Skip to content

Commit f23d2f6

Browse files
authored
docs(misconf): simplify misconfiguration docs (#9030)
1 parent a58c36d commit f23d2f6

3 files changed

Lines changed: 193 additions & 337 deletions

File tree

docs/docs/coverage/iac/index.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -22,4 +22,4 @@ Trivy scans Infrastructure as Code (IaC) files for
2222

2323
[misconf]: ../../scanner/misconfiguration/index.md
2424
[secret]: ../../scanner/secret.md
25-
[json-and-yaml]: ../../scanner/misconfiguration/index.md#scan-arbitrary-json-and-yaml-configurations
25+
[json-and-yaml]: ../../scanner/misconfiguration/config/config.md#scan-arbitrary-json-and-yaml-configurations

docs/docs/scanner/misconfiguration/config/config.md

Lines changed: 188 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -64,6 +64,71 @@ From the Terraform [docs](https://developer.hashicorp.com/terraform/cli/config/c
6464
6565
If multiple variables evaluate to the same hostname, Trivy will choose the environment variable name where the dashes have not been encoded as double underscores.
6666

67+
### Scan arbitrary JSON and YAML configurations
68+
By default, scanning JSON and YAML configurations is disabled, since Trivy does not contain built-in checks for these configurations. To enable it, pass the `json` or `yaml` to `--misconfig-scanners`. See [Enabling a subset of misconfiguration scanners](#enabling-a-subset-of-misconfiguration-scanners) for more information. Trivy will pass each file as is to the checks input.
69+
70+
71+
!!! example
72+
```bash
73+
$ cat iac/serverless.yaml
74+
service: serverless-rest-api-with-pynamodb
75+
76+
frameworkVersion: ">=2.24.0"
77+
78+
plugins:
79+
- serverless-python-requirements
80+
...
81+
82+
$ cat serverless.rego
83+
# METADATA
84+
# title: Serverless Framework service name not starting with "aws-"
85+
# description: Ensure that Serverless Framework service names start with "aws-"
86+
# schemas:
87+
# - input: schema["serverless-schema"]
88+
# custom:
89+
# avd_id: AVD-SF-0001
90+
# severity: LOW
91+
package user.serverless001
92+
93+
deny[res] {
94+
not startswith(input.service, "aws-")
95+
res := result.new(
96+
sprintf("Service name %q is not allowed", [input.service]),
97+
input.service
98+
)
99+
}
100+
101+
$ trivy config --misconfig-scanners=json,yaml --config-check ./serverless.rego --check-namespaces user ./iac
102+
serverless.yaml (yaml)
103+
104+
Tests: 4 (SUCCESSES: 3, FAILURES: 1)
105+
Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
106+
107+
LOW: Service name "serverless-rest-api-with-pynamodb" is not allowed
108+
═════════════════════════════════════════════════════════════════════════════════════════════════════════
109+
Ensure that Serverless Framework service names start with "aws-"
110+
```
111+
112+
!!! note
113+
In the case above, the custom check specified has a metadata annotation for the input schema `input: schema["serverless-schema"]`. This allows Trivy to type check the input IaC files provided.
114+
115+
Optionally, you can also pass schemas using the `config-file-schemas` flag. Trivy will use these schemas for file filtering and type checking in Rego checks.
116+
117+
!!! example
118+
```bash
119+
$ trivy config --misconfig-scanners=json,yaml --config-check ./serverless.rego --check-namespaces user --config-file-schemas ./serverless-schema.json ./iac
120+
```
121+
122+
If the `--config-file-schemas` flag is specified Trivy ensures that each input IaC config file being scanned is type-checked against the schema. If the input file does not match any of the passed schemas, it will be ignored.
123+
124+
If the schema is specified in the check metadata and is in the directory specified in the `--config-check` argument, it will be automatically loaded as specified [here](../custom/schema.md#custom-checks-with-custom-schemas), and will only be used for type checking in Rego.
125+
126+
!!! note
127+
If a user specifies the `--config-file-schemas` flag, all input IaC config files are ensured that they pass type-checking. It is not required to pass an input schema in case type checking is not required. This is helpful for scenarios where you simply want to write a Rego check and pass in IaC input for it. Such a use case could include scanning for a new service which Trivy might not support just yet.
128+
129+
!!! tip
130+
It is also possible to specify multiple input schemas with `--config-file-schema` flag as it can accept a comma separated list of file paths or a directory as input. In the case of multiple schemas being specified, all of them will be evaluated against all the input files.
131+
67132

68133
### Filtering resources by inline comments
69134

@@ -105,7 +170,6 @@ As an example, consider the following check metadata:
105170
# severity: LOW
106171
# short_code: enable-logging
107172
```
108-
109173
Long ID would look like the following: `aws-s3-enable-logging`.
110174

111175
Example for CloudFromation:
@@ -257,3 +321,126 @@ You can use wildcards in the `ws` (workspace) and `ignore` sections of the ignor
257321

258322
This example ignores all checks starting with `aws-s3-` for workspaces matching the pattern `dev-*`.
259323

324+
### Expiration Date
325+
326+
You can specify the expiration date of the ignore rule in `yyyy-mm-dd` format. This is a useful feature when you want to make sure that an ignored issue is not forgotten and worth revisiting in the future. For example:
327+
```tf
328+
#trivy:ignore:aws-s3-enable-logging:exp:2024-03-10
329+
resource "aws_s3_bucket" "example" {
330+
bucket = "test"
331+
}
332+
```
333+
334+
The `aws-s3-enable-logging` check will be ignored until `2024-03-10` until the ignore rule expires.
335+
336+
#### Ignoring by attributes
337+
338+
You can ignore a resource by its attribute value. This is useful when using the `for-each` meta-argument. For example:
339+
340+
```tf
341+
locals {
342+
ports = ["3306", "5432"]
343+
}
344+
345+
#trivy:ignore:aws-ec2-no-public-ingress-sgr[from_port=3306]
346+
resource "aws_security_group_rule" "example" {
347+
for_each = toset(local.ports)
348+
type = "ingress"
349+
from_port = each.key
350+
to_port = each.key
351+
protocol = "TCP"
352+
cidr_blocks = ["0.0.0.0/0"]
353+
security_group_id = aws_security_group.example.id
354+
source_security_group_id = aws_security_group.example.id
355+
}
356+
```
357+
358+
The `aws-ec2-no-public-ingress-sgr` check will be ignored only for the `aws_security_group_rule` resource with port number `5432`. It is important to note that the ignore rule should not enclose the attribute value in quotes, despite the fact that the port is represented as a string.
359+
360+
If you want to ignore multiple resources on different attributes, you can specify multiple ignore rules:
361+
362+
```tf
363+
#trivy:ignore:aws-ec2-no-public-ingress-sgr[from_port=3306]
364+
#trivy:ignore:aws-ec2-no-public-ingress-sgr[from_port=5432]
365+
```
366+
367+
You can also ignore a resource on multiple attributes in the same rule:
368+
```tf
369+
locals {
370+
rules = {
371+
first = {
372+
port = 1000
373+
type = "ingress"
374+
},
375+
second = {
376+
port = 1000
377+
type = "egress"
378+
}
379+
}
380+
}
381+
382+
#trivy:ignore:aws-ec2-no-public-ingress-sgr[from_port=1000,type=egress]
383+
resource "aws_security_group_rule" "example" {
384+
for_each = { for k, v in local.rules : k => v }
385+
386+
type = each.value.type
387+
from_port = each.value.port
388+
to_port = each.value.port
389+
protocol = "TCP"
390+
cidr_blocks = ["0.0.0.0/0"]
391+
security_group_id = aws_security_group.example.id
392+
source_security_group_id = aws_security_group.example.id
393+
}
394+
```
395+
396+
Checks can also be ignored by nested attributes:
397+
398+
```tf
399+
#trivy:ignore:*[logging_config.prefix=myprefix]
400+
resource "aws_cloudfront_distribution" "example" {
401+
logging_config {
402+
include_cookies = false
403+
bucket = "mylogs.s3.amazonaws.com"
404+
prefix = "myprefix"
405+
}
406+
}
407+
```
408+
409+
#### Ignoring module issues
410+
411+
Issues in third-party modules cannot be ignored using the method described above, because you may not have access to modify the module source code. In such a situation you can add ignore rules above the module block, for example:
412+
413+
```tf
414+
#trivy:ignore:aws-s3-enable-logging
415+
module "s3_bucket" {
416+
source = "terraform-aws-modules/s3-bucket/aws"
417+
418+
bucket = "my-s3-bucket"
419+
}
420+
```
421+
422+
An example of ignoring checks for a specific bucket in a module:
423+
```tf
424+
locals {
425+
bucket = ["test1", "test2"]
426+
}
427+
428+
#trivy:ignore:*[bucket=test1]
429+
module "s3_bucket" {
430+
for_each = toset(local.bucket)
431+
source = "terraform-aws-modules/s3-bucket/aws"
432+
bucket = each.value
433+
}
434+
```
435+
436+
#### Support for Wildcards
437+
438+
You can use wildcards in the `ws` (workspace) and `ignore` sections of the ignore rules.
439+
440+
```tf
441+
# trivy:ignore:aws-s3-*:ws:dev-*
442+
```
443+
444+
This example ignores all checks starting with `aws-s3-` for workspaces matching the pattern `dev-*`.
445+
446+
[custom]: custom/index.md

0 commit comments

Comments
 (0)