feat: add k8s cis bench (#3315)

Signed-off-by: chenk <hen.keinan@gmail.com>
This commit is contained in:
chenk
2022-12-28 20:38:48 +02:00
committed by GitHub
parent 62b369ee39
commit a888440922
12 changed files with 580 additions and 329 deletions

View File

@@ -4,5 +4,6 @@ Trivy supports producing compliance reports.
## Supported reports
- [NSA, CISA Kubernetes Hardening Guidance v1.0](../kubernetes/cli/compliance.md)
- [AWS CIS v1.2 and v1.4](../cloud/aws/compliance.md)
- [NSA, CISA Kubernetes Hardening Guidance v1.0](../kubernetes/cli/compliance.md)
- [CIS Benchmark for Kubernetes v1.23](../kubernetes/cli/compliance.md)
- [AWS CIS v1.2 and v1.4](../cloud/aws/compliance.md)
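Review bot: the new "CIS Benchmark for Kubernetes v1.23" entry is the only place in this PR that names the benchmark version; the target page (`../kubernetes/cli/compliance.md`) links to the generic benchmark URL and never states which version its control IDs are taken from, so either add "v1.23" to that page's CIS section or drop it here so the two stay consistent. Since both list items point at the same file, consider anchoring this one to the CIS heading (for example `compliance.md#cis-benchmark-report`) so readers do not land on the NSA section first.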

View File

@@ -1,86 +1,46 @@
# Kubernetes Compliance
## NSA Compliance Report
!!! warning "EXPERIMENTAL"
This feature might change without preserving backwards compatibility.
The Trivy K8s CLI allows you to scan your Kubernetes cluster resources and generate the `NSA, CISA Kubernetes Hardening Guidance` report
[NSA, CISA Kubernetes Hardening Guidance v1.2](https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF) cybersecurity technical report is produced by trivy and validate the following control checks :
| NAME | DESCRIPTION | |
|----------------------------------------------------------|---------------------------------------------------------------------------------------------------------|---------------|
| Non-root containers | Check that container is not running as root |
| Immutable container file systems | Check that container root file system is immutable |
| Preventing privileged containers | Controls whether Pods can run privileged containers |
| Share containers process namespaces | Controls whether containers can share process namespaces |
| Share host process namespaces | Controls whether share host process namespaces |
| Use the host network | Controls whether containers can use the host network |
| Run with root privileges or with root group membership | Controls whether container applications can run with <br/>root privileges or with root group membership |
| Restricts escalation to root privileges | Control check restrictions escalation to root privileges |
| Sets the SELinux context of the container | Control checks if pod sets the SELinux context of the container |
| Restrict a container's access to resources with AppArmor | Control checks the restriction of containers access to resources with AppArmor |
| Sets the seccomp profile used to sandbox containers | Control checks the sets the seccomp profile used to sandbox containers |
| Protecting Pod service account tokens | Control check whether disable secret token been mount ,automountServiceAccountToken: false |
| Namespace kube-system should not be used by users | Control check whether Namespace kube-system is not be used by users |
| Pod and/or namespace Selectors usage | Control check validate the pod and/or namespace Selectors usage |
| Use CNI plugin that supports NetworkPolicy API | Control check whether check cni plugin installed |
| Use ResourceQuota policies to limit resources | Control check the use of ResourceQuota policy to limit aggregate resource usage within namespace |
| Use LimitRange policies to limit resources | Control check the use of LimitRange policy limit resource usage for namespaces or nodes |
| Control plan disable insecure port | Control check whether control plan disable insecure port |
| Encrypt etcd communication | Control check whether etcd communication is encrypted |
| Ensure kube config file permission | Control check whether kube config file permissions |
| Check that encryption resource has been set | Control checks whether encryption resource has been set |
| Check encryption provider | Control checks whether encryption provider has been set |
| Make sure anonymous-auth is unset | Control checks whether anonymous-auth is unset |
| Make sure -authorization-mode=RBAC | Control check whether RBAC permission is in use |
| Audit policy is configure | Control check whether audit policy is configure |
| Audit log path is configure | Control check whether audit log path is configure |
| Audit log aging | Control check whether audit log aging is configure |
</details>
## CLI Commands
Scan a full cluster and generate a complliance NSA summary report:
Scan a full cluster and generate a complliance NSA / CIS Kubernetes Benchmark summary report:
```
$ trivy k8s cluster --compliance=nsa --report summary
trivy k8s cluster --compliance=nsa --report summary
```
![k8s Summary Report](../../../imgs/trivy-nsa-summary.png)
***Note*** : The `Issues` column represent the total number of failed checks for this control.
An additional report is supported to get all of the detail the output contains, use `--report all`
```
$ trivy k8s cluster --compliance=nsa --report all
trivy k8s cluster --compliance=cis --report all
```
Report also supported in json format examples :
```
$ trivy k8s cluster --compliance=nsa --report summary --format json
trivy k8s cluster --compliance=nsa --report summary --format json
```
```
$ trivy k8s cluster --compliance=nsa --report all --format json
trivy k8s cluster --compliance=cis --report all --format json
```
## Custom compliance report
The Trivy K8s CLI allows you to create a custom compliance specification and pass it to trivy for generating scan report .
The report is generated based on scanning result mapping between users define controls and trivy checks ID.
The supported checks are from two types and can be found at [Aqua vulnerability DB](https://avd.aquasec.com/):
- [misconfiguration](https://avd.aquasec.com/misconfig/)
- [vulnerabilities](https://avd.aquasec.com/nvd)
- [misconfiguration](https://avd.aquasec.com/misconfig/)
- [vulnerabilities](https://avd.aquasec.com/nvd)
### Compliance spec format
The compliance spec file format should look as follow :
```yaml
---
spec:
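Review bot: the rewritten line "Scan a full cluster and generate a complliance NSA / CIS Kubernetes Benchmark summary report:" keeps the typo "complliance" (should be "compliance"). The four command examples also show `--compliance=nsa` only with `--report summary` and `--compliance=cis` only with `--report all`, which reads as if each report type were tied to one spec; state once that both `nsa` and `cis` are accepted values and that the `summary`/`all` choice is independent of the spec, e.g. keep the `nsa` examples and add one line such as `trivy k8s cluster --compliance=cis --report summary`.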
@@ -109,8 +69,133 @@ spec:
To generate the custom report, an custom spec file path should be passed to the `--compliance` flag with `@` prefix as follow:
```
$ trivy k8s cluster --compliance=@/spec/my_complaince.yaml --report summary
trivy k8s cluster --compliance=@/spec/my_complaince.yaml --report summary
```
The Trivy K8s CLI allows you to scan your Kubernetes cluster resources and generate the `NSA, CISA Kubernetes Hardening Guidance` report
## NSA Compliance Report
[NSA, CISA Kubernetes Hardening Guidance v1.2](https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF) cybersecurity technical report is produced by trivy and validate the following control checks :
<details>
<summary>NSA Control Checks</summary>
```
| ID | Name |
|-------|---------------------------------------------------------------------------------------------------------|
| 1.0 | Check that container is not running as root |
| 1.1 | Check that container root file system is immutable |
| 1.2 | Controls whether Pods can run privileged containers |
| 1.3 | Controls whether containers can share process namespaces |
| 1.4 | Controls whether share host process namespaces |
| 1.5 | Controls whether containers can use the host network |
| 1.6 | Controls whether container applications can run with <br/>root privileges or with root group membership |
| 1.7 | Control check restrictions escalation to root privileges |
| 1.8 | Control checks if pod sets the SELinux context of the container |
| 1.9 | Control checks the restriction of containers access to resources with AppArmor |
| 1.10 | Control checks the sets the seccomp profile used to sandbox containers |
| 1.11 | Control check whether disable secret token been mount ,automountServiceAccountToken: false |
| 1.12 | Control check whether Namespace kube-system is not be used by users |
| 2.0 | Control check validate the pod and/or namespace Selectors usage |
| 3.0 | Control check whether check cni plugin installed |
| 4.0 | Control check the use of ResourceQuota policy to limit aggregate resource usage within namespace |
| 4.1 | Control check the use of LimitRange policy limit resource usage for namespaces or nodes |
| 5.0 | Control check whether control plan disable insecure port |
| 5.1 | Control check whether etcd communication is encrypted |
| 6.0 | Control check whether kube config file permissions |
| 6.1 | Control checks whether encryption resource has been set |
| 6.2 | Control checks whether encryption provider has been set |
| 7.0 | Control checks whether anonymous-auth is unset |
| 7.1 | Control check whether RBAC permission is in use |
| 8.0 | Control check whether audit policy is configure |
| 8.1 | Control check whether audit log path is configure |
| 8.2 | Control check whether audit log aging is configure |
```
</details>
## CIS Bebchmark Report
The Trivy K8s CLI allows you to scan your Kubernetes cluster resources and generate the `CIS Kubernetes Benchmark` report
[CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes) report is produced by trivy and validate the following control checks :
<details>
<summary>CIS Benchmark Control Checks</summary>
```
| ID | Name |
| ------ | ------------------------------------------------------------------------------------------------------ |
| 1.2.1 | Ensure that the --anonymous-auth argument is set to false | server |
| 1.2.2 | Ensure that the --token-auth-file parameter is not set |
| 1.2.3 | Ensure that the --DenyServiceExternalIPs is not set |
| 1.2.4 | Ensure that the --kubelet-https argument is set to true |
| 1.2.5 | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set |
| 1.2.6 | Ensure that the --kubelet-certificate-authority argument is set as appropriate |
| 1.2.7 | Ensure that the --authorization-mode argument is not set to AlwaysAllow |
| 1.2.8 | Ensure that the --authorization-mode argument includes Node |
| 1.2.9 | Ensure that the --authorization-mode argument includes RBAC |
| 1.2.10 | Ensure that the admission control plugin EventRateLimit is set |
| 1.2.11 | Ensure that the admission control plugin AlwaysAdmit is not set |
| 1.2.12 | Ensure that the admission control plugin AlwaysPullImages is set |
| 1.2.13 | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used |
| 1.2.14 | Ensure that the admission control plugin ServiceAccount is set |
| 1.2.15 | Ensure that the admission control plugin NamespaceLifecycle is set |
| 1.2.16 | Ensure that the admission control plugin NodeRestriction is set |
| 1.2.17 | Ensure that the --secure-port argument is not set to 0 |
| 1.2.18 | Ensure that the --profiling argument is set to false |
| 1.2.19 | Ensure that the --audit-log-path argument is set |
| 1.2.20 | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate |
| 1.2.21 | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate |
| 1.2.22 | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate |
| 1.2.24 | Ensure that the --service-account-lookup argument is set to true |
| 1.2.25 | Ensure that the --service-account-key-file argument is set as appropriate |
| 1.2.26 | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate |
| 1.2.27 | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as |
| 1.2.28 | Ensure that the --client-ca-file argument is set appropriate |
| 1.2.29 | Ensure that the --etcd-cafile argument is set as appropriate |
| 1.2.30 | Ensure that the --encryption-provider-config argument is set as appropriate |
| 1.3.1 | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate |
| 1.3.3 | Ensure that the --use-service-account-credentials argument is set to true |
| 1.3.4 | Ensure that the --service-account-private-key-file argument is set as appropriate |
| 1.3.5 | Ensure that the --root-ca-file argument is set as appropriate |
| 1.3.6 | Ensure that the RotateKubeletServerCertificate argument is set |
| 1.3.7 | Ensure that the --bind-address argument is set to 127.0.0.1 |
| 1.4.1 | Ensure that the --profiling argument is set to false |
| 1.4.2 | Ensure that the --bind-address argument is set to 127.0.0.1 |
| 2.1 | Ensure that the --cert-file and --key-file arguments are set as appropriate |
| 2.2 | Ensure that the --client-cert-auth argument is set to true |
| 2.3 | Ensure that the --auto-tls argument is not set to true |
| 2.4 | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate |
| 2.5 | Ensure that the --peer-client-cert-auth argument is set to true |
| 2.6 | Ensure that the --peer-auto-tls argument is not set to true |
| 3.1.1 | Client certificate authentication should not be used for users (Manual) |
| 3.2.1 | Ensure that a minimal audit policy is created (Manual) |
| 3.2.2 | Ensure that the audit policy covers key security concerns (Manual) |
| 5.1.1 | Ensure that the cluster-admin role is only used where required |
| 5.1.2 | Minimize access to secrets |
| 5.1.3 | Minimize wildcard use in Roles and ClusterRoles |
| 5.1.6 | Ensure that Service Account Tokens are only mounted where necessary |
| 5.1.8 | Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster |
| 5.2.2 | Minimize the admission of privileged containers |
| 5.2.3 | Minimize the admission of containers wishing to share the host process ID namespace |
| 5.2.4 | Minimize the admission of containers wishing to share the host IPC namespace |
| 5.2.5 | Minimize the admission of containers wishing to share the host network namespace |
| 5.2.6 | Minimize the admission of containers with allowPrivilegeEscalation |
| 5.2.7 | Minimize the admission of root containers |
| 5.2.8 | Minimize the admission of containers with the NET_RAW capability |
| 5.2.9 | Minimize the admission of containers with added capabilities |
| 5.2.10 | Minimize the admission of containers with capabilities assigned |
| 5.2.11 | Minimize the admission of containers with capabilities assigned |
| 5.2.12 | Minimize the admission of HostPath volumes |
| 5.2.13 | Minimize the admission of containers which use HostPorts |
| 5.3.1 | Ensure that the CNI in use supports Network Policies (Manual) |
| 5.3.2 | Ensure that all Namespaces have Network Policies defined |
| 5.4.1 | Prefer using secrets as files over secrets as environment variables (Manual) |
| 5.4.2 | Consider external secret storage (Manual) |
| 5.5.1 | Configure Image Provenance using ImagePolicyWebhook admission controller (Manual) |
| 5.7.1 | Create administrative boundaries between resources using namespaces (Manual) |
| 5.7.2 | Ensure that the seccomp profile is set to docker/default in your pod definitions |
| 5.7.3 | Apply Security Context to Your Pods and Containers |
| 5.7.4 | The default namespace should not be used |
```
</details>
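Review bot: the heading "## CIS Bebchmark Report" is misspelled ("Benchmark"), and the two sentences of the form "report is produced by trivy and validate the following control checks :" should read "validates the following control checks:". In the CIS table, row 1.2.1 carries a third cell (`| server |`) that the two-column header does not declare, row 1.2.27 is truncated at "are set as" (1.2.26 and 1.2.29 end "as appropriate"), and rows 5.2.10 and 5.2.11 have the identical name "Minimize the admission of containers with capabilities assigned", so one of them is wrong and should be checked against the benchmark. Both control tables are wrapped in ``` fences inside `<details>`, which makes them render as preformatted text rather than as Markdown tables (the `<br/>` in NSA row 1.6 will also appear literally); if the fences are only there to keep the tables inside the collapsible block, check that the site's Markdown extensions render them as intended. Finally, the sentence "The Trivy K8s CLI allows you to scan your Kubernetes cluster resources and generate the `NSA, CISA Kubernetes Hardening Guidance` report" sits above the "## NSA Compliance Report" heading, so it ends up as the last line of the "Custom compliance report" section; move it below the heading to mirror the CIS section.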

Binary file not shown.


2
go.mod
View File

@@ -8,7 +8,7 @@ require (
github.com/NYTimes/gziphandler v1.1.1
github.com/alicebob/miniredis/v2 v2.23.0
github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
github.com/aquasecurity/defsec v0.82.6
github.com/aquasecurity/defsec v0.82.7-0.20221225070347-3a6cfb67e460
github.com/aquasecurity/go-dep-parser v0.0.0-20221208150335-299772f066c4
github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
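Review bot: the defsec requirement moves from the tagged v0.82.6 to the pseudo-version v0.82.7-0.20221225070347-3a6cfb67e460, i.e. an untagged commit. That is fine to land the feature, but a tagged defsec release should be pinned before the next Trivy release so the dependency is reproducible from a version rather than a commit hash; worth a follow-up issue or a TODO in the PR description.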

4
go.sum
View File

@@ -193,8 +193,8 @@ github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6
github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30xLN2sUZcMXl50hg+PJCIDdJgIvIbVcKqLJ/ZrtM=
github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8=
github.com/aquasecurity/defsec v0.82.6 h1:whb9ygS+cANcvGSq51s44+hY3nU6OV3VOR2Q4dIz3kc=
github.com/aquasecurity/defsec v0.82.6/go.mod h1:sUdW6pzASralDcs+CDOE+QpWfBJt3/PY1Qbg8CS5flg=
github.com/aquasecurity/defsec v0.82.7-0.20221225070347-3a6cfb67e460 h1:XHYo9HDWlrn3l+GH1ZTVUQAeP//r/iyEVUoP4Rmhuuw=
github.com/aquasecurity/defsec v0.82.7-0.20221225070347-3a6cfb67e460/go.mod h1:sUdW6pzASralDcs+CDOE+QpWfBJt3/PY1Qbg8CS5flg=
github.com/aquasecurity/go-dep-parser v0.0.0-20221208150335-299772f066c4 h1:cFQv/JghmN6dC/vuu6JbDkziwhBgLPfQvyi/TxJN+6I=
github.com/aquasecurity/go-dep-parser v0.0.0-20221208150335-299772f066c4/go.mod h1:ZCiGJgdQxCateSw3nPMwZvp9J/+nU8/3DcGY/NO71e4=
github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=

View File

@@ -20,7 +20,7 @@
"Class": "config",
"Type": "helm",
"MisconfSummary": {
"Successes": 80,
"Successes": 82,
"Failures": 2,
"Exceptions": 0
},
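Review bot: every `MisconfSummary` in this golden file gains exactly two successes (80 to 82, 82 to 84) with `Failures` unchanged, and the same +2 appears in the other two golden files touched by this commit. That shift comes from new built-in checks arriving with the defsec bump rather than from any code in this PR, so the PR description should name which checks account for it (the Terraform test expectations below suggest AVD-AWS-0180 is one) so the golden-file diff can be reviewed, and confirm the files were regenerated rather than edited by hand.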
@@ -270,7 +270,7 @@
"Class": "config",
"Type": "helm",
"MisconfSummary": {
"Successes": 82,
"Successes": 84,
"Failures": 0,
"Exceptions": 0
}
@@ -280,7 +280,7 @@
"Class": "config",
"Type": "helm",
"MisconfSummary": {
"Successes": 82,
"Successes": 84,
"Failures": 0,
"Exceptions": 0
}

View File

@@ -20,7 +20,7 @@
"Class": "config",
"Type": "helm",
"MisconfSummary": {
"Successes": 80,
"Successes": 82,
"Failures": 2,
"Exceptions": 0
},
@@ -270,7 +270,7 @@
"Class": "config",
"Type": "helm",
"MisconfSummary": {
"Successes": 82,
"Successes": 84,
"Failures": 0,
"Exceptions": 0
}
@@ -280,7 +280,7 @@
"Class": "config",
"Type": "helm",
"MisconfSummary": {
"Successes": 82,
"Successes": 84,
"Failures": 0,
"Exceptions": 0
}

View File

@@ -20,7 +20,7 @@
"Class": "config",
"Type": "helm",
"MisconfSummary": {
"Successes": 78,
"Successes": 80,
"Failures": 4,
"Exceptions": 0
},
@@ -481,7 +481,7 @@
"Class": "config",
"Type": "helm",
"MisconfSummary": {
"Successes": 82,
"Successes": 84,
"Failures": 0,
"Exceptions": 0
}
@@ -491,7 +491,7 @@
"Class": "config",
"Type": "helm",
"MisconfSummary": {
"Successes": 82,
"Successes": 84,
"Failures": 0,
"Exceptions": 0
}

View File

@@ -92,6 +92,8 @@ nav:
- Virtual Machine Image:
- Overview: docs/vm/index.md
- AWS EC2: docs/vm/aws.md
- Compliance:
- Reports: docs/compliance/compliance.md
- SBOM:
- Overview: docs/sbom/index.md
- Supported: docs/sbom/supported.md

View File

@@ -755,7 +755,7 @@ func NewKubernetesCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
reportFlagGroup := flag.NewReportFlagGroup()
compliance := flag.ComplianceFlag
compliance.Usage += fmt.Sprintf(" (%s)", types.ComplianceNsa)
compliance.Usage += fmt.Sprintf(" (%s,%s)", types.ComplianceNsa, types.ComplianceCIS)
reportFlagGroup.Compliance = &compliance // override usage as the accepted values differ for each subcommand.
k8sFlags := &flag.Flags{
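Review bot: the usage string now reads "(nsa,cis)", but the documentation added in this same commit also describes passing a custom spec via `--compliance=@/path/to/spec.yaml`; since this line exists precisely to override the generic usage with the accepted values for the `k8s` subcommand, it should mention the `@<path>` form as well, otherwise `--help` under-reports what the flag accepts.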

View File

@@ -391,6 +391,24 @@ func TestTerraformMisconfigurationScan(t *testing.T) {
Code: types.Code{Lines: []types.Line(nil)},
}, Traces: []string(nil),
},
{
Namespace: "builtin.aws.rds.aws0180",
Query: "data.builtin.aws.rds.aws0180.deny",
PolicyMetadata: types.PolicyMetadata{
ID: "N/A",
AVDID: "AVD-AWS-0180",
Type: "Terraform Security Check",
Title: "RDS Publicly Accessible",
Description: "Ensures RDS instances are not launched into the public cloud.",
Severity: "HIGH",
RecommendedActions: "Remove the public endpoint from the RDS instance'",
References: []string{"http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.html"},
},
CauseMetadata: types.CauseMetadata{
Resource: "", Provider: "AWS", Service: "rds", StartLine: 0, EndLine: 0,
Code: types.Code{Lines: []types.Line(nil)},
}, Traces: []string(nil),
},
},
},
{
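Review bot: the new expected entry for `builtin.aws.rds.aws0180` has a stray trailing apostrophe in `RecommendedActions: "Remove the public endpoint from the RDS instance'"`, and its `Description` ("not launched into the public cloud") does not describe the check (public accessibility of the instance); both strings come from the policy metadata in defsec, so they should be fixed upstream rather than baked into these expectations. Style-wise, the entry spells out zero values (`Resource: ""`, `StartLine: 0, EndLine: 0`, `Code: types.Code{Lines: []types.Line(nil)}`, `Traces: []string(nil)`) on a single line, while the neighbouring aws0176/aws0177 entries set only `Provider` and `Service`; drop the zero-valued fields and use the same one-field-per-line layout so the table stays uniform. The same entry is repeated verbatim in the hunks below, so the fix applies to each copy.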
@@ -429,9 +447,9 @@ func TestTerraformMisconfigurationScan(t *testing.T) {
want: types.ArtifactReference{
Name: "testdata/misconfig/terraform/single-failure/src",
Type: types.ArtifactFilesystem,
ID: "sha256:c489d24f0bf3e58d86c9d5d9fadfe5a78826a7cc98235a4519c97ad3565eee17",
ID: "sha256:7695efb9660d47bc53851aea5ca7d7e1bb1c90c22a18e8fd37b6d0634a03b69d",
BlobIDs: []string{
"sha256:c489d24f0bf3e58d86c9d5d9fadfe5a78826a7cc98235a4519c97ad3565eee17",
"sha256:7695efb9660d47bc53851aea5ca7d7e1bb1c90c22a18e8fd37b6d0634a03b69d",
},
},
},
@@ -493,6 +511,24 @@ func TestTerraformMisconfigurationScan(t *testing.T) {
Service: "rds",
},
},
{
Namespace: "builtin.aws.rds.aws0180",
Query: "data.builtin.aws.rds.aws0180.deny",
PolicyMetadata: types.PolicyMetadata{
ID: "N/A",
AVDID: "AVD-AWS-0180",
Type: "Terraform Security Check",
Title: "RDS Publicly Accessible",
Description: "Ensures RDS instances are not launched into the public cloud.",
Severity: "HIGH",
RecommendedActions: "Remove the public endpoint from the RDS instance'",
References: []string{"http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.html"},
},
CauseMetadata: types.CauseMetadata{
Resource: "", Provider: "AWS", Service: "rds", StartLine: 0, EndLine: 0,
Code: types.Code{Lines: []types.Line(nil)},
}, Traces: []string(nil),
},
},
},
{
@@ -580,9 +616,9 @@ func TestTerraformMisconfigurationScan(t *testing.T) {
want: types.ArtifactReference{
Name: "testdata/misconfig/terraform/multiple-failures/src",
Type: types.ArtifactFilesystem,
ID: "sha256:b5a4f680b5b7fbf9125f9d2209015e39c8eb30acc5daad9423b44089a5b48f5f",
ID: "sha256:61728a22aeefbe2b0f30bdb01ee623cb16b64488eaa6e0b1d488a47b2bd4c3fb",
BlobIDs: []string{
"sha256:b5a4f680b5b7fbf9125f9d2209015e39c8eb30acc5daad9423b44089a5b48f5f",
"sha256:61728a22aeefbe2b0f30bdb01ee623cb16b64488eaa6e0b1d488a47b2bd4c3fb",
},
},
},
@@ -674,6 +710,24 @@ func TestTerraformMisconfigurationScan(t *testing.T) {
Service: "rds",
},
},
{
Namespace: "builtin.aws.rds.aws0180",
Query: "data.builtin.aws.rds.aws0180.deny",
PolicyMetadata: types.PolicyMetadata{
ID: "N/A",
AVDID: "AVD-AWS-0180",
Type: "Terraform Security Check",
Title: "RDS Publicly Accessible",
Description: "Ensures RDS instances are not launched into the public cloud.",
Severity: "HIGH",
RecommendedActions: "Remove the public endpoint from the RDS instance'",
References: []string{"http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.html"},
},
CauseMetadata: types.CauseMetadata{
Resource: "", Provider: "AWS", Service: "rds", StartLine: 0, EndLine: 0,
Code: types.Code{Lines: []types.Line(nil)},
}, Traces: []string(nil),
},
{
Namespace: "user.something",
Query: "data.user.something.deny",
@@ -702,9 +756,9 @@ func TestTerraformMisconfigurationScan(t *testing.T) {
want: types.ArtifactReference{
Name: "testdata/misconfig/terraform/passed/src",
Type: types.ArtifactFilesystem,
ID: "sha256:8b0f0a9c59edc58b713bab8b7e28b56c7fcc9879dab6914df8fc7fd5d38822c5",
ID: "sha256:0e792318cb431f2306399f28038a09f7ccbe3cb46d77f13b9f4c5da74fd03c61",
BlobIDs: []string{
"sha256:8b0f0a9c59edc58b713bab8b7e28b56c7fcc9879dab6914df8fc7fd5d38822c5",
"sha256:0e792318cb431f2306399f28038a09f7ccbe3cb46d77f13b9f4c5da74fd03c61",
},
},
},
@@ -739,253 +793,289 @@ func TestCloudFormationMisconfigurationScan(t *testing.T) {
want types.ArtifactReference
}{
{
name: "single failure",
fields: fields{
dir: "./testdata/misconfig/cloudformation/single-failure/src",
},
artifactOpt: artifact.Option{
MisconfScannerOption: config.ScannerOption{
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/cloudformation/single-failure/rego"},
},
},
putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
Args: cache.ArtifactCachePutBlobArgs{
BlobIDAnything: true,
BlobInfo: types.BlobInfo{
SchemaVersion: 2,
Misconfigurations: []types.Misconfiguration{
{
FileType: "cloudformation",
FilePath: "main.yaml",
Successes: types.MisconfResults{
{
Namespace: "builtin.aws.rds.aws0176",
Query: "data.builtin.aws.rds.aws0176.deny",
PolicyMetadata: types.PolicyMetadata{
ID: "N/A",
AVDID: "AVD-AWS-0176",
Type: "CloudFormation Security Check",
Title: "RDS IAM Database Authentication Disabled",
Description: "Ensure IAM Database Authentication is enabled for RDS database instances to manage database access",
Severity: "MEDIUM",
RecommendedActions: "Modify the PostgreSQL and MySQL type RDS instances to enable IAM database authentication.",
References: []string{"https://docs.aws.amazon.com/neptune/latest/userguide/iam-auth.html"},
},
CauseMetadata: types.CauseMetadata{
Provider: "AWS",
Service: "rds",
},
},
{
Namespace: "builtin.aws.rds.aws0177",
Query: "data.builtin.aws.rds.aws0177.deny",
PolicyMetadata: types.PolicyMetadata{
ID: "N/A",
AVDID: "AVD-AWS-0177",
Type: "CloudFormation Security Check",
Title: "RDS Deletion Protection Disabled",
Description: "Ensure deletion protection is enabled for RDS database instances.",
Severity: "MEDIUM",
RecommendedActions: "Modify the RDS instances to enable deletion protection.",
References: []string{"https://aws.amazon.com/about-aws/whats-new/2018/09/amazon-rds-now-provides-database-deletion-protection/"},
},
CauseMetadata: types.CauseMetadata{
Provider: "AWS",
Service: "rds",
},
},
},
Failures: types.MisconfResults{
{
Namespace: "user.something",
Query: "data.user.something.deny",
Message: "No buckets allowed!",
PolicyMetadata: types.PolicyMetadata{
ID: "TEST001",
AVDID: "AVD-TEST-0001",
Type: "CloudFormation Security Check",
Title: "Test policy",
Description: "This is a test policy.",
Severity: "LOW",
RecommendedActions: "Have a cup of tea.",
References: []string{"https://trivy.dev/"},
},
CauseMetadata: types.CauseMetadata{
Resource: "main.yaml:3-6",
Provider: "Generic",
Service: "general",
StartLine: 3,
EndLine: 6,
},
},
},
},
},
},
},
Returns: cache.ArtifactCachePutBlobReturns{},
},
want: types.ArtifactReference{
Name: "testdata/misconfig/cloudformation/single-failure/src",
Type: types.ArtifactFilesystem,
ID: "sha256:6504ec9ca79c48ec9e993d0cff076c4954843b95f1b1664ec0be2d8c986cbe8d",
BlobIDs: []string{
"sha256:6504ec9ca79c48ec9e993d0cff076c4954843b95f1b1664ec0be2d8c986cbe8d",
},
},
},
{
name: "multiple failures",
fields: fields{
dir: "./testdata/misconfig/cloudformation/multiple-failures/src",
},
artifactOpt: artifact.Option{
MisconfScannerOption: config.ScannerOption{
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/cloudformation/multiple-failures/rego"},
},
},
putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
Args: cache.ArtifactCachePutBlobArgs{
BlobIDAnything: true,
BlobInfo: types.BlobInfo{
SchemaVersion: 2,
Misconfigurations: []types.Misconfiguration{
{
FileType: "cloudformation",
FilePath: "main.yaml",
Successes: types.MisconfResults{
{
Namespace: "builtin.aws.rds.aws0176",
Query: "data.builtin.aws.rds.aws0176.deny",
PolicyMetadata: types.PolicyMetadata{
ID: "N/A",
AVDID: "AVD-AWS-0176",
Type: "CloudFormation Security Check",
Title: "RDS IAM Database Authentication Disabled",
Description: "Ensure IAM Database Authentication is enabled for RDS database instances to manage database access",
Severity: "MEDIUM",
RecommendedActions: "Modify the PostgreSQL and MySQL type RDS instances to enable IAM database authentication.",
References: []string{"https://docs.aws.amazon.com/neptune/latest/userguide/iam-auth.html"},
},
CauseMetadata: types.CauseMetadata{
Provider: "AWS",
Service: "rds",
},
},
{
Namespace: "builtin.aws.rds.aws0177",
Query: "data.builtin.aws.rds.aws0177.deny",
PolicyMetadata: types.PolicyMetadata{
ID: "N/A",
AVDID: "AVD-AWS-0177",
Type: "CloudFormation Security Check",
Title: "RDS Deletion Protection Disabled",
Description: "Ensure deletion protection is enabled for RDS database instances.",
Severity: "MEDIUM",
RecommendedActions: "Modify the RDS instances to enable deletion protection.",
References: []string{"https://aws.amazon.com/about-aws/whats-new/2018/09/amazon-rds-now-provides-database-deletion-protection/"},
},
CauseMetadata: types.CauseMetadata{
Provider: "AWS",
Service: "rds",
},
},
},
Failures: types.MisconfResults{
types.MisconfResult{
Namespace: "user.something",
Query: "data.user.something.deny",
Message: "No buckets allowed!",
PolicyMetadata: types.PolicyMetadata{
ID: "TEST001",
AVDID: "AVD-TEST-0001",
Type: "CloudFormation Security Check",
Title: "Test policy",
Description: "This is a test policy.",
Severity: "LOW",
RecommendedActions: "Have a cup of tea.",
References: []string{"https://trivy.dev/"},
},
CauseMetadata: types.CauseMetadata{
Resource: "main.yaml:2-5",
Provider: "Generic",
Service: "general",
StartLine: 2,
EndLine: 5,
},
},
{
Namespace: "user.something",
Query: "data.user.something.deny",
Message: "No buckets allowed!",
PolicyMetadata: types.PolicyMetadata{
ID: "TEST001",
AVDID: "AVD-TEST-0001",
Type: "CloudFormation Security Check",
Title: "Test policy",
Description: "This is a test policy.",
Severity: "LOW",
RecommendedActions: "Have a cup of tea.",
References: []string{"https://trivy.dev/"},
},
CauseMetadata: types.CauseMetadata{
Resource: "main.yaml:6-9",
Provider: "Generic",
Service: "general",
StartLine: 6,
EndLine: 9,
},
},
},
},
},
},
},
Returns: cache.ArtifactCachePutBlobReturns{},
},
want: types.ArtifactReference{
Name: "testdata/misconfig/cloudformation/multiple-failures/src",
Type: types.ArtifactFilesystem,
ID: "sha256:6da37a417407a0fe4116da5992809aaf58ce933cec84262acb1eae2411fb3115",
BlobIDs: []string{
"sha256:6da37a417407a0fe4116da5992809aaf58ce933cec84262acb1eae2411fb3115",
},
},
},
{
name: "no results",
fields: fields{
dir: "./testdata/misconfig/cloudformation/no-results/src",
},
artifactOpt: artifact.Option{
MisconfScannerOption: config.ScannerOption{
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/cloudformation/no-results/rego"},
},
},
putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
Args: cache.ArtifactCachePutBlobArgs{
BlobIDAnything: true,
BlobInfo: types.BlobInfo{
SchemaVersion: types.BlobJSONSchemaVersion,
},
},
Returns: cache.ArtifactCachePutBlobReturns{},
},
want: types.ArtifactReference{
Name: "testdata/misconfig/cloudformation/no-results/src",
Type: types.ArtifactFilesystem,
ID: "sha256:6612c1db6d6c52c11de53447264b552ee96bf9cc317de37b3374687a8fc4c4ac",
BlobIDs: []string{
"sha256:6612c1db6d6c52c11de53447264b552ee96bf9cc317de37b3374687a8fc4c4ac",
},
},
},
name: "single failure",
fields: fields{
dir: "./testdata/misconfig/cloudformation/single-failure/src",
},
artifactOpt: artifact.Option{
MisconfScannerOption: config.ScannerOption{
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/cloudformation/single-failure/rego"},
},
},
putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
Args: cache.ArtifactCachePutBlobArgs{
BlobIDAnything: true,
BlobInfo: types.BlobInfo{
SchemaVersion: 2,
Misconfigurations: []types.Misconfiguration{
{
FileType: "cloudformation",
FilePath: "main.yaml",
Successes: types.MisconfResults{
{
Namespace: "builtin.aws.rds.aws0176",
Query: "data.builtin.aws.rds.aws0176.deny",
PolicyMetadata: types.PolicyMetadata{
ID: "N/A",
AVDID: "AVD-AWS-0176",
Type: "CloudFormation Security Check",
Title: "RDS IAM Database Authentication Disabled",
Description: "Ensure IAM Database Authentication is enabled for RDS database instances to manage database access",
Severity: "MEDIUM",
RecommendedActions: "Modify the PostgreSQL and MySQL type RDS instances to enable IAM database authentication.",
References: []string{"https://docs.aws.amazon.com/neptune/latest/userguide/iam-auth.html"},
},
CauseMetadata: types.CauseMetadata{
Provider: "AWS",
Service: "rds",
},
},
{
Namespace: "builtin.aws.rds.aws0177",
Query: "data.builtin.aws.rds.aws0177.deny",
PolicyMetadata: types.PolicyMetadata{
ID: "N/A",
AVDID: "AVD-AWS-0177",
Type: "CloudFormation Security Check",
Title: "RDS Deletion Protection Disabled",
Description: "Ensure deletion protection is enabled for RDS database instances.",
Severity: "MEDIUM",
RecommendedActions: "Modify the RDS instances to enable deletion protection.",
References: []string{"https://aws.amazon.com/about-aws/whats-new/2018/09/amazon-rds-now-provides-database-deletion-protection/"},
},
CauseMetadata: types.CauseMetadata{
Provider: "AWS",
Service: "rds",
},
},
{
Namespace: "builtin.aws.rds.aws0180",
Query: "data.builtin.aws.rds.aws0180.deny",
PolicyMetadata: types.PolicyMetadata{
ID: "N/A",
AVDID: "AVD-AWS-0180",
Type: "CloudFormation Security Check",
Title: "RDS Publicly Accessible",
Description: "Ensures RDS instances are not launched into the public cloud.",
Severity: "HIGH",
RecommendedActions: "Remove the public endpoint from the RDS instance'",
References: []string{"http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.html"},
},
CauseMetadata: types.CauseMetadata{
Resource: "", Provider: "AWS", Service: "rds", StartLine: 0, EndLine: 0,
Code: types.Code{Lines: []types.Line(nil)},
}, Traces: []string(nil),
},
},
Failures: types.MisconfResults{
{
Namespace: "user.something",
Query: "data.user.something.deny",
Message: "No buckets allowed!",
PolicyMetadata: types.PolicyMetadata{
ID: "TEST001",
AVDID: "AVD-TEST-0001",
Type: "CloudFormation Security Check",
Title: "Test policy",
Description: "This is a test policy.",
Severity: "LOW",
RecommendedActions: "Have a cup of tea.",
References: []string{"https://trivy.dev/"},
},
CauseMetadata: types.CauseMetadata{
Resource: "main.yaml:3-6",
Provider: "Generic",
Service: "general",
StartLine: 3,
EndLine: 6,
},
},
},
},
},
},
},
Returns: cache.ArtifactCachePutBlobReturns{},
},
want: types.ArtifactReference{
Name: "testdata/misconfig/cloudformation/single-failure/src",
Type: types.ArtifactFilesystem,
ID: "sha256:793d3e4cb82fa4d73e62267c358bd038b453fca36297064e5d240d5809ad241e",
BlobIDs: []string{
"sha256:793d3e4cb82fa4d73e62267c358bd038b453fca36297064e5d240d5809ad241e",
},
},
},
{
name: "multiple failures",
fields: fields{
dir: "./testdata/misconfig/cloudformation/multiple-failures/src",
},
artifactOpt: artifact.Option{
MisconfScannerOption: config.ScannerOption{
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/cloudformation/multiple-failures/rego"},
},
},
putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
Args: cache.ArtifactCachePutBlobArgs{
BlobIDAnything: true,
BlobInfo: types.BlobInfo{
SchemaVersion: 2,
Misconfigurations: []types.Misconfiguration{
{
FileType: "cloudformation",
FilePath: "main.yaml",
Successes: types.MisconfResults{
{
Namespace: "builtin.aws.rds.aws0176",
Query: "data.builtin.aws.rds.aws0176.deny",
PolicyMetadata: types.PolicyMetadata{
ID: "N/A",
AVDID: "AVD-AWS-0176",
Type: "CloudFormation Security Check",
Title: "RDS IAM Database Authentication Disabled",
Description: "Ensure IAM Database Authentication is enabled for RDS database instances to manage database access",
Severity: "MEDIUM",
RecommendedActions: "Modify the PostgreSQL and MySQL type RDS instances to enable IAM database authentication.",
References: []string{"https://docs.aws.amazon.com/neptune/latest/userguide/iam-auth.html"},
},
CauseMetadata: types.CauseMetadata{
Provider: "AWS",
Service: "rds",
},
},
{
Namespace: "builtin.aws.rds.aws0177",
Query: "data.builtin.aws.rds.aws0177.deny",
PolicyMetadata: types.PolicyMetadata{
ID: "N/A",
AVDID: "AVD-AWS-0177",
Type: "CloudFormation Security Check",
Title: "RDS Deletion Protection Disabled",
Description: "Ensure deletion protection is enabled for RDS database instances.",
Severity: "MEDIUM",
RecommendedActions: "Modify the RDS instances to enable deletion protection.",
References: []string{"https://aws.amazon.com/about-aws/whats-new/2018/09/amazon-rds-now-provides-database-deletion-protection/"},
},
CauseMetadata: types.CauseMetadata{
Provider: "AWS",
Service: "rds",
},
},
{
Namespace: "builtin.aws.rds.aws0180",
Query: "data.builtin.aws.rds.aws0180.deny",
PolicyMetadata: types.PolicyMetadata{
ID: "N/A",
AVDID: "AVD-AWS-0180",
Type: "CloudFormation Security Check",
Title: "RDS Publicly Accessible",
Description: "Ensures RDS instances are not launched into the public cloud.",
Severity: "HIGH",
RecommendedActions: "Remove the public endpoint from the RDS instance'",
References: []string{"http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.html"},
},
CauseMetadata: types.CauseMetadata{
Resource: "", Provider: "AWS", Service: "rds", StartLine: 0, EndLine: 0,
Code: types.Code{Lines: []types.Line(nil)},
}, Traces: []string(nil),
},
},
Failures: types.MisconfResults{
types.MisconfResult{
Namespace: "user.something",
Query: "data.user.something.deny",
Message: "No buckets allowed!",
PolicyMetadata: types.PolicyMetadata{
ID: "TEST001",
AVDID: "AVD-TEST-0001",
Type: "CloudFormation Security Check",
Title: "Test policy",
Description: "This is a test policy.",
Severity: "LOW",
RecommendedActions: "Have a cup of tea.",
References: []string{"https://trivy.dev/"},
},
CauseMetadata: types.CauseMetadata{
Resource: "main.yaml:2-5",
Provider: "Generic",
Service: "general",
StartLine: 2,
EndLine: 5,
},
},
{
Namespace: "user.something",
Query: "data.user.something.deny",
Message: "No buckets allowed!",
PolicyMetadata: types.PolicyMetadata{
ID: "TEST001",
AVDID: "AVD-TEST-0001",
Type: "CloudFormation Security Check",
Title: "Test policy",
Description: "This is a test policy.",
Severity: "LOW",
RecommendedActions: "Have a cup of tea.",
References: []string{"https://trivy.dev/"},
},
CauseMetadata: types.CauseMetadata{
Resource: "main.yaml:6-9",
Provider: "Generic",
Service: "general",
StartLine: 6,
EndLine: 9,
},
},
},
},
},
},
},
Returns: cache.ArtifactCachePutBlobReturns{},
},
want: types.ArtifactReference{
Name: "testdata/misconfig/cloudformation/multiple-failures/src",
Type: types.ArtifactFilesystem,
ID: "sha256:49edf1eecd461fd56eccb1221aaff26c0c5939f2d8128e9cb867cc8e7552b8aa",
BlobIDs: []string{
"sha256:49edf1eecd461fd56eccb1221aaff26c0c5939f2d8128e9cb867cc8e7552b8aa",
},
},
},
{
name: "no results",
fields: fields{
dir: "./testdata/misconfig/cloudformation/no-results/src",
},
artifactOpt: artifact.Option{
MisconfScannerOption: config.ScannerOption{
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/cloudformation/no-results/rego"},
},
},
putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
Args: cache.ArtifactCachePutBlobArgs{
BlobIDAnything: true,
BlobInfo: types.BlobInfo{
SchemaVersion: types.BlobJSONSchemaVersion,
},
},
Returns: cache.ArtifactCachePutBlobReturns{},
},
want: types.ArtifactReference{
Name: "testdata/misconfig/cloudformation/no-results/src",
Type: types.ArtifactFilesystem,
ID: "sha256:6612c1db6d6c52c11de53447264b552ee96bf9cc317de37b3374687a8fc4c4ac",
BlobIDs: []string{
"sha256:6612c1db6d6c52c11de53447264b552ee96bf9cc317de37b3374687a8fc4c4ac",
},
},
},
{
name: "passed",
fields: fields{
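Review bot: the expectation for the aws0180 entry in each new case (the `Resource: "", Provider: "AWS", Service: "rds", StartLine: 0, EndLine: 0,` / `Code: types.Code{Lines: []types.Line(nil)},` / `}, Traces: []string(nil),` block) is pasted in go-cmp dump style with every zero-valued field spelled out, while the neighbouring aws0176/aws0177 entries only set `Provider` and `Service`; trim it to the non-zero fields so the three built-in results read the same. Two smaller consistency points in the same hunk: the first failure of the "multiple failures" case is written as `types.MisconfResult{` where every other element uses the elided `{` form (gofmt -s flags this), and the "no results" case uses `SchemaVersion: types.BlobJSONSchemaVersion` while the two cases above hard-code `SchemaVersion: 2`; pick one form and use it throughout the table.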
@@ -1044,6 +1134,24 @@ func TestCloudFormationMisconfigurationScan(t *testing.T) {
Service: "rds",
},
},
{
Namespace: "builtin.aws.rds.aws0180",
Query: "data.builtin.aws.rds.aws0180.deny",
PolicyMetadata: types.PolicyMetadata{
ID: "N/A",
AVDID: "AVD-AWS-0180",
Type: "CloudFormation Security Check",
Title: "RDS Publicly Accessible",
Description: "Ensures RDS instances are not launched into the public cloud.",
Severity: "HIGH",
RecommendedActions: "Remove the public endpoint from the RDS instance'",
References: []string{"http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.html"},
},
CauseMetadata: types.CauseMetadata{
Resource: "", Provider: "AWS", Service: "rds", StartLine: 0, EndLine: 0,
Code: types.Code{Lines: []types.Line(nil)},
}, Traces: []string(nil),
},
{
Namespace: "user.something",
Query: "data.user.something.deny",
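Review bot: `RecommendedActions: "Remove the public endpoint from the RDS instance'"` in the new aws0180 expectation carries a stray trailing apostrophe. If that string is copied verbatim from the built-in check's metadata, the typo lives upstream and will be printed in every report's remediation column; it is better fixed at the source (and then here) than baked into the test expectation, where it will silently break the test the moment the check text is corrected.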
@@ -1072,9 +1180,9 @@ func TestCloudFormationMisconfigurationScan(t *testing.T) {
want: types.ArtifactReference{
Name: "testdata/misconfig/cloudformation/passed/src",
Type: types.ArtifactFilesystem,
ID: "sha256:3b0a4c2f8cd71e7d3a81fe535e89b3524710c47ea219575ce3f6d1d6a87595a2",
ID: "sha256:a923fba51d802d1634246662e2e674b4abbce3ed796c8cfd4839f287dfd9033e",
BlobIDs: []string{
"sha256:3b0a4c2f8cd71e7d3a81fe535e89b3524710c47ea219575ce3f6d1d6a87595a2",
"sha256:a923fba51d802d1634246662e2e674b4abbce3ed796c8cfd4839f287dfd9033e",
},
},
},
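Review bot: the `ID` and `BlobIDs` digests for the "passed" case change here only because a new built-in check (AVD-AWS-0180) now appears in `Successes`, and the same hand-edited swap is repeated for each of the Azure ARM cases further down. If the artifact ID is a digest over the whole `BlobInfo`, every bump of the bundled policies will churn these constants across the file; consider either relaxing the ID assertion the way `BlobIDAnything: true` already does for the cache call, or deriving the expected digest in the test from the expected `BlobInfo`, so that policy updates do not require retyping sha256 strings in a dozen places.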
@@ -1665,6 +1773,24 @@ func TestAzureARMMisconfigurationScan(t *testing.T) {
Service: "rds",
},
},
{
Namespace: "builtin.aws.rds.aws0180",
Query: "data.builtin.aws.rds.aws0180.deny",
PolicyMetadata: types.PolicyMetadata{
ID: "N/A",
AVDID: "AVD-AWS-0180",
Type: "Azure ARM Security Check",
Title: "RDS Publicly Accessible",
Description: "Ensures RDS instances are not launched into the public cloud.",
Severity: "HIGH",
RecommendedActions: "Remove the public endpoint from the RDS instance'",
References: []string{"http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.html"},
},
CauseMetadata: types.CauseMetadata{
Resource: "", Provider: "AWS", Service: "rds", StartLine: 0, EndLine: 0,
Code: types.Code{Lines: []types.Line(nil)},
}, Traces: []string(nil),
},
},
Failures: types.MisconfResults{
{
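Review bot: `builtin.aws.rds.aws0180` (`Provider: "AWS"`, `Service: "rds"`) is now expected to appear as a passing result in the Azure ARM single-failure scan, labelled `Type: "Azure ARM Security Check"`. An AWS RDS check cannot apply to an ARM template, so reporting it as a success is noise at best and misleading in a compliance report; the check should be scoped to the AWS provider (or filtered by input type on the scanner side) rather than encoded here as expected behaviour. The same expectation is repeated for the multiple-failures and passed Azure ARM cases below, so one fix in the scanner or policy selector would remove all three.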
@@ -1699,9 +1825,9 @@ func TestAzureARMMisconfigurationScan(t *testing.T) {
want: types.ArtifactReference{
Name: "testdata/misconfig/azurearm/single-failure/src",
Type: types.ArtifactFilesystem,
ID: "sha256:22fc5cecab78634bc975b601ea5df0018f850b92702db94cecd13c09c9854a86",
ID: "sha256:50155d7398d717aac20a616af8ac17964d20a24f5423b868871005dfa2cf4a61",
BlobIDs: []string{
"sha256:22fc5cecab78634bc975b601ea5df0018f850b92702db94cecd13c09c9854a86",
"sha256:50155d7398d717aac20a616af8ac17964d20a24f5423b868871005dfa2cf4a61",
},
},
},
@@ -1763,6 +1889,24 @@ func TestAzureARMMisconfigurationScan(t *testing.T) {
Service: "rds",
},
},
{
Namespace: "builtin.aws.rds.aws0180",
Query: "data.builtin.aws.rds.aws0180.deny",
PolicyMetadata: types.PolicyMetadata{
ID: "N/A",
AVDID: "AVD-AWS-0180",
Type: "Azure ARM Security Check",
Title: "RDS Publicly Accessible",
Description: "Ensures RDS instances are not launched into the public cloud.",
Severity: "HIGH",
RecommendedActions: "Remove the public endpoint from the RDS instance'",
References: []string{"http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.html"},
},
CauseMetadata: types.CauseMetadata{
Resource: "", Provider: "AWS", Service: "rds", StartLine: 0, EndLine: 0,
Code: types.Code{Lines: []types.Line(nil)},
}, Traces: []string(nil),
},
},
Failures: types.MisconfResults{
{
@@ -1819,9 +1963,9 @@ func TestAzureARMMisconfigurationScan(t *testing.T) {
want: types.ArtifactReference{
Name: "testdata/misconfig/azurearm/multiple-failures/src",
Type: types.ArtifactFilesystem,
ID: "sha256:3e7aacf9f4fd44c0ff9df212da350ef74283114baf823b677ffdecd11a4d5ed0",
ID: "sha256:e31c260a87a099d00acc76b7afe5d6a88e18c5e0fd26153d15e1b4f491b7c42c",
BlobIDs: []string{
"sha256:3e7aacf9f4fd44c0ff9df212da350ef74283114baf823b677ffdecd11a4d5ed0",
"sha256:e31c260a87a099d00acc76b7afe5d6a88e18c5e0fd26153d15e1b4f491b7c42c",
},
},
},
@@ -1912,6 +2056,24 @@ func TestAzureARMMisconfigurationScan(t *testing.T) {
Service: "rds",
},
},
{
Namespace: "builtin.aws.rds.aws0180",
Query: "data.builtin.aws.rds.aws0180.deny",
PolicyMetadata: types.PolicyMetadata{
ID: "N/A",
AVDID: "AVD-AWS-0180",
Type: "Azure ARM Security Check",
Title: "RDS Publicly Accessible",
Description: "Ensures RDS instances are not launched into the public cloud.",
Severity: "HIGH",
RecommendedActions: "Remove the public endpoint from the RDS instance'",
References: []string{"http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.html"},
},
CauseMetadata: types.CauseMetadata{
Resource: "", Provider: "AWS", Service: "rds", StartLine: 0, EndLine: 0,
Code: types.Code{Lines: []types.Line(nil)},
}, Traces: []string(nil),
},
{
Namespace: "user.something",
Query: "data.user.something.deny",
@@ -1940,9 +2102,9 @@ func TestAzureARMMisconfigurationScan(t *testing.T) {
want: types.ArtifactReference{
Name: "testdata/misconfig/azurearm/passed/src",
Type: types.ArtifactFilesystem,
ID: "sha256:90db6162959dae5bf9a06e03aac98dd2f5e0fe5a5be68984e1b895b646419b82",
ID: "sha256:e9289e2efc545895a2199fab4583d5f3ef52c20eda1afcf4b0505bb2014ba3e4",
BlobIDs: []string{
"sha256:90db6162959dae5bf9a06e03aac98dd2f5e0fe5a5be68984e1b895b646419b82",
"sha256:e9289e2efc545895a2199fab4583d5f3ef52c20eda1afcf4b0505bb2014ba3e4",
},
},
},

View File

@@ -8,7 +8,7 @@ import (
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
)
var Compliances = []string{ComplianceNsa, ComplianceAWSCIS12, ComplianceAWSCIS14}
var Compliances = []string{ComplianceNsa, ComplianceCIS, ComplianceAWSCIS12, ComplianceAWSCIS14}
// Report represents a scan result
type Report struct {
@@ -52,6 +52,7 @@ const (
// ComplianceNsa is the compliance checks for nsa
ComplianceNsa = Compliance("nsa")
ComplianceCIS = Compliance("cis")
ComplianceAWSCIS12 = Compliance("awscis1.2")
ComplianceAWSCIS14 = Compliance("awscis1.4")
)
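Review bot: `ComplianceCIS` is the only constant in this block without a doc comment; `ComplianceNsa` directly above has one, so add a matching line such as `// ComplianceCIS is the compliance checks for the CIS benchmark`. The spec name `cis` is also underspecified next to its siblings `awscis1.2` and `awscis1.4`: it carries neither a platform nor a benchmark version, so a later CIS spec for another platform, or a newer revision of this benchmark, has no natural name. If this spec targets one platform and one benchmark release, encode both in the string (`<platform>cis<version>`) to keep the scheme consistent with the AWS entries.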