Skip to content

feat(misconf): Adds CloudFront standard logging v2 support to AVD-AWS-0010#10848

Merged
nikpivkin merged 14 commits into
aquasecurity:mainfrom
Aakarsh133:main
Jun 18, 2026
Merged

feat(misconf): Adds CloudFront standard logging v2 support to AVD-AWS-0010#10848
nikpivkin merged 14 commits into
aquasecurity:mainfrom
Aakarsh133:main

Conversation

@Aakarsh133

@Aakarsh133 Aakarsh133 commented Jun 15, 2026

Copy link
Copy Markdown
Contributor

Description

This PR adds v2 logging support to AVD-AWS-0010.

  • Modified data model to include v2 logging struct

  • V2 delivery chains detection added to cloudformation and terraform

    1. Implemented hasV2Logging as discussed as a helper to ensure smooth integration with original adapter.
    2. types.BoolValue used instead of iacTypes.BoolValue in Terraform to follow the previous implementations in the file.
    3. Different hasV2Logging helper at cloudformation as well s a clean solution to ensure minimal disruption to other implementations.
    4. Directly integrated V2 logging struct with Logging at getDistributions
  • Added respective tests

Additional Notes

Lint fixed a few other lint related issues in the repo as well.

Related issues

Related PRs

feat(misconf): Adds CloudFront standard logging v2 support to AVD-AWS-0010

Checklist

Signed-off-by: Aakarsh Maurya <mauryaaakarsh11@gmail.com>
Signed-off-by: Aakarsh Maurya <mauryaaakarsh11@gmail.com>
Signed-off-by: Aakarsh Maurya <mauryaaakarsh11@gmail.com>
Signed-off-by: Aakarsh Maurya <mauryaaakarsh11@gmail.com>
Signed-off-by: Aakarsh Maurya <mauryaaakarsh11@gmail.com>
Signed-off-by: Aakarsh Maurya <mauryaaakarsh11@gmail.com>
Signed-off-by: Aakarsh Maurya <mauryaaakarsh11@gmail.com>
@CLAassistant

CLAassistant commented Jun 15, 2026

Copy link
Copy Markdown

CLA assistant check
All committers have signed the CLA.

@nikpivkin nikpivkin left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, the implementation matches what we agreed on in #10622.

Comment thread pkg/fanal/test/integration/containerd_test.go Outdated
Comment on lines +93 to +94
logType := source.GetAttribute("log_type").AsStringValueOrDefault("", source)
if logType.Value() != "ACCESS_LOGS" {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This can be simplified to:

Suggested change
logType := source.GetAttribute("log_type").AsStringValueOrDefault("", source)
if logType.Value() != "ACCESS_LOGS" {
if !source.GetAttribute("log_type").Equals("ACCESS_LOGS") {

}
}

func Test_adaptDistributionV2(t *testing.T) {

@nikpivkin nikpivkin Jun 16, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you add a negative case where the delivery source references the distribution and a delivery exists, but log_type is not ACCESS_LOGS (e.g. ERROR_LOGS) → expect false? Right now the log_type filter branch isn't covered, so a regression there would go unnoticed.

},
},
},
},

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Two cases missing here:

  1. LogType other than ACCESS_LOGS → expect false (covers the LogType filter).
  2. DeliverySourceName given as !Ref CloudFrontAccessLogsDeliverySource (logical ID) instead of the literal name → expect true.

for _, delivery := range deliveries {
deliverySourceName := delivery.GetStringProperty("DeliverySourceName")
if deliverySourceName.Value() == sourceName.Value() || deliverySourceName.Value() == source.ID() {
return iacTypes.Bool(true, distribution.Metadata())

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The metadata for LoggingV2.Enabled points at the distribution. When the chain is detected it would be more accurate to point it at the aws_cloudwatch_log_delivery resource (the AWS::Logs::Delivery on the CF side), since that's the link that actually completes the chain - a source on its own does not enable logging.

"$ref": "#/definitions/github.qkg1.top.aquasecurity.trivy.pkg.iac.providers.azure.appservice.Identity"
},
"platform": {
"resource": {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just flagging that this schema diff in azure.appservice.Service is unrelated to CloudFront. It's correct though — the Service model already uses Resource, so the committed schema was out of sync and the regeneration fixed it. Worth mentioning in the PR description so it doesn't look accidental.

@nikpivkin

Copy link
Copy Markdown
Contributor

Before this is merged, we should verify the updated check works end to end with these model changes by running the integration tests. Since the Rego check lives in trivy-checks and relies on the new logging.v2.enabled field, please confirm the integration tests pass against the regenerated schema so we know the rule actually consumes the field correctly.

Comment thread pkg/iac/adapters/cloudformation/aws/cloudfront/distribution.go Outdated
Aakarsh133 and others added 6 commits June 16, 2026 22:05
Co-authored-by: Nikita Pivkin <nikita.pivkin@smartforce.io>
Signed-off-by: Aakarsh Maurya <mauryaaakarsh11@gmail.com>
Signed-off-by: Aakarsh Maurya <mauryaaakarsh11@gmail.com>
Signed-off-by: Aakarsh Maurya <mauryaaakarsh11@gmail.com>
Signed-off-by: Aakarsh Maurya <mauryaaakarsh11@gmail.com>
Signed-off-by: Aakarsh Maurya <mauryaaakarsh11@gmail.com>

deliveries := modules.GetReferencingResources(source, "aws_cloudwatch_log_delivery", "delivery_source_name")
if len(deliveries) > 0 {
return types.Bool(true, metadata)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just as in CF, it's best to return the aws_cloudwatch_log_delivery metadata.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Until now it was under assumption that merely an existence of a aws_cloudwatch_log_delivery would confirm the V2 to be true, here it didn't reference the specific resource explicitly, so in case at least one resource exists(usual case) should i do return types.Bool(true, deliveries[0].GetMetadata()). Is this the correct approach?

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, that's fine, since there's supposed to be at least one delivery resource here.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

also just a note for both CF and Terraform in case of false, distribution metadata is returned

…eturns true

Signed-off-by: Aakarsh Maurya <mauryaaakarsh11@gmail.com>
@Aakarsh133

Copy link
Copy Markdown
Contributor Author

I believe at Trivy-checks certain integration tests are bound to fail if they are checked as intended for now atleast, until the PRs are not merged. I have manually imported schemas, rego is working fine with them.
For the both repos I have done most of the tests I could find relevant if there is anything relevant left please let me know.

@nikpivkin nikpivkin left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. I reviewed the adapter changes and verified them e2e together with the corresponding trivy-checks PR aquasecurity/trivy-checks#580.

While testing this I simplified local development of the integration test so unreleased trivy changes can be validated against a locally built binary without building and pushing an image. That is in aquasecurity/trivy-checks#581.

@nikpivkin nikpivkin added this pull request to the merge queue Jun 18, 2026
Merged via the queue into aquasecurity:main with commit a848925 Jun 18, 2026
15 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

feat(misconf): add CloudFront standard logging v2 support to AVD-AWS-0010

3 participants