You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/docs/scanner/misconfiguration/config/config.md
+188-1Lines changed: 188 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -64,6 +64,71 @@ From the Terraform [docs](https://developer.hashicorp.com/terraform/cli/config/c
64
64
65
65
If multiple variables evaluate to the same hostname, Trivy will choose the environment variable name where the dashes have not been encoded as double underscores.
66
66
67
+
### Scan arbitrary JSON and YAML configurations
68
+
By default, scanning JSON and YAML configurations is disabled, since Trivy does not contain built-in checks for these configurations. To enable it, pass the `json` or `yaml` to `--misconfig-scanners`. See [Enabling a subset of misconfiguration scanners](#enabling-a-subset-of-misconfiguration-scanners) for more information. Trivy will pass each file as is to the checks input.
69
+
70
+
71
+
!!! example
72
+
```bash
73
+
$ cat iac/serverless.yaml
74
+
service: serverless-rest-api-with-pynamodb
75
+
76
+
frameworkVersion: ">=2.24.0"
77
+
78
+
plugins:
79
+
- serverless-python-requirements
80
+
...
81
+
82
+
$ cat serverless.rego
83
+
# METADATA
84
+
# title: Serverless Framework service name not starting with "aws-"
85
+
# description: Ensure that Serverless Framework service names start with "aws-"
86
+
# schemas:
87
+
# - input: schema["serverless-schema"]
88
+
# custom:
89
+
# avd_id: AVD-SF-0001
90
+
# severity: LOW
91
+
package user.serverless001
92
+
93
+
deny[res] {
94
+
not startswith(input.service, "aws-")
95
+
res := result.new(
96
+
sprintf("Service name %q is not allowed", [input.service]),
97
+
input.service
98
+
)
99
+
}
100
+
101
+
$ trivy config --misconfig-scanners=json,yaml --config-check ./serverless.rego --check-namespaces user ./iac
Ensure that Serverless Framework service names start with "aws-"
110
+
```
111
+
112
+
!!! note
113
+
In the case above, the custom check specified has a metadata annotation for the input schema `input: schema["serverless-schema"]`. This allows Trivy to type check the input IaC files provided.
114
+
115
+
Optionally, you can also pass schemas using the `config-file-schemas` flag. Trivy will use these schemas for file filtering and type checking in Rego checks.
If the `--config-file-schemas` flag is specified Trivy ensures that each input IaC config file being scanned is type-checked against the schema. If the input file does not match any of the passed schemas, it will be ignored.
123
+
124
+
If the schema is specified in the check metadata and is in the directory specified in the `--config-check` argument, it will be automatically loaded as specified [here](../custom/schema.md#custom-checks-with-custom-schemas), and will only be used for type checking in Rego.
125
+
126
+
!!! note
127
+
If a user specifies the `--config-file-schemas` flag, all input IaC config files are ensured that they pass type-checking. It is not required to pass an input schema in case type checking is not required. This is helpful for scenarios where you simply want to write a Rego check and pass in IaC input for it. Such a use case could include scanning for a new service which Trivy might not support just yet.
128
+
129
+
!!! tip
130
+
It is also possible to specify multiple input schemas with `--config-file-schema` flag as it can accept a comma separated list of file paths or a directory as input. In the case of multiple schemas being specified, all of them will be evaluated against all the input files.
131
+
67
132
68
133
### Filtering resources by inline comments
69
134
@@ -105,7 +170,6 @@ As an example, consider the following check metadata:
105
170
# severity: LOW
106
171
# short_code: enable-logging
107
172
```
108
-
109
173
Long ID would look like the following: `aws-s3-enable-logging`.
110
174
111
175
Example for CloudFromation:
@@ -257,3 +321,126 @@ You can use wildcards in the `ws` (workspace) and `ignore` sections of the ignor
257
321
258
322
This example ignores all checks starting with `aws-s3-` for workspaces matching the pattern `dev-*`.
259
323
324
+
### Expiration Date
325
+
326
+
You can specify the expiration date of the ignore rule in `yyyy-mm-dd` format. This is a useful feature when you want to make sure that an ignored issue is not forgotten and worth revisiting in the future. For example:
The `aws-ec2-no-public-ingress-sgr` check will be ignored only for the `aws_security_group_rule` resource with port number `5432`. It is important to note that the ignore rule should not enclose the attribute value in quotes, despite the fact that the port is represented as a string.
359
+
360
+
If you want to ignore multiple resources on different attributes, you can specify multiple ignore rules:
Issues in third-party modules cannot be ignored using the method described above, because you may not have access to modify the module source code. In such a situation you can add ignore rules above the module block, for example:
412
+
413
+
```tf
414
+
#trivy:ignore:aws-s3-enable-logging
415
+
module "s3_bucket" {
416
+
source = "terraform-aws-modules/s3-bucket/aws"
417
+
418
+
bucket = "my-s3-bucket"
419
+
}
420
+
```
421
+
422
+
An example of ignoring checks for a specific bucket in a module:
423
+
```tf
424
+
locals {
425
+
bucket = ["test1", "test2"]
426
+
}
427
+
428
+
#trivy:ignore:*[bucket=test1]
429
+
module "s3_bucket" {
430
+
for_each = toset(local.bucket)
431
+
source = "terraform-aws-modules/s3-bucket/aws"
432
+
bucket = each.value
433
+
}
434
+
```
435
+
436
+
#### Support for Wildcards
437
+
438
+
You can use wildcards in the `ws` (workspace) and `ignore` sections of the ignore rules.
439
+
440
+
```tf
441
+
# trivy:ignore:aws-s3-*:ws:dev-*
442
+
```
443
+
444
+
This example ignores all checks starting with `aws-s3-` for workspaces matching the pattern `dev-*`.
0 commit comments