From 11618c9408430409a4c5bd3f12a68bfad05c63de Mon Sep 17 00:00:00 2001 From: simar7 <1254783+simar7@users.noreply.github.com> Date: Wed, 26 Jul 2023 02:45:49 -0600 Subject: [PATCH] feat(misconf): Support custom URLs for policy bundle (#4834) * feat(misconf): Support custom URLs for policy bundle This PR adds support for custom policy bundles to be specified with a flag `--policy-bundle-url` as an option to Trivy. Fixes: https://github.com/aquasecurity/trivy/issues/4672 Signed-off-by: Simar * update docs Signed-off-by: Simar * rename flag to `--policy-bundle-repository` Signed-off-by: Simar * fix field * rebase and update docs Signed-off-by: Simar * set policyBundleRepo on client Signed-off-by: Simar --------- Signed-off-by: Simar --- .../references/configuration/cli/trivy_aws.md | 67 +++++---- .../configuration/cli/trivy_config.md | 77 +++++----- .../configuration/cli/trivy_filesystem.md | 129 ++++++++-------- .../configuration/cli/trivy_image.md | 141 +++++++++--------- .../configuration/cli/trivy_kubernetes.md | 1 + .../configuration/cli/trivy_repository.md | 131 ++++++++-------- .../configuration/cli/trivy_rootfs.md | 125 ++++++++-------- .../references/configuration/cli/trivy_vm.md | 107 ++++++------- pkg/cloud/aws/scanner/scanner.go | 2 +- pkg/commands/app.go | 2 +- pkg/commands/artifact/run.go | 4 +- pkg/commands/operation/operation.go | 4 +- pkg/flag/misconf_flags.go | 46 ++++-- pkg/policy/policy.go | 26 ++-- pkg/policy/policy_test.go | 8 +- 15 files changed, 451 insertions(+), 419 deletions(-) diff --git a/docs/docs/references/configuration/cli/trivy_aws.md b/docs/docs/references/configuration/cli/trivy_aws.md index c9aad7bb6b09..455e2abf298b 100644 --- a/docs/docs/references/configuration/cli/trivy_aws.md +++ b/docs/docs/references/configuration/cli/trivy_aws.md 
@@ -65,39 +65,40 @@ trivy aws [flags] ### Options ``` - --account string The AWS account to scan. It's useful to specify this when reviewing cached results for multiple accounts. - --arn string The AWS ARN to show results for. Useful to filter results once a scan is cached. - --compliance string compliance report to generate (aws-cis-1.2,aws-cis-1.4) - --config-data strings specify paths from which data for the Rego policies will be recursively loaded - --config-policy strings specify the paths to the Rego policy files or to the directories containing them, applying config files - --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages - --endpoint string AWS Endpoint override - --exit-code int specify exit code when any security issues are found - -f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table") - --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) - --helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2) - --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) - --helm-values strings specify paths to override the Helm values.yaml files - -h, --help help for aws - --ignore-policy string specify the Rego file path to evaluate each vulnerability - --ignorefile string specify .trivyignore file (default ".trivyignore") - --include-non-failures include successes and exceptions, available with '--scanners config' - --list-all-pkgs enabling the option will output all packages regardless of vulnerability - --max-cache-age duration The maximum age of the cloud cache. Cached data will be requeried from the cloud provider if it is older than this. 
(default 24h0m0s) - -o, --output string output file name - --policy-namespaces strings Rego namespaces - --region string AWS Region to scan - --report string specify a report format for the output (all,summary) (default "all") - --reset-policy-bundle remove policy bundle - --service strings Only scan AWS Service(s) specified with this flag. Can specify multiple services using --service A --service B etc. - -s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL]) - --skip-policy-update skip fetching rego policy updates - --skip-service strings Skip selected AWS Service(s) specified with this flag. Can specify multiple services using --skip-service A --skip-service B etc. - -t, --template string output template - --tf-exclude-downloaded-modules remove results for downloaded modules in .terraform folder - --tf-vars strings specify paths to override the Terraform tfvars files - --trace enable more verbose trace output for custom queries - --update-cache Update the cache for the applicable cloud provider instead of using cached results. + --account string The AWS account to scan. It's useful to specify this when reviewing cached results for multiple accounts. + --arn string The AWS ARN to show results for. Useful to filter results once a scan is cached. 
+ --compliance string compliance report to generate (aws-cis-1.2,aws-cis-1.4) + --config-data strings specify paths from which data for the Rego policies will be recursively loaded + --config-policy strings specify the paths to the Rego policy files or to the directories containing them, applying config files + --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages + --endpoint string AWS Endpoint override + --exit-code int specify exit code when any security issues are found + -f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table") + --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) + --helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2) + --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) + --helm-values strings specify paths to override the Helm values.yaml files + -h, --help help for aws + --ignore-policy string specify the Rego file path to evaluate each vulnerability + --ignorefile string specify .trivyignore file (default ".trivyignore") + --include-non-failures include successes and exceptions, available with '--scanners config' + --list-all-pkgs enabling the option will output all packages regardless of vulnerability + --max-cache-age duration The maximum age of the cloud cache. Cached data will be requeried from the cloud provider if it is older than this. 
(default 24h0m0s) + -o, --output string output file name + --policy-bundle-repository string OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/defsec:0") + --policy-namespaces strings Rego namespaces + --region string AWS Region to scan + --report string specify a report format for the output (all,summary) (default "all") + --reset-policy-bundle remove policy bundle + --service strings Only scan AWS Service(s) specified with this flag. Can specify multiple services using --service A --service B etc. + -s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL]) + --skip-policy-update skip fetching rego policy updates + --skip-service strings Skip selected AWS Service(s) specified with this flag. Can specify multiple services using --skip-service A --skip-service B etc. + -t, --template string output template + --tf-exclude-downloaded-modules remove results for downloaded modules in .terraform folder + --tf-vars strings specify paths to override the Terraform tfvars files + --trace enable more verbose trace output for custom queries + --update-cache Update the cache for the applicable cloud provider instead of using cached results. ``` ### Options inherited from parent commands diff --git a/docs/docs/references/configuration/cli/trivy_config.md b/docs/docs/references/configuration/cli/trivy_config.md index aa391b841465..0ed13c1722c7 100644 --- a/docs/docs/references/configuration/cli/trivy_config.md +++ b/docs/docs/references/configuration/cli/trivy_config.md 
@@ -9,44 +9,45 @@ trivy config [flags] DIR ### Options ``` - --cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs") - --cache-ttl duration cache TTL when using redis as cache backend - --clear-cache clear image caches without scanning - --compliance string compliance report to generate - --config-data strings specify paths from which data for the Rego policies will be recursively loaded - --config-policy strings specify the paths to the Rego policy files or to the directories containing them, applying config files - --enable-modules strings [EXPERIMENTAL] module names to enable - --exit-code int specify exit code when any security issues are found - --file-patterns strings specify config file patterns - -f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table") - --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) - --helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2) - --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) - --helm-values strings specify paths to override the Helm values.yaml files - -h, --help help for config - --ignorefile string specify .trivyignore file (default ".trivyignore") - --include-non-failures include successes and exceptions, available with '--scanners config' - --k8s-version string specify k8s version to validate outdated api by it (example: 1.21.0) - --module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules") - -o, --output string output file name - --password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons. 
- --policy-namespaces strings Rego namespaces - --redis-ca string redis ca file location, if using redis as cache backend - --redis-cert string redis certificate file location, if using redis as cache backend - --redis-key string redis key file location, if using redis as cache backend - --redis-tls enable redis TLS with public certificates, if using redis as cache backend - --registry-token string registry token - --report string specify a compliance report format for the output (all,summary) (default "all") - --reset-policy-bundle remove policy bundle - -s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL]) - --skip-dirs strings specify the directories where the traversal is skipped - --skip-files strings specify the file paths to skip traversal - --skip-policy-update skip fetching rego policy updates - -t, --template string output template - --tf-exclude-downloaded-modules remove results for downloaded modules in .terraform folder - --tf-vars strings specify paths to override the Terraform tfvars files - --trace enable more verbose trace output for custom queries - --username strings username. Comma-separated usernames allowed. + --cache-backend string cache backend (e.g. 
redis://localhost:6379) (default "fs") + --cache-ttl duration cache TTL when using redis as cache backend + --clear-cache clear image caches without scanning + --compliance string compliance report to generate + --config-data strings specify paths from which data for the Rego policies will be recursively loaded + --config-policy strings specify the paths to the Rego policy files or to the directories containing them, applying config files + --enable-modules strings [EXPERIMENTAL] module names to enable + --exit-code int specify exit code when any security issues are found + --file-patterns strings specify config file patterns + -f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table") + --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) + --helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2) + --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) + --helm-values strings specify paths to override the Helm values.yaml files + -h, --help help for config + --ignorefile string specify .trivyignore file (default ".trivyignore") + --include-non-failures include successes and exceptions, available with '--scanners config' + --k8s-version string specify k8s version to validate outdated api by it (example: 1.21.0) + --module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules") + -o, --output string output file name + --password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons. 
+ --policy-bundle-repository string OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/defsec:0") + --policy-namespaces strings Rego namespaces + --redis-ca string redis ca file location, if using redis as cache backend + --redis-cert string redis certificate file location, if using redis as cache backend + --redis-key string redis key file location, if using redis as cache backend + --redis-tls enable redis TLS with public certificates, if using redis as cache backend + --registry-token string registry token + --report string specify a compliance report format for the output (all,summary) (default "all") + --reset-policy-bundle remove policy bundle + -s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL]) + --skip-dirs strings specify the directories where the traversal is skipped + --skip-files strings specify the file paths to skip traversal + --skip-policy-update skip fetching rego policy updates + -t, --template string output template + --tf-exclude-downloaded-modules remove results for downloaded modules in .terraform folder + --tf-vars strings specify paths to override the Terraform tfvars files + --trace enable more verbose trace output for custom queries + --username strings username. Comma-separated usernames allowed. ``` ### Options inherited from parent commands diff --git a/docs/docs/references/configuration/cli/trivy_filesystem.md b/docs/docs/references/configuration/cli/trivy_filesystem.md index c5f53c9e429c..dd2381b32c03 100644 --- a/docs/docs/references/configuration/cli/trivy_filesystem.md +++ b/docs/docs/references/configuration/cli/trivy_filesystem.md 
@@ -19,70 +19,71 @@ trivy filesystem [flags] PATH ### Options ``` - --cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs") - --cache-ttl duration cache TTL when using redis as cache backend - --clear-cache clear image caches without scanning - --compliance string compliance report to generate - --config-data strings specify paths from which data for the Rego policies will be recursively loaded - --config-policy strings specify the paths to the Rego policy files or to the directories containing them, applying config files - --custom-headers strings custom headers in client mode - --db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db") - --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages - --download-db-only download/update vulnerability database but don't run a scan - --download-java-db-only download/update Java index database but don't run a scan - --enable-modules strings [EXPERIMENTAL] module names to enable - --exit-code int specify exit code when any security issues are found - --file-patterns strings specify config file patterns - -f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table") - --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) - --helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2) - --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) - --helm-values strings specify paths to override the Helm values.yaml files - -h, --help help for filesystem - --ignore-policy string specify the Rego file path to evaluate each vulnerability - --ignore-unfixed display only fixed vulnerabilities - 
--ignored-licenses strings specify a list of license to ignore - --ignorefile string specify .trivyignore file (default ".trivyignore") - --include-dev-deps include development dependencies in the report (supported: npm, yarn) - --include-non-failures include successes and exceptions, available with '--scanners config' - --java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db") - --license-confidence-level float specify license classifier's confidence level (default 0.9) - --license-full eagerly look for licenses in source code headers and license files - --list-all-pkgs enabling the option will output all packages regardless of vulnerability - --module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules") - --no-progress suppress progress bar - --offline-scan do not issue API requests to identify dependencies - -o, --output string output file name - --password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons. 
- --policy-namespaces strings Rego namespaces - --redis-ca string redis ca file location, if using redis as cache backend - --redis-cert string redis certificate file location, if using redis as cache backend - --redis-key string redis key file location, if using redis as cache backend - --redis-tls enable redis TLS with public certificates, if using redis as cache backend - --registry-token string registry token - --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev") - --report string specify a compliance report format for the output (all,summary) (default "all") - --reset remove all caches and database - --reset-policy-bundle remove policy bundle - --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor) - --scanners strings comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret]) - --secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml") - --server string server address in client mode - -s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL]) - --skip-db-update skip updating vulnerability database - --skip-dirs strings specify the directories where the traversal is skipped - --skip-files strings specify the file paths to skip traversal - --skip-java-db-update skip updating Java index database - --skip-policy-update skip fetching rego policy updates - --slow scan over time with lower CPU and memory utilization - -t, --template string output template - --tf-exclude-downloaded-modules remove results for downloaded modules in .terraform folder - --tf-vars strings specify paths to override the Terraform tfvars files - --token string for authentication in client/server mode - --token-header string specify a header name for token in client/server mode (default "Trivy-Token") - --trace enable more 
verbose trace output for custom queries - --username strings username. Comma-separated usernames allowed. - --vuln-type strings comma-separated list of vulnerability types (os,library) (default [os,library]) + --cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs") + --cache-ttl duration cache TTL when using redis as cache backend + --clear-cache clear image caches without scanning + --compliance string compliance report to generate + --config-data strings specify paths from which data for the Rego policies will be recursively loaded + --config-policy strings specify the paths to the Rego policy files or to the directories containing them, applying config files + --custom-headers strings custom headers in client mode + --db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db") + --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages + --download-db-only download/update vulnerability database but don't run a scan + --download-java-db-only download/update Java index database but don't run a scan + --enable-modules strings [EXPERIMENTAL] module names to enable + --exit-code int specify exit code when any security issues are found + --file-patterns strings specify config file patterns + -f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table") + --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) + --helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2) + --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) + --helm-values strings specify paths to override the Helm values.yaml files + -h, --help help for filesystem + 
--ignore-policy string specify the Rego file path to evaluate each vulnerability + --ignore-unfixed display only fixed vulnerabilities + --ignored-licenses strings specify a list of license to ignore + --ignorefile string specify .trivyignore file (default ".trivyignore") + --include-dev-deps include development dependencies in the report (supported: npm, yarn) + --include-non-failures include successes and exceptions, available with '--scanners config' + --java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db") + --license-confidence-level float specify license classifier's confidence level (default 0.9) + --license-full eagerly look for licenses in source code headers and license files + --list-all-pkgs enabling the option will output all packages regardless of vulnerability + --module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules") + --no-progress suppress progress bar + --offline-scan do not issue API requests to identify dependencies + -o, --output string output file name + --password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons. 
+ --policy-bundle-repository string OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/defsec:0") + --policy-namespaces strings Rego namespaces + --redis-ca string redis ca file location, if using redis as cache backend + --redis-cert string redis certificate file location, if using redis as cache backend + --redis-key string redis key file location, if using redis as cache backend + --redis-tls enable redis TLS with public certificates, if using redis as cache backend + --registry-token string registry token + --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev") + --report string specify a compliance report format for the output (all,summary) (default "all") + --reset remove all caches and database + --reset-policy-bundle remove policy bundle + --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor) + --scanners strings comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret]) + --secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml") + --server string server address in client mode + -s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL]) + --skip-db-update skip updating vulnerability database + --skip-dirs strings specify the directories where the traversal is skipped + --skip-files strings specify the file paths to skip traversal + --skip-java-db-update skip updating Java index database + --skip-policy-update skip fetching rego policy updates + --slow scan over time with lower CPU and memory utilization + -t, --template string output template + --tf-exclude-downloaded-modules remove results for downloaded modules in .terraform folder + --tf-vars strings specify paths to override the Terraform tfvars files + --token string for authentication in client/server 
mode + --token-header string specify a header name for token in client/server mode (default "Trivy-Token") + --trace enable more verbose trace output for custom queries + --username strings username. Comma-separated usernames allowed. + --vuln-type strings comma-separated list of vulnerability types (os,library) (default [os,library]) ``` ### Options inherited from parent commands diff --git a/docs/docs/references/configuration/cli/trivy_image.md b/docs/docs/references/configuration/cli/trivy_image.md index b8b745e5c566..ed7edbfd5e2b 100644 --- a/docs/docs/references/configuration/cli/trivy_image.md +++ b/docs/docs/references/configuration/cli/trivy_image.md 
@@ -34,76 +34,77 @@ trivy image [flags] IMAGE_NAME ### Options ``` - --cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs") - --cache-ttl duration cache TTL when using redis as cache backend - --clear-cache clear image caches without scanning - --compliance string compliance report to generate (docker-cis) - --config-data strings specify paths from which data for the Rego policies will be recursively loaded - --config-policy strings specify the paths to the Rego policy files or to the directories containing them, applying config files - --custom-headers strings custom headers in client mode - --db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db") - --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages - --docker-host string unix domain socket path to use for docker scanning - --download-db-only download/update vulnerability database but don't run a scan - --download-java-db-only download/update Java index database but don't run a scan - --enable-modules strings [EXPERIMENTAL] module names to enable - --exit-code int specify exit code when any security issues are found - --exit-on-eol int exit with the specified code when the OS reaches end of service/life - --file-patterns strings specify config file patterns - -f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table") - --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) - --helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2) - --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) - --helm-values strings specify paths to override the Helm values.yaml files - 
-h, --help help for image - --ignore-policy string specify the Rego file path to evaluate each vulnerability - --ignore-unfixed display only fixed vulnerabilities - --ignored-licenses strings specify a list of license to ignore - --ignorefile string specify .trivyignore file (default ".trivyignore") - --image-config-scanners strings comma-separated list of what security issues to detect on container image configurations (config,secret) - --image-src strings image source(s) to use, in priority order (docker,containerd,podman,remote) (default [docker,containerd,podman,remote]) - --include-non-failures include successes and exceptions, available with '--scanners config' - --input string input file path instead of image name - --java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db") - --license-confidence-level float specify license classifier's confidence level (default 0.9) - --license-full eagerly look for licenses in source code headers and license files - --list-all-pkgs enabling the option will output all packages regardless of vulnerability - --module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules") - --no-progress suppress progress bar - --offline-scan do not issue API requests to identify dependencies - -o, --output string output file name - --password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons. 
- --platform string set platform in the form os/arch if image is multi-platform capable - --policy-namespaces strings Rego namespaces - --redis-ca string redis ca file location, if using redis as cache backend - --redis-cert string redis certificate file location, if using redis as cache backend - --redis-key string redis key file location, if using redis as cache backend - --redis-tls enable redis TLS with public certificates, if using redis as cache backend - --registry-token string registry token - --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev") - --removed-pkgs detect vulnerabilities of removed packages (only for Alpine) - --report string specify a format for the compliance report. (all,summary) (default "summary") - --reset remove all caches and database - --reset-policy-bundle remove policy bundle - --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor) - --scanners strings comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret]) - --secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml") - --server string server address in client mode - -s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL]) - --skip-db-update skip updating vulnerability database - --skip-dirs strings specify the directories where the traversal is skipped - --skip-files strings specify the file paths to skip traversal - --skip-java-db-update skip updating Java index database - --skip-policy-update skip fetching rego policy updates - --slow scan over time with lower CPU and memory utilization - -t, --template string output template - --tf-exclude-downloaded-modules remove results for downloaded modules in .terraform folder - --tf-vars strings specify paths to override the Terraform tfvars files - --token string 
for authentication in client/server mode - --token-header string specify a header name for token in client/server mode (default "Trivy-Token") - --trace enable more verbose trace output for custom queries - --username strings username. Comma-separated usernames allowed. - --vuln-type strings comma-separated list of vulnerability types (os,library) (default [os,library]) + --cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs") + --cache-ttl duration cache TTL when using redis as cache backend + --clear-cache clear image caches without scanning + --compliance string compliance report to generate (docker-cis) + --config-data strings specify paths from which data for the Rego policies will be recursively loaded + --config-policy strings specify the paths to the Rego policy files or to the directories containing them, applying config files + --custom-headers strings custom headers in client mode + --db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db") + --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages + --docker-host string unix domain socket path to use for docker scanning + --download-db-only download/update vulnerability database but don't run a scan + --download-java-db-only download/update Java index database but don't run a scan + --enable-modules strings [EXPERIMENTAL] module names to enable + --exit-code int specify exit code when any security issues are found + --exit-on-eol int exit with the specified code when the OS reaches end of service/life + --file-patterns strings specify config file patterns + -f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table") + --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) + --helm-set-file strings specify Helm values from respective files specified via the command line 
(can specify multiple or separate values with commas: key1=path1,key2=path2) + --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) + --helm-values strings specify paths to override the Helm values.yaml files + -h, --help help for image + --ignore-policy string specify the Rego file path to evaluate each vulnerability + --ignore-unfixed display only fixed vulnerabilities + --ignored-licenses strings specify a list of license to ignore + --ignorefile string specify .trivyignore file (default ".trivyignore") + --image-config-scanners strings comma-separated list of what security issues to detect on container image configurations (config,secret) + --image-src strings image source(s) to use, in priority order (docker,containerd,podman,remote) (default [docker,containerd,podman,remote]) + --include-non-failures include successes and exceptions, available with '--scanners config' + --input string input file path instead of image name + --java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db") + --license-confidence-level float specify license classifier's confidence level (default 0.9) + --license-full eagerly look for licenses in source code headers and license files + --list-all-pkgs enabling the option will output all packages regardless of vulnerability + --module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules") + --no-progress suppress progress bar + --offline-scan do not issue API requests to identify dependencies + -o, --output string output file name + --password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons. 
+ --platform string set platform in the form os/arch if image is multi-platform capable + --policy-bundle-repository string OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/defsec:0") + --policy-namespaces strings Rego namespaces + --redis-ca string redis ca file location, if using redis as cache backend + --redis-cert string redis certificate file location, if using redis as cache backend + --redis-key string redis key file location, if using redis as cache backend + --redis-tls enable redis TLS with public certificates, if using redis as cache backend + --registry-token string registry token + --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev") + --removed-pkgs detect vulnerabilities of removed packages (only for Alpine) + --report string specify a format for the compliance report. (all,summary) (default "summary") + --reset remove all caches and database + --reset-policy-bundle remove policy bundle + --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor) + --scanners strings comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret]) + --secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml") + --server string server address in client mode + -s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL]) + --skip-db-update skip updating vulnerability database + --skip-dirs strings specify the directories where the traversal is skipped + --skip-files strings specify the file paths to skip traversal + --skip-java-db-update skip updating Java index database + --skip-policy-update skip fetching rego policy updates + --slow scan over time with lower CPU and memory utilization + -t, --template string output template + --tf-exclude-downloaded-modules remove results for 
downloaded modules in .terraform folder + --tf-vars strings specify paths to override the Terraform tfvars files + --token string for authentication in client/server mode + --token-header string specify a header name for token in client/server mode (default "Trivy-Token") + --trace enable more verbose trace output for custom queries + --username strings username. Comma-separated usernames allowed. + --vuln-type strings comma-separated list of vulnerability types (os,library) (default [os,library]) ``` ### Options inherited from parent commands diff --git a/docs/docs/references/configuration/cli/trivy_kubernetes.md b/docs/docs/references/configuration/cli/trivy_kubernetes.md index 2bf05f59a617..ec726f1b5b8b 100644 --- a/docs/docs/references/configuration/cli/trivy_kubernetes.md +++ b/docs/docs/references/configuration/cli/trivy_kubernetes.md @@ -65,6 +65,7 @@ trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg: -o, --output string output file name --parallel int number (between 1-20) of goroutines enabled for parallel scanning (default 5) --password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons. + --policy-bundle-repository string OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/defsec:0") --policy-namespaces strings Rego namespaces --redis-ca string redis ca file location, if using redis as cache backend --redis-cert string redis certificate file location, if using redis as cache backend diff --git a/docs/docs/references/configuration/cli/trivy_repository.md b/docs/docs/references/configuration/cli/trivy_repository.md index 7fbf3fd768c0..575637697369 100644 --- a/docs/docs/references/configuration/cli/trivy_repository.md +++ b/docs/docs/references/configuration/cli/trivy_repository.md 
@@ -16,71 +16,72 @@ trivy repository [flags] REPO_URL ### Options ``` - --branch string pass the branch name to be scanned - --cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs") - --cache-ttl duration cache TTL when using redis as cache backend - --clear-cache clear image caches without scanning - --commit string pass the commit hash to be scanned - --config-data strings specify paths from which data for the Rego policies will be recursively loaded - --config-policy strings specify the paths to the Rego policy files or to the directories containing them, applying config files - --custom-headers strings custom headers in client mode - --db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db") - --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages - --download-db-only download/update vulnerability database but don't run a scan - --download-java-db-only download/update Java index database but don't run a scan - --enable-modules strings [EXPERIMENTAL] module names to enable - --exit-code int specify exit code when any security issues are found - --file-patterns strings specify config file patterns - -f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table") - --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) - --helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2) - --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) - --helm-values strings specify paths to override the Helm values.yaml files - -h, --help help for repository - --ignore-policy string specify the Rego file path to evaluate each vulnerability - 
--ignore-unfixed display only fixed vulnerabilities - --ignored-licenses strings specify a list of license to ignore - --ignorefile string specify .trivyignore file (default ".trivyignore") - --include-dev-deps include development dependencies in the report (supported: npm, yarn) - --include-non-failures include successes and exceptions, available with '--scanners config' - --java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db") - --license-confidence-level float specify license classifier's confidence level (default 0.9) - --license-full eagerly look for licenses in source code headers and license files - --list-all-pkgs enabling the option will output all packages regardless of vulnerability - --module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules") - --no-progress suppress progress bar - --offline-scan do not issue API requests to identify dependencies - -o, --output string output file name - --password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons. 
- --policy-namespaces strings Rego namespaces - --redis-ca string redis ca file location, if using redis as cache backend - --redis-cert string redis certificate file location, if using redis as cache backend - --redis-key string redis key file location, if using redis as cache backend - --redis-tls enable redis TLS with public certificates, if using redis as cache backend - --registry-token string registry token - --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev") - --reset remove all caches and database - --reset-policy-bundle remove policy bundle - --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor) - --scanners strings comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret]) - --secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml") - --server string server address in client mode - -s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL]) - --skip-db-update skip updating vulnerability database - --skip-dirs strings specify the directories where the traversal is skipped - --skip-files strings specify the file paths to skip traversal - --skip-java-db-update skip updating Java index database - --skip-policy-update skip fetching rego policy updates - --slow scan over time with lower CPU and memory utilization - --tag string pass the tag name to be scanned - -t, --template string output template - --tf-exclude-downloaded-modules remove results for downloaded modules in .terraform folder - --tf-vars strings specify paths to override the Terraform tfvars files - --token string for authentication in client/server mode - --token-header string specify a header name for token in client/server mode (default "Trivy-Token") - --trace enable more verbose trace output for custom queries - 
--username strings username. Comma-separated usernames allowed. - --vuln-type strings comma-separated list of vulnerability types (os,library) (default [os,library]) + --branch string pass the branch name to be scanned + --cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs") + --cache-ttl duration cache TTL when using redis as cache backend + --clear-cache clear image caches without scanning + --commit string pass the commit hash to be scanned + --config-data strings specify paths from which data for the Rego policies will be recursively loaded + --config-policy strings specify the paths to the Rego policy files or to the directories containing them, applying config files + --custom-headers strings custom headers in client mode + --db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db") + --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages + --download-db-only download/update vulnerability database but don't run a scan + --download-java-db-only download/update Java index database but don't run a scan + --enable-modules strings [EXPERIMENTAL] module names to enable + --exit-code int specify exit code when any security issues are found + --file-patterns strings specify config file patterns + -f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table") + --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) + --helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2) + --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) + --helm-values strings specify paths to override the Helm values.yaml files + -h, --help help for 
repository + --ignore-policy string specify the Rego file path to evaluate each vulnerability + --ignore-unfixed display only fixed vulnerabilities + --ignored-licenses strings specify a list of license to ignore + --ignorefile string specify .trivyignore file (default ".trivyignore") + --include-dev-deps include development dependencies in the report (supported: npm, yarn) + --include-non-failures include successes and exceptions, available with '--scanners config' + --java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db") + --license-confidence-level float specify license classifier's confidence level (default 0.9) + --license-full eagerly look for licenses in source code headers and license files + --list-all-pkgs enabling the option will output all packages regardless of vulnerability + --module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules") + --no-progress suppress progress bar + --offline-scan do not issue API requests to identify dependencies + -o, --output string output file name + --password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons. 
+ --policy-bundle-repository string OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/defsec:0") + --policy-namespaces strings Rego namespaces + --redis-ca string redis ca file location, if using redis as cache backend + --redis-cert string redis certificate file location, if using redis as cache backend + --redis-key string redis key file location, if using redis as cache backend + --redis-tls enable redis TLS with public certificates, if using redis as cache backend + --registry-token string registry token + --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev") + --reset remove all caches and database + --reset-policy-bundle remove policy bundle + --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor) + --scanners strings comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret]) + --secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml") + --server string server address in client mode + -s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL]) + --skip-db-update skip updating vulnerability database + --skip-dirs strings specify the directories where the traversal is skipped + --skip-files strings specify the file paths to skip traversal + --skip-java-db-update skip updating Java index database + --skip-policy-update skip fetching rego policy updates + --slow scan over time with lower CPU and memory utilization + --tag string pass the tag name to be scanned + -t, --template string output template + --tf-exclude-downloaded-modules remove results for downloaded modules in .terraform folder + --tf-vars strings specify paths to override the Terraform tfvars files + --token string for authentication in client/server mode + --token-header string specify a header name for 
token in client/server mode (default "Trivy-Token") + --trace enable more verbose trace output for custom queries + --username strings username. Comma-separated usernames allowed. + --vuln-type strings comma-separated list of vulnerability types (os,library) (default [os,library]) ``` ### Options inherited from parent commands diff --git a/docs/docs/references/configuration/cli/trivy_rootfs.md b/docs/docs/references/configuration/cli/trivy_rootfs.md index 384dde985235..ef3708827371 100644 --- a/docs/docs/references/configuration/cli/trivy_rootfs.md +++ b/docs/docs/references/configuration/cli/trivy_rootfs.md 
@@ -22,68 +22,69 @@ trivy rootfs [flags] ROOTDIR ### Options ``` - --cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs") - --cache-ttl duration cache TTL when using redis as cache backend - --clear-cache clear image caches without scanning - --config-data strings specify paths from which data for the Rego policies will be recursively loaded - --config-policy strings specify the paths to the Rego policy files or to the directories containing them, applying config files - --custom-headers strings custom headers in client mode - --db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db") - --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages - --download-db-only download/update vulnerability database but don't run a scan - --download-java-db-only download/update Java index database but don't run a scan - --enable-modules strings [EXPERIMENTAL] module names to enable - --exit-code int specify exit code when any security issues are found - --exit-on-eol int exit with the specified code when the OS reaches end of service/life - --file-patterns strings specify config file patterns - -f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table") - --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) - --helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2) - --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) - --helm-values strings specify paths to override the Helm values.yaml files - -h, --help help for rootfs - --ignore-policy string specify the Rego file path to evaluate each vulnerability - --ignore-unfixed display only 
fixed vulnerabilities - --ignored-licenses strings specify a list of license to ignore - --ignorefile string specify .trivyignore file (default ".trivyignore") - --include-non-failures include successes and exceptions, available with '--scanners config' - --java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db") - --license-confidence-level float specify license classifier's confidence level (default 0.9) - --license-full eagerly look for licenses in source code headers and license files - --list-all-pkgs enabling the option will output all packages regardless of vulnerability - --module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules") - --no-progress suppress progress bar - --offline-scan do not issue API requests to identify dependencies - -o, --output string output file name - --password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons. 
- --policy-namespaces strings Rego namespaces - --redis-ca string redis ca file location, if using redis as cache backend - --redis-cert string redis certificate file location, if using redis as cache backend - --redis-key string redis key file location, if using redis as cache backend - --redis-tls enable redis TLS with public certificates, if using redis as cache backend - --registry-token string registry token - --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev") - --reset remove all caches and database - --reset-policy-bundle remove policy bundle - --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor) - --scanners strings comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret]) - --secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml") - --server string server address in client mode - -s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL]) - --skip-db-update skip updating vulnerability database - --skip-dirs strings specify the directories where the traversal is skipped - --skip-files strings specify the file paths to skip traversal - --skip-java-db-update skip updating Java index database - --skip-policy-update skip fetching rego policy updates - --slow scan over time with lower CPU and memory utilization - -t, --template string output template - --tf-exclude-downloaded-modules remove results for downloaded modules in .terraform folder - --tf-vars strings specify paths to override the Terraform tfvars files - --token string for authentication in client/server mode - --token-header string specify a header name for token in client/server mode (default "Trivy-Token") - --trace enable more verbose trace output for custom queries - --username strings username. 
Comma-separated usernames allowed. - --vuln-type strings comma-separated list of vulnerability types (os,library) (default [os,library]) + --cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs") + --cache-ttl duration cache TTL when using redis as cache backend + --clear-cache clear image caches without scanning + --config-data strings specify paths from which data for the Rego policies will be recursively loaded + --config-policy strings specify the paths to the Rego policy files or to the directories containing them, applying config files + --custom-headers strings custom headers in client mode + --db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db") + --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages + --download-db-only download/update vulnerability database but don't run a scan + --download-java-db-only download/update Java index database but don't run a scan + --enable-modules strings [EXPERIMENTAL] module names to enable + --exit-code int specify exit code when any security issues are found + --exit-on-eol int exit with the specified code when the OS reaches end of service/life + --file-patterns strings specify config file patterns + -f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table") + --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) + --helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2) + --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) + --helm-values strings specify paths to override the Helm values.yaml files + -h, --help help for rootfs + --ignore-policy string specify the Rego 
file path to evaluate each vulnerability + --ignore-unfixed display only fixed vulnerabilities + --ignored-licenses strings specify a list of license to ignore + --ignorefile string specify .trivyignore file (default ".trivyignore") + --include-non-failures include successes and exceptions, available with '--scanners config' + --java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db") + --license-confidence-level float specify license classifier's confidence level (default 0.9) + --license-full eagerly look for licenses in source code headers and license files + --list-all-pkgs enabling the option will output all packages regardless of vulnerability + --module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules") + --no-progress suppress progress bar + --offline-scan do not issue API requests to identify dependencies + -o, --output string output file name + --password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons. 
+ --policy-bundle-repository string OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/defsec:0") + --policy-namespaces strings Rego namespaces + --redis-ca string redis ca file location, if using redis as cache backend + --redis-cert string redis certificate file location, if using redis as cache backend + --redis-key string redis key file location, if using redis as cache backend + --redis-tls enable redis TLS with public certificates, if using redis as cache backend + --registry-token string registry token + --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev") + --reset remove all caches and database + --reset-policy-bundle remove policy bundle + --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor) + --scanners strings comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret]) + --secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml") + --server string server address in client mode + -s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL]) + --skip-db-update skip updating vulnerability database + --skip-dirs strings specify the directories where the traversal is skipped + --skip-files strings specify the file paths to skip traversal + --skip-java-db-update skip updating Java index database + --skip-policy-update skip fetching rego policy updates + --slow scan over time with lower CPU and memory utilization + -t, --template string output template + --tf-exclude-downloaded-modules remove results for downloaded modules in .terraform folder + --tf-vars strings specify paths to override the Terraform tfvars files + --token string for authentication in client/server mode + --token-header string specify a header name for token in client/server mode (default 
"Trivy-Token") + --trace enable more verbose trace output for custom queries + --username strings username. Comma-separated usernames allowed. + --vuln-type strings comma-separated list of vulnerability types (os,library) (default [os,library]) ``` ### Options inherited from parent commands diff --git a/docs/docs/references/configuration/cli/trivy_vm.md b/docs/docs/references/configuration/cli/trivy_vm.md index e7cdc65eaef5..37c71009a905 100644 --- a/docs/docs/references/configuration/cli/trivy_vm.md +++ b/docs/docs/references/configuration/cli/trivy_vm.md 
@@ -20,59 +20,60 @@ trivy vm [flags] VM_IMAGE ### Options ``` - --aws-region string AWS region to scan - --cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs") - --cache-ttl duration cache TTL when using redis as cache backend - --clear-cache clear image caches without scanning - --compliance string compliance report to generate - --custom-headers strings custom headers in client mode - --db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db") - --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages - --download-db-only download/update vulnerability database but don't run a scan - --download-java-db-only download/update Java index database but don't run a scan - --enable-modules strings [EXPERIMENTAL] module names to enable - --exit-code int specify exit code when any security issues are found - --exit-on-eol int exit with the specified code when the OS reaches end of service/life - --file-patterns strings specify config file patterns - -f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table") - --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) - --helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2) - --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) - --helm-values strings specify paths to override the Helm values.yaml files - -h, --help help for vm - --ignore-policy string specify the Rego file path to evaluate each vulnerability - --ignore-unfixed display only fixed vulnerabilities - --ignorefile string specify .trivyignore file (default ".trivyignore") - --include-non-failures include successes and 
exceptions, available with '--scanners config' - --java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db") - --list-all-pkgs enabling the option will output all packages regardless of vulnerability - --module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules") - --no-progress suppress progress bar - --offline-scan do not issue API requests to identify dependencies - -o, --output string output file name - --redis-ca string redis ca file location, if using redis as cache backend - --redis-cert string redis certificate file location, if using redis as cache backend - --redis-key string redis key file location, if using redis as cache backend - --redis-tls enable redis TLS with public certificates, if using redis as cache backend - --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev") - --reset remove all caches and database - --reset-policy-bundle remove policy bundle - --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor) - --scanners strings comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret]) - --secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml") - --server string server address in client mode - -s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL]) - --skip-db-update skip updating vulnerability database - --skip-dirs strings specify the directories where the traversal is skipped - --skip-files strings specify the file paths to skip traversal - --skip-java-db-update skip updating Java index database - --slow scan over time with lower CPU and memory utilization - -t, --template string output template - --tf-exclude-downloaded-modules remove results for downloaded modules 
in .terraform folder - --tf-vars strings specify paths to override the Terraform tfvars files - --token string for authentication in client/server mode - --token-header string specify a header name for token in client/server mode (default "Trivy-Token") - --vuln-type strings comma-separated list of vulnerability types (os,library) (default [os,library]) + --aws-region string AWS region to scan + --cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs") + --cache-ttl duration cache TTL when using redis as cache backend + --clear-cache clear image caches without scanning + --compliance string compliance report to generate + --custom-headers strings custom headers in client mode + --db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db") + --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages + --download-db-only download/update vulnerability database but don't run a scan + --download-java-db-only download/update Java index database but don't run a scan + --enable-modules strings [EXPERIMENTAL] module names to enable + --exit-code int specify exit code when any security issues are found + --exit-on-eol int exit with the specified code when the OS reaches end of service/life + --file-patterns strings specify config file patterns + -f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table") + --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) + --helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2) + --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) + --helm-values strings specify paths to override the Helm values.yaml 
files + -h, --help help for vm + --ignore-policy string specify the Rego file path to evaluate each vulnerability + --ignore-unfixed display only fixed vulnerabilities + --ignorefile string specify .trivyignore file (default ".trivyignore") + --include-non-failures include successes and exceptions, available with '--scanners config' + --java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db") + --list-all-pkgs enabling the option will output all packages regardless of vulnerability + --module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules") + --no-progress suppress progress bar + --offline-scan do not issue API requests to identify dependencies + -o, --output string output file name + --policy-bundle-repository string OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/defsec:0") + --redis-ca string redis ca file location, if using redis as cache backend + --redis-cert string redis certificate file location, if using redis as cache backend + --redis-key string redis key file location, if using redis as cache backend + --redis-tls enable redis TLS with public certificates, if using redis as cache backend + --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev") + --reset remove all caches and database + --reset-policy-bundle remove policy bundle + --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor) + --scanners strings comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret]) + --secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml") + --server string server address in client mode + -s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL]) + 
--skip-db-update skip updating vulnerability database + --skip-dirs strings specify the directories where the traversal is skipped + --skip-files strings specify the file paths to skip traversal + --skip-java-db-update skip updating Java index database + --slow scan over time with lower CPU and memory utilization + -t, --template string output template + --tf-exclude-downloaded-modules remove results for downloaded modules in .terraform folder + --tf-vars strings specify paths to override the Terraform tfvars files + --token string for authentication in client/server mode + --token-header string specify a header name for token in client/server mode (default "Trivy-Token") + --vuln-type strings comma-separated list of vulnerability types (os,library) (default [os,library]) ``` ### Options inherited from parent commands diff --git a/pkg/cloud/aws/scanner/scanner.go b/pkg/cloud/aws/scanner/scanner.go index f76ca5dde6ff..78038dd5d4a8 100644 --- a/pkg/cloud/aws/scanner/scanner.go +++ b/pkg/cloud/aws/scanner/scanner.go @@ -68,7 +68,7 @@ func (s *AWSScanner) Scan(ctx context.Context, option flag.Options) (scan.Result var policyPaths []string var downloadedPolicyPaths []string var err error - downloadedPolicyPaths, err = operation.InitBuiltinPolicies(context.Background(), option.CacheDir, option.Quiet, option.SkipPolicyUpdate) + downloadedPolicyPaths, err = operation.InitBuiltinPolicies(context.Background(), option.CacheDir, option.Quiet, option.SkipPolicyUpdate, option.MisconfOptions.PolicyBundleRepository) if err != nil { if !option.SkipPolicyUpdate { log.Logger.Errorf("Falling back to embedded policies: %s", err) diff --git a/pkg/commands/app.go b/pkg/commands/app.go index b7717d365602..e8a5e2d44b52 100644 --- a/pkg/commands/app.go +++ b/pkg/commands/app.go 
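Review bot: The rewritten InitBuiltinPolicies call in Scan still passes `context.Background()` even though `ctx` is the method's first parameter, so cancellation or deadlines from the caller presumably never reach the bundle download; since the line is being changed anyway, `downloadedPolicyPaths, err = operation.InitBuiltinPolicies(ctx, option.CacheDir, option.Quiet, option.SkipPolicyUpdate, option.MisconfOptions.PolicyBundleRepository)` would close that gap, unless detaching from the caller is deliberate. The same pattern appears in initScannerConfig in pkg/commands/artifact/run.go, whose signature has no ctx, so it would need one threaded through. Scan's body continues outside the hunk.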
@@ -1205,7 +1205,7 @@ func showVersion(cacheDir, outputFormat, version string, w io.Writer) error {
 }
 
 var pbMeta *policy.Metadata
- pc, err := policy.NewClient(cacheDir, false)
+ pc, err := policy.NewClient(cacheDir, false, "")
 if pc != nil && err == nil {
 pbMeta, err = pc.GetMetadata()
 if err != nil {
diff --git a/pkg/commands/artifact/run.go b/pkg/commands/artifact/run.go
index 15bd16c59e7d..5b83c006e093 100644
--- a/pkg/commands/artifact/run.go
+++ b/pkg/commands/artifact/run.go
@@ -372,7 +372,7 @@ func (r *runner) initCache(opts flag.Options) error {
 }
 
 if opts.ResetPolicyBundle {
- c, err := policy.NewClient(fsutils.CacheDir(), true)
+ c, err := policy.NewClient(fsutils.CacheDir(), true, opts.MisconfOptions.PolicyBundleRepository)
 if err != nil {
 return xerrors.Errorf("failed to instantiate policy client: %w", err)
 }
@@ -566,7 +566,7 @@ func initScannerConfig(opts flag.Options, cacheClient cache.Cache) (ScannerConfi
 var downloadedPolicyPaths []string
 var disableEmbedded bool
 
- downloadedPolicyPaths, err := operation.InitBuiltinPolicies(context.Background(), opts.CacheDir, opts.Quiet, opts.SkipPolicyUpdate)
+ downloadedPolicyPaths, err := operation.InitBuiltinPolicies(context.Background(), opts.CacheDir, opts.Quiet, opts.SkipPolicyUpdate, opts.MisconfOptions.PolicyBundleRepository)
 if err != nil {
 if !opts.SkipPolicyUpdate {
 log.Logger.Errorf("Falling back to embedded policies: %s", err)
diff --git a/pkg/commands/operation/operation.go b/pkg/commands/operation/operation.go
index ed47d469d575..5ca8301b422d 100644
--- a/pkg/commands/operation/operation.go
+++ b/pkg/commands/operation/operation.go
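Review bot: showVersion passes a literal `""` as the new repository argument, so NewClient falls back to the default bundle reference here no matter what the user set with `--policy-bundle-repository`, while every other call site in this PR threads the configured value through. If, as the following `pc.GetMetadata()` suggests, this path only reads the bundle already cached under cacheDir, the empty value is harmless but deserves a comment such as `// repository is irrelevant here: only the cached bundle's metadata is read, nothing is fetched` so it is not mistaken for a missed call site; if metadata can trigger a download, the configured repository should be passed instead. showVersion's body continues outside the hunk.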
@@ -148,11 +148,11 @@ func showDBInfo(cacheDir string) error {
 }
 
 // InitBuiltinPolicies downloads the built-in policies and loads them
-func InitBuiltinPolicies(ctx context.Context, cacheDir string, quiet, skipUpdate bool) ([]string, error) {
+func InitBuiltinPolicies(ctx context.Context, cacheDir string, quiet, skipUpdate bool, policyBundleRepository string) ([]string, error) {
 mu.Lock()
 defer mu.Unlock()
 
- client, err := policy.NewClient(cacheDir, quiet)
+ client, err := policy.NewClient(cacheDir, quiet, policyBundleRepository)
 if err != nil {
 return nil, xerrors.Errorf("policy client error: %w", err)
 }
diff --git a/pkg/flag/misconf_flags.go b/pkg/flag/misconf_flags.go
index 7e858009e2f4..bf21b9aab642 100644
--- a/pkg/flag/misconf_flags.go
+++ b/pkg/flag/misconf_flags.go
@@ -1,5 +1,11 @@
 package flag
 
+import (
+ "fmt"
+
+ "github.com/aquasecurity/trivy/pkg/policy"
+)
+
 // e.g. config yaml:
 //
 // misconfiguration:
@@ -55,12 +61,19 @@ var (
 Default: false,
 Usage: "remove results for downloaded modules in .terraform folder",
 }
+ PolicyBundleRepositoryFlag = Flag{
+ Name: "policy-bundle-repository",
+ ConfigName: "misconfiguration.policy-bundle-repository",
+ Default: fmt.Sprintf("%s:%d", policy.BundleRepository, policy.BundleVersion),
+ Usage: "OCI registry URL to retrieve policy bundle from",
+ }
 )
 
 // MisconfFlagGroup composes common printer flag structs used for commands providing misconfinguration scanning.
 type MisconfFlagGroup struct {
- IncludeNonFailures *Flag
- ResetPolicyBundle *Flag
+ IncludeNonFailures *Flag
+ ResetPolicyBundle *Flag
+ PolicyBundleRepository *Flag
 
 // Values Files
 HelmValues *Flag
@@ -72,8 +85,9 @@ type MisconfFlagGroup struct {
 }
 
 type MisconfOptions struct {
- IncludeNonFailures bool
- ResetPolicyBundle bool
+ IncludeNonFailures bool
+ ResetPolicyBundle bool
+ PolicyBundleRepository string
 
 // Values Files
 HelmValues []string
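Review bot: The doc comment on InitBuiltinPolicies was not updated for the new policyBundleRepository parameter, and this is the seam every scan-time caller goes through, so the contract should be stated here: `// InitBuiltinPolicies downloads the built-in policies from policyBundleRepository (an OCI reference; an empty value selects the default bundle in policy.NewClient) and loads them`. The empty-string fallback lives in policy.NewClient rather than in this function, so the comment should point there rather than restate the default value. The function body continues outside the hunk.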
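Review bot: The Usage string on PolicyBundleRepositoryFlag says "OCI registry URL", but the default `ghcr.io/aquasecurity/defsec:0` is an OCI image reference (repository plus tag), not a URL, and the sibling `--db-repository` flag shown in this PR's docs describes the same kind of value as "OCI repository to retrieve trivy-db from"; `Usage: "OCI repository to retrieve policy bundle from",` would be accurate and consistent. The Default expression `fmt.Sprintf("%s:%d", policy.BundleRepository, policy.BundleVersion)` is duplicated verbatim in policy.NewClient's empty-value fallback, so exporting a single `policy.DefaultBundleRef()` (or a const) and using it in both places would keep the two from drifting. Because this value selects which Rego bundle is fetched and evaluated, the flag's documentation should also say that the configured repository is trusted to the same degree as the default one.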
@@ -86,8 +100,10 @@ type MisconfOptions struct {
 
 func NewMisconfFlagGroup() *MisconfFlagGroup {
 return &MisconfFlagGroup{
- IncludeNonFailures: &IncludeNonFailuresFlag,
- ResetPolicyBundle: &ResetPolicyBundleFlag,
+ IncludeNonFailures: &IncludeNonFailuresFlag,
+ ResetPolicyBundle: &ResetPolicyBundleFlag,
+ PolicyBundleRepository: &PolicyBundleRepositoryFlag,
+
 HelmValues: &HelmSetFlag,
 HelmFileValues: &HelmSetFileFlag,
 HelmStringValues: &HelmSetStringFlag,
@@ -105,6 +121,7 @@ func (f *MisconfFlagGroup) Flags() []*Flag {
 return []*Flag{
 f.IncludeNonFailures,
 f.ResetPolicyBundle,
+ f.PolicyBundleRepository,
 f.HelmValues,
 f.HelmValueFiles,
 f.HelmFileValues,
@@ -116,13 +133,14 @@ func (f *MisconfFlagGroup) Flags() []*Flag {
 
 func (f *MisconfFlagGroup) ToOptions() (MisconfOptions, error) {
 return MisconfOptions{
- IncludeNonFailures: getBool(f.IncludeNonFailures),
- ResetPolicyBundle: getBool(f.ResetPolicyBundle),
- HelmValues: getStringSlice(f.HelmValues),
- HelmValueFiles: getStringSlice(f.HelmValueFiles),
- HelmFileValues: getStringSlice(f.HelmFileValues),
- HelmStringValues: getStringSlice(f.HelmStringValues),
- TerraformTFVars: getStringSlice(f.TerraformTFVars),
- TfExcludeDownloaded: getBool(f.TerraformExcludeDownloaded),
+ IncludeNonFailures: getBool(f.IncludeNonFailures),
+ ResetPolicyBundle: getBool(f.ResetPolicyBundle),
+ PolicyBundleRepository: getString(f.PolicyBundleRepository),
+ HelmValues: getStringSlice(f.HelmValues),
+ HelmValueFiles: getStringSlice(f.HelmValueFiles),
+ HelmFileValues: getStringSlice(f.HelmFileValues),
+ HelmStringValues: getStringSlice(f.HelmStringValues),
+ TerraformTFVars: getStringSlice(f.TerraformTFVars),
+ TfExcludeDownloaded: getBool(f.TerraformExcludeDownloaded),
 }, nil
 }
diff --git a/pkg/policy/policy.go b/pkg/policy/policy.go
index d82289da3a73..ad154fc3eeb6 100644
--- a/pkg/policy/policy.go
+++ b/pkg/policy/policy.go
@@ -18,8 +18,8 @@ import (
 )
 
 const (
- bundleVersion = 0 // Latest released MAJOR version for defsec
- bundleRepository = "ghcr.io/aquasecurity/defsec"
+ BundleVersion = 0 // Latest released MAJOR version for defsec
+ BundleRepository = "ghcr.io/aquasecurity/defsec"
 policyMediaType = "application/vnd.cncf.openpolicyagent.layer.v1.tar+gzip"
 updateInterval = 24 * time.Hour
 )
@@ -49,8 +49,9 @@ type Option func(*options)
 // Client implements policy operations
 type Client struct {
 *options
- policyDir string
- quiet bool
+ policyDir string
+ policyBundleRepo string
+ quiet bool
 }
 
 // Metadata holds default policy metadata
@@ -60,7 +61,7 @@ type Metadata struct {
 }
 
 // NewClient is the factory method for policy client
-func NewClient(cacheDir string, quiet bool, opts ...Option) (*Client, error) {
+func NewClient(cacheDir string, quiet bool, policyBundleRepo string, opts ...Option) (*Client, error) {
 o := &options{
 clock: clock.RealClock{},
 }
@@ -69,17 +70,22 @@ func NewClient(cacheDir string, quiet bool, opts ...Option) (*Client, error) {
 opt(o)
 }
 
+ if policyBundleRepo == "" {
+ policyBundleRepo = fmt.Sprintf("%s:%d", BundleRepository, BundleVersion)
+ }
+
 return &Client{
- options: o,
- policyDir: filepath.Join(cacheDir, "policy"),
- quiet: quiet,
+ options: o,
+ policyDir: filepath.Join(cacheDir, "policy"),
+ policyBundleRepo: policyBundleRepo,
+ quiet: quiet,
 }, nil
 }
 
 func (c *Client) populateOCIArtifact() error {
 if c.artifact == nil {
- repo := fmt.Sprintf("%s:%d", bundleRepository, bundleVersion)
- art, err := oci.NewArtifact(repo, c.quiet, types.RegistryOptions{})
+ log.Logger.Debugf("Using URL: %s to load policy bundle", c.policyBundleRepo)
+ art, err := oci.NewArtifact(c.policyBundleRepo, c.quiet, types.RegistryOptions{})
 if err != nil {
 return xerrors.Errorf("OCI artifact error: %w", err)
 }
diff --git a/pkg/policy/policy_test.go b/pkg/policy/policy_test.go
index baf9501ceaf7..a72dca8ac89d 100644
--- a/pkg/policy/policy_test.go
+++ b/pkg/policy/policy_test.go
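Review bot: The cache location stays `filepath.Join(cacheDir, "policy")` regardless of which repository is passed, so a bundle already cached from the default repository will presumably keep being served after a user switches `--policy-bundle-repository`, until updateInterval elapses or `--reset-policy-bundle` is run (NeedsUpdate is outside this hunk). Either key the cache directory by repository, or store the source reference next to the cached bundle and treat a mismatch as needing an update; at minimum the flag docs should tell operators to reset the bundle when changing repositories. The debug line `"Using URL: %s to load policy bundle"` also calls the value a URL although it is an OCI reference handed straight to oci.NewArtifact; `log.Logger.Debugf("Using policy bundle %q", c.policyBundleRepo)` is accurate and %q makes an empty or whitespace-only value visible in logs. None of the updated tests in policy_test.go pass a non-empty reference, so the fallback branch and the pass-through to oci.NewArtifact are both unexercised. populateOCIArtifact's body continues outside the hunk.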
@@ -119,7 +119,7 @@ func TestClient_LoadBuiltinPolicies(t *testing.T) {
 art, err := oci.NewArtifact("repo", true, ftypes.RegistryOptions{}, oci.WithImage(img))
 require.NoError(t, err)
 
- c, err := policy.NewClient(tt.cacheDir, true, policy.WithOCIArtifact(art))
+ c, err := policy.NewClient(tt.cacheDir, true, "", policy.WithOCIArtifact(art))
 require.NoError(t, err)
 
 got, err := c.LoadBuiltinPolicies()
@@ -260,7 +260,7 @@ func TestClient_NeedsUpdate(t *testing.T) {
 art, err := oci.NewArtifact("repo", true, ftypes.RegistryOptions{}, oci.WithImage(img))
 require.NoError(t, err)
 
- c, err := policy.NewClient(tmpDir, true, policy.WithOCIArtifact(art), policy.WithClock(tt.clock))
+ c, err := policy.NewClient(tmpDir, true, "", policy.WithOCIArtifact(art), policy.WithClock(tt.clock))
 require.NoError(t, err)
 
 // Assert results
@@ -364,7 +364,7 @@ func TestClient_DownloadBuiltinPolicies(t *testing.T) {
 art, err := oci.NewArtifact("repo", true, ftypes.RegistryOptions{}, oci.WithImage(img))
 require.NoError(t, err)
 
- c, err := policy.NewClient(tempDir, true, policy.WithClock(tt.clock), policy.WithOCIArtifact(art))
+ c, err := policy.NewClient(tempDir, true, "", policy.WithClock(tt.clock), policy.WithOCIArtifact(art))
 require.NoError(t, err)
 
 err = c.DownloadBuiltinPolicies(context.Background())
@@ -394,7 +394,7 @@ func TestClient_Clear(t *testing.T) {
 err := os.MkdirAll(filepath.Join(cacheDir, "policy"), 0755)
 require.NoError(t, err)
 
- c, err := policy.NewClient(cacheDir, true)
+ c, err := policy.NewClient(cacheDir, true, "")
 require.NoError(t, err)
 require.NoError(t, c.Clear())
 }