mirror of
https://github.com/aquasecurity/trivy.git
synced 2025-12-12 15:50:15 -08:00
Deployed f10527998 to v0.44 with MkDocs 1.3.0 and mike 1.1.2
@@ -3521,8 +3521,8 @@ Total: <span class="m">7</span> <span class="o">(</span>UNKNOWN: <span class="m"
<p>Trivy supports Open Policy Agent (OPA) to filter vulnerabilities.
You can specify a Rego file with <code>--ignore-policy</code> option.</p>
<p>The Rego package name must be <code>trivy</code> and it must include a rule called <code>ignore</code> which determines if each individual vulnerability should be excluded (ignore=true) or not (ignore=false). In the policy, each vulnerability will be available for inspection as the <code>input</code> variable. The structure of each vulnerability input is the same as for the Trivy JSON output.<br />
There is a built-in Rego library with helper functions that you can import into your policy using: <code>import data.lib.trivy</code>. For more info about the helper functions, look at the library <a href="https://github.com/aquasecurity/trivy/tree/v0.44.0/pkg/result/module.go">here</a></p>
<p>To get started, see the <a href="https://github.com/aquasecurity/trivy/tree/v0.44.0/contrib/example_policy">example policy</a>.</p>
There is a built-in Rego library with helper functions that you can import into your policy using: <code>import data.lib.trivy</code>. For more info about the helper functions, look at the library <a href="https://github.com/aquasecurity/trivy/tree/v0.44.1/pkg/result/module.go">here</a></p>
<p>To get started, see the <a href="https://github.com/aquasecurity/trivy/tree/v0.44.1/contrib/example_policy">example policy</a>.</p>
<div class="highlight"><pre><span></span><code>$ trivy image --ignore-policy contrib/example_policy/basic.rego centos:7
</code></pre></div>
<details>
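Review bot: the two links in this hunk (the helper library at `pkg/result/module.go` and `contrib/example_policy`) move from the v0.44.0 tag to v0.44.1 together, which is the right way to do it: a policy whose `ignore` rule returns true drops the finding from the report entirely, so the example a reader copies should match the release they actually run. Two small things in the same block: the sentence "There is a built-in Rego library with helper functions ..." is glued to the previous paragraph with a `<br />` instead of getting its own `<p>`, and the sample `trivy image --ignore-policy contrib/example_policy/basic.rego centos:7` assumes the reader is inside a checkout of the repository; saying so would save a "file not found" for people running the released binary.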
@@ -3100,13 +3100,23 @@ You're not viewing the latest version.
</tbody>
</table>
<p>By default, Trivy traverses directories and searches for all necessary files for scanning.
You can skip files that you don't maintain using the <code>--skip-files</code> flag.</p>
<div class="highlight"><pre><span></span><code>$ trivy image --skip-files "/Gemfile.lock" --skip-files "/var/lib/gems/2.5.0/gems/http_parser.rb-0.6.0/Gemfile.lock" quay.io/fluentd_elasticsearch/fluentd:v2.9.0
</code></pre></div>
You can skip files that you don't maintain using the <code>--skip-files</code> flag, or the equivalent Trivy YAML config option.</p>
<p>Using the <code>--skip-files</code> flag:
<div class="highlight"><pre><span></span><code>$ trivy image --skip-files <span class="s2">"/Gemfile.lock"</span> --skip-files <span class="s2">"/var/lib/gems/2.5.0/gems/http_parser.rb-0.6.0/Gemfile.lock"</span> quay.io/fluentd_elasticsearch/fluentd:v2.9.0
</code></pre></div></p>
<p>Using the Trivy YAML configuration:
<div class="highlight"><pre><span></span><code><span class="nt">image</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">skip-files</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">foo</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="s">"testdata/*/bar"</span><span class="w"></span>
</code></pre></div></p>
<p>It's possible to specify globs as part of the value.</p>
<div class="highlight"><pre><span></span><code>$ trivy image --skip-files <span class="s2">"./testdata/*/bar"</span> .
</code></pre></div>
<p>Will skip any file named <code>bar</code> in the subdirectories of testdata.</p>
<p>This will skip any file named <code>bar</code> in the subdirectories of testdata.</p>
<div class="highlight"><pre><span></span><code>$ trivy config --skip-files <span class="s2">"./foo/**/*.tf"</span> .
</code></pre></div>
<p>This will skip any files with the extension <code>.tf</code> in subdirectories of foo at any depth.</p>
<h2 id="skip-directories">Skip Directories</h2>
<table>
<thead>
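Review bot: the new "Using the `--skip-files` flag:" and "Using the Trivy YAML configuration:" paragraphs wrap their `<div class="highlight">` code blocks inside a `<p>`, which is why the rendered output ends in `</code></pre></div></p>`; in the Markdown source a blank line is needed between the "Using ...:" line and the fenced block so MkDocs emits the block outside the paragraph (browsers auto-close the `<p>` at the `<div>` and leave a stray `</p>`). On content: the YAML example lists `foo` and `"testdata/*/bar"` under `image:`, while the CLI examples use `"./testdata/*/bar"` and `"./foo/**/*.tf"` with a leading `./`; the page should say whether the leading `./` matters and what the patterns are resolved against, otherwise the two forms look like they mean different things. Since the YAML key is `image:`, it is also worth stating whether that block applies to the `trivy config --skip-files "./foo/**/*.tf" .` example that follows or only to `trivy image`.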
@@ -3135,22 +3145,33 @@ You can skip files that you don't maintain using the <code>--skip-files</code> f
</tbody>
</table>
<p>By default, Trivy traverses directories and searches for all necessary files for scanning.
You can skip directories that you don't maintain using the <code>--skip-dirs</code> flag.</p>
<div class="highlight"><pre><span></span><code>$ trivy image --skip-dirs /var/lib/gems/2.5.0/gems/fluent-plugin-detect-exceptions-0.0.13 --skip-dirs "/var/lib/gems/2.5.0/gems/http_parser.rb-0.6.0" quay.io/fluentd_elasticsearch/fluentd:v2.9.0
</code></pre></div>
You can skip directories that you don't maintain using the <code>--skip-dirs</code> flag, or the equivalent Trivy YAML config option.</p>
<p>Using the <code>--skip-dirs</code> flag:
<div class="highlight"><pre><span></span><code>$ trivy image --skip-dirs /var/lib/gems/2.5.0/gems/fluent-plugin-detect-exceptions-0.0.13 --skip-dirs <span class="s2">"/var/lib/gems/2.5.0/gems/http_parser.rb-0.6.0"</span> quay.io/fluentd_elasticsearch/fluentd:v2.9.0
</code></pre></div></p>
<p>Using the Trivy YAML configuration:
<div class="highlight"><pre><span></span><code><span class="nt">image</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">skip-dirs</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">foo/bar/</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="s">"**/.terraform"</span><span class="w"></span>
</code></pre></div></p>
<p>It's possible to specify globs as part of the value.</p>
<div class="highlight"><pre><span></span><code>$ trivy image --skip-dirs <span class="s2">"./testdata/*"</span> .
</code></pre></div>
<p>Will skip all subdirectories of the testdata directory.</p>
<p>This will skip all subdirectories of the testdata directory.</p>
<div class="highlight"><pre><span></span><code>$ trivy config --skip-dirs <span class="s2">"**/.terraform"</span> .
</code></pre></div>
<p>This will skip subdirectories at any depth named <code>.terraform/</code>. (Note: this will match <code>./foo/.terraform</code> or
<code>./foo/bar/.terraform</code>, but not <code>./.terraform</code>.)</p>
<div class="admonition tip">
<p class="admonition-title">Tip</p>
<p>Glob patterns work with any trivy subcommand (image, config, etc.) and can be specified to skip both directories (with <code>--skip-dirs</code>) and files (with <code>--skip-files</code>).</p>
</div>
<h3 id="advanced-globbing">Advanced globbing</h3>
<p>Trivy also supports the <a href="https://www.gnu.org/savannah-checkouts/gnu/bash/manual/bash.html#Pattern-Matching">globstar</a> pattern matching. </p>
<p>Trivy also supports bash style <a href="https://www.gnu.org/savannah-checkouts/gnu/bash/manual/bash.html#Pattern-Matching">extended</a> glob pattern matching.</p>
<div class="highlight"><pre><span></span><code>$ trivy image --skip-files <span class="s2">"**/foo"</span> image:tag
</code></pre></div>
<p>Will skip the file <code>foo</code> that happens to be nested under any parent(s). </p>
<p>This will skip the file <code>foo</code> that happens to be nested under any parent(s). </p>
<h2 id="file-patterns">File patterns</h2>
<table>
<thead>
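Review bot: the `**/.terraform` note is the most important line in this hunk and deserves more than a parenthetical: `**/` matches `./foo/.terraform` and `./foo/bar/.terraform` but not `./.terraform`, so a user who also wants the top-level directory excluded needs a second entry (`.terraform` or `./.terraform`); a reader who skims past the "(Note: ...)" will ship a config that still scans the root one. The Advanced globbing example `--skip-files "**/foo"` is described as skipping `foo` "nested under any parent(s)", which reads as if a top-level `foo` were covered as well; if the same matcher applies, add the same "but not `./foo`" qualifier there, or explain once that `**/` requires at least one directory component. The YAML example also mixes `foo/bar/` (trailing slash) with `"**/.terraform"` (none); say whether trailing slashes are normalized and use one form. Same rendering issue as the Skip Files section: the "Using ...:" blocks end in `</div></p>` because the fenced block sits inside the paragraph in the Markdown source.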
@@ -3186,7 +3207,7 @@ For example, it may be useful when your file name of Dockerfile doesn't match th
<p>A file pattern contains the analyzer it is used for, and the pattern itself, joined by a semicolon. For example:
<div class="highlight"><pre><span></span><code>--file-patterns "dockerfile:.*.docker" --file-patterns "kubernetes:*.tpl" --file-patterns "pip:requirements-.*\.txt"
</code></pre></div></p>
<p>The prefixes are listed <a href="https://github.com/aquasecurity/trivy/tree/d19c7d9f292759848aa77109357b405a64716c78/pkg/fanal/analyzer/const.go">here</a></p>
<p>The prefixes are listed <a href="https://github.com/aquasecurity/trivy/tree/f1052799894cc8a8480ff28e1c717a9d811876a2/pkg/fanal/analyzer/const.go">here</a></p>
</article>
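Review bot: the link to `pkg/fanal/analyzer/const.go` moves from commit d19c7d9f... to f1052799..., the commit this deploy is built from, so the prefix list a reader lands on matches the documented version. Unrelated to the change but in the visible context: the three examples in `--file-patterns "dockerfile:.*.docker" --file-patterns "kubernetes:*.tpl" --file-patterns "pip:requirements-.*\.txt"` are inconsistent about pattern syntax. If these are regular expressions, as `requirements-.*\.txt` suggests, then `.*.docker` leaves the dot before `docker` unescaped (it matches any character) and `*.tpl` is not a valid expression at all (a leading `*` has nothing to repeat); `.*\.docker` and `.*\.tpl` would be the consistent forms. If some analyzers take globs instead, the text should say which.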
@@ -3106,8 +3106,8 @@ You're not viewing the latest version.
--report string specify a compliance report format for the output (all,summary) (default "all")
--reset-policy-bundle remove policy bundle
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--skip-dirs strings specify the directories where the traversal is skipped
--skip-files strings specify the file paths to skip traversal
--skip-dirs strings specify the directories or glob patterns to skip
--skip-files strings specify the files or glob patterns to skip
--skip-policy-update skip fetching rego policy updates
-t, --template string output template
--tf-exclude-downloaded-modules remove results for downloaded modules in .terraform folder
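Review bot: the help text for `--skip-dirs` and `--skip-files` changes from "specify the directories where the traversal is skipped" / "specify the file paths to skip traversal" to "specify the directories or glob patterns to skip" / "specify the files or glob patterns to skip", which matches the new Skip Files / Skip Directories documentation. Two suggestions for the flag description itself, since `--help` is where most people will read it: mention that `**` is supported (the docs call it bash-style extended globbing) and state what patterns are matched against, otherwise users will keep passing absolute in-image paths like `/var/lib/gems/...` next to patterns like `**/.terraform` without knowing whether both are interpreted the same way. The identical wording change is applied to the reference pages of the other subcommands below, so the two flags stay consistent across the CLI.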
@@ -3149,8 +3149,8 @@ You're not viewing the latest version.
--server string server address in client mode
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--skip-db-update skip updating vulnerability database
--skip-dirs strings specify the directories where the traversal is skipped
--skip-files strings specify the file paths to skip traversal
--skip-dirs strings specify the directories or glob patterns to skip
--skip-files strings specify the files or glob patterns to skip
--skip-java-db-update skip updating Java index database
--skip-policy-update skip fetching rego policy updates
--slow scan over time with lower CPU and memory utilization
@@ -3170,8 +3170,8 @@ You're not viewing the latest version.
--server string server address in client mode
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--skip-db-update skip updating vulnerability database
--skip-dirs strings specify the directories where the traversal is skipped
--skip-files strings specify the file paths to skip traversal
--skip-dirs strings specify the directories or glob patterns to skip
--skip-files strings specify the files or glob patterns to skip
--skip-java-db-update skip updating Java index database
--skip-policy-update skip fetching rego policy updates
--slow scan over time with lower CPU and memory utilization
@@ -3158,8 +3158,8 @@ You're not viewing the latest version.
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--skip-db-update skip updating vulnerability database
--skip-dirs strings specify the directories where the traversal is skipped
--skip-files strings specify the file paths to skip traversal
--skip-dirs strings specify the directories or glob patterns to skip
--skip-files strings specify the files or glob patterns to skip
--skip-java-db-update skip updating Java index database
--skip-policy-update skip fetching rego policy updates
--slow scan over time with lower CPU and memory utilization
@@ -3146,8 +3146,8 @@ You're not viewing the latest version.
--server string server address in client mode
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--skip-db-update skip updating vulnerability database
--skip-dirs strings specify the directories where the traversal is skipped
--skip-files strings specify the file paths to skip traversal
--skip-dirs strings specify the directories or glob patterns to skip
--skip-files strings specify the files or glob patterns to skip
--skip-java-db-update skip updating Java index database
--skip-policy-update skip fetching rego policy updates
--slow scan over time with lower CPU and memory utilization
@@ -3150,8 +3150,8 @@ You're not viewing the latest version.
--server string server address in client mode
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--skip-db-update skip updating vulnerability database
--skip-dirs strings specify the directories where the traversal is skipped
--skip-files strings specify the file paths to skip traversal
--skip-dirs strings specify the directories or glob patterns to skip
--skip-files strings specify the files or glob patterns to skip
--skip-java-db-update skip updating Java index database
--skip-policy-update skip fetching rego policy updates
--slow scan over time with lower CPU and memory utilization
@@ -3128,8 +3128,8 @@ You're not viewing the latest version.
--server string server address in client mode
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--skip-db-update skip updating vulnerability database
--skip-dirs strings specify the directories where the traversal is skipped
--skip-files strings specify the file paths to skip traversal
--skip-dirs strings specify the directories or glob patterns to skip
--skip-files strings specify the files or glob patterns to skip
--skip-java-db-update skip updating Java index database
--slow scan over time with lower CPU and memory utilization
-t, --template string output template
@@ -3141,8 +3141,8 @@ You're not viewing the latest version.
--server string server address in client mode
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--skip-db-update skip updating vulnerability database
--skip-dirs strings specify the directories where the traversal is skipped
--skip-files strings specify the file paths to skip traversal
--skip-dirs strings specify the directories or glob patterns to skip
--skip-files strings specify the files or glob patterns to skip
--skip-java-db-update skip updating Java index database
--slow scan over time with lower CPU and memory utilization
-t, --template string output template
@@ -3217,7 +3217,7 @@ You're not viewing the latest version.
<h1 id="config-file">Config file</h1>
<p>Trivy can be customized by tweaking a <code>trivy.yaml</code> file.
The config path can be overridden by the <code>--config</code> flag.</p>
<p>An example is <a href="https://github.com/aquasecurity/trivy/tree/v0.44.0/examples/trivy-conf/trivy.yaml">here</a>.</p>
<p>An example is <a href="https://github.com/aquasecurity/trivy/tree/v0.44.1/examples/trivy-conf/trivy.yaml">here</a>.</p>
<h2 id="global-options">Global Options</h2>
<div class="highlight"><pre><span></span><code><span class="c1"># Same as '--quiet'</span><span class="w"></span>
<span class="c1"># Default is false</span><span class="w"></span>
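Review bot: the example `trivy.yaml` link moves from the v0.44.0 tag to v0.44.1, consistent with the `--ignore-policy` page in this same deploy. Since the page says the config path can be overridden with `--config`, it would help to state the default lookup location of `trivy.yaml` right here, so readers know which file is being picked up silently when no flag is given; the `# Same as '--quiet'` / `# Default is false` comment style in the Global Options block is a good pattern to keep for every key.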
@@ -3060,7 +3060,7 @@ exception[ns] {
</code></pre></div>
</div>
<p>This example exempts all built-in policies for Kubernetes.</p>
<p>For more details, see <a href="https://github.com/aquasecurity/trivy/tree/d19c7d9f292759848aa77109357b405a64716c78/examples/misconf/namespace-exception">an example</a>.</p>
<p>For more details, see <a href="https://github.com/aquasecurity/trivy/tree/f1052799894cc8a8480ff28e1c717a9d811876a2/examples/misconf/namespace-exception">an example</a>.</p>
<h2 id="rule-based-exceptions">Rule-based exceptions</h2>
<p>There are some cases where you need more flexibility and granularity in defining which cases to exempt.
Rule-based exceptions lets you granularly choose which individual rules to exempt, while also declaring under which conditions to exempt them.</p>
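Review bot: this link is pinned to the full commit hash f1052799... while the links updated in the same deploy on the `--ignore-policy` and config-file pages are pinned to the v0.44.1 tag; pick one convention for the docs (the tag is easier for readers to recognise, the hash is immutable). On the surrounding text: "This example exempts all built-in policies for Kubernetes" describes a namespace exception that switches off every Kubernetes check at once, so the sentence could point readers who only need to silence a single check to the Rule-based exceptions section introduced right below, where the scope of the exemption is narrower.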
@@ -3112,7 +3112,7 @@ exception[rules] {
</div>
<p>This exception is applied to <a href="https://github.com/aquasecurity/defsec/blob/master/internal/rules/kubernetes/policies/pss/restricted/3_runs_as_root.rego">KSV012</a> in defsec.
You can get the package names in the <a href="https://github.com/aquasecurity/defsec/">defsec repository</a> or the JSON output from Trivy.</p>
<p>For more details, see <a href="https://github.com/aquasecurity/trivy/tree/d19c7d9f292759848aa77109357b405a64716c78/examples/misconf/rule-exception">an example</a>.</p>
<p>For more details, see <a href="https://github.com/aquasecurity/trivy/tree/f1052799894cc8a8480ff28e1c717a9d811876a2/examples/misconf/rule-exception">an example</a>.</p>
</article>
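Review bot: the example link is pinned to commit f1052799..., but the `KSV012` link two lines above it points at `defsec/blob/master/...`, an unpinned branch: `internal/rules/kubernetes/policies/pss/restricted/3_runs_as_root.rego` can move or be renamed on master and the link will break while the rest of the page stays pinned. Link to the defsec tag or commit that this Trivy release vendors. The sentence "You can get the package names in the defsec repository or the JSON output from Trivy" would also be clearer with the exact field of the JSON output to read, since the exception matches on the package name and a near-miss silently exempts nothing.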