chore(docs): add AWS Security Hub (#598)

* chore(docs): add AWS Security Hub * Update docs/integration/security-hub.md Co-authored-by: Simarpreet Singh <simar@linux.com> * Update README.md Co-authored-by: Liz Rice <liz@lizrice.com> Co-authored-by: Simarpreet Singh <simar@linux.com> Co-authored-by: Liz Rice <liz@lizrice.com>
2025-12-12 15:50:15 -08:00 · 2020-08-19 13:19:24 +03:00
parent 3a54e5b644
commit 80d5df0ceb
2 changed files with 36 additions and 6 deletions
--- a/README.md
+++ b/README.md
@@ -67,6 +67,7 @@ A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifa
  * [CircleCI](#circleci)
  * [GitLab CI](#gitlab-ci)
  * [AWS CodePipeline](#aws-codepipeline)
+  * [AWS Security Hub](#aws-security-hub)
  * [Authorization for Private Docker Registry](#authorization-for-private-docker-registry)
 - [Vulnerability Detection](#vulnerability-detection)
  * [OS Packages](#os-packages)
@@ -900,13 +901,9 @@ In the following example using the template `sarif.tpl` [Sarif](https://docs.git
 ```
 $ trivy image --format template --template "@contrib/sarif.tpl" -o report.sarif  golang:1.12-alpine
 ```
+This SARIF format can be uploaded to GitHub code scanning results, and there is a [Trivy GitHub Action](https://github.com/aquasecurity/trivy-action) for automating this process.

-In the following example using the template `asff.tpl` [ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) can be generated.
-```
-$ AWS_REGION=us-west AWS_ACCOUNT_ID=123456789012 trivy image --format template --template "@contrib/asff.tpl" -o report.asff  golang:1.12-alpine
-```
-ASFF template needs AWS_REGION and AWS_ACCOUNT_ID from environment variables.
-
+Trivy also supports an [ASFF template for reporting findings to AWS Security Hub](docs/integration/security-hub.md)
 ### Filter the vulnerabilities by severities

 ```
@@ -1569,6 +1566,10 @@ trivy:

 See [this blog post](https://aws.amazon.com/blogs/containers/scanning-images-with-trivy-in-an-aws-codepipeline/) for an example of using Trivy within AWS CodePipeline.

+## AWS Security Hub
+
+See [here](docs/integration/security-hub.md)
+
 ## Authorization for Private Docker Registry

 Trivy can download images from a private registry, without installing `Docker` or any other 3rd party tools.
--- a/docs/integration/security-hub.md
+++ b/docs/integration/security-hub.md
@@ -0,0 +1,29 @@
+# AWS Security Hub
+
+## Upload findings to Security Hub
+
+In the following example using the template `asff.tpl`, [ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) file can be generated.
+
+```
+$ AWS_REGION=us-west-1 AWS_ACCOUNT_ID=123456789012 trivy image --format template --template "@contrib/asff.tpl" -o report.asff golang:1.12-alpine
+```
+
+ASFF template needs AWS_REGION and AWS_ACCOUNT_ID from environment variables.
+
+Then, you can upload it with AWS CLI.
+
+```
+$ aws securityhub batch-import-findings --findings file://report.asff
+```
+
+## Customize
+You can customize [asff.tpl](../../contrib/asff.tpl).
+
+```
+$ export AWS_REGION=us-west-1
+$ export AWS_ACCOUNT_ID=123456789012
+$ trivy image --format template --template "@your-asff.tpl" -o report.asff golang:1.12-alpine
+```
+
+## Reference
+https://aws.amazon.com/blogs/security/how-to-build-ci-cd-pipeline-container-vulnerability-scanning-trivy-and-aws-security-hub/