From 88702cfd5918b093defc5b5580f7cbf16f5f2417 Mon Sep 17 00:00:00 2001 From: simar7 <1254783+simar7@users.noreply.github.com> Date: Wed, 15 May 2024 19:14:51 -0600 Subject: [PATCH] feat(misconf): Add support for deprecating a check (#6664) 
Signed-off-by: Simar --- docs/docs/advanced/air-gap.md | 4 +- docs/docs/configuration/cache.md | 4 +- docs/docs/configuration/filtering.md | 2 +- docs/docs/coverage/iac/helm.md | 2 +- .../references/configuration/cli/trivy_aws.md | 1 + .../configuration/cli/trivy_config.md | 1 + .../configuration/cli/trivy_filesystem.md | 1 + .../configuration/cli/trivy_image.md | 1 + .../configuration/cli/trivy_kubernetes.md | 1 + .../configuration/cli/trivy_repository.md | 1 + .../configuration/cli/trivy_rootfs.md | 1 + .../references/configuration/config-file.md | 8 +- .../misconfiguration/check/exceptions.md | 8 +- .../scanner/misconfiguration/custom/data.md | 2 +- .../scanner/misconfiguration/custom/debug.md | 4 +- .../scanner/misconfiguration/custom/index.md | 9 +- .../scanner/misconfiguration/custom/schema.md | 12 +-- .../misconfiguration/custom/testing.md | 12 +-- docs/docs/scanner/misconfiguration/index.md | 16 +-- docs/docs/target/aws.md | 12 +-- .../additional-resources/community.md | 2 +- docs/tutorials/misconfiguration/terraform.md | 2 +- go.mod | 2 +- go.sum | 4 +- mkdocs.yml | 2 +- pkg/commands/artifact/run.go | 1 + pkg/flag/rego_flags.go | 50 +++++---- pkg/iac/rego/embed_test.go | 100 ++++++++++++++++++ pkg/iac/rego/load.go | 4 +- pkg/iac/rego/metadata.go | 8 ++ pkg/iac/rego/metadata_test.go | 17 +++ pkg/iac/rego/scanner.go | 43 +++++--- pkg/iac/rego/scanner_test.go | 75 +++++++++++++ pkg/iac/scan/flat.go | 2 + pkg/iac/scan/rule.go | 5 + pkg/iac/scanners/azure/arm/scanner.go | 2 + pkg/iac/scanners/cloudformation/scanner.go | 2 + pkg/iac/scanners/dockerfile/scanner.go | 2 + pkg/iac/scanners/helm/scanner.go | 2 + pkg/iac/scanners/json/scanner.go | 2 + pkg/iac/scanners/kubernetes/scanner.go | 2 + pkg/iac/scanners/options/scanner.go | 7 ++ pkg/iac/scanners/terraform/scanner.go | 2 + .../scanners/terraformplan/tfjson/scanner.go | 2 + pkg/iac/scanners/toml/scanner.go | 2 + pkg/iac/scanners/yaml/scanner.go | 2 + pkg/misconf/scanner.go | 2 + 47 files changed, 358 
insertions(+), 90 deletions(-) diff --git a/docs/docs/advanced/air-gap.md b/docs/docs/advanced/air-gap.md index 3cb7eff65c..171b80249e 100644 --- a/docs/docs/advanced/air-gap.md +++ b/docs/docs/advanced/air-gap.md @@ -129,8 +129,8 @@ $ trivy image --skip-db-update --skip-java-db-update --offline-scan alpine:3.12 No special measures are required to detect misconfigurations in an air-gapped environment. -### Run Trivy with `--skip-policy-update` option -In an air-gapped environment, specify `--skip-policy-update` so that Trivy doesn't attempt to download the latest misconfiguration policies. +### Run Trivy with `--skip-check-update` option +In an air-gapped environment, specify `--skip-check-update` so that Trivy doesn't attempt to download the latest misconfiguration checks. ``` $ trivy conf --skip-policy-update /path/to/conf diff --git a/docs/docs/configuration/cache.md b/docs/docs/configuration/cache.md index d8149f16cc..ff3a373c22 100644 --- a/docs/docs/configuration/cache.md +++ b/docs/docs/configuration/cache.md @@ -3,7 +3,7 @@ The cache directory includes - [Vulnerability Database][trivy-db][^1] - [Java Index Database][trivy-java-db][^2] -- [Misconfiguration Policies][misconf-policies][^3] +- [Misconfiguration Checks][misconf-checks][^3] - Cache of previous scans. The cache option is common to all scanners. @@ -70,7 +70,7 @@ $ trivy server --cache-backend redis://localhost:6379 \ [trivy-db]: ./db.md#vulnerability-database [trivy-java-db]: ./db.md#java-index-database -[misconf-policies]: ../scanner/misconfiguration/check/builtin.md +[misconf-checks]: ../scanner/misconfiguration/check/builtin.md [^1]: Downloaded when scanning for vulnerabilities [^2]: Downloaded when scanning `jar/war/par/ear` files diff --git a/docs/docs/configuration/filtering.md b/docs/docs/configuration/filtering.md index 965c2873c2..e3d38f3cdc 100644 --- a/docs/docs/configuration/filtering.md +++ b/docs/docs/configuration/filtering.md 
@@ -483,7 +483,7 @@ trivy image --ignore-policy contrib/example_policy/basic.rego centos:7 For more advanced use cases, there is a built-in Rego library with helper functions that you can import into your policy using: `import data.lib.trivy`. More info about the helper functions are in the library [here](https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/pkg/result/module.go). -You can find more example policies [here](https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/pkg/result/module.go) +You can find more example checks [here](https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/pkg/result/module.go) ### By Vulnerability Exploitability Exchange (VEX) | Scanner | Supported | diff --git a/docs/docs/coverage/iac/helm.md b/docs/docs/coverage/iac/helm.md index cc8ddc0656..8d0352fc42 100644 --- a/docs/docs/coverage/iac/helm.md +++ b/docs/docs/coverage/iac/helm.md @@ -11,7 +11,7 @@ The following scanners are supported. Trivy recursively searches directories and scans all found Helm files. It evaluates variables, functions, and other elements within Helm templates and resolve the chart to Kubernetes manifests then run the Kubernetes checks. -See [here](../../scanner/misconfiguration/check/builtin.md) for more details on the built-in policies. +See [here](../../scanner/misconfiguration/check/builtin.md) for more details on the built-in checks. ### Value overrides There are a number of options for overriding values in Helm charts. diff --git a/docs/docs/references/configuration/cli/trivy_aws.md b/docs/docs/references/configuration/cli/trivy_aws.md index 44774dffcd..aa0255a7eb 100644 --- a/docs/docs/references/configuration/cli/trivy_aws.md +++ b/docs/docs/references/configuration/cli/trivy_aws.md 
@@ -87,6 +87,7 @@ trivy aws [flags] -h, --help help for aws --ignore-policy string specify the Rego file path to evaluate each vulnerability --ignorefile string specify .trivyignore file (default ".trivyignore") + --include-deprecated-checks include deprecated checks --include-non-failures include successes and exceptions, available with '--scanners misconfig' --list-all-pkgs enabling the option will output all packages regardless of vulnerability --max-cache-age duration The maximum age of the cloud cache. Cached data will be required from the cloud provider if it is older than this. (default 24h0m0s) diff --git a/docs/docs/references/configuration/cli/trivy_config.md b/docs/docs/references/configuration/cli/trivy_config.md index 73bf450244..993570f158 100644 --- a/docs/docs/references/configuration/cli/trivy_config.md +++ b/docs/docs/references/configuration/cli/trivy_config.md @@ -31,6 +31,7 @@ trivy config [flags] DIR -h, --help help for config --ignore-policy string specify the Rego file path to evaluate each vulnerability --ignorefile string specify .trivyignore file (default ".trivyignore") + --include-deprecated-checks include deprecated checks --include-non-failures include successes and exceptions, available with '--scanners misconfig' --k8s-version string specify k8s version to validate outdated api by it (example: 1.21.0) --misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot]) diff --git a/docs/docs/references/configuration/cli/trivy_filesystem.md b/docs/docs/references/configuration/cli/trivy_filesystem.md index 79601ddc05..e79b923e37 100644 --- a/docs/docs/references/configuration/cli/trivy_filesystem.md +++ b/docs/docs/references/configuration/cli/trivy_filesystem.md 
@@ -49,6 +49,7 @@ trivy filesystem [flags] PATH --ignore-unfixed display only fixed vulnerabilities --ignored-licenses strings specify a list of license to ignore --ignorefile string specify .trivyignore file (default ".trivyignore") + --include-deprecated-checks include deprecated checks --include-dev-deps include development dependencies in the report (supported: npm, yarn) --include-non-failures include successes and exceptions, available with '--scanners misconfig' --java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1") diff --git a/docs/docs/references/configuration/cli/trivy_image.md b/docs/docs/references/configuration/cli/trivy_image.md index ab7951fa8d..980cf68a79 100644 --- a/docs/docs/references/configuration/cli/trivy_image.md +++ b/docs/docs/references/configuration/cli/trivy_image.md @@ -67,6 +67,7 @@ trivy image [flags] IMAGE_NAME --ignorefile string specify .trivyignore file (default ".trivyignore") --image-config-scanners strings comma-separated list of what security issues to detect on container image configurations (misconfig,secret) --image-src strings image source(s) to use, in priority order (docker,containerd,podman,remote) (default [docker,containerd,podman,remote]) + --include-deprecated-checks include deprecated checks --include-non-failures include successes and exceptions, available with '--scanners misconfig' --input string input file path instead of image name --java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1") diff --git a/docs/docs/references/configuration/cli/trivy_kubernetes.md b/docs/docs/references/configuration/cli/trivy_kubernetes.md index 62ee6cd3b4..cdc50f9f54 100644 --- a/docs/docs/references/configuration/cli/trivy_kubernetes.md +++ b/docs/docs/references/configuration/cli/trivy_kubernetes.md 
@@ -62,6 +62,7 @@ trivy kubernetes [flags] [CONTEXT] --ignore-unfixed display only fixed vulnerabilities --ignorefile string specify .trivyignore file (default ".trivyignore") --image-src strings image source(s) to use, in priority order (docker,containerd,podman,remote) (default [docker,containerd,podman,remote]) + --include-deprecated-checks include deprecated checks --include-kinds strings indicate the kinds included in scanning (example: node) --include-namespaces strings indicate the namespaces included in scanning (example: kube-system) --include-non-failures include successes and exceptions, available with '--scanners misconfig' diff --git a/docs/docs/references/configuration/cli/trivy_repository.md b/docs/docs/references/configuration/cli/trivy_repository.md index e3daa569d9..7efde1657c 100644 --- a/docs/docs/references/configuration/cli/trivy_repository.md +++ b/docs/docs/references/configuration/cli/trivy_repository.md @@ -49,6 +49,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL) --ignore-unfixed display only fixed vulnerabilities --ignored-licenses strings specify a list of license to ignore --ignorefile string specify .trivyignore file (default ".trivyignore") + --include-deprecated-checks include deprecated checks --include-dev-deps include development dependencies in the report (supported: npm, yarn) --include-non-failures include successes and exceptions, available with '--scanners misconfig' --java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1") diff --git a/docs/docs/references/configuration/cli/trivy_rootfs.md b/docs/docs/references/configuration/cli/trivy_rootfs.md index 4bc3fc61d2..ea6a309380 100644 --- a/docs/docs/references/configuration/cli/trivy_rootfs.md +++ b/docs/docs/references/configuration/cli/trivy_rootfs.md 
@@ -52,6 +52,7 @@ trivy rootfs [flags] ROOTDIR --ignore-unfixed display only fixed vulnerabilities --ignored-licenses strings specify a list of license to ignore --ignorefile string specify .trivyignore file (default ".trivyignore") + --include-deprecated-checks include deprecated checks --include-non-failures include successes and exceptions, available with '--scanners misconfig' --java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1") --license-confidence-level float specify license classifier's confidence level (default 0.9) diff --git a/docs/docs/references/configuration/config-file.md b/docs/docs/references/configuration/config-file.md index 755913a0bf..1a7020d94f 100644 --- a/docs/docs/references/configuration/config-file.md +++ b/docs/docs/references/configuration/config-file.md @@ -382,10 +382,14 @@ misconfiguration: # Same as '--include-non-failures' # Default is false include-non-failures: false + + # Same as '--include-deprecated-checks' + # Default is false + include-deprecated-checks: false - # Same as '--policy-bundle-repository' + # Same as '--check-bundle-repository' and '--policy-bundle-repository' # Default is 'ghcr.io/aquasecurity/trivy-checks:0' - policy-bundle-repository: ghcr.io/aquasecurity/trivy-checks:0 + check-bundle-repository: ghcr.io/aquasecurity/trivy-checks:0 # Same as '--miconfig-scanners' # Default is all scanners diff --git a/docs/docs/scanner/misconfiguration/check/exceptions.md b/docs/docs/scanner/misconfiguration/check/exceptions.md index e4020c0299..70ef974a4b 100644 --- a/docs/docs/scanner/misconfiguration/check/exceptions.md +++ b/docs/docs/scanner/misconfiguration/check/exceptions.md 
@@ -3,10 +3,10 @@ Exceptions let you specify cases where you allow policy violations. Trivy supports two types of exceptions. !!! info - Exceptions can be applied to built-in policies as well as custom policies. + Exceptions can be applied to built-in checks as well as custom checks. ## Namespace-based exceptions -There are some cases where you need to disable built-in policies partially or fully. +There are some cases where you need to disable built-in checks partially or fully. Namespace-based exceptions lets you rough choose which individual packages to exempt. To use namespace-based exceptions, create a Rego rule with the name `exception` that returns the package names to exempt. @@ -26,7 +26,7 @@ The `exception` rule must be defined under `namespace.exceptions`. } ``` -This example exempts all built-in policies for Kubernetes. +This example exempts all built-in checks for Kubernetes. ## Rule-based exceptions There are some cases where you need more flexibility and granularity in defining which cases to exempt. @@ -73,7 +73,7 @@ The above would provide an exception from `deny_foo` and `deny_bar`. } ``` -If you want to apply rule-based exceptions to built-in policies, you have to define the exception under the same package. +If you want to apply rule-based exceptions to built-in checks, you have to define the exception under the same package. !!! example ``` rego diff --git a/docs/docs/scanner/misconfiguration/custom/data.md b/docs/docs/scanner/misconfiguration/custom/data.md index 6e858d86ed..51af206b4c 100644 --- a/docs/docs/scanner/misconfiguration/custom/data.md +++ b/docs/docs/scanner/misconfiguration/custom/data.md 
@@ -1,6 +1,6 @@ # Custom Data -Custom policies may require additional data in order to determine an answer. +Custom checks may require additional data in order to determine an answer. For example, an allowed list of resources that can be created. Instead of hardcoding this information inside your policy, Trivy allows passing paths to data files with the `--data` flag. diff --git a/docs/docs/scanner/misconfiguration/custom/debug.md b/docs/docs/scanner/misconfiguration/custom/debug.md index 8ea0cc5e0e..751e43633e 100644 --- a/docs/docs/scanner/misconfiguration/custom/debug.md +++ b/docs/docs/scanner/misconfiguration/custom/debug.md @@ -1,10 +1,10 @@ -# Debugging policies +# Debugging checks When working on more complex queries (or when learning Rego), it's useful to see exactly how the policy is applied. For this purpose you can use the `--trace` flag. This will output a large trace from Open Policy Agent like the following: !!! tip - Only failed policies show traces. If you want to debug a passed policy, you need to make it fail on purpose. + Only failed checks show traces. If you want to debug a passed check, you need to make it fail on purpose. ```shell $ trivy conf --trace configs/ diff --git a/docs/docs/scanner/misconfiguration/custom/index.md b/docs/docs/scanner/misconfiguration/custom/index.md index 8b08c5e412..9ce6250552 100644 --- a/docs/docs/scanner/misconfiguration/custom/index.md +++ b/docs/docs/scanner/misconfiguration/custom/index.md 
@@ -1,8 +1,8 @@ -# Custom Policies +# Custom Checks ## Overview -You can write custom policies in [Rego][rego]. -Once you finish writing custom policies, you can pass the policy files or the directory where those policies are stored with `--policy` option. +You can write custom checks in [Rego][rego]. +Once you finish writing custom checks, you can pass the policy files or the directory where those policies are stored with `--policy` option. ``` bash trivy conf --policy /path/to/policy.rego --policy /path/to/custom_policies --namespaces user /path/to/config_dir @@ -120,7 +120,7 @@ Trivy supports extra fields in the `custom` section as described below. ``` All fields are optional. The `schemas` field should be used to enable policy validation using a built-in schema. The -schema that will be used is based on the input document type. It is recommended to use this to ensure your policies are +schema that will be used is based on the input document type. It is recommended to use this to ensure your checks are correct and do not reference incorrect properties/values. | Field name | Allowed values | Default value | In table | In JSON | @@ -131,6 +131,7 @@ correct and do not reference incorrect properties/values. | custom.id | Any characters | N/A | :material-check: | :material-check: | | custom.severity | `LOW`, `MEDIUM`, `HIGH`, `CRITICAL` | UNKNOWN | :material-check: | :material-check: | | custom.recommended_actions | Any characters | | :material-close: | :material-check: | +| custom.deprecated | `true`, `false` | `false` | :material-close: | :material-check: | | custom.input.selector.type | Any item(s) in [this list][source-types] | | :material-close: | :material-check: | | url | Any characters | | :material-close: | :material-check: | diff --git a/docs/docs/scanner/misconfiguration/custom/schema.md b/docs/docs/scanner/misconfiguration/custom/schema.md index ea5efeb7b3..3487299723 100644 --- a/docs/docs/scanner/misconfiguration/custom/schema.md 
+++ b/docs/docs/scanner/misconfiguration/custom/schema.md @@ -54,7 +54,7 @@ Currently, out of the box the following schemas are supported natively: 3. [Cloud](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/rego/schemas/cloud.json) -## Custom Policies with Custom Schemas +## Custom Checks with Custom Schemas You can also bring a custom policy that defines one or more custom schema. @@ -71,21 +71,21 @@ You can also bring a custom policy that defines one or more custom schema. } ``` -The policies can be placed in a structure as follows +The checks can be placed in a structure as follows !!! example ``` - /Users/user/my-custom-policies + /Users/user/my-custom-checks ├── my_policy.rego └── schemas └── fooschema.json └── barschema.json ``` -To use such a policy with Trivy, use the `--config-policy` flag that points to the policy file or to the directory where the schemas and policies are contained. +To use such a policy with Trivy, use the `--config-policy` flag that points to the policy file or to the directory where the schemas and checks are contained. ```bash -$ trivy --config-policy=/Users/user/my-custom-policies +$ trivy --config-policy=/Users/user/my-custom-checks ``` -For more details on how to define schemas within Rego policies, please see the [OPA guide](https://www.openpolicyagent.org/docs/latest/policy-language/#schema-annotations) that describes it in more detail. \ No newline at end of file +For more details on how to define schemas within Rego checks, please see the [OPA guide](https://www.openpolicyagent.org/docs/latest/policy-language/#schema-annotations) that describes it in more detail. \ No newline at end of file diff --git a/docs/docs/scanner/misconfiguration/custom/testing.md b/docs/docs/scanner/misconfiguration/custom/testing.md index fcda218ff8..2db2fa8235 100644 --- a/docs/docs/scanner/misconfiguration/custom/testing.md +++ b/docs/docs/scanner/misconfiguration/custom/testing.md 
@@ -1,9 +1,9 @@ # Testing -It is highly recommended to write tests for your custom policies. +It is highly recommended to write tests for your custom checks. ## Rego testing -To help you verify the correctness of your custom policies, OPA gives you a framework that you can use to write tests for your policies. -By writing tests for your custom policies you can speed up the development process of new rules and reduce the amount of time it takes to modify rules as requirements evolve. +To help you verify the correctness of your custom checks, OPA gives you a framework that you can use to write tests for your checks. +By writing tests for your custom checks you can speed up the development process of new rules and reduce the amount of time it takes to modify rules as requirements evolve. For more details, see [Policy Testing][opa-testing]. @@ -22,12 +22,12 @@ For more details, see [Policy Testing][opa-testing]. } ``` -To write tests for custom policies, you can refer to existing tests under [trivy-checks][trivy-checks]. +To write tests for custom checks, you can refer to existing tests under [trivy-checks][trivy-checks]. ## Go testing [Fanal][fanal] which is a core library of Trivy can be imported as a Go library. -You can scan config files in Go and test your custom policies using Go's testing methods, such as [table-driven tests][table]. -This allows you to use the actual configuration file as input, making it easy to prepare test data and ensure that your custom policies work in practice. +You can scan config files in Go and test your custom checks using Go's testing methods, such as [table-driven tests][table]. +This allows you to use the actual configuration file as input, making it easy to prepare test data and ensure that your custom checks work in practice. In particular, Dockerfile and HCL need to be converted to structural data as input, which may be different from the expected input format. 
diff --git a/docs/docs/scanner/misconfiguration/index.md b/docs/docs/scanner/misconfiguration/index.md index b243d3e8dc..701d469d65 100644 --- a/docs/docs/scanner/misconfiguration/index.md +++ b/docs/docs/scanner/misconfiguration/index.md @@ -1,6 +1,6 @@ # Misconfiguration Scanning -Trivy provides built-in policies to detect configuration issues in popular Infrastructure as Code files, such as: Docker, Kubernetes, Terraform, CloudFormation, and more. -In addition to built-in policies, you can write your own custom policies, as you can see [here][custom]. +Trivy provides built-in checks to detect configuration issues in popular Infrastructure as Code files, such as: Docker, Kubernetes, Terraform, CloudFormation, and more. +In addition to built-in checks, you can write your own custom checks, as you can see [here][custom]. ## Quick start @@ -94,7 +94,7 @@ In the above example, Trivy detected vulnerabilities of Python dependencies and ## Type detection The specified directory can contain mixed types of IaC files. -Trivy automatically detects config types and applies relevant policies. +Trivy automatically detects config types and applies relevant checks. For example, the following example holds IaC files for Terraform, CloudFormation, Kubernetes, Helm Charts, and Dockerfile in the same directory. @@ -326,8 +326,8 @@ trivy config --misconfig-scanners=terraform,dockerfile . Will only scan for misconfigurations that pertain to Terraform and Dockerfiles. -### Passing custom policies -You can pass policy files or directories including your custom policies through `--policy` option. +### Passing custom checks +You can pass policy files or directories including your custom checks through `--policy` option. This can be repeated for specifying multiple files or directories. ```bash 
@@ -335,7 +335,7 @@ cd examplex/misconf/ trivy conf --policy custom-policy/policy --policy combine/policy --policy policy.rego --namespaces user misconf/mixed ``` -For more details, see [Custom Policies](./custom/index.md). +For more details, see [Custom Checks](./custom/index.md). !!! tip You also need to specify `--namespaces` option. @@ -352,8 +352,8 @@ trivy conf --policy ./policy --data ./data --namespaces user ./configs For more details, see [Custom Data](./custom/data.md). ### Passing namespaces -By default, Trivy evaluates policies defined in `builtin.*`. -If you want to evaluate custom policies in other packages, you have to specify package prefixes through `--namespaces` option. +By default, Trivy evaluates checks defined in `builtin.*`. +If you want to evaluate custom checks in other packages, you have to specify package prefixes through `--namespaces` option. This can be repeated for specifying multiple packages. ``` bash diff --git a/docs/docs/target/aws.md b/docs/docs/target/aws.md index 78781646b1..ef23825129 100644 --- a/docs/docs/target/aws.md +++ b/docs/docs/target/aws.md 
@@ -99,11 +99,11 @@ If you want to force the cache to be refreshed with the latest data, you can use Or if you'd like to use cached data for a different timeframe, you can specify `--max-cache-age` (e.g. `--max-cache-age 2h`.). Regardless of whether the cache is used or not, rules will be evaluated again with each run of `trivy aws`. -## Custom Policies +## Custom Checks -You can write custom policies for Trivy to evaluate against your AWS account. -These policies are written in [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/), the same language used by [Open Policy Agent](https://www.openpolicyagent.org/). -See the [Custom Policies](../scanner/misconfiguration/custom/index.md) page for more information on how to write custom policies. +You can write custom checks for Trivy to evaluate against your AWS account. +These checks are written in [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/), the same language used by [Open Policy Agent](https://www.openpolicyagent.org/). +See the [Custom Checks](../scanner/misconfiguration/custom/index.md) page for more information on how to write custom checks. -Custom policies in cloud scanning also support passing in custom data. This can be useful when you want to selectively enable/disable certain aspects of your cloud policies. -See the [Custom Data](../scanner/misconfiguration/custom/data.md) page for more information on how to provide custom data to custom policies. +Custom checks in cloud scanning also support passing in custom data. This can be useful when you want to selectively enable/disable certain aspects of your cloud checks. +See the [Custom Data](../scanner/misconfiguration/custom/data.md) page for more information on how to provide custom data to custom checks. diff --git a/docs/tutorials/additional-resources/community.md b/docs/tutorials/additional-resources/community.md index c1ab7241e4..2f5ab5a15c 100644 --- a/docs/tutorials/additional-resources/community.md 
+++ b/docs/tutorials/additional-resources/community.md @@ -16,7 +16,7 @@ Below is a list of additional resources from the community. ## Misconfiguration Scanning - [Identifying Misconfigurations in your Terraform](https://youtu.be/cps1V5fOHtE) -- [How to write custom policies for Trivy](https://blog.ediri.io/how-to-write-custom-policies-for-trivy) +- [How to write custom checks for Trivy](https://blog.ediri.io/how-to-write-custom-policies-for-trivy) ## SBOM, Attestation & related diff --git a/docs/tutorials/misconfiguration/terraform.md b/docs/tutorials/misconfiguration/terraform.md index 8240e1ba53..24b8eebfa6 100644 --- a/docs/tutorials/misconfiguration/terraform.md +++ b/docs/tutorials/misconfiguration/terraform.md @@ -90,7 +90,7 @@ trivy conf --tf-vars terraform.tfvars ./ ``` ### Custom Checks -We have lots of examples in the [documentation](https://aquasecurity.github.io/trivy/latest/docs/scanner/misconfiguration/custom/) on how you can write and pass custom Rego policies into terraform misconfiguration scans. +We have lots of examples in the [documentation](https://aquasecurity.github.io/trivy/latest/docs/scanner/misconfiguration/custom/) on how you can write and pass custom Rego checks into terraform misconfiguration scans. ## Secret and vulnerability scans diff --git a/go.mod b/go.mod index 0849da324b..d25d339b8a 100644 --- a/go.mod +++ b/go.mod @@ -26,7 +26,7 @@ require ( github.com/aquasecurity/table v1.8.0 github.com/aquasecurity/testdocker v0.0.0-20240419073403-90bd43849334 github.com/aquasecurity/tml v0.6.1 - github.com/aquasecurity/trivy-aws v0.8.0 + github.com/aquasecurity/trivy-aws v0.8.1-0.20240511051125-4393910b056b github.com/aquasecurity/trivy-checks v0.10.5-0.20240514040354-93bcb2f8c233 github.com/aquasecurity/trivy-db v0.0.0-20231005141211-4fc651f7ac8d github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 diff --git a/go.sum b/go.sum index 1ea2d226a9..d62a5fb3c1 100644 --- a/go.sum +++ b/go.sum 
@@ -773,8 +773,8 @@ github.com/aquasecurity/testdocker v0.0.0-20240419073403-90bd43849334 h1:MgvbLyL github.com/aquasecurity/testdocker v0.0.0-20240419073403-90bd43849334/go.mod h1:TKXn7bPfMM52ETP4sjjwkTKCZ18CqCs+I/vtFePSdBc= github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gwo= github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY= -github.com/aquasecurity/trivy-aws v0.8.0 h1:4ij8MiZ2sJUH+vWpSeoGVhPr109ZBcNp7LNLfPuv5Cw= -github.com/aquasecurity/trivy-aws v0.8.0/go.mod h1:Pb9xqOuTKMHVgjsnjvudjqZh3nmzdFqFVfRkXnoIZBM= +github.com/aquasecurity/trivy-aws v0.8.1-0.20240511051125-4393910b056b h1:mBMM6+kLTPaqSxNLO51rL6HiCKL1ElV5RXM+BEAK8fg= +github.com/aquasecurity/trivy-aws v0.8.1-0.20240511051125-4393910b056b/go.mod h1:z638DsULU5CCIk8QZqcj8u2D5IIRzvjq4jI1VDQGda4= github.com/aquasecurity/trivy-checks v0.10.5-0.20240514040354-93bcb2f8c233 h1:7TnJS1JEmrNfznu1Y9Rzbboxl7J4hxjIKQ8tV3k5UQs= github.com/aquasecurity/trivy-checks v0.10.5-0.20240514040354-93bcb2f8c233/go.mod h1:+G8Ft1pJAmsSPzfSQHdSQ5zcWHWPOxVdQHHA+eHP3eU= github.com/aquasecurity/trivy-db v0.0.0-20231005141211-4fc651f7ac8d h1:fjI9mkoTUAkbGqpzt9nJsO24RAdfG+ZSiLFj0G2jO8c= diff --git a/mkdocs.yml b/mkdocs.yml index 0a7947b4d7..4f8a42c9ce 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -57,7 +57,7 @@ nav: - Policy: - Built-in Checks: docs/scanner/misconfiguration/check/builtin.md - Exceptions: docs/scanner/misconfiguration/check/exceptions.md - - Custom Policies: + - Custom Checks: - Overview: docs/scanner/misconfiguration/custom/index.md - Data: docs/scanner/misconfiguration/custom/data.md - Combine: docs/scanner/misconfiguration/custom/combine.md diff --git a/pkg/commands/artifact/run.go b/pkg/commands/artifact/run.go index 14aae3659c..f61e849282 100644 --- a/pkg/commands/artifact/run.go +++ b/pkg/commands/artifact/run.go 
@@ -587,6 +587,7 @@ func initScannerConfig(opts flag.Options, cacheClient cache.Cache) (ScannerConfi
 K8sVersion: opts.K8sVersion,
 DisableEmbeddedPolicies: disableEmbedded,
 DisableEmbeddedLibraries: disableEmbedded,
+ IncludeDeprecatedChecks: opts.IncludeDeprecatedChecks,
 TfExcludeDownloaded: opts.TfExcludeDownloaded,
 }
 }
diff --git a/pkg/flag/rego_flags.go b/pkg/flag/rego_flags.go
index e7358e065b..4b291f0a5e 100644
--- a/pkg/flag/rego_flags.go
+++ b/pkg/flag/rego_flags.go
@@ -7,6 +7,11 @@ package flag
 // config-policy: "custom-policy/policy"
 // policy-namespaces: "user"
 var (
+ IncludeDeprecatedChecksFlag = Flag[bool]{
+ Name: "include-deprecated-checks",
+ ConfigName: "rego.include-deprecated-checks",
+ Usage: "include deprecated checks",
+ }
 SkipCheckUpdateFlag = Flag[bool]{
 Name: "skip-check-update",
 ConfigName: "rego.skip-check-update",
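Review bot: The new flag registers its config key as `rego.include-deprecated-checks`, but the config-file.md hunk in this same patch documents `include-deprecated-checks` under the `misconfiguration:` section next to `include-non-failures`, so a user who follows the docs sets a key this flag never reads unless the config loader maps both, which nothing in the hunk shows. The `rego.` prefix matches the sibling `rego.skip-check-update` here, so the doc is the more likely one to fix by nesting the key under `rego:`; either way the two should agree before release. The Usage string `include deprecated checks` also does not say that deprecated checks are presumably skipped by default, which means a finding can vanish from a scan as soon as the check bundle (pulled from `ghcr.io/aquasecurity/trivy-checks:0`) marks that check deprecated; `Usage: "include deprecated checks (skipped by default, so their findings disappear once a check is deprecated)"` would make that trade-off visible at `--help` time. Relatedly, the air-gap.md hunk in this patch renames the heading to `--skip-check-update` but leaves the example command on `--skip-policy-update`. The `var (` block this hunk edits continues outside the hunk.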
@@ -53,28 +58,31 @@ var (
 // RegoFlagGroup composes common printer flag structs used for commands providing misconfinguration scanning.
 type RegoFlagGroup struct {
- SkipCheckUpdate *Flag[bool]
- Trace *Flag[bool]
- CheckPaths *Flag[[]string]
- DataPaths *Flag[[]string]
- CheckNamespaces *Flag[[]string]
+ IncludeDeprecatedChecks *Flag[bool]
+ SkipCheckUpdate *Flag[bool]
+ Trace *Flag[bool]
+ CheckPaths *Flag[[]string]
+ DataPaths *Flag[[]string]
+ CheckNamespaces *Flag[[]string]
 }
 type RegoOptions struct {
- SkipCheckUpdate bool
- Trace bool
- CheckPaths []string
- DataPaths []string
- CheckNamespaces []string
+ IncludeDeprecatedChecks bool
+ SkipCheckUpdate bool
+ Trace bool
+ CheckPaths []string
+ DataPaths []string
+ CheckNamespaces []string
 }
 func NewRegoFlagGroup() *RegoFlagGroup {
 return &RegoFlagGroup{
- SkipCheckUpdate: SkipCheckUpdateFlag.Clone(),
- Trace: TraceFlag.Clone(),
- CheckPaths: ConfigCheckFlag.Clone(),
- DataPaths: ConfigDataFlag.Clone(),
- CheckNamespaces: CheckNamespaceFlag.Clone(),
+ IncludeDeprecatedChecks: IncludeDeprecatedChecksFlag.Clone(),
+ SkipCheckUpdate: SkipCheckUpdateFlag.Clone(),
+ Trace: TraceFlag.Clone(),
+ CheckPaths: ConfigCheckFlag.Clone(),
+ DataPaths: ConfigDataFlag.Clone(),
+ CheckNamespaces: CheckNamespaceFlag.Clone(),
 }
 }
@@ -84,6 +92,7 @@ func (f *RegoFlagGroup) Name() string {
 func (f *RegoFlagGroup) Flags() []Flagger {
 return []Flagger{
+ f.IncludeDeprecatedChecks,
 f.SkipCheckUpdate,
 f.Trace,
 f.CheckPaths,
@@ -98,10 +107,11 @@ func (f *RegoFlagGroup) ToOptions() (RegoOptions, error) { } return RegoOptions{ - SkipCheckUpdate: f.SkipCheckUpdate.Value(), - Trace: f.Trace.Value(), - CheckPaths: f.CheckPaths.Value(), - DataPaths: f.DataPaths.Value(), - CheckNamespaces: f.CheckNamespaces.Value(), + IncludeDeprecatedChecks: f.IncludeDeprecatedChecks.Value(), + SkipCheckUpdate: f.SkipCheckUpdate.Value(), + Trace: f.Trace.Value(), + CheckPaths: f.CheckPaths.Value(), + DataPaths: f.DataPaths.Value(), + CheckNamespaces: f.CheckNamespaces.Value(), }, nil } diff --git a/pkg/iac/rego/embed_test.go b/pkg/iac/rego/embed_test.go index 36d136259a..35fd4a667e 100644 --- a/pkg/iac/rego/embed_test.go +++ b/pkg/iac/rego/embed_test.go @@ -5,6 +5,7 @@ import ( checks "github.com/aquasecurity/trivy-checks" "github.com/aquasecurity/trivy/pkg/iac/rules" + "github.com/aquasecurity/trivy/pkg/iac/scan" "github.com/open-policy-agent/opa/ast" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" 
@@ -103,3 +104,102 @@ deny[res]{ }) } } + +func Test_RegisterDeprecatedRule(t *testing.T) { + var testCases = []struct { + name string + id string + inputPolicy string + expected scan.Rule + }{ + { + name: "deprecated check", + id: "AVD-DEP-0001", + inputPolicy: `# METADATA +# title: "deprecated check" +# description: "some description" +# scope: package +# schemas: +# - input: schema["dockerfile"] +# custom: +# avd_id: AVD-DEP-0001 +# input: +# selector: +# - type: dockerfile +# deprecated: true +package builtin.dockerfile.DS1234 +deny[res]{ + res := true +}`, + expected: scan.Rule{ + Deprecated: true, + }, + }, + { + name: "not a deprecated check", + id: "AVD-NOTDEP-0001", + inputPolicy: `# METADATA +# title: "not a deprecated check" +# description: "some description" +# scope: package +# schemas: +# - input: schema["dockerfile"] +# custom: +# avd_id: AVD-NOTDEP-0001 +# input: +# selector: +# - type: dockerfile +package builtin.dockerfile.DS1234 +deny[res]{ + res := true +}`, + expected: scan.Rule{ + Deprecated: false, + }, + }, + { + name: "invalid deprecation value", + id: "AVD-BADDEP-0001", + inputPolicy: `# METADATA +# title: "badly deprecated check" +# description: "some description" +# scope: package +# schemas: +# - input: schema["dockerfile"] +# custom: +# avd_id: AVD-BADDEP-0001 +# input: +# selector: +# - type: dockerfile +# deprecated: "this is bad, deprecation is a bool value not a string" +package builtin.dockerfile.DS1234 +deny[res]{ + res := true +}`, + expected: scan.Rule{ + Deprecated: false, + }, + }, + } + + for _, tc := range testCases { + t.Run(tc.name, func(t *testing.T) { + policies := make(map[string]*ast.Module) + newRule, err := ast.ParseModuleWithOpts("/rules/newrule.rego", tc.inputPolicy, ast.ParserOptions{ + ProcessAnnotation: true, + }) + require.NoError(t, err) + + policies["/rules/newrule.rego"] = newRule + assert.NotPanics(t, func() { + RegisterRegoRules(policies) + }) + + for _, rule := range rules.GetRegistered() { + if 
rule.AVDID == tc.id { + assert.Equal(t, tc.expected.Deprecated, rule.GetRule().Deprecated, tc.name) + } + } + }) + } +} diff --git a/pkg/iac/rego/load.go b/pkg/iac/rego/load.go index 2fd3955ce3..f2e4c0645c 100644 --- a/pkg/iac/rego/load.go +++ b/pkg/iac/rego/load.go @@ -100,12 +100,12 @@ func (s *Scanner) LoadPolicies(enableEmbeddedLibraries, enableEmbeddedPolicies b if len(paths) > 0 { loaded, err := LoadPoliciesFromDirs(srcFS, paths...) if err != nil { - return fmt.Errorf("failed to load rego policies from %s: %w", paths, err) + return fmt.Errorf("failed to load rego checks from %s: %w", paths, err) } for name, policy := range loaded { s.policies[name] = policy } - s.debug.Log("Loaded %d policies from disk.", len(loaded)) + s.debug.Log("Loaded %d checks from disk.", len(loaded)) } if len(readers) > 0 { diff --git a/pkg/iac/rego/metadata.go b/pkg/iac/rego/metadata.go index 6d6996dd68..5699276ad0 100644 --- a/pkg/iac/rego/metadata.go +++ b/pkg/iac/rego/metadata.go @@ -20,6 +20,7 @@ import ( const annotationScopePackage = "package" type StaticMetadata struct { + Deprecated bool ID string AVDID string Title string @@ -70,6 +71,12 @@ func (sm *StaticMetadata) Update(meta map[string]any) error { upd(&sm.RecommendedActions, "recommended_actions") upd(&sm.RecommendedActions, "recommended_action") + if raw, ok := meta["deprecated"]; ok { + if dep, ok := raw.(bool); ok { + sm.Deprecated = dep + } + } + if raw, ok := meta["severity"]; ok { sm.Severity = strings.ToUpper(fmt.Sprintf("%s", raw)) } @@ -208,6 +215,7 @@ func (m StaticMetadata) ToRule() scan.Rule { } return scan.Rule{ + Deprecated: m.Deprecated, AVDID: m.AVDID, Aliases: append(m.Aliases, m.ID), ShortCode: m.ShortCode, diff --git a/pkg/iac/rego/metadata_test.go b/pkg/iac/rego/metadata_test.go index d12b2d5d55..423ddc1a20 100644 --- a/pkg/iac/rego/metadata_test.go +++ b/pkg/iac/rego/metadata_test.go 
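Review bot: In Test_RegisterDeprecatedRule the assertion inside the loop over rules.GetRegistered() only fires when a rule with tc.id is found, so a case in which the check never registers (for example because its metadata fails to parse) passes with no assertion at all. Track a hit with `found := false` before the loop, set `found = true` in the matching branch, and finish with `assert.True(t, found, "rule %s was not registered", tc.id)`. That matters most for the "invalid deprecation value" case, where an unregistered rule and a registered non-deprecated rule are currently indistinguishable. The registry appears to be process-wide and shared by all three sub-tests (inferred from rules.GetRegistered()), which is harmless here only because the AVD IDs differ.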
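Review bot: In StaticMetadata.Update (hunk @@ -70,6 +71,12) a `deprecated` annotation whose value is not a bool is silently ignored, so a check whose author writes `deprecated: "true"` keeps running as an ordinary check with no diagnostic. Update already returns an error, so an `else` branch such as `return fmt.Errorf("deprecated: expected bool, got %T", raw)` would surface the mistake at load time. Whether that error is propagated or swallowed by RegisterRegoRules is not visible in this diff; the "invalid deprecation value" case in embed_test.go expects no panic and Deprecated == false, which an error return may or may not satisfy depending on that caller. If a hard error is considered too strict for third-party checks, a logged warning at the same spot would still be better than silence.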
@@ -117,6 +117,23 @@ func Test_UpdateStaticMetadata(t *testing.T) { assert.Equal(t, expected, sm) }) + + t.Run("check is deprecated", func(t *testing.T) { + sm := StaticMetadata{ + Deprecated: false, + } + require.NoError(t, sm.Update(map[string]any{ + "deprecated": true, + })) + + expected := StaticMetadata{ + Deprecated: true, + CloudFormation: &scan.EngineMetadata{}, + Terraform: &scan.EngineMetadata{}, + } + + assert.Equal(t, expected, sm) + }) } func Test_getEngineMetadata(t *testing.T) { diff --git a/pkg/iac/rego/scanner.go b/pkg/iac/rego/scanner.go index f2b9fff0fd..ceed9bd7ae 100644 --- a/pkg/iac/rego/scanner.go +++ b/pkg/iac/rego/scanner.go @@ -26,28 +26,33 @@ import ( var _ options.ConfigurableScanner = (*Scanner)(nil) type Scanner struct { - ruleNamespaces map[string]struct{} - policies map[string]*ast.Module - store storage.Store - dataDirs []string - runtimeValues *ast.Term - compiler *ast.Compiler - regoErrorLimit int - debug debug.Logger - traceWriter io.Writer - tracePerResult bool - retriever *MetadataRetriever - policyFS fs.FS - dataFS fs.FS - frameworks []framework.Framework - spec string - inputSchema interface{} // unmarshalled into this from a json schema document - sourceType types.Source + ruleNamespaces map[string]struct{} + policies map[string]*ast.Module + store storage.Store + dataDirs []string + runtimeValues *ast.Term + compiler *ast.Compiler + regoErrorLimit int + debug debug.Logger + traceWriter io.Writer + tracePerResult bool + retriever *MetadataRetriever + policyFS fs.FS + dataFS fs.FS + frameworks []framework.Framework + spec string + inputSchema interface{} // unmarshalled into this from a json schema document + sourceType types.Source + includeDeprecatedChecks bool embeddedLibs map[string]*ast.Module embeddedChecks map[string]*ast.Module } +func (s *Scanner) SetIncludeDeprecatedChecks(b bool) { + s.includeDeprecatedChecks = b +} + func (s *Scanner) SetUseEmbeddedLibraries(b bool) { // handled externally } 
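Review bot: The new exported method SetIncludeDeprecatedChecks on rego.Scanner has no doc comment, and nothing on the struct explains what the includeDeprecatedChecks field gates. A comment such as `// SetIncludeDeprecatedChecks controls whether checks whose metadata marks them deprecated are evaluated by ScanInput; they are skipped unless this is enabled.` would record the default. The field is also placed between sourceType and embeddedLibs rather than next to the other bool toggle (tracePerResult), which is a minor readability point.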
@@ -248,6 +253,10 @@ func (s *Scanner) ScanInput(ctx context.Context, inputs ...Input) (scan.Results, continue } + if !s.includeDeprecatedChecks && staticMeta.Deprecated { + continue // skip deprecated checks + } + if isPolicyWithSubtype(s.sourceType) { // skip if check isn't relevant to what is being scanned if !isPolicyApplicable(staticMeta, inputs...) { diff --git a/pkg/iac/rego/scanner_test.go b/pkg/iac/rego/scanner_test.go index d2868764ed..f2d115ba05 100644 --- a/pkg/iac/rego/scanner_test.go +++ b/pkg/iac/rego/scanner_test.go 
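Review bot: The deprecated-check skip in ScanInput is silent, so a user who relied on a check that has since been marked deprecated sees it vanish from results with no trace of why. The scanner already has a debug logger (s.debug is used elsewhere in this diff), so a `s.debug.Log("Skipping deprecated check %s", staticMeta.AVDID)` before the `continue` would make the behaviour diagnosable with the existing trace output. The rest of ScanInput, including where staticMeta is obtained, is outside this hunk.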
@@ -1011,3 +1011,78 @@ deny { assert.Contains(t, buf.String(), `Error occurred while applying rule "deny" from check "checks/bad.rego"`) } + +func Test_RegoScanning_WithDeprecatedCheck(t *testing.T) { + var testCases = []struct { + name string + policy string + expectedResults int + }{ + { + name: "happy path check is deprecated", + policy: `# METADATA +# title: i am a deprecated check +# description: i am a description +# related_resources: +# - https://google.com +# custom: +# id: EG123 +# avd_id: AVD-EG-0123 +# severity: LOW +# recommended_action: have a cup of tea +# deprecated: true +package defsec.test + +deny { + input.text +} + +`, + expectedResults: 0, + }, + { + name: "happy path check is not deprecated", + policy: `# METADATA +# title: i am a deprecated check +# description: i am a description +# related_resources: +# - https://google.com +# custom: +# id: EG123 +# avd_id: AVD-EG-0123 +# severity: LOW +# recommended_action: have a cup of tea +package defsec.test + +deny { + input.text +} + +`, + expectedResults: 1, + }, + } + + for _, tc := range testCases { + t.Run(tc.name, func(t *testing.T) { + srcFS := CreateFS(t, map[string]string{ + "policies/test.rego": tc.policy, + }) + + scanner := NewScanner(types.SourceJSON) + require.NoError( + t, + scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil), + ) + + results, err := scanner.ScanInput(context.TODO(), Input{ + Path: "/evil.lol", + Contents: map[string]interface{}{ + "text": "test", + }, + }) + require.NoError(t, err) + require.Len(t, results, tc.expectedResults, tc.name) + }) + } +} diff --git a/pkg/iac/scan/flat.go b/pkg/iac/scan/flat.go index c640b5fc14..a3abc143d2 100755 --- a/pkg/iac/scan/flat.go +++ b/pkg/iac/scan/flat.go @@ -6,6 +6,7 @@ import ( ) type FlatResult struct { + Deprecated bool `json:"deprecated,omitempty"` RuleID string `json:"rule_id"` LongID string `json:"long_id"` RuleSummary string `json:"rule_description"` 
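Review bot: Test_RegoScanning_WithDeprecatedCheck only exercises the default path, in which a deprecated check is dropped; nothing asserts that SetIncludeDeprecatedChecks(true) brings it back, which is the feature being added. Adding an `include bool` field to the case struct, calling `scanner.SetIncludeDeprecatedChecks(tc.include)` after NewScanner, and a third case with the deprecated policy and `expectedResults: 1` would cover both sides of the toggle. Separately, the metadata title of the second case still reads "i am a deprecated check" although that case is the non-deprecated one, which is confusing when the test fails.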
@@ -48,6 +49,7 @@ func (r *Result) Flatten() FlatResult { } return FlatResult{ + Deprecated: r.rule.Deprecated, RuleID: r.rule.AVDID, LongID: r.Rule().LongID(), RuleSummary: r.rule.Summary, diff --git a/pkg/iac/scan/rule.go b/pkg/iac/scan/rule.go index a1a3ada18e..c4318b7aad 100755 --- a/pkg/iac/scan/rule.go +++ b/pkg/iac/scan/rule.go @@ -36,6 +36,7 @@ type TerraformCustomCheck struct { } type Rule struct { + Deprecated bool `json:"deprecated"` AVDID string `json:"avd_id"` Aliases []string `json:"aliases"` ShortCode string `json:"short_code"` @@ -55,6 +56,10 @@ type Rule struct { Check CheckFunc `json:"-"` } +func (r Rule) IsDeprecated() bool { + return r.Deprecated +} + func (r Rule) HasID(id string) bool { if r.AVDID == id || r.LongID() == id { return true diff --git a/pkg/iac/scanners/azure/arm/scanner.go b/pkg/iac/scanners/azure/arm/scanner.go index d9ae227a09..b4bcfc5394 100644 --- a/pkg/iac/scanners/azure/arm/scanner.go +++ b/pkg/iac/scanners/azure/arm/scanner.go @@ -40,6 +40,8 @@ type Scanner struct { // nolint: gocritic sync.Mutex } +func (s *Scanner) SetIncludeDeprecatedChecks(b bool) {} + func (s *Scanner) SetSpec(spec string) { s.spec = spec } diff --git a/pkg/iac/scanners/cloudformation/scanner.go b/pkg/iac/scanners/cloudformation/scanner.go index 0920f4425f..1bbbe39f21 100644 --- a/pkg/iac/scanners/cloudformation/scanner.go +++ b/pkg/iac/scanners/cloudformation/scanner.go @@ -64,6 +64,8 @@ type Scanner struct { // nolint: gocritic sync.Mutex } +func (s *Scanner) SetIncludeDeprecatedChecks(bool) {} + func (s *Scanner) addParserOptions(opt options.ParserOption) { s.parserOptions = append(s.parserOptions, opt) } diff --git a/pkg/iac/scanners/dockerfile/scanner.go b/pkg/iac/scanners/dockerfile/scanner.go index 88a18e35ed..29df54634d 100644 --- a/pkg/iac/scanners/dockerfile/scanner.go +++ b/pkg/iac/scanners/dockerfile/scanner.go 
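Review bot: Rule.IsDeprecated returns the exported Deprecated field unchanged and has no doc comment, so it is not clear whether it exists to satisfy an interface elsewhere or is simply a duplicate accessor. Either document the intent, e.g. `// IsDeprecated reports whether the check is marked deprecated in its metadata.`, or drop the method and let callers read the field as they do for the other Rule fields. The JSON tag here is `json:"deprecated"` while the FlatResult field in flat.go uses `json:"deprecated,omitempty"`; the two serialised forms of the same flag should agree.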
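Review bot: The no-op SetIncludeDeprecatedChecks stub on the ARM Scanner (and the identical stubs in cloudformation, dockerfile, helm, json, kubernetes, terraform, terraformplan/tfjson, toml and yaml) discards the setting, so the flag only takes effect if the same ScannerOption is also applied to the rego.Scanner these scanners presumably delegate to; that forwarding is not visible in this diff and is worth confirming per scanner, because any scanner that does not forward its options will silently ignore `--include-deprecated-checks`. A one-line comment on each stub, e.g. `// no-op: see rego.Scanner.SetIncludeDeprecatedChecks`, would record where the real filtering lives. The arm and terraform stubs name the unused parameter `b` while the others leave it unnamed; pick one form.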
@@ -34,6 +34,8 @@ type Scanner struct { // nolint: gocritic loadEmbeddedPolicies bool } +func (s *Scanner) SetIncludeDeprecatedChecks(bool) {} + func (s *Scanner) SetSpec(spec string) { s.spec = spec } diff --git a/pkg/iac/scanners/helm/scanner.go b/pkg/iac/scanners/helm/scanner.go index e2b666082c..fc54af4478 100644 --- a/pkg/iac/scanners/helm/scanner.go +++ b/pkg/iac/scanners/helm/scanner.go @@ -43,6 +43,8 @@ type Scanner struct { mu sync.Mutex } +func (s *Scanner) SetIncludeDeprecatedChecks(bool) {} + func (s *Scanner) SetSpec(spec string) { s.spec = spec } diff --git a/pkg/iac/scanners/json/scanner.go b/pkg/iac/scanners/json/scanner.go index 5c53d0a108..3d563c34c7 100644 --- a/pkg/iac/scanners/json/scanner.go +++ b/pkg/iac/scanners/json/scanner.go @@ -34,6 +34,8 @@ type Scanner struct { // nolint: gocritic loadEmbeddedLibraries bool } +func (s *Scanner) SetIncludeDeprecatedChecks(bool) {} + func (s *Scanner) SetRegoOnly(bool) { } diff --git a/pkg/iac/scanners/kubernetes/scanner.go b/pkg/iac/scanners/kubernetes/scanner.go index 121c954990..44f13ce5b0 100644 --- a/pkg/iac/scanners/kubernetes/scanner.go +++ b/pkg/iac/scanners/kubernetes/scanner.go @@ -38,6 +38,8 @@ type Scanner struct { // nolint: gocritic loadEmbeddedLibraries bool } +func (s *Scanner) SetIncludeDeprecatedChecks(bool) {} + func (s *Scanner) SetSpec(spec string) { s.spec = spec } diff --git a/pkg/iac/scanners/options/scanner.go b/pkg/iac/scanners/options/scanner.go index 02c01be5c9..8e79b0c4a1 100644 --- a/pkg/iac/scanners/options/scanner.go +++ b/pkg/iac/scanners/options/scanner.go @@ -24,6 +24,7 @@ type ConfigurableScanner interface { SetRegoOnly(regoOnly bool) SetRegoErrorLimit(limit int) SetUseEmbeddedLibraries(bool) + SetIncludeDeprecatedChecks(bool) } type ScannerOption func(s ConfigurableScanner) 
@@ -65,6 +66,12 @@ func ScannerWithEmbeddedLibraries(enabled bool) ScannerOption { } } +func ScannerWithIncludeDeprecatedChecks(enabled bool) ScannerOption { + return func(s ConfigurableScanner) { + s.SetIncludeDeprecatedChecks(enabled) + } +} + // ScannerWithTrace specifies an io.Writer for trace logs (mainly rego tracing) - if not set, they are discarded func ScannerWithTrace(w io.Writer) ScannerOption { return func(s ConfigurableScanner) { diff --git a/pkg/iac/scanners/terraform/scanner.go b/pkg/iac/scanners/terraform/scanner.go index 1f051a1665..c999acf337 100644 --- a/pkg/iac/scanners/terraform/scanner.go +++ b/pkg/iac/scanners/terraform/scanner.go @@ -45,6 +45,8 @@ type Scanner struct { // nolint: gocritic loadEmbeddedPolicies bool } +func (s *Scanner) SetIncludeDeprecatedChecks(b bool) {} + func (s *Scanner) SetSpec(spec string) { s.spec = spec } diff --git a/pkg/iac/scanners/terraformplan/tfjson/scanner.go b/pkg/iac/scanners/terraformplan/tfjson/scanner.go index 1a73bd6af0..6f62d82217 100644 --- a/pkg/iac/scanners/terraformplan/tfjson/scanner.go +++ b/pkg/iac/scanners/terraformplan/tfjson/scanner.go @@ -38,6 +38,8 @@ type Scanner struct { policyReaders []io.Reader } +func (s *Scanner) SetIncludeDeprecatedChecks(bool) {} + func (s *Scanner) SetUseEmbeddedLibraries(b bool) { s.loadEmbeddedLibraries = b } diff --git a/pkg/iac/scanners/toml/scanner.go b/pkg/iac/scanners/toml/scanner.go index 57f27df92d..0a05fdbac1 100644 --- a/pkg/iac/scanners/toml/scanner.go +++ b/pkg/iac/scanners/toml/scanner.go @@ -32,6 +32,8 @@ type Scanner struct { // nolint: gocritic loadEmbeddedLibraries bool } +func (s *Scanner) SetIncludeDeprecatedChecks(bool) {} + func (s *Scanner) SetRegoOnly(bool) {} func (s *Scanner) SetFrameworks(frameworks []framework.Framework) { diff --git a/pkg/iac/scanners/yaml/scanner.go b/pkg/iac/scanners/yaml/scanner.go index 02a68f0d55..0adc43bbd4 100644 --- a/pkg/iac/scanners/yaml/scanner.go +++ b/pkg/iac/scanners/yaml/scanner.go 
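Review bot: ScannerWithIncludeDeprecatedChecks is exported and undocumented, while the neighbouring ScannerWithTrace carries a doc comment. Proposed: `// ScannerWithIncludeDeprecatedChecks makes the scanner evaluate checks that are marked deprecated in their metadata; by default they are skipped.` Adding SetIncludeDeprecatedChecks to the exported ConfigurableScanner interface (hunk @@ -24,6 +24,7 of the same file) also breaks any implementation outside this repository, if such exist; a sentence on the interface or in the release notes would help those implementers.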
@@ -32,6 +32,8 @@ type Scanner struct { // nolint: gocritic loadEmbeddedPolicies bool } +func (s *Scanner) SetIncludeDeprecatedChecks(bool) {} + func (s *Scanner) SetRegoOnly(bool) {} func (s *Scanner) SetFrameworks(frameworks []framework.Framework) { diff --git a/pkg/misconf/scanner.go b/pkg/misconf/scanner.go index 9d81851b84..90ee90cb42 100644 --- a/pkg/misconf/scanner.go +++ b/pkg/misconf/scanner.go @@ -54,6 +54,7 @@ type ScannerOption struct { DataPaths []string DisableEmbeddedPolicies bool DisableEmbeddedLibraries bool + IncludeDeprecatedChecks bool HelmValues []string HelmValueFiles []string @@ -217,6 +218,7 @@ func scannerOptions(t detection.FileType, opt ScannerOption) ([]options.ScannerO options.ScannerWithSkipRequiredCheck(true), options.ScannerWithEmbeddedPolicies(!opt.DisableEmbeddedPolicies), options.ScannerWithEmbeddedLibraries(!opt.DisableEmbeddedLibraries), + options.ScannerWithIncludeDeprecatedChecks(opt.IncludeDeprecatedChecks), } policyFS, policyPaths, err := CreatePolicyFS(opt.PolicyPaths)