gitea-mirror/trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2025-12-12 15:50:15 -08:00
Code Issues Packages Projects Releases Wiki Activity

docs(misconf): add comparison with Conftest and tfsec (#1111)

Browse Source
This commit is contained in:
Teppei Fukuda
2021-07-12 13:43:39 +03:00
committed by GitHub
parent 47d600a9b4
commit dea3428804
5 changed files with 74 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
.github/workflows/mkdocs-dev.yaml vendored
View File

@@ -4,8 +4,8 @@ on:
paths:
- 'docs/**'
- mkdocs.yml
# branches:
# - main
branches:
- main
jobs:
deploy:
name: Deploy the dev documentation

43
docs/misconfiguration/comparison/conftest.md Normal file
View File

@@ -0,0 +1,43 @@
# vs Conftest
[Conftest][conftest] is a really nice tool to help you write tests against structured configuration data.
Misconfiguration detection in Trivy is heavily inspired by Conftest and provides similar features Conftest has.
This section describes the differences between Trivy and Conftest.
| Feature | Trivy | Conftest |
| --------------------------- | -------------------- | -------------------- |
| Support Rego Language | :material-check: | :material-check: |
| Built-in Policies | :material-check: | :material-close: |
| Custom Policies | :material-check: | :material-check: |
| Custom Data | :material-check: | :material-check: |
| Combine | :material-check: | :material-check: |
| Combine per Policy | :material-check: | :material-close: |
| Policy Input Selector[^1] | :material-check: | :material-close: |
| Policy Metadata[^2] | :material-check: | :material-close:[^3] |
| Filtering by Severity | :material-check: | :material-close: |
| Rule-based Exceptions | :material-check: | :material-check: |
| Namespace-based Exceptions | :material-check: | :material-close: |
| Sharing Policies | :material-close: | :material-check: |
| Show Successes | :material-check: | :material-close: |
| Flexible Exit Code | :material-check: | :material-close: |
| Rego Unit Tests | :material-close:[^4] | :material-check: |
| Go Testing | :material-check: | :material-close: |
| Verbose Trace | :material-check: | :material-check: |
| Supported Formats | 6 formats[^5] | 14 formats[^6] |
Trivy offers built-in policies and a variety of options, while Conftest only supports custom policies.
In other words, Conftest is simpler and lighter.
Conftest is a general testing tool for configuration files, and Trivy is more security-focused.
People who need an out-of-the-box misconfiguration scanner should use Trivy.
People who don't need built-in policies and write your policies should use Conftest.
[^1]: Pass only the types of configuration file as input, specified in selector
[^2]: To enrich the results such as ID, Title, Description, etc.
[^3]: Conftest supports [structured errors in rules][conftest-structured], but they are free format and not natively supported by Conftest.
[^4]: Trivy is not able to run `*_test.rego` like `conftest verify`.
[^5]: Dockerfile, HCL, HCL2, JSON, TOML, and YAML
[^6]: CUE, Dockerfile, EDN, HCL, HCL2, HOCON, Ignore files, INI, JSON, Jsonnet, TOML, VCL, XML, and YAML
[conftest-structured]: https://github.com/open-policy-agent/conftest/pull/243
[conftest]: https://github.com/open-policy-agent/conftest

26
docs/misconfiguration/comparison/tfsec.md Normal file
View File

@@ -0,0 +1,26 @@
# vs tfsec
[tfsec][tfsec] uses static analysis of your Terraform templates to spot potential security issues.
Trivy uses tfsec internally to scan Terraform HCL files, but Trivy doesn't support some features provided by tfsec.
This section describes the differences between Trivy and tfsec.
| Feature | Trivy | tfsec |
| --------------------------- | --------------------------------------- | -------------------- |
| Built-in Policies | :material-check: | :material-check: |
| Custom Policies | Rego[^1] | JSON and YAML |
| Policy Metadata[^2] | :material-check: | :material-check: |
| Show Successes | :material-check: | :material-check: |
| Disable Policies | :material-check: | :material-check: |
| Show Issue Lines | :material-close: | :material-check: |
| Support .tfvars | :material-close: | :material-check: |
| View Statistics | :material-close: | :material-check: |
| Filtering by Severity | :material-check: | :material-close: |
| Supported Formats | Dockerfile, JSON, YAML, Terraform, etc. | Terraform |
[^1]: Terraform HCL files are not supported.
[^2]: To enrich the results such as ID, Title, Description, Severity, etc.
tfsec is designed for Terraform.
People who use only Terraform should use tfsec.
People who want to scan a wide range of configuration files should use Trivy.
[tfsec]: https://github.com/tfsec/tfsec

3
docs/misconfiguration/policy/builtin.md
View File

@@ -12,9 +12,6 @@ Only Terraform's policies are currently powered by [tfsec][tfsec].
| Dockerfile | [AppShield][docker] |
| Terraform | [tfsec][tfsec-checks] |
Most of policies are from [Best practices for writing Dockerfiles][dockerfile-bestpractice], [Pod Security Standards][pss], and best practices from cloud providers such as [Azure best practices for network security][azure].
Also, some policies are powered by [KICS][kics].
For suggestions or issues regarding policy content, please open an issue under [AppShield][appshield] or [tfsec][tfsec] repository.
CloudFormation and Ansible are coming soon.

3
mkdocs.yml
View File

@@ -61,6 +61,9 @@ nav:
- Filtering: misconfiguration/options/filter.md
- Report Formats: misconfiguration/options/report.md
- Others: misconfiguration/options/others.md
- Comparison:
- vs Conftest: misconfiguration/comparison/conftest.md
- vs tfsec: misconfiguration/comparison/tfsec.md
- Advanced:
- Overview: advanced/index.md
- Plugins: advanced/plugins.md