gitea-mirror/trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2025-12-23 07:29:00 -08:00
Code Issues Packages Projects Releases Wiki Activity
Files
84dd33f7e9b22f2fa355c8a9b63f40765f819eb7
trivy/docs/misconfiguration/custom/examples.md
Teppei Fukuda 9e08bd44fb docs: add misconfiguration (#1101) 
Co-authored-by: Itay Shakury <itay@itaysk.com>
2021-07-12 03:14:17 +03:00

297 lines
9.3 KiB
Markdown
Raw Blame History

# Examples
## Custom Policy
### Kubernetes
See [here][k8s].
The custom policy is defined in `user.kubernetes.ID001` package.
You need to pass the package prefix you want to evaluate through `--namespaces` option.
In this case, the package prefix should be `user`, `user.kuberntes`, or `user.kubernetes.ID001`.
### Dockerfile
See [here][dockerfile].
The input will be a dictionary of stages.
#### Single Stage
??? example
Dockerfile
```dockerfile
FROM foo
COPY . /
RUN echo hello
```
Rego Input
```json
{
"stages": {
"foo": [
{
"Cmd": "from",
"EndLine": 1,
"Flags": [],
"JSON": false,
"Original": "FROM foo",
"Stage": 0,
"StartLine": 1,
"SubCmd": "",
"Value": [
"foo"
]
},
{
"Cmd": "copy",
"EndLine": 2,
"Flags": [],
"JSON": false,
"Original": "COPY . /",
"Stage": 0,
"StartLine": 2,
"SubCmd": "",
"Value": [
".",
"/"
]
},
{
"Cmd": "run",
"EndLine": 3,
"Flags": [],
"JSON": false,
"Original": "RUN echo hello",
"Stage": 0,
"StartLine": 3,
"SubCmd": "",
"Value": [
"echo hello"
]
}
]
}
}
```
#### Multi Stage
??? example
Dockerfile
```dockerfile
FROM golang:1.16 AS builder
WORKDIR /go/src/github.com/alexellis/href-counter/
RUN go get -d -v golang.org/x/net/html
COPY app.go .
RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
FROM alpine:latest
RUN apk --no-cache add ca-certificates \
&& apk add --no-cache bash
WORKDIR /root/
COPY --from=builder /go/src/github.com/alexellis/href-counter/app .
CMD ["./app"]
```
Rego Input
```json
{
"stages": {
"alpine:latest": [
{
"Cmd": "from",
"EndLine": 7,
"Flags": [],
"JSON": false,
"Original": "FROM alpine:latest",
"Stage": 1,
"StartLine": 7,
"SubCmd": "",
"Value": [
"alpine:latest"
]
},
{
"Cmd": "run",
"EndLine": 9,
"Flags": [],
"JSON": false,
"Original": "RUN apk --no-cache add ca-certificates \u0026\u0026 apk add --no-cache bash",
"Stage": 1,
"StartLine": 8,
"SubCmd": "",
"Value": [
"apk --no-cache add ca-certificates \u0026\u0026 apk add --no-cache bash"
]
},
{
"Cmd": "workdir",
"EndLine": 10,
"Flags": [],
"JSON": false,
"Original": "WORKDIR /root/",
"Stage": 1,
"StartLine": 10,
"SubCmd": "",
"Value": [
"/root/"
]
},
{
"Cmd": "copy",
"EndLine": 11,
"Flags": [
"--from=builder"
],
"JSON": false,
"Original": "COPY --from=builder /go/src/github.com/alexellis/href-counter/app .",
"Stage": 1,
"StartLine": 11,
"SubCmd": "",
"Value": [
"/go/src/github.com/alexellis/href-counter/app",
"."
]
},
{
"Cmd": "cmd",
"EndLine": 12,
"Flags": [],
"JSON": true,
"Original": "CMD [\"./app\"]",
"Stage": 1,
"StartLine": 12,
"SubCmd": "",
"Value": [
"./app"
]
}
],
"golang:1.16 AS builder": [
{
"Cmd": "from",
"EndLine": 1,
"Flags": [],
"JSON": false,
"Original": "FROM golang:1.16 AS builder",
"Stage": 0,
"StartLine": 1,
"SubCmd": "",
"Value": [
"golang:1.16",
"AS",
"builder"
]
},
{
"Cmd": "workdir",
"EndLine": 2,
"Flags": [],
"JSON": false,
"Original": "WORKDIR /go/src/github.com/alexellis/href-counter/",
"Stage": 0,
"StartLine": 2,
"SubCmd": "",
"Value": [
"/go/src/github.com/alexellis/href-counter/"
]
},
{
"Cmd": "run",
"EndLine": 3,
"Flags": [],
"JSON": false,
"Original": "RUN go get -d -v golang.org/x/net/html",
"Stage": 0,
"StartLine": 3,
"SubCmd": "",
"Value": [
"go get -d -v golang.org/x/net/html"
]
},
{
"Cmd": "copy",
"EndLine": 4,
"Flags": [],
"JSON": false,
"Original": "COPY app.go .",
"Stage": 0,
"StartLine": 4,
"SubCmd": "",
"Value": [
"app.go",
"."
]
},
{
"Cmd": "run",
"EndLine": 5,
"Flags": [],
"JSON": false,
"Original": "RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .",
"Stage": 0,
"StartLine": 5,
"SubCmd": "",
"Value": [
"CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app ."
]
}
]
}
}
```
### Docker Compose
See [here][compose].
Docker Compose uses YAML format for configurations. You can apply your Rego policies to `docker-compose.yml`.
### HCL
See [here][hcl].
Trivy parses HCL files and converts into structured data.
!!! warning
Terraform HCL files are not supported yet.
### Terraform Plan
See [here][tfplan].
Use the command [terraform show][terraform-show] to convert the Terraform plan into JSON so that OPA can read the plan.
```bash
$ terraform init
$ terraform plan --out tfplan.binary
$ terraform show -json tfplan.binary > tfplan.json
```
For more details, see also [OPA document][opa-terraform].
### Serverless Framework
See [here][serverless].
Server Framework uses YAML format for configurations. You can apply your Rego policies to `serverless.yaml`.
## Custom Data
See [here][data].
## Combined Input
See [here][combine].
## Go Testing
See [here][go-testing].
[k8s]:https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/custom-policy/kubernetes/
[dockerfile]:https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/custom-policy/dockerfile/
[compose]:https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/custom-policy/docker-compose/
[hcl]:https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/custom-policy/hcl/
[serverless]:https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/custom-policy/serverless/
[tfplan]:https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/custom-policy/terraform-plan/
[terraform-show]: https://www.terraform.io/docs/cli/commands/show.html
[opa-terraform]: https://www.openpolicyagent.org/docs/latest/terraform/
[custom]: https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/custom-policy
[data]: https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/custom-data
[combine]: https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/combine
[go-testing]: https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/go-testing
Reference in New Issue View Git Blame Copy Permalink