docs: add misconfiguration (#1101)

Co-authored-by: Itay Shakury <itay@itaysk.com>
Teppei Fukuda
2021-07-12 03:14:17 +03:00
committed by GitHub
parent d9883e4442
commit 9e08bd44fb
153 changed files with 6243 additions and 1342 deletions


@@ -4,8 +4,8 @@ on:
paths:
- 'docs/**'
- mkdocs.yml
branches:
- main
# branches:
# - main
jobs:
deploy:
name: Deploy the dev documentation
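Review bot: in the `on:` block the `branches:` / `- main` filter is only commented out (`# branches:` / `# - main`) rather than removed, so every push on any branch that touches `docs/**` or `mkdocs.yml` will now trigger the dev-docs deploy job. If that is intended (previewing docs from feature branches), drop the commented lines so they do not read as a pending change and say so in a comment on the workflow; if it is not intended, restore the `main` filter.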


@@ -1,5 +1,14 @@
name: Test
on: pull_request
on:
push:
branches:
- main
paths-ignore:
- '*.md'
- 'docs/**'
- 'mkdocs.yml'
- 'LICENSE'
pull_request:
env:
GO_VERSION: "1.16"
jobs:
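Review bot: `paths-ignore` is attached only to the `push` trigger; the `pull_request:` trigger carries no filter, so a docs-only pull request still runs the full test job while a docs-only push to `main` skips it. If the intent is to skip tests for documentation changes in both cases, repeat the same `paths-ignore` list under `pull_request:`. Also note that `'*.md'` only matches top-level Markdown files; `'**/*.md'` would cover the whole tree (the `docs/**` entry already covers the documentation folder).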

README.md (240 changes)

@@ -1,88 +1,45 @@
<img src="docs/imgs/logo.png" width="150">
<p align="center">
<img src="docs/imgs/logo.png" width="200">
</p>
<p align="center">
<a href="https://aquasecurity.github.io/trivy/">Documentation</a>
</p>
<p align="center">
Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues
</p>
[![GitHub Release][release-img]][release]
[![Go Report Card](https://goreportcard.com/badge/github.com/aquasecurity/trivy)](https://goreportcard.com/report/github.com/aquasecurity/trivy)
[![License: Apache-2.0](https://img.shields.io/badge/License-Apache%202.0-blue.svg)][license]
[![Test][test-img]][test]
[![Go Report Card][go-report-img]][go-report]
[![License: Apache-2.0][license-img]][license]
[![GitHub All Releases][github-all-releases-img]][release]
![Docker Pulls][docker-pulls]
[release]: https://github.com/aquasecurity/trivy/releases
[release-img]: https://img.shields.io/github/release/aquasecurity/trivy.svg?logo=github
[github-all-releases-img]: https://img.shields.io/github/downloads/aquasecurity/trivy/total?logo=github
[docker-pulls]: https://img.shields.io/docker/pulls/aquasec/trivy?logo=docker&label=docker%20pulls%20%2F%20trivy
[license]: https://github.com/aquasecurity/trivy/blob/main/LICENSE
A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifacts, Suitable for CI.
# Abstract
`Trivy` (`tri` pronounced like **tri**gger, `vy` pronounced like en**vy**) is a simple and comprehensive vulnerability scanner for containers and other artifacts.
A software vulnerability is a glitch, flaw, or weakness present in the software or in an Operating System.
`Trivy` detects vulnerabilities of OS packages (Alpine, RHEL, CentOS, etc.) and application dependencies (Bundler, Composer, npm, yarn, etc.).
`Trivy` is easy to use. Just install the binary and you're ready to scan. All you need to do for scanning is to specify a target such as an image name of the container.
`Trivy` (`tri` pronounced like **tri**gger, `vy` pronounced like en**vy**) is a simple and comprehensive scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues.
`Trivy` detects vulnerabilities of OS packages (Alpine, RHEL, CentOS, etc.) and language-specific packages (Bundler, Composer, npm, yarn, etc.).
In addition, `Trivy` scans Infrastructure as Code (IaC) files such as Terraform, Dockerfile and Kubernetes, to detect potential configuration issues that expose your deployments to the risk of attack.
`Trivy` is easy to use. Just install the binary and you're ready to scan.
<img src="docs/imgs/overview.png" width="700">
<p align="center">
<img src="docs/imgs/overview.png" width="800" alt="Trivy Overview">
</p>
Trivy can be run in two different modes:
- [Standalone](https://aquasecurity.github.io/trivy/latest/modes/standalone/)
- [Client/Server](https://aquasecurity.github.io/trivy/latest/modes/client-server/)
Trivy can scan three different artifacts:
- [Container Images](https://aquasecurity.github.io/trivy/latest/scanning/image/)
- [Filesystem](https://aquasecurity.github.io/trivy/latest/scanning/filesystem/)
- [Git Repositories](https://aquasecurity.github.io/trivy/latest/scanning/git-repository/)
<img src="docs/imgs/usage.gif" width="700">
<img src="docs/imgs/usage1.png" width="600">
<img src="docs/imgs/usage2.png" width="600">
It is considered to be used in CI. Before pushing to a container registry or deploying your application, you can scan your local container image and other artifacts easily.
See [here](https://aquasecurity.github.io/trivy/latest/integrations/) for details.
# Features
- Detect comprehensive vulnerabilities
- OS packages (Alpine, **Red Hat Universal Base Image**, Red Hat Enterprise Linux, CentOS, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
- **Application dependencies** (Bundler, Composer, Pipenv, Poetry, npm, yarn, Cargo, NuGet, Maven, and Go)
- Simple
- Specify only an image name or artifact name
- See [Quick Start](#quick-start) and [Examples](#examples)
- Fast
- The first scan will finish within 10 seconds (depending on your network). Consequent scans will finish in single seconds.
- Unlike other scanners that take long to fetch vulnerability information (~10 minutes) on the first run, and encourage you to maintain a durable vulnerability database, Trivy is stateless and requires no maintenance or preparation.
- Easy installation
- `apt-get install`, `yum install` and `brew install` is possible (See [Installation](#installation))
- **No pre-requisites** such as installation of DB, libraries, etc.
- High accuracy
- **Especially Alpine Linux and RHEL/CentOS**
- Other OSes are also high
- DevSecOps
- **Suitable for CI** such as Travis CI, CircleCI, Jenkins, GitLab CI, etc.
- See [CI Example](#continuous-integration-ci)
- Support multiple formats
- container image
- A local image in Docker Engine which is running as a daemon
- A local image in Podman (>=2.0) which is exposing a socket
- A remote image in Docker Registry such as Docker Hub, ECR, GCR and ACR
- A tar archive stored in the `docker save` / `podman save` formatted file
- An image directory compliant with [OCI Image Format](https://github.com/opencontainers/image-spec)
- local filesystem
- remote git repository
Please see [LICENSE][license] for Trivy licensing information. Note that Trivy uses vulnerability information from a variety of sources, some of which are licensed for non-commercial use only.
# Documentation
The official documentation, which provides detailed installation, configuration, and quick start guides, is available at https://aquasecurity.github.io/trivy/.
# Installation
See [here](https://aquasecurity.github.io/trivy/latest/installation/)
### Demo: Vulnerability Detection (Container Image)
<p align="center">
<img src="docs/imgs/vuln-demo.gif" width="1000" alt="Vulnerability Detection">
</p>
### Demo: Misconfiguration Detection (IaC Files)
<p align="center">
<img src="docs/imgs/misconf-demo.gif" width="1000" alt="Misconfiguration Detection">
</p>
# Quick Start
## Scan Image for Vulnerabilities
Simply specify an image name (and a tag).
```
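Review bot: the sentence `Note that Trivy uses vulnerability information from a variety of sources, some of which are licensed for non-commercial use only.` is dropped from the README together with the old LICENSE paragraph, and the rewritten README only links to the documentation; since the README is what most users read on GitHub, keep that caveat next to the license badge or link (it survives in the docs overview as a `!!! note`). Two smaller points: the `### Demo:` headings sit directly under the `# Installation` H1, skipping H2, so `##` would keep the outline consistent; and the `--security-checks` flag that the next section relies on is only introduced by example, so a one-line remark that it defaults to `vuln` would help readers understand why `config` has to be added.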
@@ -113,21 +70,140 @@ Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
| | | | | | with long nonces |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
```
</details>
## Scan Filesystem for Vulnerabilities and Misconfigurations
Simply specify a directory to scan.
```bash
$ trivy fs --security-checks vuln,config [YOUR_PROJECT_DIR]
```
For example:
```bash
$ trivy fs --security-checks vuln,config myproject/
```
<details>
<summary>Result</summary>
```bash
2021-07-09T12:03:27.564+0300 INFO Number of language-specific files: 1
2021-07-09T12:03:27.564+0300 INFO Detecting pipenv vulnerabilities...
2021-07-09T12:03:27.566+0300 INFO Detected config files: 1
Pipfile.lock (pipenv)
=====================
Total: 1 (HIGH: 1, CRITICAL: 0)
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| httplib2 | CVE-2021-21240 | HIGH | 0.12.1 | 0.19.0 | python-httplib2: Regular |
| | | | | | expression denial of |
| | | | | | service via malicious header |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-21240 |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
Dockerfile (dockerfile)
=======================
Tests: 23 (SUCCESSES: 22, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)
+---------------------------+------------+----------------------+----------+------------------------------------------+
| TYPE | MISCONF ID | CHECK | SEVERITY | MESSAGE |
+---------------------------+------------+----------------------+----------+------------------------------------------+
| Dockerfile Security Check | DS002 | Image user is 'root' | HIGH | Last USER command in |
| | | | | Dockerfile should not be 'root' |
| | | | | -->avd.aquasec.com/appshield/ds002 |
+---------------------------+------------+----------------------+----------+------------------------------------------+
```
</details>
## Scan Directory for Misconfigurations
Simply specify a directory containing IaC files such as Terraform and Dockerfile.
```
$ trivy config [YOUR_IAC_DIR]
```
For example:
```
$ ls build/
Dockerfile
$ trivy config ./build
```
<details>
<summary>Result</summary>
```
2021-07-09T10:06:29.188+0300 INFO Need to update the built-in policies
2021-07-09T10:06:29.188+0300 INFO Downloading the built-in policies...
2021-07-09T10:06:30.520+0300 INFO Detected config files: 1
Dockerfile (dockerfile)
=======================
Tests: 23 (SUCCESSES: 22, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
+---------------------------+------------+----------------------+----------+------------------------------------------+
| TYPE | MISCONF ID | CHECK | SEVERITY | MESSAGE |
+---------------------------+------------+----------------------+----------+------------------------------------------+
| Dockerfile Security Check | DS002 | Image user is 'root' | HIGH | Last USER command in |
| | | | | Dockerfile should not be 'root' |
| | | | | -->avd.aquasec.com/appshield/ds002 |
+---------------------------+------------+----------------------+----------+------------------------------------------+
```
</details>
# Examples
See [here](https://aquasecurity.github.io/trivy/latest/examples/filter/)
# Continuous Integration (CI)
See [here](https://aquasecurity.github.io/trivy/latest/integrations/)
# Features
# Vulnerability Detection
See [here](https://aquasecurity.github.io/trivy/latest/vuln-detection/)
- Comprehensive vulnerability detection
- OS packages (Alpine Linux, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
- **Language-specific packages** (Bundler, Composer, Pipenv, Poetry, npm, yarn, Cargo, NuGet, Maven, and Go)
- Misconfiguration detection (IaC scanning)
- A wide variety of built-in policies are provided **out of the box**
- Kubernetes, Docker, Terraform, and more coming soon
- Support custom policies
- Simple
- Specify only an image name, a path to config files, or an artifact name
- Fast
- The first scan will finish within 10 seconds (depending on your network). Consequent scans will finish in single seconds.
- Easy installation
- `apt-get install`, `yum install` and `brew install` are possible.
- **No pre-requisites** such as installation of DB, libraries, etc.
- High accuracy
- **Especially [Alpine Linux][alpine] and RHEL/CentOS**
- Other OSes are also high
- DevSecOps
- **Suitable for CI** such as GitHub Actions, Jenkins, GitLab CI, etc.
- Support multiple targets
- container image, local filesystem and remote git repository
# Usage
See [here](https://aquasecurity.github.io/trivy/latest/usage/)
# Integrations
- [GitHub Actions][action]
- [Visual Studio Code][vscode]
# Author
# Documentation
The official documentation, which provides detailed installation, configuration, and quick start guides, is available at https://aquasecurity.github.io/trivy/.
[Teppei Fukuda](https://github.com/knqyf263) (knqyf263)
[test]: https://github.com/aquasecurity/trivy/actions/workflows/test.yaml
[test-img]: https://github.com/aquasecurity/trivy/actions/workflows/test.yaml/badge.svg
[go-report]: https://goreportcard.com/report/github.com/aquasecurity/trivy
[go-report-img]: https://goreportcard.com/badge/github.com/aquasecurity/trivy
[release]: https://github.com/aquasecurity/trivy/releases
[release-img]: https://img.shields.io/github/release/aquasecurity/trivy.svg?logo=github
[github-all-releases-img]: https://img.shields.io/github/downloads/aquasecurity/trivy/total?logo=github
[docker-pulls]: https://img.shields.io/docker/pulls/aquasec/trivy?logo=docker&label=docker%20pulls%20%2F%20trivy
[license]: https://github.com/aquasecurity/trivy/blob/main/LICENSE
[license-img]: https://img.shields.io/badge/License-Apache%202.0-blue.svg
[alpine]: https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/
[action]: https://github.com/aquasecurity/trivy-action
[vscode]: https://github.com/aquasecurity/trivy-vscode-extension
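Review bot: the two sample outputs use different severity summaries: the `trivy fs` result prints `Total: 1 (HIGH: 1, CRITICAL: 0)` while the `trivy config` result prints `Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)`. If the fs output was captured with `--severity HIGH,CRITICAL`, show that flag in the command above it; otherwise paste the default output so readers can reproduce it. Smaller points in the same hunk: the fs examples tag their fences with `bash` while the config examples use untagged fences; the Features bullet `Support custom policies` has no link to the policy documentation although the `config` reference in this change documents `--policy` / `--config-policy`; and `Other OSes are also high` reads oddly, `accuracy for other OSes is also high` would be clearer.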


@@ -1,6 +1,6 @@
# OCI
# OCI Image Layout
An image directory compliant with "Open Container Image Layout Specification".
An image directory compliant with [Open Container Image Layout Specification](https://github.com/opencontainers/image-spec/blob/master/spec.md).
Buildah:
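Review bot: the new link points at `blob/master/spec.md` in the image-spec repository; a branch link can silently change content or break if the default branch is renamed, so prefer a tagged release URL for the specification. The heading change to `# OCI Image Layout` matches the spec's own name, good.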


@@ -1,10 +1,12 @@
# Podman
[EXPERIMENTAL] This feature might change without preserving backwards compatibility.
!!! warning "EXPERIMENTAL"
This feature might change without preserving backwards compatibility.
Scan your image in Podman (>=2.0) running locally. The remote Podman is not supported.
Before performing Trivy commands, you must enable the podman.sock systemd service on your machine.
For more details, see [here][sock]
For more details, see [here][sock].
```bash
$ systemctl --user enable --now podman.socket
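Review bot: the `!!! warning "EXPERIMENTAL"` admonition only renders if its body line (`This feature might change without preserving backwards compatibility.`) is indented by four spaces beneath the marker; indentation is not visible in this view, so please confirm it, otherwise the text renders as a plain paragraph with a literal `!!! warning` line above it. The period added to `For more details, see [here][sock].` is fine.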


@@ -185,7 +185,7 @@ We use two labels [help wanted](https://github.com/aquasecurity/trivy/issues?q=i
and [good first issue](https://github.com/aquasecurity/trivy/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22)
to identify issues that have been specially groomed for new contributors.
We have specific [guidelines](/docs/contrib/help-wanted.md)
We have specific [guidelines](/docs/advanced/contribd/contrib/help-wanted.md)
for how to use these labels. If you see an issue that satisfies these
guidelines, you can add the `help wanted` label and the `good first issue` label.
Please note that adding the `good first issue` label must also
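Review bot: the new link target `/docs/advanced/contribd/contrib/help-wanted.md` contains the segment `contribd/contrib`, which looks like a typo for a single `contrib` directory; verify that the file actually lives at that path (the rest of this change moves pages under `docs/advanced/`, and a `mkdocs build --strict` run will flag a dangling link).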

docs/advanced/index.md (new file, 2 changes)

@@ -0,0 +1,2 @@
# Advanced
This section describes advanced features, integrations, etc.
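Review bot: `docs/advanced/index.md` is a two-line stub; listing the pages that now live under this section (modes, integrations, container) with links would make the index useful rather than a placeholder readers have to navigate past.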


@@ -1,3 +1,4 @@
# Integrations
Scan your image automatically as part of your CI workflow, failing the workflow if a vulnerability is found. When you don't want to fail the test, specify `--exit-code 0`.
Since in automated scenarios such as CI/CD you are only interested in the end result, and not the full report, use the `--light` flag to optimize for this scenario and get fast results.
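Review bot: `failing the workflow if a vulnerability is found` describes behaviour that does not happen by default: the command reference added in this same change documents `--exit-code value  Exit code when vulnerabilities were found (default: 0)`, so a CI scan passes regardless of findings unless `--exit-code 1` is passed explicitly, and the next sentence, `When you don't want to fail the test, specify --exit-code 0`, implies the opposite default. Suggest stating that `--exit-code 1` (typically together with `--severity HIGH,CRITICAL`) is required to gate the pipeline, and showing it in the CI examples.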


@@ -55,5 +55,5 @@ $ trivy client --remote http://localhost:8080 --token dummy alpine:3.10
## Architecture
![architecture](../imgs/client-server.png)
![architecture](../../imgs/client-server.png)
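Review bot: the image path changes from `../imgs/` to `../../imgs/`, which is correct only if this page now sits two directories below `docs/` (the link table in the new overview page places it at `advanced/modes/client-server.md`, so it does); the same applies to the standalone page below. Building with `mkdocs build --strict` will catch any image path that did not follow the move.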


@@ -4,13 +4,13 @@
## Image
![standalone](../imgs/image.png)
![standalone](../../imgs/image.png)
## Filesystem
![fs](../imgs/fs.png)
![fs](../../imgs/fs.png)
## Git Repository
![repo](../imgs/repo.png)
![repo](../../imgs/repo.png)


@@ -1,17 +0,0 @@
# Comparison with other scanners
| Scanner | OS<br>Packages | Application<br>Dependencies | Easy to use | Accuracy | Suitable<br>for CI |
| -------------- | :-------------: | :-------------------------: | :----------: | :---------: | :-----------------: |
| Trivy | ✅ | ✅<br>(8 languages) | ⭐ ⭐ ⭐ | ⭐ ⭐ ⭐ | ⭐ ⭐ ⭐ |
| Clair | ✅ | × | ⭐ | ⭐ ⭐ | ⭐ ⭐ |
| Anchore Engine | ✅ | ✅<br>(4 languages) | ⭐ ⭐ | ⭐ ⭐ | ⭐ ⭐ ⭐ |
| Quay | ✅ | × | ⭐ ⭐ ⭐ | ⭐ ⭐ | × |
| Docker Hub | ✅ | × | ⭐ ⭐ ⭐ | ⭐ | × |
| GCR | ✅ | × | ⭐ ⭐ ⭐ | ⭐ ⭐ | × |
- [Open Source CVE Scanner Round-Up: Clair vs Anchore vs Trivy][round-up]
- [Docker Image Security: Static Analysis Tool Comparison Anchore Engine vs Clair vs Trivy][tool-comparison]
- [Research Spike: evaluate Trivy for scanning running containers](https://gitlab.com/gitlab-org/gitlab/-/issues/270888)
[round-up]: https://boxboat.com/2020/04/24/image-scanning-tech-compared/
[tool-comparison]: https://www.a10o.net/devsecops/docker-image-security-static-analysis-tool-comparison-anchore-engine-vs-clair-vs-trivy/
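Review bot: deleting the comparison page also removes its three external links, which this change re-adds under `## External Blogs` on the community page, good; make sure the page is also removed from the `mkdocs.yml` nav and that no other page links to it, otherwise the docs build reports a missing page.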


@@ -1,14 +0,0 @@
# Special Thanks to
- [Tomoya Amachi][tomoyamachi]
- [Masahiro Fujimura][masahiro331]
- [Naoki Harima][XapiMa]
# Author
[Teppei Fukuda][knqyf263] (knqyf263)
[tomoyamachi]: https://github.com/tomoyamachi
[masahiro331]: https://github.com/masahiro331
[XapiMa]: https://github.com/XapiMa
[knqyf263]: https://github.com/knqyf263


@@ -1,3 +0,0 @@
# Examples
There are plenty of examples.


@@ -1,17 +0,0 @@
# Skip Traversal of Files/Directories
## Skip Files
Trivy traversals directories and looks for all lock files by default.
If your image contains lock files which are not maintained by you, you can skip the file.
```
$ trivy image --skip-files "/Gemfile.lock" --skip-files "/var/lib/gems/2.5.0/gems/http_parser.rb-0.6.0/Gemfile.lock" quay.io/fluentd_elasticsearch/fluentd:v2.9.0
```
## Skip Directories
Trivy traversals directories and look for all lock files by default.
If your image contains lock files which are not maintained by you, you can skip traversal in the specific directory.
```
$ trivy image --skip-dirs /var/lib/gems/2.5.0/gems/fluent-plugin-detect-exceptions-0.0.13 --skip-dirs "/var/lib/gems/2.5.0/gems/http_parser.rb-0.6.0" quay.io/fluentd_elasticsearch/fluentd:v2.9.0
```
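Review bot: the `--skip-files` / `--skip-dirs` examples are deleted here, yet both flags are still listed in the new `config` and `filesystem` command references; if this content moved to another page rather than being dropped, that page is not in this view, so please confirm. While moving it, fix `traversals directories` (should be `traverses directories`) and `look for` (should be `looks for`).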


@@ -0,0 +1,29 @@
# Config
``` bash
NAME:
trivy config - scan config files
USAGE:
trivy config [command options] dir
OPTIONS:
--template value, -t value output template [$TRIVY_TEMPLATE]
--format value, -f value format (table, json, template) (default: "table") [$TRIVY_FORMAT]
--severity value, -s value severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
--output value, -o value output file name [$TRIVY_OUTPUT]
--exit-code value Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
--skip-policy-update skip updating built-in policies (default: false) [$TRIVY_SKIP_POLICY_UPDATE]
--reset remove all caches and database (default: false) [$TRIVY_RESET]
--clear-cache, -c clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE]
--ignorefile value specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
--timeout value timeout (default: 5m0s) [$TRIVY_TIMEOUT]
--skip-files value specify the file paths to skip traversal [$TRIVY_SKIP_FILES]
--skip-dirs value specify the directories where the traversal is skipped [$TRIVY_SKIP_DIRS]
--policy value, --config-policy value specify paths to the Rego policy files directory, applying config files [$TRIVY_POLICY]
--data value, --config-data value specify paths from which data for the Rego policies will be recursively loaded [$TRIVY_DATA]
--policy-namespaces value, --namespaces value Rego namespaces (default: "users") [$TRIVY_POLICY_NAMESPACES]
--file-patterns value specify file patterns [$TRIVY_FILE_PATTERNS]
--include-successes include successes of misconfigurations (default: false) [$TRIVY_INCLUDE_SUCCESSES]
--help, -h show help (default: false)
```
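Review bot: several help strings in `trivy config` are copied from the vulnerability commands and describe the wrong thing for a misconfiguration scanner: `--severity` says `severities of vulnerabilities to be displayed`, `--exit-code` says `Exit code when vulnerabilities were found`, and `--clear-cache` says `clear image caches`. Since this page mirrors the CLI's own help output, fix the strings in the command definitions and regenerate the page. `--policy-namespaces` defaulting to `users` is the one setting custom-policy authors must get right, and nothing here says which namespace their Rego policies must use; a sentence or a link to the custom-policy docs would help.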


@@ -0,0 +1,36 @@
# Filesystem
```bash
NAME:
trivy filesystem - scan local filesystem
USAGE:
trivy filesystem [command options] dir
OPTIONS:
--template value, -t value output template [$TRIVY_TEMPLATE]
--format value, -f value format (table, json, template) (default: "table") [$TRIVY_FORMAT]
--input value, -i value input file path instead of image name [$TRIVY_INPUT]
--severity value, -s value severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
--output value, -o value output file name [$TRIVY_OUTPUT]
--exit-code value Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
--skip-db-update, --skip-update skip updating vulnerability database (default: false) [$TRIVY_SKIP_UPDATE, $TRIVY_SKIP_DB_UPDATE]
--skip-policy-update skip updating built-in policies (default: false) [$TRIVY_SKIP_POLICY_UPDATE]
--clear-cache, -c clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE]
--ignore-unfixed display only fixed vulnerabilities (default: false) [$TRIVY_IGNORE_UNFIXED]
--removed-pkgs detect vulnerabilities of removed packages (only for Alpine) (default: false) [$TRIVY_REMOVED_PKGS]
--vuln-type value comma-separated list of vulnerability types (os,library) (default: "os,library") [$TRIVY_VULN_TYPE]
--security-checks value comma-separated list of what security issues to detect (vuln,config) (default: "vuln") [$TRIVY_SECURITY_CHECKS]
--ignorefile value specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
--cache-backend value cache backend (e.g. redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND]
--timeout value timeout (default: 5m0s) [$TRIVY_TIMEOUT]
--no-progress suppress progress bar (default: false) [$TRIVY_NO_PROGRESS]
--ignore-policy value specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
--list-all-pkgs enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
--skip-files value specify the file paths to skip traversal [$TRIVY_SKIP_FILES]
--skip-dirs value specify the directories where the traversal is skipped [$TRIVY_SKIP_DIRS]
--config-policy value specify paths to the Rego policy files directory, applying config files [$TRIVY_CONFIG_POLICY]
--config-data value specify paths from which data for the Rego policies will be recursively loaded [$TRIVY_CONFIG_DATA]
--policy-namespaces value, --namespaces value Rego namespaces (default: "users") [$TRIVY_POLICY_NAMESPACES]
--help, -h show help (default: false)
```
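Review bot: `--security-checks` defaults to `vuln`, so `trivy fs` runs no misconfiguration checks unless `config` is added; that matches the README example but deserves a sentence above the help text. Two inconsistencies with the `config` reference: there the policy flags are `--policy, --config-policy` and `--data, --config-data` (env `TRIVY_POLICY` / `TRIVY_DATA`), here only `--config-policy` / `--config-data` (env `TRIVY_CONFIG_POLICY` / `TRIVY_CONFIG_DATA`); one spelling and one environment variable for both commands avoids surprises for anyone setting them in CI. `--input value  input file path instead of image name` does not apply to a filesystem scan and looks inherited from the image command.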


@@ -1,6 +1,6 @@
Trivy has several sub commands, image, fs, repo, client and server.
```
``` bash
NAME:
trivy - A simple and comprehensive vulnerability scanner for containers
@@ -8,7 +8,7 @@ USAGE:
trivy [global options] command [command options] target
VERSION:
v0.15.0
dev
COMMANDS:
image, i scan an image
@@ -16,6 +16,8 @@ COMMANDS:
repository, repo scan remote repository
client, c client mode
server, s server mode
config, conf scan config files
plugin, p manage plugins
help, h Shows a list of commands or help for one command
GLOBAL OPTIONS:
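Review bot: `config, conf` and `plugin, p` are added to the command list, but the sentence at the top of the page, `Trivy has several sub commands, image, fs, repo, client and server.`, is unchanged; update it to mention `config` and `plugin`, and align the one-line description `A simple and comprehensive vulnerability scanner for containers` with the new README wording, which also covers configuration issues.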
@@ -24,4 +26,5 @@ GLOBAL OPTIONS:
--cache-dir value cache directory (default: "/Users/teppei/Library/Caches/trivy") [$TRIVY_CACHE_DIR]
--help, -h show help (default: false)
--version, -v print the version (default: false)
```
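Review bot: the `--cache-dir` default in this help text is the author's personal path, `/Users/teppei/Library/Caches/trivy`; the real default depends on the OS user cache directory, so replace it with a generic placeholder or a sentence saying so, otherwise readers on Linux will assume the wrong location.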


@@ -0,0 +1,10 @@
# Author
[Teppei Fukuda][knqyf263] (knqyf263)
# Contributors
Thanks to all [contributors][contributors]
[knqyf263]: https://github.com/knqyf263
[contributors]: https://github.com/aquasecurity/trivy/graphs/contributors


@@ -18,6 +18,10 @@
- [Find Image Vulnerabilities Using GitHub and Aqua Security Trivy Action][actions2]
- [Using Trivy to Discover Vulnerabilities in VS Code Projects][vscode]
## External Blogs
- [Open Source CVE Scanner Round-Up: Clair vs Anchore vs Trivy][round-up]
- [Docker Image Security: Static Analysis Tool Comparison Anchore Engine vs Clair vs Trivy][tool-comparison]
- [Research Spike: evaluate Trivy for scanning running containers][gitlab]
[intro]: https://www.youtube.com/watch?v=AzOBGm7XxOA
[cncf]: https://www.youtube.com/watch?v=XnYxX9uueoQ
@@ -31,3 +35,7 @@
[actions]: https://blog.aquasec.com/devsecops-with-trivy-github-actions
[actions2]: https://blog.aquasec.com/github-vulnerability-scanner-trivy
[vscode]: https://blog.aquasec.com/trivy-open-source-vulnerability-scanner-vs-code
[round-up]: https://boxboat.com/2020/04/24/image-scanning-tech-compared/
[tool-comparison]: https://www.a10o.net/devsecops/docker-image-security-static-analysis-tool-comparison-anchore-engine-vs-clair-vs-trivy/
[gitlab]: https://gitlab.com/gitlab-org/gitlab/-/issues/270888


@@ -2,56 +2,63 @@
## RHEL/CentOS
Add repository setting to `/etc/yum.repos.d`.
```bash
$ sudo vim /etc/yum.repos.d/trivy.repo
[trivy]
name=Trivy repository
baseurl=https://aquasecurity.github.io/trivy-repo/rpm/releases/$releasever/$basearch/
gpgcheck=0
enabled=1
$ sudo yum -y update
$ sudo yum -y install trivy
```
=== "Repository"
Add repository setting to `/etc/yum.repos.d`.
or
``` bash
$ sudo vim /etc/yum.repos.d/trivy.repo
[trivy]
name=Trivy repository
baseurl=https://aquasecurity.github.io/trivy-repo/rpm/releases/$releasever/$basearch/
gpgcheck=0
enabled=1
$ sudo yum -y update
$ sudo yum -y install trivy
```
```bash
rpm -ivh https://github.com/aquasecurity/trivy/releases/download/{{ git.tag }}/trivy_{{ git.tag[1:] }}_Linux-64bit.rpm
```
=== "RPM"
``` bash
rpm -ivh https://github.com/aquasecurity/trivy/releases/download/{{ git.tag }}/trivy_{{ git.tag[1:] }}_Linux-64bit.rpm
```
## Debian/Ubuntu
Add repository to `/etc/apt/sources.list.d`.
=== "Repository"
Add repository setting to `/etc/apt/sources.list.d`.
```bash
sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy
```
``` bash
sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy
```
or
=== "DEB"
```bash
wget https://github.com/aquasecurity/trivy/releases/download/{{ git.tag }}/trivy_{{ git.tag[1:] }}_Linux-64bit.deb
sudo dpkg -i trivy_{{ git.tag[1:] }}_Linux-64bit.deb
```
``` bash
wget https://github.com/aquasecurity/trivy/releases/download/{{ git.tag }}/trivy_{{ git.tag[1:] }}_Linux-64bit.deb
sudo dpkg -i trivy_{{ git.tag[1:] }}_Linux-64bit.deb
```
## Arch Linux
Package trivy-bin can be installed from the Arch User Repository. Examples:
Package trivy-bin can be installed from the Arch User Repository.
```bash
pikaur -Sy trivy-bin
```
or
```bash
yay -Sy trivy-bin
```
=== "pikaur"
``` bash
pikaur -Sy trivy-bin
```
=== "yay"
``` bash
yay -Sy trivy-bin
```
## Homebrew
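Review bot: the RHEL/CentOS repository definition still sets `gpgcheck=0`, so yum installs the trivy RPM without any signature verification, and the `rpm -ivh https://...` tab installs straight from a URL with no checksum or signature check either; for a security scanner that is the weakest link in the install path. If the RPM repository is not signed yet, at least add a sentence on how to verify the downloaded package against the release assets, and plan for `gpgcheck=1` with a `gpgkey=` entry. The Debian tab does verify via the published `public.key`, although `apt-key add` is deprecated in current releases and the `signed-by` keyring approach would be worth adopting. Separately, the `=== "Repository"` / `=== "RPM"` content tabs require the `pymdownx.tabbed` extension in `mkdocs.yml`, which is not in this view; please confirm it is enabled.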
@@ -106,17 +113,20 @@ Replace [YOUR_CACHE_DIR] with the cache directory on your machine.
docker pull aquasec/trivy:{{ git.tag[1:] }}
```
Example for Linux:
Example:
```bash
docker run --rm -v [YOUR_CACHE_DIR]:/root/.cache/ aquasec/trivy:{{ git.tag[1:] }} [YOUR_IMAGE_NAME]
```
=== "Linux"
Example for macOS:
``` bash
docker run --rm -v [YOUR_CACHE_DIR]:/root/.cache/ aquasec/trivy:{{ git.tag[1:] }} [YOUR_IMAGE_NAME]
```
```bash
docker run --rm -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:{{ git.tag[1:] }} python:3.4-alpine
```
=== "macOS"
``` bash
yay -Sy trivy-bin
docker run --rm -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:{{ git.tag[1:] }} python:3.4-alpine
```
If you would like to scan the image on your host machine, you need to mount `docker.sock`.
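Review bot: the `=== "macOS"` tab contains a stray `yay -Sy trivy-bin` line above the `docker run` command; that is the Arch Linux package-manager command pasted in by mistake and must be removed, since it fails on macOS and confuses readers. Otherwise the tab conversion mirrors the previous Linux/macOS examples correctly.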
@@ -156,11 +166,10 @@ The same image is hosted on [GitHub Container Registry][registry] as well.
docker pull ghcr.io/aquasecurity/trivy:{{ git.tag[1:] }}
```
[registry]: https://github.com/orgs/aquasecurity/packages/container/package/trivy
### Amazon ECR Public
The same image is hosted on [Amazon ECR Public](https://gallery.ecr.aws/aquasecurity/trivy) as well.
The same image is hosted on [Amazon ECR Public][ecr] as well.
```bash
docker pull public.ecr.aws/aquasecurity/trivy:{{ git.tag[1:] }}
@@ -183,7 +192,11 @@ To install the chart with the release name `my-release`:
helm install my-release .
```
The command deploys Trivy on the Kubernetes cluster in the default configuration. The [Parameters](#parameters)
The command deploys Trivy on the Kubernetes cluster in the default configuration. The [Parameters][helm]
section lists the parameters that can be configured during installation.
> **Tip**: List all releases using `helm list`.
[ecr]: https://gallery.ecr.aws/aquasecurity/trivy
[registry]: https://github.com/orgs/aquasecurity/packages/container/package/trivy
[helm]: https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/helm/trivy
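Review bot: `[Parameters][helm]` now resolves to `https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/helm/trivy`, the chart directory, whereas the sentence promises a section that `lists the parameters that can be configured during installation`; link to the parameters section of the chart README (or keep an in-page table) so the reference is not a dead end. The `{{ git.tag }}` placeholder also relies on the macros plugin being active for this page, as the Docker examples above already assume.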


@@ -0,0 +1,82 @@
# Overview
Trivy detects two types of security issues:
- [Vulnerabilities][vuln]
- [Misconfigurations][misconf]
Trivy can scan three different artifacts:
- [Container Images][container]
- [Filesystem][filesystem]
- [Git Repositories][repo]
Trivy can be run in two different modes:
- [Standalone][standalone]
- [Client/Server][client-server]
It is designed to be used in CI. Before pushing to a container registry or deploying your application, you can scan your local container image and other artifacts easily.
See [Integrations][integrations] for details.
## Features
- Comprehensive vulnerability detection
- [OS packages][os] (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
- [**Language-specific packages**][lang] (Bundler, Composer, Pipenv, Poetry, npm, yarn, Cargo, NuGet, Maven, and Go)
- Detect IaC misconfigurations
- A wide variety of [built-in policies][builtin] are provided **out of the box**:
- Kubernetes
- Docker
- Terraform
- more coming soon
- Support custom policies
- Simple
- Specify only an image name, a directory containing IaC configs, or an artifact name
- See [Quick Start][quickstart]
- Fast
- The first scan will finish within 10 seconds (depending on your network). Consequent scans will finish in single seconds.
- Unlike other scanners that take long to fetch vulnerability information (~10 minutes) on the first run, and encourage you to maintain a durable vulnerability database, Trivy is stateless and requires no maintenance or preparation.
- Easy installation
- `apt-get install`, `yum install` and `brew install` is possible (See [Installation](installation.md))
- **No pre-requisites** such as installation of DB, libraries, etc.
- High accuracy
- **Especially Alpine Linux and RHEL/CentOS**
- Other OSes are also high
- DevSecOps
- **Suitable for CI** such as Travis CI, CircleCI, Jenkins, GitLab CI, etc.
- See [CI Example][integrations]
- Support multiple formats
- container image
- A local image in Docker Engine which is running as a daemon
- A local image in [Podman][podman] (>=2.0) which is exposing a socket
- A remote image in Docker Registry such as Docker Hub, ECR, GCR and ACR
- A tar archive stored in the `docker save` / `podman save` formatted file
- An image directory compliant with [OCI Image Format][oci]
- local filesystem
- remote git repository
Please see [LICENSE][license] for Trivy licensing information.
!!! note
Trivy uses vulnerability information from a variety of sources, some of which are licensed for non-commercial use only.
[vuln]: ../vulnerability/scanning/index.md
[misconf]: ../misconfiguration/index.md
[container]: ../vulnerability/scanning/image.md
[filesystem]: ../vulnerability/scanning/filesystem.md
[repo]: ../vulnerability/scanning/git-repository.md
[standalone]: ../advanced/modes/standalone.md
[client-server]: ../advanced/modes/client-server.md
[integrations]: ../advanced/integrations/index.md
[os]: ../vulnerability/detection/os.md
[lang]: ../vulnerability/detection/language.md
[builtin]: ../misconfiguration/policy/builtin.md
[quickstart]: quickstart.md
[podman]: ../advanced/container/podman.md
[oci]: https://github.com/opencontainers/image-spec
[license]: https://github.com/aquasecurity/trivy/blob/main/LICENSE
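Review bot: two lines in the features list read awkwardly and are worth tightening while this file is being touched: "`apt-get install`, `yum install` and `brew install` is possible" should be "are available", and "Other OSes are also high" leaves its subject implicit (suggest "Detection accuracy for other OSes is also high"). The reference block at the end defines `[vuln]`, `[container]`, `[filesystem]`, `[repo]`, `[standalone]`, `[client-server]`, `[builtin]`, `[os]` and `[lang]`, none of which is used in the visible part of this hunk; a quick check that each is referenced somewhere in the file would catch a dangling label, since MkDocs renders an unresolved `[label][ref]` as literal brackets.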

View File

@@ -0,0 +1,83 @@
# Quick Start
## Scan image for vulnerabilities
Simply specify an image name (and a tag).
```
$ trivy image [YOUR_IMAGE_NAME]
```
For example:
```
$ trivy image python:3.4-alpine
```
<details>
<summary>Result</summary>
```
2019-05-16T01:20:43.180+0900 INFO Updating vulnerability database...
2019-05-16T01:20:53.029+0900 INFO Detecting Alpine vulnerabilities...
python:3.4-alpine3.9 (alpine 3.9.2)
===================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| openssl | CVE-2019-1543 | MEDIUM | 1.1.1a-r1 | 1.1.1b-r1 | openssl: ChaCha20-Poly1305 |
| | | | | | with long nonces |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
```
</details>
For more details, see [here][vulnerability].
## Scan directory for misconfigurations
Simply specify a directory containing IaC files such as Terraform and Dockerfile.
```
$ trivy config [YOUR_IAC_DIR]
```
For example:
```
$ ls build/
Dockerfile
$ trivy config ./build
```
<details>
<summary>Result</summary>
```
2021-07-09T10:06:29.188+0300 INFO Need to update the built-in policies
2021-07-09T10:06:29.188+0300 INFO Downloading the built-in policies...
2021-07-09T10:06:30.520+0300 INFO Detected config files: 1
Dockerfile (dockerfile)
=======================
Tests: 23 (SUCCESSES: 22, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
+---------------------------+------------+----------------------+----------+------------------------------------------+
| TYPE | MISCONF ID | CHECK | SEVERITY | MESSAGE |
+---------------------------+------------+----------------------+----------+------------------------------------------+
| Dockerfile Security Check | DS002 | Image user is 'root' | HIGH | Last USER command in |
| | | | | Dockerfile should not be 'root' |
| | | | | -->avd.aquasec.com/appshield/ds002 |
+---------------------------+------------+----------------------+----------+------------------------------------------+
```
</details>
For more details, see [here][misconf].
[vulnerability]: ../vulnerability/scanning/index.md
[misconf]: ../misconfiguration/index.md
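Review bot: the fenced blocks around `$ trivy image [YOUR_IMAGE_NAME]`, `$ trivy image python:3.4-alpine`, `$ trivy config [YOUR_IAC_DIR]` and the two result listings carry no language tag, while the other docs in this commit tag shell listings with ```bash; tagging them keeps highlighting consistent across the site. Also, the vulnerability sample output is dated 2019-05-16 (python:3.4-alpine, openssl CVE-2019-1543) whereas the misconfiguration sample is from 2021-07-09; re-capturing the first with a current Trivy build would keep both quick-start examples showing the same output format.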

View File

@@ -1,11 +1,57 @@
# FAQ
# Troubleshooting
## Scan
### analyze error: timeout: context deadline exceeded
### Timeout
!!! error
``` bash
$ trivy image ...
...
analyze error: timeout: context deadline exceeded
```
Your scan may time out. Java takes a particularly long time to scan. Try increasing the value of the ---timeout option such as `--timeout 15m`.
### Certification
!!! error
Error: x509: certificate signed by unknown authority
`TRIVY_INSECURE` can be used to allow insecure connections to a container registry when using SSL.
```
$ TRIVY_INSECURE=true trivy image [YOUR_IMAGE]
```
### GitHub Rate limiting
!!! error
``` bash
$ trivy image ...
...
API rate limit exceeded for xxx.xxx.xxx.xxx.
```
Specify GITHUB_TOKEN for authentication
https://developer.github.com/v3/#rate-limiting
```
$ GITHUB_TOKEN=XXXXXXXXXX trivy alpine:3.10
```
### Running in parallel takes same time as series run
When running trivy on multiple images simultaneously, it will take same time as running trivy in series.
This is because of a limitation of boltdb.
> Bolt obtains a file lock on the data file so multiple processes cannot open the same database at the same time. Opening an already open Bolt database will cause it to hang until the other process closes it.
Reference : [boltdb: Opening a database][boltdb].
[boltdb]: https://github.com/boltdb/bolt#opening-a-database
## Homebrew
### Error: Your macOS keychain GitHub credentials do not have sufficient scope!
### Scope error
!!! error
Error: Your macOS keychain GitHub credentials do not have sufficient scope!
```
$ brew tap aquasecurity/trivy
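Review bot: `---timeout` in the Timeout section has three dashes; the option is `--timeout`, as the `--timeout 15m` example on the same line shows. Two more points in this hunk: the heading `### Certification` sits above an `x509: certificate signed by unknown authority` error, so `### Certificate` (and "TLS" rather than "SSL") would be more accurate, and the rate-limit example `$ GITHUB_TOKEN=XXXXXXXXXX trivy alpine:3.10` omits the `image` subcommand that every other invocation on this page uses. Since `TRIVY_INSECURE` turns off certificate checking for the registry connection, the Certificate section would also benefit from pointing readers at adding the registry CA to the trust store first and reserving `TRIVY_INSECURE` for private registries they control.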
@@ -23,7 +69,9 @@ Try:
$ printf "protocol=https\nhost=github.com\n" | git credential-osxkeychain erase
```
### Error: aquasecurity/trivy/trivy 64 already installed
### Already installed
!!! error
Error: aquasecurity/trivy/trivy 64 already installed
```
$ brew upgrade
@@ -39,31 +87,8 @@ $ brew unlink trivy && brew uninstall trivy
$ brew install aquasecurity/trivy/trivy
```
### Error: x509: certificate signed by unknown authority
`TRIVY_INSECURE` can be used to allow insecure connections to a container registry when using SSL.
```
$ TRIVY_INSECURE=true trivy image [YOUR_IMAGE]
```
### Running in parallel takes same time as series run
When running trivy on multiple images simultaneously, it will take same time as running trivy in series.
This is because of a limitation of boltdb.
> Bolt obtains a file lock on the data file so multiple processes cannot open the same database at the same time. Opening an already open Bolt database will cause it to hang until the other process closes it.
Reference : [boltdb: Opening a database][boltdb].
[boltdb]: https://github.com/boltdb/bolt#opening-a-database
## Others
### GitHub Rate limiting
Specify GITHUB_TOKEN for authentication
https://developer.github.com/v3/#rate-limiting
```
$ GITHUB_TOKEN=XXXXXXXXXX trivy alpine:3.10
```
### Unknown error
Try again with `--reset` option:

View File

@@ -0,0 +1,352 @@
{
"type": "excalidraw",
"version": 2,
"source": "https://excalidraw.com",
"elements": [
{
"type": "rectangle",
"version": 573,
"versionNonce": 2034670720,
"isDeleted": false,
"id": "BkXuq_6BxgqZGZWc8oCtu",
"fillStyle": "hachure",
"strokeWidth": 1,
"strokeStyle": "solid",
"roughness": 1,
"opacity": 100,
"angle": 0,
"x": 599.211669921875,
"y": 376.32061767578125,
"strokeColor": "#000000",
"backgroundColor": "#fd7e14",
"width": 867.8921508789062,
"height": 151.39703369140625,
"seed": 1632394695,
"groupIds": [],
"strokeSharpness": "sharp",
"boundElementIds": []
},
{
"type": "text",
"version": 572,
"versionNonce": 425683840,
"isDeleted": false,
"id": "YQURTHNPSe05RPSlYRcok",
"fillStyle": "hachure",
"strokeWidth": 1,
"strokeStyle": "solid",
"roughness": 1,
"opacity": 100,
"angle": 0,
"x": 983.89404296875,
"y": 399.98724365234375,
"strokeColor": "#000000",
"backgroundColor": "transparent",
"width": 88,
"height": 45,
"seed": 891391049,
"groupIds": [],
"strokeSharpness": "sharp",
"boundElementIds": [],
"fontSize": 36,
"fontFamily": 1,
"text": "Trivy",
"baseline": 32,
"textAlign": "left",
"verticalAlign": "top"
},
{
"type": "text",
"version": 822,
"versionNonce": 1061096576,
"isDeleted": false,
"id": "6dpF2EyZBtYgO6MrvGj0-",
"fillStyle": "hachure",
"strokeWidth": 1,
"strokeStyle": "solid",
"roughness": 1,
"opacity": 100,
"angle": 0,
"x": 771.2554931640625,
"y": 469.7777099609375,
"strokeColor": "#000000",
"backgroundColor": "transparent",
"width": 507,
"height": 35,
"seed": 687997545,
"groupIds": [],
"strokeSharpness": "sharp",
"boundElementIds": [],
"fontSize": 28,
"fontFamily": 1,
"text": "Vulnerability/Misconfiguration Scanner",
"baseline": 25,
"textAlign": "left",
"verticalAlign": "top"
},
{
"type": "rectangle",
"version": 763,
"versionNonce": 560331648,
"isDeleted": false,
"id": "cpnTMy7L2AUg9IDJppF4H",
"fillStyle": "hachure",
"strokeWidth": 1,
"strokeStyle": "solid",
"roughness": 1,
"opacity": 100,
"angle": 0,
"x": 602.28369140625,
"y": 258.8445587158203,
"strokeColor": "#000000",
"backgroundColor": "#fab005",
"width": 397.493408203125,
"height": 103.28388977050778,
"seed": 77164935,
"groupIds": [],
"strokeSharpness": "sharp",
"boundElementIds": []
},
{
"type": "text",
"version": 1072,
"versionNonce": 212434048,
"isDeleted": false,
"id": "9-blmNVtLesthMSY_f60t",
"fillStyle": "hachure",
"strokeWidth": 1,
"strokeStyle": "solid",
"roughness": 1,
"opacity": 100,
"angle": 0,
"x": 630.9301147460938,
"y": 292.4002990722656,
"strokeColor": "#000000",
"backgroundColor": "transparent",
"width": 331,
"height": 35,
"seed": 860091815,
"groupIds": [],
"strokeSharpness": "sharp",
"boundElementIds": [],
"fontSize": 28,
"fontFamily": 1,
"text": "Infrastructure as Code",
"baseline": 25,
"textAlign": "center",
"verticalAlign": "top"
},
{
"type": "rectangle",
"version": 1194,
"versionNonce": 131337088,
"isDeleted": false,
"id": "gugZxhi7ThlcjWY_MFO7q",
"fillStyle": "hachure",
"strokeWidth": 1,
"strokeStyle": "solid",
"roughness": 1,
"opacity": 100,
"angle": 0,
"x": 1021.5928955078125,
"y": 261.56090545654297,
"strokeColor": "#000000",
"backgroundColor": "#be4bdb",
"width": 441.0702514648438,
"height": 99.05134582519533,
"seed": 1232790121,
"groupIds": [],
"strokeSharpness": "sharp",
"boundElementIds": []
},
{
"type": "text",
"version": 1270,
"versionNonce": 591785088,
"isDeleted": false,
"id": "K48gtpesBxIGJxLTnI2CB",
"fillStyle": "hachure",
"strokeWidth": 1,
"strokeStyle": "solid",
"roughness": 1,
"opacity": 100,
"angle": 0,
"x": 1173.3179931640625,
"y": 294.12510681152344,
"strokeColor": "#000000",
"backgroundColor": "transparent",
"width": 137,
"height": 35,
"seed": 449264361,
"groupIds": [],
"strokeSharpness": "sharp",
"boundElementIds": [],
"fontSize": 28,
"fontFamily": 1,
"text": "Filesystem",
"baseline": 25,
"textAlign": "center",
"verticalAlign": "top"
},
{
"type": "rectangle",
"version": 1319,
"versionNonce": 1264839808,
"isDeleted": false,
"id": "BYJwfkhd1BilbLQGc973f",
"fillStyle": "hachure",
"strokeWidth": 1,
"strokeStyle": "solid",
"roughness": 1,
"opacity": 100,
"angle": 0,
"x": 1233.3157348632812,
"y": 168.29967880249023,
"strokeColor": "#000000",
"backgroundColor": "#82c91e",
"width": 229.03393554687523,
"height": 77.80606079101562,
"seed": 1923498546,
"groupIds": [],
"strokeSharpness": "sharp",
"boundElementIds": []
},
{
"type": "text",
"version": 659,
"versionNonce": 2122259328,
"isDeleted": false,
"id": "eedUyCpr8i1aY_3PHsHAB",
"fillStyle": "hachure",
"strokeWidth": 1,
"strokeStyle": "solid",
"roughness": 1,
"opacity": 100,
"angle": 0,
"x": 1241.1352844238281,
"y": 191.2939567565918,
"strokeColor": "#000000",
"backgroundColor": "#82c91e",
"width": 216,
"height": 35,
"seed": 595309038,
"groupIds": [],
"strokeSharpness": "sharp",
"boundElementIds": [],
"fontSize": 28,
"fontFamily": 1,
"text": "Misconfiguration",
"baseline": 25,
"textAlign": "center",
"verticalAlign": "middle"
},
{
"type": "rectangle",
"version": 1397,
"versionNonce": 20077696,
"isDeleted": false,
"id": "SPkrBrH6DGvkgQXtZQjIJ",
"fillStyle": "hachure",
"strokeWidth": 1,
"strokeStyle": "solid",
"roughness": 1,
"opacity": 100,
"angle": 0,
"x": 1023.8157043457031,
"y": 168.7816276550293,
"strokeColor": "#000000",
"backgroundColor": "#fa5252",
"width": 200.7496337890626,
"height": 77.80606079101562,
"seed": 1896460914,
"groupIds": [],
"strokeSharpness": "sharp",
"boundElementIds": []
},
{
"type": "text",
"version": 840,
"versionNonce": 655338368,
"isDeleted": false,
"id": "n06MNIqirDmVZBkDg_UPV",
"fillStyle": "hachure",
"strokeWidth": 1,
"strokeStyle": "solid",
"roughness": 1,
"opacity": 100,
"angle": 0,
"x": 1040.526611328125,
"y": 194.3111228942871,
"strokeColor": "#000000",
"backgroundColor": "#82c91e",
"width": 160,
"height": 35,
"seed": 1131832750,
"groupIds": [],
"strokeSharpness": "sharp",
"boundElementIds": [],
"fontSize": 28,
"fontFamily": 1,
"text": "Vulnerability",
"baseline": 25,
"textAlign": "center",
"verticalAlign": "middle"
},
{
"type": "rectangle",
"version": 1441,
"versionNonce": 1393118080,
"isDeleted": false,
"id": "8SHSNGf7PNddFLi2ZA3Vi",
"fillStyle": "hachure",
"strokeWidth": 1,
"strokeStyle": "solid",
"roughness": 1,
"opacity": 100,
"angle": 0,
"x": 673.6463928222656,
"y": 167.8159294128418,
"strokeColor": "#000000",
"backgroundColor": "#82c91e",
"width": 278.48516845703136,
"height": 77.80606079101562,
"seed": 1986948530,
"groupIds": [],
"strokeSharpness": "sharp",
"boundElementIds": []
},
{
"type": "text",
"version": 851,
"versionNonce": 2114620544,
"isDeleted": false,
"id": "3Z5w3RXdgpvP43dlHqq26",
"fillStyle": "hachure",
"strokeWidth": 1,
"strokeStyle": "solid",
"roughness": 1,
"opacity": 100,
"angle": 0,
"x": 701.5146789550781,
"y": 189.60757064819336,
"strokeColor": "#000000",
"backgroundColor": "#82c91e",
"width": 216,
"height": 35,
"seed": 1077804654,
"groupIds": [],
"strokeSharpness": "sharp",
"boundElementIds": [],
"fontSize": 28,
"fontFamily": 1,
"text": "Misconfiguration",
"baseline": 25,
"textAlign": "center",
"verticalAlign": "middle"
}
],
"appState": {
"gridSize": null,
"viewBackgroundColor": "#ffffff"
}
}

File diff suppressed because it is too large.

Binary file not shown.


BIN
docs/imgs/misconf-demo.gif Normal file

Binary file not shown.


BIN
docs/imgs/misconf.png Normal file

Binary file not shown.


Binary file not shown.


Binary file not shown.


Binary file not shown.


Binary file not shown.


BIN
docs/imgs/vuln-demo.gif Normal file

Binary file not shown.


BIN
docs/imgs/vulnerability.png Normal file

Binary file not shown.


View File

@@ -1,64 +1,39 @@
# Welcome to {{ config.site_name }}
---
hide:
- navigation
- toc
---
A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifacts, Suitable for CI.
![logo](imgs/logo.png){ align=left }
# Abstract
`Trivy` (`tri` pronounced like **tri**gger, `vy` pronounced like en**vy**) is a simple and comprehensive vulnerability scanner for containers and other artifacts.
`Trivy` (`tri` pronounced like **tri**gger, `vy` pronounced like en**vy**) is a simple and comprehensive [vulnerability][vulnerability]/[misconfiguration][misconf] scanner for containers and other artifacts.
A software vulnerability is a glitch, flaw, or weakness present in the software or in an Operating System.
`Trivy` detects vulnerabilities of OS packages (Alpine, RHEL, CentOS, etc.) and application dependencies (Bundler, Composer, npm, yarn, etc.).
`Trivy` is easy to use. Just install the binary and you're ready to scan. All you need to do for scanning is to specify a target such as an image name of the container.
`Trivy` detects vulnerabilities of [OS packages][os] (Alpine, RHEL, CentOS, etc.) and [language-specific packages][lang] (Bundler, Composer, npm, yarn, etc.).
In addition, `Trivy` scans [Infrastructure as Code (IaC) files][iac] such as Terraform and Kubernetes, to detect potential configuration issues that expose your deployments to the risk of attack.
`Trivy` is easy to use. Just install the binary and you're ready to scan.
All you need to do for scanning is to specify a target such as an image name of the container.
<img src="imgs/overview.png" width="700">
<div style="text-align: center">
<img src="imgs/overview.png" width="800">
</div>
Trivy can be run in two different modes:
- [Standalone](./modes/standalone.md)
- [Client/Server](./modes/client-server.md)
<div style="text-align: center; margin-top: 150px">
<h1 id="demo">Demo</h1>
</div>
Trivy can scan three different artifacts:
<figure style="text-aligh: center">
<img src="imgs/vuln-demo.gif" width="1000">
<figcaption>Demo: Vulnerability Detection</figcaption>
</figure>
- [Container Images](./scanning/image.md)
- [Filesystem](./scanning/filesystem.md)
- [Git Repositories](./scanning/git-repository.md)
<figure style="text-aligh: center">
<img src="imgs/misconf-demo.gif" width="1000">
<figcaption>Demo: Misconfiguration Detection</figcaption>
</figure>
<img src="imgs/usage.gif" width="700">
<img src="imgs/usage1.png" width="600">
<img src="imgs/usage2.png" width="600">
It is considered to be used in CI. Before pushing to a container registry or deploying your application, you can scan your local container image and other artifacts easily.
See [here](./integrations/index.md) for details.
## Features
- Detect comprehensive vulnerabilities
- OS packages (Alpine, **Red Hat Universal Base Image**, Red Hat Enterprise Linux, CentOS, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
- **Application dependencies** (Bundler, Composer, Pipenv, Poetry, npm, yarn, Cargo, NuGet, Maven, and Go)
- Simple
- Specify only an image name or artifact name
- See [Quick Start](quickstart.md) and [Examples](examples/index.md)
- Fast
- The first scan will finish within 10 seconds (depending on your network). Consequent scans will finish in single seconds.
- Unlike other scanners that take long to fetch vulnerability information (~10 minutes) on the first run, and encourage you to maintain a durable vulnerability database, Trivy is stateless and requires no maintenance or preparation.
- Easy installation
- `apt-get install`, `yum install` and `brew install` is possible (See [Installation](installation.md))
- **No pre-requisites** such as installation of DB, libraries, etc.
- High accuracy
- **Especially Alpine Linux and RHEL/CentOS**
- Other OSes are also high
- DevSecOps
- **Suitable for CI** such as Travis CI, CircleCI, Jenkins, GitLab CI, etc.
- See [CI Example](integrations/index.md)
- Support multiple formats
- container image
- A local image in Docker Engine which is running as a daemon
- A local image in Podman (>=2.0) which is exposing a socket
- A remote image in Docker Registry such as Docker Hub, ECR, GCR and ACR
- A tar archive stored in the `docker save` / `podman save` formatted file
- An image directory compliant with [OCI Image Format](https://github.com/opencontainers/image-spec)
- local filesystem
- remote git repository
Please see [LICENSE](https://github.com/aquasecurity/trivy/blob/main/LICENSE) for Trivy licensing information.
!!! note
Trivy uses vulnerability information from a variety of sources, some of which are licensed for non-commercial use only.
[vulnerability]: vulnerability/scanning/index.md
[misconf]: misconfiguration/index.md
[os]: vulnerability/detection/os.md
[lang]: vulnerability/detection/language.md
[iac]: misconfiguration/iac.md
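Review bot: both `<figure style="text-aligh: center">` tags misspell the CSS property; it should be `text-align: center`, otherwise the two demo GIF captions are not centred (the `<div style="text-align: center">` wrapping `overview.png` has it right). It is also worth confirming that the `hide: navigation / toc` front matter now starts at line 1 of the file once the `# Welcome to {{ config.site_name }}` heading is dropped, since MkDocs only honours YAML front matter that begins the file.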

View File

@@ -0,0 +1,44 @@
# Combined input
## Overview
Trivy usually scans each configuration file individually.
Sometimes it might be useful to compare values from different configuration files simultaneously.
When `combine` is set to true, all config files under the specified directory are combined into one input data structure.
!!! example
```
__rego_input__ := {
"combine": false,
}
```
In "combine" mode, the `input` document becomes an array, where each element is an object with two fields:
- `"path": "path/to/file"`: the relative file path of the respective file
- `"contents": ...`: the parsed content of the respective file
Now you can ensure that duplicate values match across the entirety of your configuration files.
## Return value
In "combine" mode, the `deny` entrypoint must return an object with two keys
`filepath` (required)
: the relative file path of the file being evaluated
`msg` (required)
: the message describing an issue
!!! example
```
deny[res] {
resource := input[i].contents
... some logic ...
res := {
"filepath": input[i].path,
"msg": "something bad",
}
}
```
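Review bot: the first example sets `"combine": false` directly after the sentence "When `combine` is set to true, all config files ... are combined", which reads as if `false` enables the mode; either show `"combine": true` there or state that `false` is the default and the mode must be switched on explicitly. The `## Return value` lead sentence also needs a colon after "two keys" so the `filepath` / `msg` definition list that follows reads as its continuation.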

View File

@@ -0,0 +1,35 @@
# Custom Data
Custom policies may require additional data in order to determine an answer.
For example, an allowed list of resources that can be created.
Instead of hardcoding this information inside of your policy, Trivy allows passing paths to data files with the `--data` flag.
Given the following yaml file:
```bash
$ cd examples/misconf/custom-data
$ cat data/ports.yaml [~/src/github.com/aquasecurity/trivy/examples/misconf/custom-data]
services:
ports:
- "20"
- "20/tcp"
- "20/udp"
- "23"
- "23/tcp"
```
This can be imported into your policy:
```rego
import data.services
ports := services.ports
```
Then, you need to pass data paths through `--data` option.
Trivy recursively searches the specified paths for JSON (`*.json`) and YAML (`*.yaml`) files.
```bash
$ trivy conf --policy ./policy --data data --namespaces user ./configs
```
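Review bot: the line `$ cat data/ports.yaml [~/src/github.com/aquasecurity/trivy/examples/misconf/custom-data]` has the shell prompt's working-directory decoration pasted in after the command; drop the bracketed path so readers do not copy it. The example also invokes `trivy conf` while the quick start added in this same commit uses `trivy config`; pick one spelling of the subcommand across the docs, or say explicitly that both are accepted, so the examples are copy-pasteable.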

View File

@@ -0,0 +1,225 @@
# Debugging policies
When working on more complex queries (or when learning Rego), it's useful to see exactly how the policy is applied.
For this purpose you can use the `--trace` flag.
This will output a large trace from Open Policy Agent like the following:
!!! tip
Only failed policies show traces. If you want to debug a passed policy, you need to make it fail on purpose.
```bash
$ trivy conf --trace configs/
2021-07-11T16:45:58.493+0300 INFO Detected config files: 1
Dockerfile (dockerfile)
=======================
Tests: 23 (SUCCESSES: 22, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
+---------------------------+------------+----------------------+----------+------------------------------------------+
| TYPE | MISCONF ID | CHECK | SEVERITY | MESSAGE |
+---------------------------+------------+----------------------+----------+------------------------------------------+
| Dockerfile Security Check | DS002 | Image user is 'root' | HIGH | Last USER command in |
| | | | | Dockerfile should not be 'root' |
| | | | | -->avd.aquasec.com/appshield/ds002 |
+---------------------------+------------+----------------------+----------+------------------------------------------+
ID: DS002
File: Dockerfile
Namespace: appshield.dockerfile.DS002
Query: data.appshield.dockerfile.DS002.deny
Message: Last USER command in Dockerfile should not be 'root'
TRACE Enter data.appshield.dockerfile.DS002.deny = _
TRACE | Eval data.appshield.dockerfile.DS002.deny = _
TRACE | Index data.appshield.dockerfile.DS002.deny matched 2 rules)
TRACE | Enter data.appshield.dockerfile.DS002.deny
TRACE | | Eval data.appshield.dockerfile.DS002.fail_user_count
TRACE | | Index data.appshield.dockerfile.DS002.fail_user_count (matched 1 rule)
TRACE | | Enter data.appshield.dockerfile.DS002.fail_user_count
TRACE | | | Eval __local559__ = data.appshield.dockerfile.DS002.get_user
TRACE | | | Index data.appshield.dockerfile.DS002.get_user (matched 1 rule)
TRACE | | | Enter data.appshield.dockerfile.DS002.get_user
TRACE | | | | Eval user = data.lib.docker.user[_]
TRACE | | | | Index data.lib.docker.user (matched 1 rule)
TRACE | | | | Enter data.lib.docker.user
TRACE | | | | | Eval instruction = input.stages[_][_]
TRACE | | | | | Eval instruction.Cmd = "user"
TRACE | | | | | Fail instruction.Cmd = "user"
TRACE | | | | | Redo instruction = input.stages[_][_]
TRACE | | | | | Eval instruction.Cmd = "user"
TRACE | | | | | Fail instruction.Cmd = "user"
TRACE | | | | | Redo instruction = input.stages[_][_]
TRACE | | | | | Eval instruction.Cmd = "user"
TRACE | | | | | Fail instruction.Cmd = "user"
TRACE | | | | | Redo instruction = input.stages[_][_]
TRACE | | | | | Eval instruction.Cmd = "user"
TRACE | | | | | Fail instruction.Cmd = "user"
TRACE | | | | | Redo instruction = input.stages[_][_]
TRACE | | | | | Eval instruction.Cmd = "user"
TRACE | | | | | Fail instruction.Cmd = "user"
TRACE | | | | | Redo instruction = input.stages[_][_]
TRACE | | | | | Eval instruction.Cmd = "user"
TRACE | | | | | Fail instruction.Cmd = "user"
TRACE | | | | | Redo instruction = input.stages[_][_]
TRACE | | | | | Eval instruction.Cmd = "user"
TRACE | | | | | Fail instruction.Cmd = "user"
TRACE | | | | | Redo instruction = input.stages[_][_]
TRACE | | | | | Eval instruction.Cmd = "user"
TRACE | | | | | Exit data.lib.docker.user
TRACE | | | | Eval username = user.Value[_]
TRACE | | | | Exit data.appshield.dockerfile.DS002.get_user
TRACE | | | Redo data.appshield.dockerfile.DS002.get_user
TRACE | | | | Redo username = user.Value[_]
TRACE | | | | Redo user = data.lib.docker.user[_]
TRACE | | | | Redo data.lib.docker.user
TRACE | | | | | Redo instruction.Cmd = "user"
TRACE | | | | | Redo instruction = input.stages[_][_]
TRACE | | | | | Eval instruction.Cmd = "user"
TRACE | | | | | Exit data.lib.docker.user
TRACE | | | | Eval username = user.Value[_]
TRACE | | | | Exit data.appshield.dockerfile.DS002.get_user
TRACE | | | Redo data.appshield.dockerfile.DS002.get_user
TRACE | | | | Redo username = user.Value[_]
TRACE | | | | Redo user = data.lib.docker.user[_]
TRACE | | | | Redo data.lib.docker.user
TRACE | | | | | Redo instruction.Cmd = "user"
TRACE | | | | | Redo instruction = input.stages[_][_]
TRACE | | | | | Eval instruction.Cmd = "user"
TRACE | | | | | Fail instruction.Cmd = "user"
TRACE | | | | | Redo instruction = input.stages[_][_]
TRACE | | | Eval count(__local559__, __local391__)
TRACE | | | Eval lt(__local391__, 1)
TRACE | | | Fail lt(__local391__, 1)
TRACE | | | Redo count(__local559__, __local391__)
TRACE | | | Redo __local559__ = data.appshield.dockerfile.DS002.get_user
TRACE | | Fail data.appshield.dockerfile.DS002.fail_user_count
TRACE | Enter data.appshield.dockerfile.DS002.deny
TRACE | | Eval data.appshield.dockerfile.DS002.fail_last_user_root
TRACE | | Index data.appshield.dockerfile.DS002.fail_last_user_root (matched 1 rule)
TRACE | | Enter data.appshield.dockerfile.DS002.fail_last_user_root
TRACE | | | Eval __local560__ = data.appshield.dockerfile.DS002.get_user
TRACE | | | Index data.appshield.dockerfile.DS002.get_user (matched 1 rule)
TRACE | | | Enter data.appshield.dockerfile.DS002.get_user
TRACE | | | | Eval user = data.lib.docker.user[_]
TRACE | | | | Index data.lib.docker.user (matched 1 rule)
TRACE | | | | Enter data.lib.docker.user
TRACE | | | | | Eval instruction = input.stages[_][_]
TRACE | | | | | Eval instruction.Cmd = "user"
TRACE | | | | | Fail instruction.Cmd = "user"
TRACE | | | | | Redo instruction = input.stages[_][_]
TRACE | | | | | Eval instruction.Cmd = "user"
TRACE | | | | | Fail instruction.Cmd = "user"
TRACE | | | | | Redo instruction = input.stages[_][_]
TRACE | | | | | Eval instruction.Cmd = "user"
TRACE | | | | | Fail instruction.Cmd = "user"
TRACE | | | | | Redo instruction = input.stages[_][_]
TRACE | | | | | Eval instruction.Cmd = "user"
TRACE | | | | | Fail instruction.Cmd = "user"
TRACE | | | | | Redo instruction = input.stages[_][_]
TRACE | | | | | Eval instruction.Cmd = "user"
TRACE | | | | | Fail instruction.Cmd = "user"
TRACE | | | | | Redo instruction = input.stages[_][_]
TRACE | | | | | Eval instruction.Cmd = "user"
TRACE | | | | | Fail instruction.Cmd = "user"
TRACE | | | | | Redo instruction = input.stages[_][_]
TRACE | | | | | Eval instruction.Cmd = "user"
TRACE | | | | | Fail instruction.Cmd = "user"
TRACE | | | | | Redo instruction = input.stages[_][_]
TRACE | | | | | Eval instruction.Cmd = "user"
TRACE | | | | | Exit data.lib.docker.user
TRACE | | | | Eval username = user.Value[_]
TRACE | | | | Exit data.appshield.dockerfile.DS002.get_user
TRACE | | | Redo data.appshield.dockerfile.DS002.get_user
TRACE | | | | Redo username = user.Value[_]
TRACE | | | | Redo user = data.lib.docker.user[_]
TRACE | | | | Redo data.lib.docker.user
TRACE | | | | | Redo instruction.Cmd = "user"
TRACE | | | | | Redo instruction = input.stages[_][_]
TRACE | | | | | Eval instruction.Cmd = "user"
TRACE | | | | | Exit data.lib.docker.user
TRACE | | | | Eval username = user.Value[_]
TRACE | | | | Exit data.appshield.dockerfile.DS002.get_user
TRACE | | | Redo data.appshield.dockerfile.DS002.get_user
TRACE | | | | Redo username = user.Value[_]
TRACE | | | | Redo user = data.lib.docker.user[_]
TRACE | | | | Redo data.lib.docker.user
TRACE | | | | | Redo instruction.Cmd = "user"
TRACE | | | | | Redo instruction = input.stages[_][_]
TRACE | | | | | Eval instruction.Cmd = "user"
TRACE | | | | | Fail instruction.Cmd = "user"
TRACE | | | | | Redo instruction = input.stages[_][_]
TRACE | | | Eval cast_array(__local560__, __local392__)
TRACE | | | Eval user = __local392__
TRACE | | | Eval __local561__ = data.appshield.dockerfile.DS002.get_user
TRACE | | | Index data.appshield.dockerfile.DS002.get_user (matched 1 rule)
TRACE | | | Enter data.appshield.dockerfile.DS002.get_user
TRACE | | | | Eval user = data.lib.docker.user[_]
TRACE | | | | Index data.lib.docker.user (matched 1 rule)
TRACE | | | | Enter data.lib.docker.user
TRACE | | | | | Eval instruction = input.stages[_][_]
TRACE | | | | | Eval instruction.Cmd = "user"
TRACE | | | | | Fail instruction.Cmd = "user"
TRACE | | | | | Redo instruction = input.stages[_][_]
TRACE | | | | | Eval instruction.Cmd = "user"
TRACE | | | | | Fail instruction.Cmd = "user"
TRACE | | | | | Redo instruction = input.stages[_][_]
TRACE | | | | | Eval instruction.Cmd = "user"
TRACE | | | | | Fail instruction.Cmd = "user"
TRACE | | | | | Redo instruction = input.stages[_][_]
TRACE | | | | | Eval instruction.Cmd = "user"
TRACE | | | | | Fail instruction.Cmd = "user"
TRACE | | | | | Redo instruction = input.stages[_][_]
TRACE | | | | | Eval instruction.Cmd = "user"
TRACE | | | | | Fail instruction.Cmd = "user"
TRACE | | | | | Redo instruction = input.stages[_][_]
TRACE | | | | | Eval instruction.Cmd = "user"
TRACE | | | | | Fail instruction.Cmd = "user"
TRACE | | | | | Redo instruction = input.stages[_][_]
TRACE | | | | | Eval instruction.Cmd = "user"
TRACE | | | | | Fail instruction.Cmd = "user"
TRACE | | | | | Redo instruction = input.stages[_][_]
TRACE | | | | | Eval instruction.Cmd = "user"
TRACE | | | | | Exit data.lib.docker.user
TRACE | | | | Eval username = user.Value[_]
TRACE | | | | Exit data.appshield.dockerfile.DS002.get_user
TRACE | | | Redo data.appshield.dockerfile.DS002.get_user
TRACE | | | | Redo username = user.Value[_]
TRACE | | | | Redo user = data.lib.docker.user[_]
TRACE | | | | Redo data.lib.docker.user
TRACE | | | | | Redo instruction.Cmd = "user"
TRACE | | | | | Redo instruction = input.stages[_][_]
TRACE | | | | | Eval instruction.Cmd = "user"
TRACE | | | | | Exit data.lib.docker.user
TRACE | | | | Eval username = user.Value[_]
TRACE | | | | Exit data.appshield.dockerfile.DS002.get_user
TRACE | | | Redo data.appshield.dockerfile.DS002.get_user
TRACE | | | | Redo username = user.Value[_]
TRACE | | | | Redo user = data.lib.docker.user[_]
TRACE | | | | Redo data.lib.docker.user
TRACE | | | | | Redo instruction.Cmd = "user"
TRACE | | | | | Redo instruction = input.stages[_][_]
TRACE | | | | | Eval instruction.Cmd = "user"
TRACE | | | | | Fail instruction.Cmd = "user"
TRACE | | | | | Redo instruction = input.stages[_][_]
TRACE | | | Eval count(__local561__, __local393__)
TRACE | | | Eval len = __local393__
TRACE | | | Eval minus(len, 1, __local394__)
TRACE | | | Eval user[__local394__] = "root"
TRACE | | | Exit data.appshield.dockerfile.DS002.fail_last_user_root
TRACE | | Eval res = "Last USER command in Dockerfile should not be 'root'"
TRACE | | Exit data.appshield.dockerfile.DS002.deny
TRACE | Redo data.appshield.dockerfile.DS002.deny
TRACE | | Redo res = "Last USER command in Dockerfile should not be 'root'"
TRACE | | Redo data.appshield.dockerfile.DS002.fail_last_user_root
TRACE | | Redo data.appshield.dockerfile.DS002.fail_last_user_root
TRACE | | | Redo user[__local394__] = "root"
TRACE | | | Redo minus(len, 1, __local394__)
TRACE | | | Redo len = __local393__
TRACE | | | Redo count(__local561__, __local393__)
TRACE | | | Redo __local561__ = data.appshield.dockerfile.DS002.get_user
TRACE | | | Redo user = __local392__
TRACE | | | Redo cast_array(__local560__, __local392__)
TRACE | | | Redo __local560__ = data.appshield.dockerfile.DS002.get_user
TRACE | Exit data.appshield.dockerfile.DS002.deny = _
TRACE Redo data.appshield.dockerfile.DS002.deny = _
TRACE | Redo data.appshield.dockerfile.DS002.deny = _
```
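Review bot: the sentence "This will output a large trace from Open Policy Agent like the following:" is immediately followed by the `!!! tip` admonition rather than by the trace, so the tip should move above that sentence (or before the `--trace` paragraph). The trace line `Index data.appshield.dockerfile.DS002.deny matched 2 rules)` is also missing its opening parenthesis, unlike every other `Index ... (matched N rule)` line, which suggests the listing was edited by hand; re-pasting the raw `--trace` output avoids that.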

View File

@@ -0,0 +1,296 @@
# Examples
## Custom Policy
### Kubernetes
See [here][k8s].
The custom policy is defined in `user.kubernetes.ID001` package.
You need to pass the package prefix you want to evaluate through `--namespaces` option.
In this case, the package prefix should be `user`, `user.kuberntes`, or `user.kubernetes.ID001`.
### Dockerfile
See [here][dockerfile].
The input will be a dictionary of stages.
#### Single Stage
??? example
Dockerfile
```dockerfile
FROM foo
COPY . /
RUN echo hello
```
Rego Input
```json
{
"stages": {
"foo": [
{
"Cmd": "from",
"EndLine": 1,
"Flags": [],
"JSON": false,
"Original": "FROM foo",
"Stage": 0,
"StartLine": 1,
"SubCmd": "",
"Value": [
"foo"
]
},
{
"Cmd": "copy",
"EndLine": 2,
"Flags": [],
"JSON": false,
"Original": "COPY . /",
"Stage": 0,
"StartLine": 2,
"SubCmd": "",
"Value": [
".",
"/"
]
},
{
"Cmd": "run",
"EndLine": 3,
"Flags": [],
"JSON": false,
"Original": "RUN echo hello",
"Stage": 0,
"StartLine": 3,
"SubCmd": "",
"Value": [
"echo hello"
]
}
]
}
}
```
#### Multi Stage
??? example
Dockerfile
```dockerfile
FROM golang:1.16 AS builder
WORKDIR /go/src/github.com/alexellis/href-counter/
RUN go get -d -v golang.org/x/net/html
COPY app.go .
RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
FROM alpine:latest
RUN apk --no-cache add ca-certificates \
&& apk add --no-cache bash
WORKDIR /root/
COPY --from=builder /go/src/github.com/alexellis/href-counter/app .
CMD ["./app"]
```
Rego Input
```json
{
"stages": {
"alpine:latest": [
{
"Cmd": "from",
"EndLine": 7,
"Flags": [],
"JSON": false,
"Original": "FROM alpine:latest",
"Stage": 1,
"StartLine": 7,
"SubCmd": "",
"Value": [
"alpine:latest"
]
},
{
"Cmd": "run",
"EndLine": 9,
"Flags": [],
"JSON": false,
"Original": "RUN apk --no-cache add ca-certificates \u0026\u0026 apk add --no-cache bash",
"Stage": 1,
"StartLine": 8,
"SubCmd": "",
"Value": [
"apk --no-cache add ca-certificates \u0026\u0026 apk add --no-cache bash"
]
},
{
"Cmd": "workdir",
"EndLine": 10,
"Flags": [],
"JSON": false,
"Original": "WORKDIR /root/",
"Stage": 1,
"StartLine": 10,
"SubCmd": "",
"Value": [
"/root/"
]
},
{
"Cmd": "copy",
"EndLine": 11,
"Flags": [
"--from=builder"
],
"JSON": false,
"Original": "COPY --from=builder /go/src/github.com/alexellis/href-counter/app .",
"Stage": 1,
"StartLine": 11,
"SubCmd": "",
"Value": [
"/go/src/github.com/alexellis/href-counter/app",
"."
]
},
{
"Cmd": "cmd",
"EndLine": 12,
"Flags": [],
"JSON": true,
"Original": "CMD [\"./app\"]",
"Stage": 1,
"StartLine": 12,
"SubCmd": "",
"Value": [
"./app"
]
}
],
"golang:1.16 AS builder": [
{
"Cmd": "from",
"EndLine": 1,
"Flags": [],
"JSON": false,
"Original": "FROM golang:1.16 AS builder",
"Stage": 0,
"StartLine": 1,
"SubCmd": "",
"Value": [
"golang:1.16",
"AS",
"builder"
]
},
{
"Cmd": "workdir",
"EndLine": 2,
"Flags": [],
"JSON": false,
"Original": "WORKDIR /go/src/github.com/alexellis/href-counter/",
"Stage": 0,
"StartLine": 2,
"SubCmd": "",
"Value": [
"/go/src/github.com/alexellis/href-counter/"
]
},
{
"Cmd": "run",
"EndLine": 3,
"Flags": [],
"JSON": false,
"Original": "RUN go get -d -v golang.org/x/net/html",
"Stage": 0,
"StartLine": 3,
"SubCmd": "",
"Value": [
"go get -d -v golang.org/x/net/html"
]
},
{
"Cmd": "copy",
"EndLine": 4,
"Flags": [],
"JSON": false,
"Original": "COPY app.go .",
"Stage": 0,
"StartLine": 4,
"SubCmd": "",
"Value": [
"app.go",
"."
]
},
{
"Cmd": "run",
"EndLine": 5,
"Flags": [],
"JSON": false,
"Original": "RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .",
"Stage": 0,
"StartLine": 5,
"SubCmd": "",
"Value": [
"CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app ."
]
}
]
}
}
```
### Docker Compose
See [here][compose].
Docker Compose uses YAML format for configurations. You can apply your Rego policies to `docker-compose.yml`.
### HCL
See [here][hcl].
Trivy parses HCL files and converts into structured data.
!!! warning
Terraform HCL files are not supported yet.
### Terraform Plan
See [here][tfplan].
Use the command [terraform show][terraform-show] to convert the Terraform plan into JSON so that OPA can read the plan.
```bash
$ terraform init
$ terraform plan --out tfplan.binary
$ terraform show -json tfplan.binary > tfplan.json
```
For more details, see also [OPA document][opa-terraform].
### Serverless Framework
See [here][serverless].
Server Framework uses YAML format for configurations. You can apply your Rego policies to `serverless.yaml`.
## Custom Data
See [here][data].
## Combined Input
See [here][combine].
## Go Testing
See [here][go-testing].
[k8s]:https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/custom-policy/kubernetes/
[dockerfile]:https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/custom-policy/dockerfile/
[compose]:https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/custom-policy/docker-compose/
[hcl]:https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/custom-policy/hcl/
[serverless]:https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/custom-policy/serverless/
[tfplan]:https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/custom-policy/terraform-plan/
[terraform-show]: https://www.terraform.io/docs/cli/commands/show.html
[opa-terraform]: https://www.openpolicyagent.org/docs/latest/terraform/
[custom]: https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/custom-policy
[data]: https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/custom-data
[combine]: https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/combine
[go-testing]: https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/go-testing
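Review bot: The list of accepted package prefixes in the Kubernetes section misspells the middle option as `user.kuberntes`; readers will copy these prefixes into `--namespaces`, so it should read `user.kubernetes`. Two smaller points in the same file: the Serverless Framework section opens with "Server Framework uses YAML format", which should be "Serverless Framework", and the `[custom]` link reference at the bottom is defined but never used on the page, so it can be dropped. It would also help policy authors to say, next to the multi-stage example, that `FROM golang:1.16 AS builder` is split into `"Value": ["golang:1.16", "AS", "builder"]`, so a policy that checks base images should read `Value[0]` rather than the whole array.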


@@ -0,0 +1,183 @@
# Custom Policies
## Overview
You can write custom policies in [Rego][rego].
Once you fisnish writing custom policies, you can pass the directory where those policies are stored with `--policy` option.
``` bash
trivy conf --policy /path/to/custom_policies --namespaces user /path/to/config_dir
```
As for `--namespaces` option, the detail is described as below.
### File formats
If a file name matches the following file patterns, Trivy will parse the file and pass it as input to your Rego policy.
| File format | File pattern |
| -------------- | ------------------------------------------------ |
| JSON | `*.json` |
| YAML | `*.yaml` |
| TOML | `*.toml` |
| HCL | `*.hcl`, `*.hcl1`, and `*.hcl2` |
| Dockerfile | `Dockerfile`, `Dockerfile.*`, and `*.Dockerfile` |
### Configuration languages
In the above general file formats, Trivy automatically identifies the following types of configuration files:
- Ansible (YAML)
- CloudFormation (JSON/YAML)
- Kubernetes (JSON/YAML)
This is useful for filtering inputs, as described below.
!!! warning
Custom policies do not support Terraform at the moment.
## Rego format
A single package must contain only one policy.
!!!example
``` rego
package user.kubernetes.ID001
__rego_metadata__ := {
"id": "ID001",
"title": "Deployment not allowed",
"severity": "LOW",
"type": "Custom Kubernetes Check",
"description": "Deployments are not allowed because of some reasons.",
}
__rego_input__ := {
"selector": [
{"type": "kubernetes"},
],
}
deny[msg] {
input.kind == "Deployment"
msg = sprintf("Found deployment '%s' but deployments are not allowed", [input.metadata.name])
}
```
In this example, ID001 "Deployment not allowed" is defined under `user.kubernetes.ID001`.
If you add a new custom policy, it must be defined under a new package like `user.kubernetes.ID002`.
### Policy structure
`package` (required)
: - MUST follow the Rego's [specification][package]
- MUST be unique per policy
- SHOULD include policy id for uniqueness
- MAY include the group name such as `kubernetes` for clarity
- Group name has no effect on policy evaluation
`__rego_metadata__` (optional)
: - SHOULD be defined for clarity since these values will be displayed in the scan results
`__rego_input__` (optional)
: - MAY be defined when you want to specify input format
`deny` (required)
: - SHOULD be `deny` or start with `deny_`
- Although `warn`, `warn_*`, `violation`, `violation_` also work for compatibility, `deny` is recommended as severity can be defined in `__rego_metadata__`.
- SHOULD return `string`
- Although `object` with `msg` field is accepted, other fields are dropped and `string` is recommended.
- e.g. `{"msg": "deny message", "details": "something"}`
### Package
A package name must be unique per policy.
!!!example
``` rego
package user.kubernetes.ID001
```
By default, only `appshield.*` packages will be evaluated.
If you define custom packages, you have to specify the package prefix via `--namespaces` option.
``` bash
trivy conf --policy /path/to/custom_policies --namespaces user /path/to/config_dir
```
In this case, `user.*` will be evaluated.
Any package prefixes such as `main` and `user` are allowed.
### Metadata
Metadata helps enrich Trivy's scan results with useful information.
!!!example
``` rego
__rego_metadata__ := {
"id": "ID001",
"title": "Deployment not allowed",
"severity": "LOW",
"type": "Custom Kubernetes Check",
"description": "Deployments are not allowed because of some reasons.",
"recommended_actions": "Remove Deployment",
"url": "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits",
}
```
All fields under `__rego_metadata__` are optional.
| Field name | Allowed values | Default value | In table | In JSON |
| ------------------ | ------------------------------------| :-----------: | :----------------: |:---------------: |
| id | Any characters | N/A | :material-check: | :material-check: |
| title | Any characters | N/A | :material-check: | :material-check: |
| severity | `LOW`, `MEDIUM`, `HIGH`, `CRITICAL` | UNKNOWN | :material-check: | :material-check: |
| type | Any characters | N/A | :material-check: | :material-check: |
| description | Any characters | | :material-close: | :material-check: |
| recommended_actions| Any characters | | :material-close: | :material-check: |
| url | Any characters | | :material-close: | :material-check: |
Some fields are displayed in scan results.
``` bash
deployment.yaml (kubernetes)
============================
Tests: 28 (SUCCESSES: 14, FAILURES: 14, EXCEPTIONS: 0)
Failures: 14 (HIGH: 1)
+---------------------------+------------+-------------------------------------+----------+------------------------------------------+
| TYPE | MISCONF ID | CHECK | SEVERITY | MESSAGE |
+---------------------------+------------+-------------------------------------+----------+------------------------------------------+
| Custom Kubernetes Check | ID001 | Deployment not allowed | LOW | Found deployment 'test' but deployments |
| | | | | are not allowed |
+---------------------------+------------+-------------------------------------+----------+------------------------------------------+
```
### Input
You can specify input format via `__rego_input__`.
All fields under `__rego_input` are optional.
!!!example
``` rego
__rego_input__ := {
"combine": false,
"selector": [
{"type": "kubernetes"},
],
}
```
`combine` (boolean)
: The details is [here](combine.md).
`selector` (array)
: This option filters the input by file formats or configuration languages.
In the above example, Trivy passes only Kubernetes files to this policy.
Even if Dockerfile exists in the specified directory, it will not be passed to the policy as input.
When configuration language such as Kubernetes is not identified, file format such as JSON will be used as `type`.
When configuration language is identified, it will overwrite `type`.
!!! example
`pod.yaml` including Kubernetes Pod will be handled as `kubernetes`, not `yaml`.
`type` is overwritten by `kubernetes` from `yaml`.
`type` accepts `kubernetes`, `dockerfile`, `ansible`, `cloudformation`, `json`, `yaml`, `toml`, or `hcl`.
[rego]: https://www.openpolicyagent.org/docs/latest/policy-language/
[package]: https://www.openpolicyagent.org/docs/latest/policy-language/#packages
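Review bot: `__rego_input` in the Input section ("All fields under `__rego_input` are optional.") is missing its trailing underscores and does not match the `__rego_input__` identifier used in the example right below it. In the same file: "Once you fisnish writing" should be "finish"; in the `deny` entry of the policy structure list, `violation_` should be `violation_*` to match the `warn_*` form on the same line; and "The details is [here](combine.md)" should read "The details are here". The sentence "As for `--namespaces` option, the detail is described as below." would be clearer as "The `--namespaces` option is described below."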


@@ -0,0 +1,90 @@
# Testing
It is highly recommended to write tests for your custom policies.
## Rego testing
To help you verify the correctness of your custom policies, OPA gives you a framework that you can use to write tests for your policies.
By writing tests for your custom policies you can speed up the development process of new rules and reduce the amount of time it takes to modify rules as requirements evolve.
For more details, see [Policy Testing][opa-testing].
!!! example
```
package user.dockerfile.ID002
test_add_denied {
r := deny with input as {"stages": {"alpine:3.13": [
{"Cmd": "add", "Value": ["/target/resources.tar.gz", "resources.jar"]},
{"Cmd": "add", "Value": ["/target/app.jar", "app.jar"]},
]}}
count(r) == 1
r[_] == "Consider using 'COPY /target/app.jar app.jar' command instead of 'ADD /target/app.jar app.jar'"
}
```
To write tests for custom policies, you can refer to existing tests under [AppShield][appshield].
## Go testing
[Fanal][fanal] which is a core library of Trivy can be imported as a Go library.
You can scan config files in Go and test your custom policies using Go's testing methods, such as [table-driven tests][table].
This allows you to use the actual configuration file as input, making it easy to prepare test data and ensure that your custom policies work in practice.
In particular, Dockerfile and HCL need to be converted to structural data as input, which may be different from the expected input format.
!!! tip
We recommend writing OPA and Go tests both since they have different roles, like unit tests and integration tests.
The following example stores allowed and denied configuration files in a directory.
`Successes` contains the result of successes, and `Failures` contains the result of failures.
``` go
{
name: "disallowed ports",
input: "configs/",
fields: fields{
policyPaths: []string{"policy"},
dataPaths: []string{"data"},
namespaces: []string{"user"},
},
want: []types.Misconfiguration{
{
FileType: types.Dockerfile,
FilePath: "Dockerfile.allowed",
Successes: types.MisconfResults{
{
Namespace: "user.dockerfile.ID002",
PolicyMetadata: types.PolicyMetadata{
ID: "ID002",
Type: "Docker Custom Check",
Title: "Disallowed ports exposed",
Severity: "HIGH",
},
},
},
},
{
FileType: types.Dockerfile,
FilePath: "Dockerfile.denied",
Failures: types.MisconfResults{
{
Namespace: "user.dockerfile.ID002",
Message: "Port 23 should not be exposed",
PolicyMetadata: types.PolicyMetadata{
ID: "ID002",
Type: "Docker Custom Check",
Title: "Disallowed ports exposed",
Severity: "HIGH",
},
},
},
},
},
},
```
`Dockerfile.allowed` has one successful result in `Successes`, while `Dockerfile.denied` has one failure result in `Failures`.
[opa-testing]: https://www.openpolicyagent.org/docs/latest/policy-testing/
[appshield]: https://github.com/aquasecurity/appshield
[table]: https://github.com/golang/go/wiki/TableDrivenTests
[fanal]: https://github.com/aquasecurity/fanal
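Review bot: The Rego test example sits in an untagged code fence while every other Rego block in these pages uses ``` rego; tag it so it gets the same highlighting. The Go snippet is a single table-driven test case (a `{name:, input:, fields:, want:}` literal) with no surrounding test function, no import of the `types` package and no definition of the `fields` struct it uses, so a reader cannot run it as shown; either say that it is an excerpt and link the full test in the examples/misconf/go-testing directory referenced from the examples page, or show the import of Fanal's `types` package. Wording: "Fanal which is a core library of Trivy can be imported" needs commas ("Fanal, which is a core library of Trivy, can be imported"), and "writing OPA and Go tests both" reads better as "writing both OPA and Go tests".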


@@ -0,0 +1,56 @@
# Filesystem
## Quick start
Trivy scans a filesystem such as a virtual machine to detect misconfigurations.
You have to specify `--security-checks config` to enable misconfiguration detection.
```bash
$ trivy fs --security-checks config /path/to/dir
```
Internally, it is the same as [config subcommand](iac.md).
## Vulnerability and Misconfiguration scanning
The difference between `fs` and `config` subcommand is that `fs` can detect both vulnerabilities and misconfiguration at the same time.
You have to specify `--security-checks vuln,config` to enable vulnerability and misconfiguration detection.
``` bash
$ ls myapp/
Dockerfile Pipfile.lock
$ trivy fs --security-checks vuln,config --severity HIGH,CRITICAL myapp/
2021-07-09T12:03:27.564+0300 INFO Detected OS: unknown
2021-07-09T12:03:27.564+0300 INFO Number of language-specific files: 1
2021-07-09T12:03:27.564+0300 INFO Detecting pipenv vulnerabilities...
2021-07-09T12:03:27.566+0300 INFO Detected config files: 1
Pipfile.lock (pipenv)
=====================
Total: 1 (HIGH: 1, CRITICAL: 0)
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| httplib2 | CVE-2021-21240 | HIGH | 0.12.1 | 0.19.0 | python-httplib2: Regular |
| | | | | | expression denial of |
| | | | | | service via malicious header |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-21240 |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
Dockerfile (dockerfile)
=======================
Tests: 23 (SUCCESSES: 22, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)
+---------------------------+------------+----------------------+----------+------------------------------------------+
| TYPE | MISCONF ID | CHECK | SEVERITY | MESSAGE |
+---------------------------+------------+----------------------+----------+------------------------------------------+
| Dockerfile Security Check | DS002 | Image user is 'root' | HIGH | Last USER command in |
| | | | | Dockerfile should not be 'root' |
| | | | | -->avd.aquasec.com/appshield/ds002 |
+---------------------------+------------+----------------------+----------+------------------------------------------+
```
In the above example, Trivy detected vulnerabilities of Python dependencies and misconfigurations in Dockerfile.
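Review bot: "The difference between `fs` and `config` subcommand" should be "subcommands", and the closing sentence "misconfigurations in Dockerfile" should be "in the Dockerfile". The quick start says an `fs` scan with `--security-checks config` is internally the same as the config subcommand; it would help to state whether the `--policy`, `--namespaces` and `.trivyignore` behaviour documented for the config subcommand applies unchanged to `fs`, since readers arriving from this page otherwise have to infer it.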


@@ -0,0 +1,157 @@
# Infrastructure as Code (IaC)
## Quick start
Simply specify a directory containing IaC files such as Terraform and Dockerfile.
``` bash
$ trivy config [YOUR_IaC_DIRECTORY]
```
Trivy will automatically fetch the managed policies and will keep them up-to-date in future scans.
!!! example
```
$ ls build/
Dockerfile
$ trivy config ./build
2021-07-09T10:06:29.188+0300 INFO Need to update the built-in policies
2021-07-09T10:06:29.188+0300 INFO Downloading the built-in policies...
2021-07-09T10:06:30.520+0300 INFO Detected config files: 1
Dockerfile (dockerfile)
=======================
Tests: 23 (SUCCESSES: 22, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
+---------------------------+------------+----------------------+----------+------------------------------------------+
| TYPE | MISCONF ID | CHECK | SEVERITY | MESSAGE |
+---------------------------+------------+----------------------+----------+------------------------------------------+
| Dockerfile Security Check | DS002 | Image user is 'root' | HIGH | Last USER command in |
| | | | | Dockerfile should not be 'root' |
| | | | | -->avd.aquasec.com/appshield/ds002 |
+---------------------------+------------+----------------------+----------+------------------------------------------+
```
## Type detection
The specified directory can contain mixed types of IaC files.
Trivy automatically detects config types and applies relevant policies.
For example, the following example holds IaC files for Terraform, Kubernetes, and Dockerfile in the same directory.
``` bash
$ ls iac/
Dockerfile deployment.yaml main.tf
$ trivy conf --severith HIGH,CRITICAL ./iac
```
<details>
<summary>Result</summary>
```
2021-07-09T11:51:08.212+0300 INFO Need to update the built-in policies
2021-07-09T11:51:08.212+0300 INFO Downloading the built-in policies...
2021-07-09T11:51:09.527+0300 INFO Detected config files: 3
Dockerfile (dockerfile)
=======================
Tests: 23 (SUCCESSES: 22, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)
+---------------------------+------------+----------------------+----------+------------------------------------------+
| TYPE | MISCONF ID | CHECK | SEVERITY | MESSAGE |
+---------------------------+------------+----------------------+----------+------------------------------------------+
| Dockerfile Security Check | DS002 | Image user is 'root' | HIGH | Last USER command in |
| | | | | Dockerfile should not be 'root' |
| | | | | -->avd.aquasec.com/appshield/ds002 |
+---------------------------+------------+----------------------+----------+------------------------------------------+
deployment.yaml (kubernetes)
============================
Tests: 28 (SUCCESSES: 15, FAILURES: 13, EXCEPTIONS: 0)
Failures: 13 (HIGH: 1, CRITICAL: 0)
+---------------------------+------------+----------------------------+----------+------------------------------------------+
| TYPE | MISCONF ID | CHECK | SEVERITY | MESSAGE |
+---------------------------+------------+----------------------------+----------+------------------------------------------+
| Kubernetes Security Check | KSV005 | SYS_ADMIN capability added | HIGH | Container 'hello-kubernetes' of |
| | | | | Deployment 'hello-kubernetes' |
| | | | | should not include 'SYS_ADMIN' in |
| | | | | 'securityContext.capabilities.add' |
| | | | | -->avd.aquasec.com/appshield/ksv005 |
+---------------------------+------------+----------------------------+----------+------------------------------------------+
main.tf (terraform)
===================
Tests: 23 (SUCCESSES: 14, FAILURES: 9, EXCEPTIONS: 0)
Failures: 9 (HIGH: 6, CRITICAL: 1)
+------------------------------------------+------------+------------------------------------------+----------+--------------------------------------------------------+
| TYPE | MISCONF ID | CHECK | SEVERITY | MESSAGE |
+------------------------------------------+------------+------------------------------------------+----------+--------------------------------------------------------+
| Terraform Security Check powered by | AWS003 | AWS Classic resource usage. | HIGH | Resource |
| tfsec | | | | 'aws_db_security_group.my-group' |
| | | | | uses EC2 Classic. Use a VPC instead. |
| | | | | -->tfsec.dev/docs/aws/AWS003/ |
+ +------------+------------------------------------------+----------+--------------------------------------------------------+
| | AWS004 | Use of plain HTTP. | CRITICAL | Resource |
| | | | | 'aws_alb_listener.my-alb-listener' |
| | | | | uses plain HTTP instead of HTTPS. |
| | | | | -->tfsec.dev/docs/aws/AWS004/ |
+ +------------+------------------------------------------+----------+--------------------------------------------------------+
| | AWS018 | Missing description for security | HIGH | Resource |
| | | group/security group rule. | | 'aws_security_group_rule.my-rule' should |
| | | | | include a description for auditing |
| | | | | purposes. -->tfsec.dev/docs/aws/AWS018/ |
+ +------------+------------------------------------------+ +--------------------------------------------------------+
| | AWS025 | API Gateway domain name uses outdated | | Resource |
| | | SSL/TLS protocols. | | 'aws_api_gateway_domain_name.empty_security_policy' |
| | | | | defines outdated SSL/TLS policies (not using |
| | | | | TLS_1_2). -->tfsec.dev/docs/aws/AWS025/ |
+ + + + +--------------------------------------------------------+
| | | | | Resource |
| | | | | 'aws_api_gateway_domain_name.missing_security_policy' |
| | | | | should include security_policy (defauls to outdated |
| | | | | SSL/TLS policy). -->tfsec.dev/docs/aws/AWS025/ |
+ + + + +--------------------------------------------------------+
| | | | | Resource |
| | | | | 'aws_api_gateway_domain_name.outdated_security_policy' |
| | | | | defines outdated SSL/TLS policies (not using TLS_1_2). |
| | | | | -->tfsec.dev/docs/aws/AWS025/ |
+ +------------+------------------------------------------+ +--------------------------------------------------------+
| | AZU003 | Unencrypted managed disk. | | Resource 'azurerm_managed_disk.source' |
| | | | | defines an unencrypted managed disk. |
| | | | | -->tfsec.dev/docs/azure/AZU003/ |
+------------------------------------------+------------+------------------------------------------+----------+--------------------------------------------------------+
```
</details>
You can see the config type next to each file name.
!!! example
``` bash
Dockerfile (dockerfile)
=======================
Tests: 23 (SUCCESSES: 22, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)
...
deployment.yaml (kubernetes)
============================
Tests: 28 (SUCCESSES: 15, FAILURES: 13, EXCEPTIONS: 0)
Failures: 13 (HIGH: 1, CRITICAL: 0)
...
main.tf (terraform)
===================
Tests: 23 (SUCCESSES: 14, FAILURES: 9, EXCEPTIONS: 0)
Failures: 9 (HIGH: 6, CRITICAL: 1)
...
```
## Example
See [here](https://github.com/aquasecurity/trivy/tree/125c457517f05b6498bc68eaeec6e683dd36c49a/examples/misconf/mixed)
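Review bot: The Type detection example command `trivy conf --severith HIGH,CRITICAL ./iac` has a typo in the flag (`--severith`), so copying it will fail; it should be `--severity`. The same section uses `trivy conf` while the quick start above uses `trivy config`; pick one spelling or say once that both are accepted, as the filter and custom-policy pages also switch between them. The Example link at the bottom pins a commit (`125c457517f05b6498bc68eaeec6e683dd36c49a`) whereas the other new pages use `{{ git.commit }}`; the template variable keeps the link in step with the built docs. Finally, the Result block is a raw `<details>` element wrapping a fenced block, while the examples page uses `??? example` collapsible admonitions for the same purpose; using the admonition form here keeps the pages consistent.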


@@ -0,0 +1,8 @@
# Misconfiguration Scanning
Trivy provides built-in policies to detect configuration issues in Docker, Kubernetes and Terraform.
Also, you can write your own policies in [Rego][rego] to scan JSON, YAML, HCL, etc, like [Conftest][conftest].
![misconf](../imgs/misconf.png)
[rego]: https://www.openpolicyagent.org/docs/latest/policy-language/
[conftest]: https://github.com/open-policy-agent/conftest/


@@ -0,0 +1,212 @@
# Filter Misconfigurations
## By Severity
Use `--severity` option.
```bash
trivy conf --severity HIGH,CRITICAL examples/misconf/mixed
```
<details>
<summary>Result</summary>
```bash
2021-07-10T17:37:13.267+0300 INFO Detected config files: 4
configs/Dockerfile (dockerfile)
===============================
Tests: 23 (SUCCESSES: 21, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 0)
+---------------------------+------------+----------------------+----------+------------------------------------------+
| TYPE | MISCONF ID | CHECK | SEVERITY | MESSAGE |
+---------------------------+------------+----------------------+----------+------------------------------------------+
| Dockerfile Security Check | DS002 | Image user is 'root' | HIGH | Specify at least 1 USER |
| | | | | command in Dockerfile with |
| | | | | non-root user as argument |
| | | | | -->avd.aquasec.com/appshield/ds002 |
+---------------------------+------------+----------------------+----------+------------------------------------------+
configs/deployment.yaml (kubernetes)
====================================
Tests: 28 (SUCCESSES: 14, FAILURES: 14, EXCEPTIONS: 0)
Failures: 14 (HIGH: 1, CRITICAL: 0)
+---------------------------+------------+-------------------------------------+----------+------------------------------------------+
| TYPE | MISCONF ID | CHECK | SEVERITY | MESSAGE |
+---------------------------+------------+-------------------------------------+----------+------------------------------------------+
| Kubernetes Security Check | KSV006 | docker.sock is mounted to container | HIGH | Deployment 'hello-kubernetes' should |
| | | | | not specify '/var/run/docker.socker' in |
| | | | | 'spec.template.volumes.hostPath.path' |
| | | | | -->avd.aquasec.com/appshield/ksv006 |
+---------------------------+------------+-------------------------------------+----------+------------------------------------------+
configs/main.tf (terraform)
===========================
Tests: 19 (SUCCESSES: 11, FAILURES: 8, EXCEPTIONS: 0)
Failures: 8 (HIGH: 6, CRITICAL: 1)
+------------------------------------------+------------+------------------------------------------+----------+--------------------------------------------------------+
| TYPE | MISCONF ID | CHECK | SEVERITY | MESSAGE |
+------------------------------------------+------------+------------------------------------------+----------+--------------------------------------------------------+
| Terraform Security Check powered by | AWS003 | AWS Classic resource usage. | HIGH | Resource |
| tfsec | | | | 'aws_db_security_group.my-group' |
| | | | | uses EC2 Classic. Use a VPC instead. |
| | | | | -->tfsec.dev/docs/aws/AWS003/ |
+ +------------+------------------------------------------+----------+--------------------------------------------------------+
| | AWS004 | Use of plain HTTP. | CRITICAL | Resource |
| | | | | 'aws_alb_listener.my-alb-listener' |
| | | | | uses plain HTTP instead of HTTPS. |
| | | | | -->tfsec.dev/docs/aws/AWS004/ |
+ +------------+------------------------------------------+----------+--------------------------------------------------------+
| | AWS018 | Missing description for security | HIGH | Resource |
| | | group/security group rule. | | 'aws_security_group_rule.my-rule' should |
| | | | | include a description for auditing |
| | | | | purposes. -->tfsec.dev/docs/aws/AWS018/ |
+ +------------+------------------------------------------+ +--------------------------------------------------------+
| | AWS025 | API Gateway domain name uses outdated | | Resource |
| | | SSL/TLS protocols. | | 'aws_api_gateway_domain_name.empty_security_policy' |
| | | | | defines outdated SSL/TLS policies (not using |
| | | | | TLS_1_2). -->tfsec.dev/docs/aws/AWS025/ |
+ + + + +--------------------------------------------------------+
| | | | | Resource |
| | | | | 'aws_api_gateway_domain_name.missing_security_policy' |
| | | | | should include security_policy (defauls to outdated |
| | | | | SSL/TLS policy). -->tfsec.dev/docs/aws/AWS025/ |
+ + + + +--------------------------------------------------------+
| | | | | Resource |
| | | | | 'aws_api_gateway_domain_name.outdated_security_policy' |
| | | | | defines outdated SSL/TLS policies (not using TLS_1_2). |
| | | | | -->tfsec.dev/docs/aws/AWS025/ |
+ +------------+------------------------------------------+ +--------------------------------------------------------+
| | AZU003 | Unencrypted managed disk. | | Resource 'azurerm_managed_disk.source' |
| | | | | defines an unencrypted managed disk. |
| | | | | -->tfsec.dev/docs/azure/AZU003/ |
+------------------------------------------+------------+------------------------------------------+----------+--------------------------------------------------------+
configs/variables.tf (terraform)
================================
Tests: 1 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 0)
Failures: 0 (HIGH: 0, CRITICAL: 0)
```
</details>
## By Misconfiguration IDs
Use `.trivyignore`.
```bash
$ cat .trivyignore
# Accept the risk
AWS003
AWS018
AWS025
$ trivy conf --severity HIGH,CRITICAL examples/misconf/mixed
```
<details>
<summary>Result</summary>
```bash
2021-07-10T17:38:51.306+0300 INFO Detected config files: 4
configs/Dockerfile (dockerfile)
===============================
Tests: 23 (SUCCESSES: 21, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 0)
+---------------------------+------------+----------------------+----------+------------------------------------------+
| TYPE | MISCONF ID | CHECK | SEVERITY | MESSAGE |
+---------------------------+------------+----------------------+----------+------------------------------------------+
| Dockerfile Security Check | DS002 | Image user is 'root' | HIGH | Specify at least 1 USER |
| | | | | command in Dockerfile with |
| | | | | non-root user as argument |
| | | | | -->avd.aquasec.com/appshield/ds002 |
+---------------------------+------------+----------------------+----------+------------------------------------------+
configs/deployment.yaml (kubernetes)
====================================
Tests: 28 (SUCCESSES: 14, FAILURES: 14, EXCEPTIONS: 0)
Failures: 14 (HIGH: 1, CRITICAL: 0)
+---------------------------+------------+-------------------------------------+----------+------------------------------------------+
| TYPE | MISCONF ID | CHECK | SEVERITY | MESSAGE |
+---------------------------+------------+-------------------------------------+----------+------------------------------------------+
| Kubernetes Security Check | KSV006 | docker.sock is mounted to container | HIGH | Deployment 'hello-kubernetes' should |
| | | | | not specify '/var/run/docker.socker' in |
| | | | | 'spec.template.volumes.hostPath.path' |
| | | | | -->avd.aquasec.com/appshield/ksv006 |
+---------------------------+------------+-------------------------------------+----------+------------------------------------------+
configs/main.tf (terraform)
===========================
Tests: 19 (SUCCESSES: 11, FAILURES: 8, EXCEPTIONS: 0)
Failures: 8 (HIGH: 1, CRITICAL: 1)
+------------------------------------------+------------+---------------------------+----------+------------------------------------------+
| TYPE | MISCONF ID | CHECK | SEVERITY | MESSAGE |
+------------------------------------------+------------+---------------------------+----------+------------------------------------------+
| Terraform Security Check powered by | AWS004 | Use of plain HTTP. | CRITICAL | Resource |
| tfsec | | | | 'aws_alb_listener.my-alb-listener' |
| | | | | uses plain HTTP instead of HTTPS. |
| | | | | -->tfsec.dev/docs/aws/AWS004/ |
+ +------------+---------------------------+----------+------------------------------------------+
| | AZU003 | Unencrypted managed disk. | HIGH | Resource 'azurerm_managed_disk.source' |
| | | | | defines an unencrypted managed disk. |
| | | | | -->tfsec.dev/docs/azure/AZU003/ |
+------------------------------------------+------------+---------------------------+----------+------------------------------------------+
configs/variables.tf (terraform)
================================
Tests: 1 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 0)
Failures: 0 (HIGH: 0, CRITICAL: 0)
```
</details>
## By Exceptions
See [Exceptions](../policy/exceptions.md)
## Show Successes and Exceptions
Use `--include-non-failures` option to show successes and exceptions as well as failures.
```bash
trivy conf --severity CRITICAL --include-non-failures examples/misconf/mixed
```
<details>
<summary>Result</summary>
```
2021-07-10T17:44:02.049+0300 INFO Detected config files: 4
configs/Dockerfile (dockerfile)
===============================
Tests: 23 (SUCCESSES: 21, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (CRITICAL: 0)
+---------------------------+------------+------------------------------------------+----------+--------+-----------------+
| TYPE | MISCONF ID | CHECK | SEVERITY | STATUS | MESSAGE |
+---------------------------+------------+------------------------------------------+----------+--------+-----------------+
| Dockerfile Security Check | DS006 | COPY '--from' refers to the current | CRITICAL | PASS | No issues found |
| | | image | | | |
+ +------------+------------------------------------------+ + + +
| | DS007 | Multiple ENTRYPOINT instructions are | | | |
| | | listed | | | |
+ +------------+------------------------------------------+ + + +
| | DS008 | Exposed port is out of range | | | |
+ +------------+------------------------------------------+ + + +
| | DS010 | 'sudo' is used | | | |
+ +------------+------------------------------------------+ + + +
| | DS011 | COPY with more than two arguments is not | | | |
| | | ending with slash | | | |
+ +------------+------------------------------------------+ + + +
| | DS012 | Duplicate aliases are defined in | | | |
| | | different FROMs | | | |
+---------------------------+------------+------------------------------------------+----------+--------+-----------------+
...
```
</details>
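Review bot: the `## Show Successes and Exceptions` section says `--include-non-failures` shows successes and exceptions but never mentions that the option also adds a STATUS column to the table; the result below shows `PASS` entries that the prose does not explain, so one sentence describing the column would make the output readable. `## By Exceptions` is only a cross-link; a single line saying what an exception does before pointing at `../policy/exceptions.md` would help readers who land here from the filtering page.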

@@ -0,0 +1,22 @@
# Others
!!! hint
See also [Others](../../vulnerability/examples/others.md) in Vulnerability section.
## File patterns
When a directory is given as an input, Trivy will recursively look for and test all files based on file patterns.
The default file patterns are [here](../custom/index.md).
In addition to the default file patterns, the `--file-patterns` option takes regexp patterns to look for your files.
For example, it may be useful when your file name of Dockerfile doesn't match the default patterns.
This can be repeated for specifying multiple file patterns.
Allowed values are here:
- dockerfile
- yaml
- json
- toml
- hcl
For more details, see [an example](https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/file-patterns)
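Review bot: `--file-patterns` is described as taking regexp patterns, and the "Allowed values" list names config types (dockerfile, yaml, json, toml, hcl), but the hunk never shows how a type and a pattern are combined on the command line, so a reader cannot use the option from this page alone; add one worked `trivy conf --file-patterns ...` command before linking to the example directory. Also "your file name of Dockerfile doesn't match" reads awkwardly: "when your Dockerfile's name doesn't match the default patterns".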

@@ -0,0 +1,88 @@
# Policy
## Pass custom policies
You can pass directories including your custom policies through `--policy` option.
This can be repeated for specifying multiple directories.
```bash
cd examplex/misconf/
trivy conf --policy custom-policy/policy --policy combine/policy --namespaces user misconf/mixed
```
For more details, see [Custom Policies](../custom/index.md).
!!! tip
You also need to specify `--namespaces` option.
## Pass custom data
You can pass directories including your custom data through `--data` option.
This can be repeated for specifying multiple directories.
```bash
cd examples/misconf/custom-data
trivy conf --policy ./policy --data ./data --namespaces user ./configs
```
For more details, see [Custom Data](../custom/data.md).
## Pass namespaces
By default, Trivy evaluate policies defined in `appshield.*`.
If you want to evaluate custom policies in other packages, you have to specify package prefixes through `--namespaces` option.
This can be repeated for specifying multiple packages.
``` bash
trivy conf --policy ./policy --namespaces main --namespaces user ./configs
```
## Skip update of built-in policies
`Trivy` downloads built-in policies when it starts operating.
Then, it checks for updates every 24 hours.
You can use the `--skip-policy-update` option to skip it.
If you skip it the first time, the built-in policies will not be loaded.
!!! note
Even if you specify the option the first time, it will be loaded as Terraform policies are written in Go.
```
trivy conf --skip-policy-update examples/misconf/mixed [~/src/github.com/aquasecurity/trivy]
```
<details>
<summary>Result</summary>
```
2021-07-10T18:04:19.083+0300 INFO No builtin policies were loaded
2021-07-10T18:04:19.174+0300 INFO Detected config files: 2
configs/main.tf (terraform)
===========================
Tests: 19 (SUCCESSES: 11, FAILURES: 8, EXCEPTIONS: 0)
Failures: 8 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 1)
+------------------------------------------+------------+------------------------------------------+----------+------------------------------------------+
| TYPE | MISCONF ID | CHECK | SEVERITY | MESSAGE |
+------------------------------------------+------------+------------------------------------------+----------+------------------------------------------+
| Terraform Security Check powered by | AWS004 | Use of plain HTTP. | CRITICAL | Resource |
| tfsec | | | | 'aws_alb_listener.my-alb-listener' |
| | | | | uses plain HTTP instead of HTTPS. |
| | | | | -->tfsec.dev/docs/aws/AWS004/ |
+ +------------+------------------------------------------+----------+------------------------------------------+
| | AWS006 | An ingress security group rule allows | MEDIUM | Resource |
| | | traffic from /0. | | 'aws_security_group_rule.my-rule' |
| | | | | defines a fully open |
| | | | | ingress security group rule. |
| | | | | -->tfsec.dev/docs/aws/AWS006/ |
+ +------------+------------------------------------------+----------+------------------------------------------+
| | AZU003 | Unencrypted managed disk. | HIGH | Resource 'azurerm_managed_disk.source' |
| | | | | defines an unencrypted managed disk. |
| | | | | -->tfsec.dev/docs/azure/AZU003/ |
+------------------------------------------+------------+------------------------------------------+----------+------------------------------------------+
configs/variables.tf (terraform)
================================
Tests: 1 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 0)
Failures: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
```
</details>
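Review bot: the first command has a typo in the directory (`cd examplex/misconf/` should be `examples`), and after changing into `examples/misconf/` the target `misconf/mixed` resolves to `examples/misconf/misconf/mixed`; it should be `mixed`, consistent with the second example's `./configs`. The `--skip-policy-update` command also carries a shell-prompt fragment (`[~/src/github.com/aquasecurity/trivy]`) that readers will copy along with the command. Minor: "Trivy evaluate policies" should be "evaluates", and the note "it will be loaded as Terraform policies are written in Go" should say what "it" refers to, e.g. "Terraform checks still run on a first invocation with this option, because they are compiled into Trivy rather than downloaded"; the result shown (only `.tf` files reported) is the evidence for that.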

@@ -0,0 +1,6 @@
# Report Formats
See [Reports Formats](../../vulnerability/examples/report.md) in Vulnerability section.
!!! caution
Misconfiguration scanning doesn't support default templates such as XML and SARIF for now.
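Review bot: "Reports Formats" should read "Report Formats" to match the heading and the linked page. The caution only lists what is unsupported (XML and SARIF templates); stating which output formats misconfiguration scanning does support would be more useful to someone wiring it into CI.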

@@ -0,0 +1,41 @@
# Built-in Policies
## Policy Sources
Built-in policies are mainly written in [Rego][rego].
Those policies are managed under [AppShield repository][appshield].
Only Terraform's policies are currently powered by [tfsec][tfsec].
| Config type | Source |
| ---------------| ----------------------------- |
| Kubernetes | [AppShield][kubernetes] |
| Dockerfile | [AppShield][docker] |
| Terraform | [tfsec][tfsec-checks] |
Most of policies are from [Best practices for writing Dockerfiles][dockerfile-bestpractice], [Pod Security Standards][pss], and best practices from cloud providers such as [Azure best practices for network security][azure].
Also, some policies are powered by [KICS][kics].
For suggestions or issues regarding policy content, please open an issue under [AppShield][appshield] or [tfsec][tfsec] repository.
CloudFormation and Ansible are coming soon.
## Policy Distribution
AppShield policies are destributed as OPA bundle on [GitHub Container Registry][ghcr] (GHCR).
When misconfiguration detection is enabled, Trivy pulls OPA bundle from GHCR as OCI artifact and stores it in the cache.
Then, those policies are loaded into Trivy OPA engine and used for detecting misconfigurations.
## Update Interval
Trivy checks for updates to OPA bundle on GHCR every 24 hours and pulls it if there are any updates.
[rego]: https://www.openpolicyagent.org/docs/latest/policy-language/
[appshield]: https://github.com/aquasecurity/appshield
[kubernetes]: https://github.com/aquasecurity/appshield/tree/master/kubernetes
[docker]: https://github.com/aquasecurity/appshield/tree/master/docker
[tfsec-checks]: https://tfsec.dev/docs/aws/home/
[tfsec]: https://github.com/tfsec/tfsec
[ghcr]: https://github.com/aquasecurity/appshield/pkgs/container/appshield
[dockerfile-bestpractice]: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/
[pss]: https://kubernetes.io/docs/concepts/security/pod-security-standards/
[azure]: https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices
[kics]: https://github.com/Checkmarx/kics/
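Review bot: "destributed as OPA bundle" should be "distributed as an OPA bundle", and "Most of policies" should be "Most policies". The `[tfsec-checks]` reference points only at the AWS section of the tfsec docs, while the table presents it as the source of all Terraform checks; the scan output elsewhere in this PR also reports Azure checks (`AZU003`), so link the docs root or say that other providers are covered.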

@@ -0,0 +1,98 @@
# Exceptions
Exceptions lets you to specify cases where you allow policy violations.
Trivy supports two types of exceptions.
!!! info
Exceptions can be applied to built-in policies as well as custom policies.
## Namespace-based exceptions
There are some cases where you need to disable built-in policies partially or fully.
Namespace-based exceptions lets you rough choose which individual packages to exempt.
To use namespace-based exceptions, create a Rego rule with the name `exception` that returns the package names to exempt.
The `exception` rule must be defined under `namespace.exceptions`.
`data.namespaces` includes all package names.
!!! example
``` rego
package namespace.exceptions
import data.namespaces
exception[ns] {
ns := data.namespaces[_]
startswith(ns, "appshield")
}
```
This example exempts all built-in policies for Kubernetes.
For more details, see [an example][ns-example].
## Rule-based exceptions
There are some cases where you need more flexibility and granularity in defining which cases to exempt.
Rule-based exceptions lets you granularly choose which individual rules to exempt, while also declaring under which conditions to exempt them.
To use rule-based exceptions, create a Rego rule with the name `exception` that returns the rule name suffixes to exempt, prefixed by `deny_` (for example, returning `foo` will exempt `deny_foo`).
The rule can make any other assertion, for example, on the input or data documents.
This is useful to specify the exemption for a specific case.
Note that if you specify the empty string, the exception will match all rules named `deny`.
```
exception[rules] {
# Logic
rules = ["foo","bar"]
}
```
The above would provide an exception from `deny_foo` and `deny_bar`.
!!! example
```
package user.kubernetes.ID100
__rego_metadata := {
"id": "ID100",
"title": "Deployment not allowed",
"severity": "HIGH",
"type": "Kubernetes Custom Check",
}
deny_deployment[msg] {
input.kind == "Deployment"
msg = sprintf("Found deployment '%s' but deployments are not allowed", [name])
}
exception[rules] {
input.kind == "Deployment"
input.metadata.name == "allow-deployment"
rules := ["deployment"]
}
```
If you want to apply rule-based exceptions to built-in policies, you have to define the exception under the same package.
!!! example
``` rego
package appshield.kubernetes.KSV012
exception[rules] {
input.metadata.name == "can-run-as-root"
rules := [""]
}
```
This exception is applied to [KSV012][ksv012] in AppShield.
You can get the package names in [AppShield repository][appshield] or the JSON output from Trivy.
For more details, see [an example][rule-example].
[ns-example]: https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/namespace-exception
[rule-example]: https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/rule-exception
[ksv012]: https://github.com/aquasecurity/appshield/blob/57bccc1897b2500a731415bda3990b0d4fbc959e/kubernetes/policies/pss/restricted/3_runs_as_root.rego
[appshield]: https://github.com/aquasecurity/appshield/
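Review bot: the namespace-based example and its explanation disagree: `startswith(ns, "appshield")` matches every built-in package (the Policy page in this PR says Trivy evaluates `appshield.*`, which includes the Dockerfile checks), yet the text says it "exempts all built-in policies for Kubernetes"; either use `startswith(ns, "appshield.kubernetes")` or change the sentence to "all built-in policies". In the rule-based example, `__rego_metadata :=` is missing the trailing underscores used in the combine policy (`__rego_metadata__`), and `deny_deployment` passes an undefined `name` to `sprintf`; it should be `input.metadata.name`. Two of the four fences lack the `rego` tag the other two have. Grammar: "Exceptions lets you to specify" should be "Exceptions let you specify"; "lets you rough choose" should be "roughly choose".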

@@ -1,34 +0,0 @@
# Quick Start
Simply specify an image name (and a tag).
```
$ trivy image [YOUR_IMAGE_NAME]
```
For example:
```
$ trivy image python:3.4-alpine
```
<details>
<summary>Result</summary>
```
2019-05-16T01:20:43.180+0900 INFO Updating vulnerability database...
2019-05-16T01:20:53.029+0900 INFO Detecting Alpine vulnerabilities...
python:3.4-alpine3.9 (alpine 3.9.2)
===================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| openssl | CVE-2019-1543 | MEDIUM | 1.1.1a-r1 | 1.1.1b-r1 | openssl: ChaCha20-Poly1305 |
| | | | | | with long nonces |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
```
</details>

@@ -1,7 +0,0 @@
# Scanning
Trivy can be used to scan
- [Container Images](image.md)
- [Filesystem](filesystem.md)
- [Git Repositores](git-repository.md)

@@ -1,31 +0,0 @@
# Filesystem
```bash
NAME:
trivy filesystem - scan local filesystem
USAGE:
trivy filesystem [command options] dir
OPTIONS:
--template value, -t value output template [$TRIVY_TEMPLATE]
--format value, -f value format (table, json, template) (default: "table") [$TRIVY_FORMAT]
--input value, -i value input file path instead of image name [$TRIVY_INPUT]
--severity value, -s value severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
--output value, -o value output file name [$TRIVY_OUTPUT]
--exit-code value Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
--skip-update skip db update (default: false) [$TRIVY_SKIP_UPDATE]
--clear-cache, -c clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE]
--ignore-unfixed display only fixed vulnerabilities (default: false) [$TRIVY_IGNORE_UNFIXED]
--removed-pkgs detect vulnerabilities of removed packages (only for Alpine) (default: false) [$TRIVY_REMOVED_PKGS]
--vuln-type value comma-separated list of vulnerability types (os,library) (default: "os,library") [$TRIVY_VULN_TYPE]
--ignorefile value specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
--cache-backend value cache backend (e.g. redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND]
--timeout value timeout (default: 5m0s) [$TRIVY_TIMEOUT]
--no-progress suppress progress bar (default: false) [$TRIVY_NO_PROGRESS]
--ignore-policy value specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
--list-all-pkgs enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
--skip-files value specify the file path to skip traversal [$TRIVY_SKIP_FILES]
--skip-dirs value specify the directory where the traversal is skipped [$TRIVY_SKIP_DIRS]
--help, -h show help (default: false)
```

@@ -1,43 +0,0 @@
# OS
| OS | Source |
| ---------------| ------------------------------------------------------------------------------------|
| Arch Linux | [Vulnerable Issues](https://security.archlinux.org/) |
| Alpine Linux | [secdb](https://secdb.alpinelinux.org/) |
| Amazon Linux 1 | [Amazon Linux Security Center](https://alas.aws.amazon.com/) |
| Amazon Linux 2 | [Amazon Linux Security Center](https://alas.aws.amazon.com/alas2.html) |
| Debian | [Security Bug Tracker](https://security-tracker.debian.org/tracker/) |
| | [OVAL](https://www.debian.org/security/oval/) |
| Ubuntu | [Ubuntu CVE Tracker](https://ubuntu.com/security/cve) |
| RHEL/CentOS | [OVAL](https://www.redhat.com/security/data/oval/v2/) |
| | [Security Data](https://www.redhat.com/security/data/metrics/) |
| Oracle Linux | [OVAL](https://linux.oracle.com/security/oval/) |
| OpenSUSE/SLES | [CVRF](http://ftp.suse.com/pub/projects/security/cvrf/) |
| Photon OS | [Photon Security Advisory](https://packages.vmware.com/photon/photon_cve_metadata/) |
# Programming Language
| Language | Source | Commercial Use | Delay *1 |
| ---------------------------- | ------------------------------------------------------------------------------------------------ |:---------------:|:--------:|
| PHP | [PHP Security Advisories Database](https://github.com/FriendsOfPHP/security-advisories) | ✅ | - |
| | [GitHub Advisory Database (Composer)](https://github.com/advisories?query=ecosystem%3Acomposer) | ✅ | - |
| Python | [Safety DB](https://github.com/pyupio/safety-db) | ❌ | 1 month |
| | [GitHub Advisory Database (pip)](https://github.com/advisories?query=ecosystem%3Apip) | ✅ | - |
| Ruby | [Ruby Advisory Database](https://github.com/rubysec/ruby-advisory-db) | ❌ (partially) | - |
| | [GitHub Advisory Database (RubyGems)](https://github.com/advisories?query=ecosystem%3Arubygems) | ✅ | - |
| Node.js | [Ecosystem Security Working Group](https://github.com/nodejs/security-wg) | ✅ | - |
| | [GitHub Advisory Database (npm)](https://github.com/advisories?query=ecosystem%3Anpm) | ✅ | - |
| Java | [GitLab Advisories Community](https://gitlab.com/gitlab-org/advisories-community) | ✅ | 1 month |
| | [GitHub Advisory Database (Maven)](https://github.com/advisories?query=ecosystem%3Amaven) | ✅ | - |
| Go | [GitLab Advisories Community](https://gitlab.com/gitlab-org/advisories-community) | ✅ | 1 month |
| | [The Go Vulnerability Database](https://github.com/golang/vulndb) | ✅ | - |
| Rust | [RustSec Advisory Database](https://github.com/advisories?query=ecosystem%3Anuget) | ✅ | - |
| .NET | [GitHub Advisory Database (NuGet)](https://github.com/RustSec/advisory-db) | ✅ | - |
*1: Intentional delay between vulnerability disclosure and registration in the DB
# Others
| Name | Source |
| --------------------------------|---------------------------------------------------------|
| National Vulnerability Database | [NVD](https://nvd.nist.gov/) |

@@ -1,9 +0,0 @@
# Supported Image Tar Formats
Trivy scans a tar image with the following format.
- Docker Image Specification (https://github.com/moby/moby/tree/master/image/spec)
- Moby Project (https://github.com/moby/moby/)
- Buildah, Podman (https://github.com/containers/buildah)
- img (https://github.com/genuinetools/img)
- Kaniko
- Kaniko (https://github.com/GoogleContainerTools/kaniko)

@@ -1,4 +0,0 @@
Trivy detects vulnerabilities in [OS packages][os] and [application libraries][library]
[os]: os.md
[library]: library.md

@@ -1,27 +0,0 @@
# Application Dependencies
`Trivy` automatically detects the following files in the container and scans vulnerabilities in the application dependencies.
- Ruby
- Gemfile.lock
- Python
- Pipfile.lock
- poetry.lock
- PHP
- composer.lock
- Node.js
- package-lock.json (dev dependencies are excluded)
- yarn.lock
- Rust
- Cargo.lock
- .NET
- packages.lock.json
- Java
- JAR/WAR/EAR files (*.jar, *.war, and *.ear)
- Go
- Binaries built by Go (UPX-compressed binaries don't work)
- go.sum
The path of these files does not matter.
Example: https://github.com/aquasecurity/trivy-ci-test/blob/main/Dockerfile

@@ -1,20 +0,0 @@
# Supported OS
The unfixed/unfixable vulnerabilities mean that the patch has not yet been provided on their distribution. Trivy doesn't support self-compiled packages/binaries, but official packages provided by vendors such as Red Hat and Debian.
| OS | Supported Versions | Target Packages | Detection of unfixed vulnerabilities |
| ---------------------------- | ---------------------------------------- | ----------------------------- | :----------------------------------: |
| Alpine Linux | 2.2 - 2.7, 3.0 - 3.13 | Installed by apk | NO |
| Red Hat Universal Base Image | 7, 8 | Installed by yum/rpm | YES |
| Red Hat Enterprise Linux | 6, 7, 8 | Installed by yum/rpm | YES |
| CentOS | 6, 7 | Installed by yum/rpm | YES |
| Oracle Linux | 5, 6, 7, 8 | Installed by yum/rpm | NO |
| Amazon Linux | 1, 2 | Installed by yum/rpm | NO |
| openSUSE Leap | 42, 15 | Installed by zypper/rpm | NO |
| SUSE Enterprise Linux | 11, 12, 15 | Installed by zypper/rpm | NO |
| Photon OS | 1.0, 2.0, 3.0 | Installed by tdnf/yum/rpm | NO |
| Debian GNU/Linux | wheezy, jessie, stretch, buster | Installed by apt/apt-get/dpkg | YES |
| Ubuntu | All versions supported by Canonical | Installed by apt/apt-get/dpkg | YES |
| Distroless* | Any | Installed by apt/apt-get/dpkg | YES |
*Distroless: https://github.com/GoogleContainerTools/distroless

@@ -0,0 +1,73 @@
# OS
| OS | Source |
| ---------------| ---------------------------------------- |
| Arch Linux | [Vulnerable Issues][arch] |
| Alpine Linux | [secdb][alpine] |
| Amazon Linux 1 | [Amazon Linux Security Center][amazon1] |
| Amazon Linux 2 | [Amazon Linux Security Center][amazon2] |
| Debian | [Security Bug Tracker][debian-tracker] |
| | [OVAL][debian-oval] |
| Ubuntu | [Ubuntu CVE Tracker][ubuntu] |
| RHEL/CentOS | [OVAL][rhel-oval] |
| | [Security Data][rhel-api] |
| Oracle Linux | [OVAL][oracle] |
| OpenSUSE/SLES | [CVRF][suse] |
| Photon OS | [Photon Security Advisory][photon] |
# Programming Language
| Language | Source | Commercial Use | Delay[^1]|
| ---------------------------- | -------------------------------------------------|:---------------:|:--------:|
| PHP | [PHP Security Advisories Database][php] | ✅ | - |
| | [GitHub Advisory Database (Composer)][php-ghsa] | ✅ | - |
| Python | [Safety DB][python] | ❌ | 1 month |
| | [GitHub Advisory Database (pip)][python-ghsa] | ✅ | - |
| Ruby | [Ruby Advisory Database][ruby] | ❌ (partially) | - |
| | [GitHub Advisory Database (RubyGems)][ruby-ghsa] | ✅ | - |
| Node.js | [Ecosystem Security Working Group][nodejs] | ✅ | - |
| | [GitHub Advisory Database (npm)][nodejs-ghsa] | ✅ | - |
| Java | [GitLab Advisories Community][gitlab] | ✅ | 1 month |
| | [GitHub Advisory Database (Maven)][java-ghsa] | ✅ | - |
| Go | [GitLab Advisories Community][gitlab] | ✅ | 1 month |
| | [The Go Vulnerability Database][go] | ✅ | - |
| Rust | [RustSec Advisory Database][rust] | ✅ | - |
| .NET | [GitHub Advisory Database (NuGet)][dotnet-ghsa] | ✅ | - |
[^1]: Intentional delay between vulnerability disclosure and registration in the DB
# Others
| Name | Source |
| --------------------------------|------------|
| National Vulnerability Database | [NVD][nvd] |
[arch]: https://security.archlinux.org/
[alpine]: https://secdb.alpinelinux.org/
[amazon1]: https://alas.aws.amazon.com/
[amazon2]: https://alas.aws.amazon.com/alas2.html
[debian-tracker]: https://security-tracker.debian.org/tracker/
[debian-oval]: https://www.debian.org/security/oval/
[ubuntu]: https://ubuntu.com/security/cve
[rhel-oval]: https://www.redhat.com/security/data/oval/v2/
[rhel-api]: https://www.redhat.com/security/data/metrics/
[oracle]: https://linux.oracle.com/security/oval/
[suse]: http://ftp.suse.com/pub/projects/security/cvrf/
[photon]: https://packages.vmware.com/photon/photon_cve_metadata/
[php-ghsa]: https://github.com/advisories?query=ecosystem%3Acomposer
[python-ghsa]: https://github.com/advisories?query=ecosystem%3Apip
[ruby-ghsa]: https://github.com/advisories?query=ecosystem%3Arubygems
[nodejs-ghsa]: https://github.com/advisories?query=ecosystem%3Anpm
[java-ghsa]: https://github.com/advisories?query=ecosystem%3Amaven
[dotnet-ghsa]: https://github.com/advisories?query=ecosystem%3Anuget
[php]: https://github.com/FriendsOfPHP/security-advisories
[python]: https://github.com/pyupio/safety-db
[ruby]: https://github.com/rubysec/ruby-advisory-db
[nodejs]: https://github.com/nodejs/security-wg
[gitlab]: https://gitlab.com/gitlab-org/advisories-community
[go]: https://github.com/golang/vulndb
[rust]: (https://github.com/RustSec/advisory-db)
[nvd]: https://nvd.nist.gov/
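Review bot: `[rust]: (https://github.com/RustSec/advisory-db)` wraps the destination in parentheses, which Markdown treats as part of the URL, so the `[RustSec Advisory Database][rust]` cell will produce a broken link; drop the parentheses. The swapped Rust/.NET links from the removed `os.md` (Rust pointing at the NuGet query and .NET at RustSec) are now correct in the table itself.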

@@ -0,0 +1,24 @@
# Language-specific Packages
`Trivy` automatically detects the following files in the container and scans vulnerabilities in the application dependencies.
| Language | File | Dev dependencies |
| ---------| ------------------------------------------------| -----------------|
| Ruby | Gemfile.lock | included |
| Python | Pipfile.lock | excluded |
| | poetry.lock | included |
| PHP | composer.lock | excluded |
| Node.js | package-lock.json | excluded |
| | yarn.lock | included |
| .NET | packages.lock.json | included |
| Java | JAR/WAR/EAR (`*.jar`, `*.war`, and `*.ear`)[^1] | included |
| Go | Binaries built by Go[^2] | excluded |
| | go.sum | included |
The path of these files does not matter.
Example: [Dockerfile](https://github.com/aquasecurity/trivy-ci-test/blob/main/Dockerfile)
[^1]: It requires the Internet access
[^2]: UPX-compressed binaries don't work
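Review bot: footnote 1, "It requires the Internet access", should read "Requires Internet access" and say what is fetched for JAR/WAR/EAR files, since readers running scans in air-gapped CI need to know whether Java detection will silently degrade. Documenting dev-dependency handling per file is an improvement over the removed list.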

@@ -0,0 +1,21 @@
# Supported OS
The unfixed/unfixable vulnerabilities mean that the patch has not yet been provided on their distribution. Trivy doesn't support self-compiled packages/binaries, but official packages provided by vendors such as Red Hat and Debian.
| OS | Supported Versions | Target Packages | Detection of unfixed vulnerabilities |
| -------------------------------- | ---------------------------------------- | ----------------------------- | :----------------------------------: |
| Alpine Linux | 2.2 - 2.7, 3.0 - 3.13 | Installed by apk | NO |
| Red Hat Universal Base Image[^1] | 7, 8 | Installed by yum/rpm | YES |
| Red Hat Enterprise Linux | 6, 7, 8 | Installed by yum/rpm | YES |
| CentOS | 6, 7 | Installed by yum/rpm | YES |
| Oracle Linux | 5, 6, 7, 8 | Installed by yum/rpm | NO |
| Amazon Linux | 1, 2 | Installed by yum/rpm | NO |
| openSUSE Leap | 42, 15 | Installed by zypper/rpm | NO |
| SUSE Enterprise Linux | 11, 12, 15 | Installed by zypper/rpm | NO |
| Photon OS | 1.0, 2.0, 3.0 | Installed by tdnf/yum/rpm | NO |
| Debian GNU/Linux | wheezy, jessie, stretch, buster | Installed by apt/apt-get/dpkg | YES |
| Ubuntu | All versions supported by Canonical | Installed by apt/apt-get/dpkg | YES |
| Distroless[^2] | Any | Installed by apt/apt-get/dpkg | YES |
[^1]: https://developers.redhat.com/products/rhel/ubi
[^2]: https://github.com/GoogleContainerTools/distroless

@@ -0,0 +1,22 @@
# Supported
## Container Runtime
- [Docker Engine](https://docs.docker.com/engine/)
- [Podman](../../advanced/container/podman.md)
## Container Registry
- [Docker Registry HTTP API V2](https://docs.docker.com/registry/spec/api/)
- [OCI Distribution Specification](https://github.com/opencontainers/distribution-spec)
## Image Tar Formats
Trivy scans a tar image with the following format.
- [Docker Image Specification](https://github.com/moby/moby/tree/master/image/spec)
- [Moby Project](https://github.com/moby/moby/)
- [Buildah](https://github.com/containers/buildah)
- [Podman](https://github.com/containers/podman)
- [img](https://github.com/genuinetools/img)
- [Kaniko](https://github.com/GoogleContainerTools/kaniko)
## Image Layout
- [OCI Image Format Specification](https://github.com/opencontainers/image-spec)
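Review bot: "Trivy scans a tar image with the following format." should be "formats" since a list follows. The duplicate "Kaniko" entry from the removed file is gone, good.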

@@ -27,7 +27,8 @@ $ trivy --cache-dir /tmp/trivy/ image python:3.4-alpine3.9
```
## Cache Backend
[EXPERIMENTAL] This feature might change without preserving backwards compatibility.
!!! warning "EXPERIMENTAL"
This feature might change without preserving backwards compatibility.
Trivy supports local filesystem and Redis as the cache backend. This option is useful especially for client/server mode.

@@ -3,10 +3,10 @@
## Skip update of vulnerability DB
`Trivy` downloads its vulnerability database every 12 hours when it starts operating.
This is usually fast, as the size of the DB is only 10~30MB.
But if you want to skip even that, use the `--skip-update` option.
But if you want to skip even that, use the `--skip-db-update` option.
```
$ trivy image --skip-update python:3.4-alpine3.9
$ trivy image --skip-db-update python:3.4-alpine3.9
```
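Review bot: the rename from `--skip-update` to `--skip-db-update` should say whether the old flag still works (alias or removed) and from which version, otherwise CI pipelines copied from the old page will not know whether they must change; make sure the `<details>` result that follows also uses the new name.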
<details>

@@ -283,7 +283,8 @@ Total: 4751 (UNKNOWN: 1, LOW: 150, MEDIUM: 3504, HIGH: 1013, CRITICAL: 83)
## By Open Policy Agent
[EXPERIMENTAL] This feature might change without preserving backwards compatibility.
!!! warning "EXPERIMENTAL"
This feature might change without preserving backwards compatibility.
Trivy supports Open Policy Agent (OPA) to filter vulnerabilities. You can specify a Rego file with `--ignore-policy` option.
@@ -316,5 +317,5 @@ Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
</details>
[helper]: https://github.com/aquasecurity/trivy/tree/main/pkg/vulnerability/module.go
[policy]: https://github.com/aquasecurity/trivy/tree/main/contrib/example_policy
[helper]: https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/pkg/vulnerability/module.go
[policy]: https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/contrib/example_policy
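Review bot: these references use `{{ git.tag }}` while the new misconfiguration pages in the same PR use `{{ git.commit }}` (the file-patterns and exceptions example links); pick one, since a tag-pinned link only resolves once the referenced content is in a release.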

@@ -1,5 +1,21 @@
# Others
## Skip Files
Trivy traversals directories and looks for all lock files by default.
If your image contains lock files which are not maintained by you, you can skip the file.
```
$ trivy image --skip-files "/Gemfile.lock" --skip-files "/var/lib/gems/2.5.0/gems/http_parser.rb-0.6.0/Gemfile.lock" quay.io/fluentd_elasticsearch/fluentd:v2.9.0
```
## Skip Directories
Trivy traversals directories and look for all lock files by default.
If your image contains lock files which are not maintained by you, you can skip traversal in the specific directory.
```
$ trivy image --skip-dirs /var/lib/gems/2.5.0/gems/fluent-plugin-detect-exceptions-0.0.13 --skip-dirs "/var/lib/gems/2.5.0/gems/http_parser.rb-0.6.0" quay.io/fluentd_elasticsearch/fluentd:v2.9.0
```
## Exit Code
By default, `Trivy` exits with code 0 even when vulnerabilities are detected.
Use the `--exit-code` option if you want to exit with a non-zero exit code.
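Review bot: "Trivy traversals directories and looks for" should be "Trivy traverses directories and looks for" in both sections (the second also has "look for"). The `--skip-files` and `--skip-dirs` introductions are near-duplicates; one paragraph with both examples would read better.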

@@ -12,6 +12,9 @@ $ trivy image -f table golang:1.12-alpine
$ trivy image -f json -o results.json golang:1.12-alpine
```
!!! caution
v0.20.0 changes the JSON schema. For more details, see [here][new-json].
<details>
<summary>Result</summary>
@@ -201,6 +204,7 @@ Trivy also supports an [ASFF template for reporting findings to AWS Security Hub
$ trivy image --format template --template "@contrib/html.tpl" -o report.html golang:1.12-alpine
```
[new-json]: https://github.com/aquasecurity/trivy/discussions/1050
[action]: https://github.com/aquasecurity/trivy-action
[asff]: https://github.com/aquasecurity/trivy/blob/main/docs/integrations/aws-security-hub.md
[sarif]: https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/managing-results-from-code-scanning

@@ -0,0 +1,10 @@
# Vulnerability Scanning
Trivy scans [Container Images][image], [Filesystem][fs], and [Git Repositores][repo] to detect vulnerabilities.
![vulnerability][vuln]
[image]: image.md
[fs]: filesystem.md
[repo]: git-repository.md
[vuln]: ../../imgs/vulnerability.png
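Review bot: "Git Repositores" should be "Git Repositories".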

@@ -0,0 +1,30 @@
# Combine
## Scan
The `"combine": true` flag combines files into one input data structure.
It allows you to compare multiple values from different configurations simultaneously.
This example compares the values in `deployment.yaml` and `service.yaml`.
``` bash
$ trivy conf --severity CRITICAL --policy ./policy --namespaces user ./configs
2021-07-10T01:22:46.477+0300 INFO Detected config files: 2
deployment.yaml (kubernetes)
============================
Tests: 29 (SUCCESSES: 17, FAILURES: 12, EXCEPTIONS: 0)
Failures: 12 (CRITICAL: 0)
service.yaml (kubernetes)
=========================
Tests: 29 (SUCCESSES: 28, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (CRITICAL: 1)
+-------------------------+------------+------------------------------------+----------+------------------------------------------+
| TYPE | MISCONF ID | CHECK | SEVERITY | MESSAGE |
+-------------------------+------------+------------------------------------+----------+------------------------------------------+
| Kubernetes Custom Check | ID003 | Servide does not target Pod | CRITICAL | Service 'my-nginx' selector does not |
| | | | | match with any Pod label |
+-------------------------+------------+------------------------------------+----------+------------------------------------------+
```
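Review bot: the table output contains the typo `Servide does not target Pod`, which comes from the `title` field of the ID003 policy; fix the typo in the policy and regenerate this output so the two stay in sync. The intro should also say what `./policy`, `./configs` and `--namespaces user` refer to (the policy's `package user.kubernetes.ID003` prefix is what `--namespaces user` selects), since a reader landing on this README first has no other context.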


@@ -0,0 +1,19 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: my-nginx
spec:
selector:
matchLabels:
run: my-nginx
replicas: 2
template:
metadata:
labels:
run: my-nginx
spec:
containers:
- name: my-nginx
image: nginx
ports:
- containerPort: 80


@@ -0,0 +1,10 @@
apiVersion: v1
kind: Service
metadata:
name: my-nginx
spec:
ports:
- port: 80
protocol: TCP
selector:
run: my-nginx123
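Review bot: the selector `run: my-nginx123` is deliberately mismatched against the Deployment's `run: my-nginx` label so that ID003 fires, but nothing in the file says so; add a YAML comment such as `# intentionally does not match the Deployment label, so ID003 fails`, otherwise readers copying the sample Service will carry the broken selector into real manifests.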


@@ -0,0 +1,32 @@
package user.kubernetes.ID003
__rego_metadata__ := {
"id": "ID003",
"title": "Servide does not target Pod",
"severity": "CRITICAL",
"type": "Kubernetes Custom Check",
"description": "Service selector does not match any Pod label",
}
__rego_input__ := {
"combine": true,
"selector": [{"type": "kubernetes"}],
}
deny[res] {
service := input[i].contents
service.kind == "Service"
value := service.spec.selector[key]
not match_label(key, value)
res := {
"filepath": input[i].path,
"msg": sprintf("Service '%s' selector does not match with any Pod label", [service.metadata.name]),
}
}
match_label(key, value) {
deployment := input[i].contents
deployment.kind == "Deployment"
deployment.spec.template.metadata.labels[key] == value
}
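Review bot: `title` has the typo `Servide`; correct it to `Service does not target Pod`, since this string is surfaced in the scan table. Also, `match_label` only consults `Deployment` objects' `spec.template.metadata.labels`, so a Service whose selector targets a bare Pod, StatefulSet or DaemonSet would be reported as a CRITICAL false positive; either widen the rule to those kinds or narrow `description` to say it checks Deployments. Worth a comment too that the `i` inside `match_label` is a fresh variable scoped to that rule and iterates all inputs rather than reusing the `i` from `deny`; that is the intended behaviour here but it reads like the same index.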


@@ -0,0 +1,25 @@
# Custom Data
Disallowed ports are defined in `data/ports.yaml`.
They are imported in `policy/custom.rego`.
```
$ trivy conf --severity HIGH,CRITICAL --policy ./policy --data data --namespaces user ./configs
2021-07-10T00:10:21.775+0300 INFO Detected config files: 1
Dockerfile (dockerfile)
=======================
Tests: 24 (SUCCESSES: 22, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)
+---------------------------+------------+--------------------------+----------+------------------------------------------+
| TYPE | MISCONF ID | CHECK | SEVERITY | MESSAGE |
+---------------------------+------------+--------------------------+----------+------------------------------------------+
| Docker Custom Check | ID002 | Disallowed ports exposed | HIGH | Port 23 should not be exposed |
+---------------------------+------------+--------------------------+ +------------------------------------------+
| Dockerfile Security Check | DS002 | Image user is 'root' | | Specify at least 1 USER |
| | | | | command in Dockerfile with |
| | | | | non-root user as argument |
| | | | | -->avd.aquasec.com/appshield/ds002 |
+---------------------------+------------+--------------------------+----------+------------------------------------------+
```
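Review bot: the README says ports are defined in `data/ports.yaml` and imported in `policy/custom.rego` but does not explain the mapping: `--data data` loads that directory and the top-level `services:` key becomes `data.services`, which is what `import data.services` in the policy refers to. One sentence on that makes the example reproducible without reading the Rego. The output also shows the built-in DS002 check firing because the sample Dockerfile has no `USER` instruction; say that this is expected so readers do not take it for part of the custom-data demo.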


@@ -0,0 +1,5 @@
FROM alpine:3.11
RUN apk add bash
EXPOSE 23
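Review bot: `EXPOSE 23` and the missing `USER` instruction are both intentional triggers for ID002 and DS002, but nothing in the file says so; add a comment above each (for example `# telnet port, listed as disallowed in data/ports.yaml`) so the sample is not copied as a template. `RUN apk add bash` would normally be `apk add --no-cache bash`, though that is cosmetic here.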


@@ -0,0 +1,7 @@
services:
ports:
- "20"
- "20/tcp"
- "20/udp"
- "23"
- "23/tcp"
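Review bot: the list covers `20`, `20/tcp` and `20/udp` but only `23` and `23/tcp`; since ID002 compares the `EXPOSE` value as an exact string, `EXPOSE 23/udp` would slip through. Either add `23/udp` for consistency or have the policy normalise the port before comparing, and say in the README why both the bare and the `/tcp` form must be listed.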


@@ -0,0 +1,24 @@
package user.dockerfile.ID002
import data.services
__rego_metadata__ := {
"id": "ID002",
"title": "Disallowed ports exposed",
"severity": "HIGH",
"type": "Docker Custom Check",
"description": "Vulnerable ports are exposed.",
}
__rego_input__ := {"selector": [{"type": "dockerfile"}]}
deny[res] {
expose := input.stages[_][_]
expose.Cmd == "expose"
exposed_port := expose.Value[_]
disallowed_port := services.ports[_]
exposed_port == disallowed_port
res := sprintf("Port %s should not be exposed", [exposed_port])
}
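Review bot: `description` says `Vulnerable ports are exposed.` while the title and message speak of disallowed ports; align the wording, since a port being disallowed by policy is not the same as vulnerable. The `exposed_port == disallowed_port` comparison is an exact string match, so the data file has to enumerate every spelling (`23`, `23/tcp`, ...); consider stripping the `/proto` suffix, e.g. with `split(exposed_port, "/")[0]`, before comparing so a single entry per port suffices.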


@@ -0,0 +1,5 @@
# Docker Compose
```
$ trivy conf --policy ./policy --namespaces user ./configs
```
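Review bot: this README is a bare command with no explanation or output; unlike the Combine and Custom Data pages it does not say which file in `./configs` is scanned, what the policy in `./policy` checks, or what the expected result table looks like. Add the sample output and a sentence on the check, otherwise the page reads as a placeholder.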

Some files were not shown because too many files have changed in this diff.