
It is designed to be used in CI. Before pushing to a container registry or deploying your application, you can scan your local container image and other artifacts easily.
See [Integrations][integrations] for details.
## Features
- Comprehensive vulnerability detection
- [OS packages][os] (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, CBL-Mariner, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
- A wide variety of [built-in policies][builtin] are provided **out of the box**:
- Kubernetes
- Docker
- Terraform
- more coming soon
- Support custom policies
- Simple
- Specify only an image name, a directory containing IaC configs, or an artifact name
- See [Quick Start][quickstart]
- Fast
- The first scan will finish within 10 seconds (depending on your network). Consequent scans will finish in single seconds.
- Unlike other scanners that take long to fetch vulnerability information (~10 minutes) on the first run, and encourage you to maintain a durable vulnerability database, Trivy is stateless and requires no maintenance or preparation.
- Easy installation
-`apt-get install`, `yum install` and `brew install` is possible (See [Installation][installation])
- **No pre-requisites** such as installation of DB, libraries, etc.
- High accuracy
- **Especially Alpine Linux and RHEL/CentOS**
- Other OSes are also high
- DevSecOps
- **Suitable for CI** such as Travis CI, CircleCI, Jenkins, GitLab CI, etc.
- See [CI Example][integrations]
- Support multiple formats
- container image
- A local image in Docker Engine which is running as a daemon
- A local image in [Podman][podman] (>=2.0) which is exposing a socket
- A remote image in Docker Registry such as Docker Hub, ECR, GCR and ACR
- A tar archive stored in the `docker save` / `podman save` formatted file
- An image directory compliant with [OCI Image Format][oci]
- local filesystem and rootfs
- remote git repository
- [SBOM][sbom] (Software Bill of Materials) support
- CycloneDX
- SPDX
- GitHub Dependency Snapshots
Please see [LICENSE][license] for Trivy licensing information.
In the following example using the template `asff.tpl`, [ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) file can be generated.
GitLab 15.0 includes [free](https://gitlab.com/groups/gitlab-org/-/epics/2233) integration with Trivy.
To [configure container scanning with Trivy in GitLab](https://docs.gitlab.com/ee/user/application_security/container_scanning/#configuration), simply include the CI template in your `.gitlab-ci.yml` file:
If you're a GitLab 14.x Ultimate customer, you can use the same configuration above.
Alternatively, you can always use the example configurations below. Note that the examples use [`contrib/gitlab.tpl`](https://github.com/aquasecurity/trivy/blob/main/contrib/gitlab.tpl), which does not work with GitLab 15.0 and above (for details, see [issue 1598](https://github.com/aquasecurity/trivy/issues/1598)).
```yaml
stages:
- test
trivy:
stage:test
image:docker:stable
services:
- name:docker:dind
entrypoint:["env","-u","DOCKER_HOST"]
command:["dockerd-entrypoint.sh"]
variables:
DOCKER_HOST:tcp://docker:2375/
DOCKER_DRIVER:overlay2
# See https://github.com/docker-library/docker/pull/166
# Enables https://docs.gitlab.com/ee/user/application_security/container_scanning/ (Container Scanning report is available on GitLab EE Ultimate or GitLab.com Gold)
- time trivy image --exit-code 0 "$FULL_IMAGE_NAME"
# Fail on critical vulnerabilities
- time trivy image --exit-code 1 --severity CRITICAL "$FULL_IMAGE_NAME"
cache:
paths:
- .trivycache/
# Enables https://docs.gitlab.com/ee/user/application_security/container_scanning/ (Container Scanning report is available on GitLab EE Ultimate or GitLab.com Gold)
# Enables https://docs.gitlab.com/ee/user/application_security/container_scanning/ (Container Scanning report is available on GitLab EE Ultimate or GitLab.com Gold)
artifacts:
paths:
- gl-codeclimate.json
reports:
codequality:gl-codeclimate.json
```
Currently gitlab only supports a single code quality report. There is an
open [feature request](https://gitlab.com/gitlab-org/gitlab/-/issues/9014)
to support multiple reports. Until this has been implemented, if you
already have a code quality report in your pipeline, you can use
`jq` to combine reports. Depending on how you name your artifacts, it may
be necessary to rename the artifact if you want to reuse the name. To then
combine the previous artifact with the output of trivy, the following `jq`
command can be used, `jq -s 'add' prev-codeclimate.json trivy-codeclimate.json > gl-codeclimate.json`.
### GitLab CI alternative template example report
You'll be able to see a full report in the GitLab pipeline code quality UI, where filesystem vulnerabilities and misconfigurations include links to the flagged files and image vulnerabilities report the image/os or runtime/library that the vulnerability originates from instead.
Scan your image automatically as part of your CI workflow, failing the workflow if a vulnerability is found. When you don't want to fail the test, specify `--exit-code 0`.
This feature might change without preserving backwards compatibility.
The Trivy K8s CLI allows you to scan your Kubernetes cluster for Vulnerabilities, Secrets and Misconfigurations. You can either run the CLI locally or integrate it into your CI/CD pipeline. The difference to the Trivy CLI is that the Trivy K8s CLI allows you to scan running workloads directly within your cluster.
If you are looking for continuous cluster audit scanning, have a look at the [Trivy K8s operator.](../operator/getting-started.md)
Trivy uses your local kubectl configuration to access the API server to list artifacts.
## CLI Commands
Scan a full cluster and generate a simple summary report:
If you want to pass in flags before scanning specific workloads, you will have to do it before the resource name.
For example, scanning a deployment in the app namespace of your Kubernetes cluster for critical vulnerabilities would be done through the following command:
"Title":"coreutils: Non-privileged session can escape to the parent session in chroot",
"Description":"chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.",
"Description":"A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.",
"Message":"Container 'app' of Deployment 'app' should set 'securityContext.allowPrivilegeEscalation' to false",
"Namespace":"builtin.kubernetes.KSV001",
"Query":"data.builtin.kubernetes.KSV001.deny",
"Resolution":"Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.",
Trivy has a native [Kubernetes Operator][operator] which continuously scans your Kubernetes cluster for security issues, and generates security reports as Kubernetes [Custom Resources][crd]. It does it by watching Kubernetes for state changes and automatically triggering scans in response to changes, for example initiating a vulnerability scan when a new Pod is created.
Trivy scans any container image for license files and offers an opinionated view on the risk associated with the license.
License are classified using the [Google License Classification][google-license-classification] -
- Forbidden
- Restricted
- Reciprocal
- Notice
- Permissive
- Unencumbered
- Unknown
!!! tip
Licenses that Trivy fails to recognize are classified as UNKNOWN.
As those licenses may be in violation, it is recommended to check those unknown licenses as well.
By default, Trivy scans licenses for packages installed by `apk`, `apt-get`, `dnf`, `npm`, `pip`, `gem`, etc.
To enable extended license scanning, you can use `--license-full`.
In addition to package licenses, Trivy scans source code files, Markdown documents, text files and `LICENSE` documents to identify license usage within the image or filesystem.
!!! note
The full license scanning is expensive. It takes a while.
Currently, the standard license scanning doesn't support filesystem and repository scanning.
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
| Dockerfile | `Dockerfile`, `Dockerfile.*`, and `*.Dockerfile` |
| Containerfile | `Containerfile`, `Containerfile.*`, and `*.Containerfile` |
| Terraform | `*.tf` and `*.tf.json` |
### Configuration languages
In the above general file formats, Trivy automatically identifies the following types of configuration files:
- CloudFormation (JSON/YAML)
- Kubernetes (JSON/YAML)
- Helm (YAML)
- Terraform Plan (JSON)
This is useful for filtering inputs, as described below.
## Rego format
A single package must contain only one policy.
!!!example
``` rego
package user.kubernetes.ID001
import lib.result
__rego_metadata__ := {
"id": "ID001",
"title": "Deployment not allowed",
"severity": "LOW",
"description": "Deployments are not allowed because of some reasons.",
}
__rego_input__ := {
"selector": [
{"type": "kubernetes"},
],
}
deny[res] {
input.kind == "Deployment"
msg := sprintf("Found deployment '%s' but deployments are not allowed", [input.metadata.name])
res := result.new(msg, input)
}
```
In this example, ID001 "Deployment not allowed" is defined under `user.kubernetes.ID001`.
If you add a new custom policy, it must be defined under a new package like `user.kubernetes.ID002`.
### Policy structure
`package` (required)
: - MUST follow the Rego's [specification][package]
- MUST be unique per policy
- SHOULD include policy id for uniqueness
- MAY include the group name such as `kubernetes` for clarity
- Group name has no effect on policy evaluation
`import data.lib.result` (optional)
: - MAY be defined if you would like to embellish your result(s) with line numbers and code highlighting
`__rego_metadata__` (optional)
: - SHOULD be defined for clarity since these values will be displayed in the scan results
`__rego_input__` (optional)
: - MAY be defined when you want to specify input format
`deny` (required)
: - SHOULD be `deny` or start with `deny_`
- Although `warn`, `warn_*`, `violation`, `violation_` also work for compatibility, `deny` is recommended as severity can be defined in `__rego_metadata__`.
- SHOULD return ONE OF:
- The result of a call to `result.new(msg, cause)`. The `msg` is a `string` describing the issue occurrence, and the `cause` is the property/object where the issue occurred. Providing this allows Trivy to ascertain line numbers and highlight code in the output.
- A `string` denoting the detected issue
- Although `object` with `msg` field is accepted, other fields are dropped and `string` is recommended if `result.new()` is not utilised.
- e.g. `{"msg": "deny message", "details": "something"}`
### Package
A package name must be unique per policy.
!!!example
``` rego
package user.kubernetes.ID001
```
By default, only `builtin.*` packages will be evaluated.
If you define custom packages, you have to specify the package prefix via `--namespaces` option.
``` bash
trivy conf --policy /path/to/custom_policies --namespaces user /path/to/config_dir
```
In this case, `user.*` will be evaluated.
Any package prefixes such as `main` and `user` are allowed.
### Metadata
Metadata helps enrich Trivy's scan results with useful information.
!!!example
``` rego
__rego_metadata__ := {
"id": "ID001",
"title": "Deployment not allowed",
"severity": "LOW",
"description": "Deployments are not allowed because of some reasons.",
It is highly recommended to write tests for your custom policies.
## Rego testing
To help you verify the correctness of your custom policies, OPA gives you a framework that you can use to write tests for your policies.
By writing tests for your custom policies you can speed up the development process of new rules and reduce the amount of time it takes to modify rules as requirements evolve.
For more details, see [Policy Testing][opa-testing].
!!! example
```
package user.dockerfile.ID002
test_add_denied {
r := deny with input as {"stages": {"alpine:3.13": [
r[_] == "Consider using 'COPY /target/app.jar app.jar' command instead of 'ADD /target/app.jar app.jar'"
}
```
To write tests for custom policies, you can refer to existing tests under [defsec][defsec].
## Go testing
[Fanal][fanal] which is a core library of Trivy can be imported as a Go library.
You can scan config files in Go and test your custom policies using Go's testing methods, such as [table-driven tests][table].
This allows you to use the actual configuration file as input, making it easy to prepare test data and ensure that your custom policies work in practice.
In particular, Dockerfile and HCL need to be converted to structural data as input, which may be different from the expected input format.
!!! tip
We recommend writing OPA and Go tests both since they have different roles, like unit tests and integration tests.
The following example stores allowed and denied configuration files in a directory.
`Successes` contains the result of successes, and `Failures` contains the result of failures.
``` go
{
name: "disallowed ports",
input: "configs/",
fields: fields{
policyPaths: []string{"policy"},
dataPaths: []string{"data"},
namespaces: []string{"user"},
},
want: []types.Misconfiguration{
{
FileType: types.Dockerfile,
FilePath: "Dockerfile.allowed",
Successes: types.MisconfResults{
{
Namespace: "user.dockerfile.ID002",
PolicyMetadata: types.PolicyMetadata{
ID: "ID002",
Type: "Docker Custom Check",
Title: "Disallowed ports exposed",
Severity: "HIGH",
},
},
},
},
{
FileType: types.Dockerfile,
FilePath: "Dockerfile.denied",
Failures: types.MisconfResults{
{
Namespace: "user.dockerfile.ID002",
Message: "Port 23 should not be exposed",
PolicyMetadata: types.PolicyMetadata{
ID: "ID002",
Type: "Docker Custom Check",
Title: "Disallowed ports exposed",
Severity: "HIGH",
},
},
},
},
},
},
```
`Dockerfile.allowed` has one successful result in `Successes`, while `Dockerfile.denied` has one failure result in `Failures`.
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
Exceptions let you specify cases where you allow policy violations.
Trivy supports two types of exceptions.
!!! info
Exceptions can be applied to built-in policies as well as custom policies.
## Namespace-based exceptions
There are some cases where you need to disable built-in policies partially or fully.
Namespace-based exceptions lets you rough choose which individual packages to exempt.
To use namespace-based exceptions, create a Rego rule with the name `exception` that returns the package names to exempt.
The `exception` rule must be defined under `namespace.exceptions`.
`data.namespaces` includes all package names.
!!! example
``` rego
package namespace.exceptions
import data.namespaces
exception[ns] {
ns := data.namespaces[_]
startswith(ns, "builtin.kubernetes")
}
```
This example exempts all built-in policies for Kubernetes.
For more details, see [an example][ns-example].
## Rule-based exceptions
There are some cases where you need more flexibility and granularity in defining which cases to exempt.
Rule-based exceptions lets you granularly choose which individual rules to exempt, while also declaring under which conditions to exempt them.
To use rule-based exceptions, create a Rego rule with the name `exception` that returns the rule name suffixes to exempt, prefixed by `deny_` (for example, returning `foo` will exempt `deny_foo`).
The rule can make any other assertion, for example, on the input or data documents.
This is useful to specify the exemption for a specific case.
Note that if you specify the empty string, the exception will match all rules named `deny`.
```
exception[rules] {
# Logic
rules = ["foo","bar"]
}
```
The above would provide an exception from `deny_foo` and `deny_bar`.
!!! example
```
package user.kubernetes.ID100
__rego_metadata := {
"id": "ID100",
"title": "Deployment not allowed",
"severity": "HIGH",
"type": "Kubernetes Custom Check",
}
deny_deployment[msg] {
input.kind == "Deployment"
msg = sprintf("Found deployment '%s' but deployments are not allowed", [name])
}
exception[rules] {
input.kind == "Deployment"
input.metadata.name == "allow-deployment"
rules := ["deployment"]
}
```
If you want to apply rule-based exceptions to built-in policies, you have to define the exception under the same package.
!!! example
``` rego
package builtin.kubernetes.KSV012
exception[rules] {
input.metadata.name == "can-run-as-root"
rules := [""]
}
```
This exception is applied to [KSV012][ksv012] in defsec.
You can get the package names in the [defsec repository][defsec] or the JSON output from Trivy.
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
Sysctls can disable security mechanisms or affect all containers on a host, and should be disallowed except for an allowed 'safe' subset. A sysctl is considered safe if it is namespaced in the container or the Pod, and it is isolated from other Pods or processes on the same Node.
--insecure allow insecure server connections when using TLS
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
```
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
