From 88702cfd5918b093defc5b5580f7cbf16f5f2417 Mon Sep 17 00:00:00 2001 From: simar7 <1254783+simar7@users.noreply.github.com> Date: Wed, 15 May 2024 19:14:51 -0600 Subject: [PATCH] feat(misconf): Add support for deprecating a check (#6664) 
Signed-off-by: Simar --- docs/docs/advanced/air-gap.md | 4 +- docs/docs/configuration/cache.md | 4 +- docs/docs/configuration/filtering.md | 2 +- docs/docs/coverage/iac/helm.md | 2 +- .../references/configuration/cli/trivy_aws.md | 1 + .../configuration/cli/trivy_config.md | 1 + .../configuration/cli/trivy_filesystem.md | 1 + .../configuration/cli/trivy_image.md | 1 + .../configuration/cli/trivy_kubernetes.md | 1 + .../configuration/cli/trivy_repository.md | 1 + .../configuration/cli/trivy_rootfs.md | 1 + .../references/configuration/config-file.md | 8 +- .../misconfiguration/check/exceptions.md | 8 +- .../scanner/misconfiguration/custom/data.md | 2 +- .../scanner/misconfiguration/custom/debug.md | 4 +- .../scanner/misconfiguration/custom/index.md | 9 +- .../scanner/misconfiguration/custom/schema.md | 12 +-- .../misconfiguration/custom/testing.md | 12 +-- docs/docs/scanner/misconfiguration/index.md | 16 +-- docs/docs/target/aws.md | 12 +-- .../additional-resources/community.md | 2 +- docs/tutorials/misconfiguration/terraform.md | 2 +- go.mod | 2 +- go.sum | 4 +- mkdocs.yml | 2 +- pkg/commands/artifact/run.go | 1 + pkg/flag/rego_flags.go | 50 +++++---- pkg/iac/rego/embed_test.go | 100 ++++++++++++++++++ pkg/iac/rego/load.go | 4 +- pkg/iac/rego/metadata.go | 8 ++ pkg/iac/rego/metadata_test.go | 17 +++ pkg/iac/rego/scanner.go | 43 +++++--- pkg/iac/rego/scanner_test.go | 75 +++++++++++++ pkg/iac/scan/flat.go | 2 + pkg/iac/scan/rule.go | 5 + pkg/iac/scanners/azure/arm/scanner.go | 2 + pkg/iac/scanners/cloudformation/scanner.go | 2 + pkg/iac/scanners/dockerfile/scanner.go | 2 + pkg/iac/scanners/helm/scanner.go | 2 + pkg/iac/scanners/json/scanner.go | 2 + pkg/iac/scanners/kubernetes/scanner.go | 2 + pkg/iac/scanners/options/scanner.go | 7 ++ pkg/iac/scanners/terraform/scanner.go | 2 + .../scanners/terraformplan/tfjson/scanner.go | 2 + pkg/iac/scanners/toml/scanner.go | 2 + pkg/iac/scanners/yaml/scanner.go | 2 + pkg/misconf/scanner.go | 2 + 47 files changed, 358 
insertions(+), 90 deletions(-) diff --git a/docs/docs/advanced/air-gap.md b/docs/docs/advanced/air-gap.md index 3cb7eff65c9f..171b80249eac 100644 --- a/docs/docs/advanced/air-gap.md +++ b/docs/docs/advanced/air-gap.md @@ -129,8 +129,8 @@ $ trivy image --skip-db-update --skip-java-db-update --offline-scan alpine:3.12 No special measures are required to detect misconfigurations in an air-gapped environment. -### Run Trivy with `--skip-policy-update` option -In an air-gapped environment, specify `--skip-policy-update` so that Trivy doesn't attempt to download the latest misconfiguration policies. +### Run Trivy with `--skip-check-update` option +In an air-gapped environment, specify `--skip-check-update` so that Trivy doesn't attempt to download the latest misconfiguration checks. ``` $ trivy conf --skip-policy-update /path/to/conf diff --git a/docs/docs/configuration/cache.md b/docs/docs/configuration/cache.md index d8149f16ccab..ff3a373c22ce 100644 --- a/docs/docs/configuration/cache.md +++ b/docs/docs/configuration/cache.md @@ -3,7 +3,7 @@ The cache directory includes - [Vulnerability Database][trivy-db][^1] - [Java Index Database][trivy-java-db][^2] -- [Misconfiguration Policies][misconf-policies][^3] +- [Misconfiguration Checks][misconf-checks][^3] - Cache of previous scans. The cache option is common to all scanners. @@ -70,7 +70,7 @@ $ trivy server --cache-backend redis://localhost:6379 \ [trivy-db]: ./db.md#vulnerability-database [trivy-java-db]: ./db.md#java-index-database -[misconf-policies]: ../scanner/misconfiguration/check/builtin.md +[misconf-checks]: ../scanner/misconfiguration/check/builtin.md [^1]: Downloaded when scanning for vulnerabilities [^2]: Downloaded when scanning `jar/war/par/ear` files diff --git a/docs/docs/configuration/filtering.md b/docs/docs/configuration/filtering.md index 965c2873c25e..e3d38f3cdc15 100644 --- a/docs/docs/configuration/filtering.md +++ b/docs/docs/configuration/filtering.md 
@@ -483,7 +483,7 @@ trivy image --ignore-policy contrib/example_policy/basic.rego centos:7 For more advanced use cases, there is a built-in Rego library with helper functions that you can import into your policy using: `import data.lib.trivy`. More info about the helper functions are in the library [here](https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/pkg/result/module.go). -You can find more example policies [here](https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/pkg/result/module.go) +You can find more example checks [here](https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/pkg/result/module.go) ### By Vulnerability Exploitability Exchange (VEX) | Scanner | Supported | diff --git a/docs/docs/coverage/iac/helm.md b/docs/docs/coverage/iac/helm.md index cc8ddc0656a4..8d0352fc42f1 100644 --- a/docs/docs/coverage/iac/helm.md +++ b/docs/docs/coverage/iac/helm.md @@ -11,7 +11,7 @@ The following scanners are supported. Trivy recursively searches directories and scans all found Helm files. It evaluates variables, functions, and other elements within Helm templates and resolve the chart to Kubernetes manifests then run the Kubernetes checks. -See [here](../../scanner/misconfiguration/check/builtin.md) for more details on the built-in policies. +See [here](../../scanner/misconfiguration/check/builtin.md) for more details on the built-in checks. ### Value overrides There are a number of options for overriding values in Helm charts. diff --git a/docs/docs/references/configuration/cli/trivy_aws.md b/docs/docs/references/configuration/cli/trivy_aws.md index 44774dffcd16..aa0255a7ebcd 100644 --- a/docs/docs/references/configuration/cli/trivy_aws.md +++ b/docs/docs/references/configuration/cli/trivy_aws.md 
@@ -87,6 +87,7 @@ trivy aws [flags] -h, --help help for aws --ignore-policy string specify the Rego file path to evaluate each vulnerability --ignorefile string specify .trivyignore file (default ".trivyignore") + --include-deprecated-checks include deprecated checks --include-non-failures include successes and exceptions, available with '--scanners misconfig' --list-all-pkgs enabling the option will output all packages regardless of vulnerability --max-cache-age duration The maximum age of the cloud cache. Cached data will be required from the cloud provider if it is older than this. (default 24h0m0s) diff --git a/docs/docs/references/configuration/cli/trivy_config.md b/docs/docs/references/configuration/cli/trivy_config.md index 73bf450244e0..993570f1587b 100644 --- a/docs/docs/references/configuration/cli/trivy_config.md +++ b/docs/docs/references/configuration/cli/trivy_config.md @@ -31,6 +31,7 @@ trivy config [flags] DIR -h, --help help for config --ignore-policy string specify the Rego file path to evaluate each vulnerability --ignorefile string specify .trivyignore file (default ".trivyignore") + --include-deprecated-checks include deprecated checks --include-non-failures include successes and exceptions, available with '--scanners misconfig' --k8s-version string specify k8s version to validate outdated api by it (example: 1.21.0) --misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot]) diff --git a/docs/docs/references/configuration/cli/trivy_filesystem.md b/docs/docs/references/configuration/cli/trivy_filesystem.md index 79601ddc05e3..e79b923e3786 100644 --- a/docs/docs/references/configuration/cli/trivy_filesystem.md +++ b/docs/docs/references/configuration/cli/trivy_filesystem.md 
@@ -49,6 +49,7 @@ trivy filesystem [flags] PATH --ignore-unfixed display only fixed vulnerabilities --ignored-licenses strings specify a list of license to ignore --ignorefile string specify .trivyignore file (default ".trivyignore") + --include-deprecated-checks include deprecated checks --include-dev-deps include development dependencies in the report (supported: npm, yarn) --include-non-failures include successes and exceptions, available with '--scanners misconfig' --java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1") diff --git a/docs/docs/references/configuration/cli/trivy_image.md b/docs/docs/references/configuration/cli/trivy_image.md index ab7951fa8d5e..980cf68a795f 100644 --- a/docs/docs/references/configuration/cli/trivy_image.md +++ b/docs/docs/references/configuration/cli/trivy_image.md @@ -67,6 +67,7 @@ trivy image [flags] IMAGE_NAME --ignorefile string specify .trivyignore file (default ".trivyignore") --image-config-scanners strings comma-separated list of what security issues to detect on container image configurations (misconfig,secret) --image-src strings image source(s) to use, in priority order (docker,containerd,podman,remote) (default [docker,containerd,podman,remote]) + --include-deprecated-checks include deprecated checks --include-non-failures include successes and exceptions, available with '--scanners misconfig' --input string input file path instead of image name --java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1") diff --git a/docs/docs/references/configuration/cli/trivy_kubernetes.md b/docs/docs/references/configuration/cli/trivy_kubernetes.md index 62ee6cd3b422..cdc50f9f5451 100644 --- a/docs/docs/references/configuration/cli/trivy_kubernetes.md +++ b/docs/docs/references/configuration/cli/trivy_kubernetes.md 
@@ -62,6 +62,7 @@ trivy kubernetes [flags] [CONTEXT] --ignore-unfixed display only fixed vulnerabilities --ignorefile string specify .trivyignore file (default ".trivyignore") --image-src strings image source(s) to use, in priority order (docker,containerd,podman,remote) (default [docker,containerd,podman,remote]) + --include-deprecated-checks include deprecated checks --include-kinds strings indicate the kinds included in scanning (example: node) --include-namespaces strings indicate the namespaces included in scanning (example: kube-system) --include-non-failures include successes and exceptions, available with '--scanners misconfig' diff --git a/docs/docs/references/configuration/cli/trivy_repository.md b/docs/docs/references/configuration/cli/trivy_repository.md index e3daa569d9f4..7efde1657cc7 100644 --- a/docs/docs/references/configuration/cli/trivy_repository.md +++ b/docs/docs/references/configuration/cli/trivy_repository.md @@ -49,6 +49,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL) --ignore-unfixed display only fixed vulnerabilities --ignored-licenses strings specify a list of license to ignore --ignorefile string specify .trivyignore file (default ".trivyignore") + --include-deprecated-checks include deprecated checks --include-dev-deps include development dependencies in the report (supported: npm, yarn) --include-non-failures include successes and exceptions, available with '--scanners misconfig' --java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1") diff --git a/docs/docs/references/configuration/cli/trivy_rootfs.md b/docs/docs/references/configuration/cli/trivy_rootfs.md index 4bc3fc61d2af..ea6a3093802f 100644 --- a/docs/docs/references/configuration/cli/trivy_rootfs.md +++ b/docs/docs/references/configuration/cli/trivy_rootfs.md 
@@ -52,6 +52,7 @@ trivy rootfs [flags] ROOTDIR --ignore-unfixed display only fixed vulnerabilities --ignored-licenses strings specify a list of license to ignore --ignorefile string specify .trivyignore file (default ".trivyignore") + --include-deprecated-checks include deprecated checks --include-non-failures include successes and exceptions, available with '--scanners misconfig' --java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1") --license-confidence-level float specify license classifier's confidence level (default 0.9) diff --git a/docs/docs/references/configuration/config-file.md b/docs/docs/references/configuration/config-file.md index 755913a0bf20..1a7020d94fe4 100644 --- a/docs/docs/references/configuration/config-file.md +++ b/docs/docs/references/configuration/config-file.md @@ -382,10 +382,14 @@ misconfiguration: # Same as '--include-non-failures' # Default is false include-non-failures: false + + # Same as '--include-deprecated-checks' + # Default is false + include-deprecated-checks: false - # Same as '--policy-bundle-repository' + # Same as '--check-bundle-repository' and '--policy-bundle-repository' # Default is 'ghcr.io/aquasecurity/trivy-checks:0' - policy-bundle-repository: ghcr.io/aquasecurity/trivy-checks:0 + check-bundle-repository: ghcr.io/aquasecurity/trivy-checks:0 # Same as '--miconfig-scanners' # Default is all scanners diff --git a/docs/docs/scanner/misconfiguration/check/exceptions.md b/docs/docs/scanner/misconfiguration/check/exceptions.md index e4020c029908..70ef974a4b74 100644 --- a/docs/docs/scanner/misconfiguration/check/exceptions.md +++ b/docs/docs/scanner/misconfiguration/check/exceptions.md 
@@ -3,10 +3,10 @@ Exceptions let you specify cases where you allow policy violations. Trivy supports two types of exceptions. !!! info - Exceptions can be applied to built-in policies as well as custom policies. + Exceptions can be applied to built-in checks as well as custom checks. ## Namespace-based exceptions -There are some cases where you need to disable built-in policies partially or fully. +There are some cases where you need to disable built-in checks partially or fully. Namespace-based exceptions lets you rough choose which individual packages to exempt. To use namespace-based exceptions, create a Rego rule with the name `exception` that returns the package names to exempt. @@ -26,7 +26,7 @@ The `exception` rule must be defined under `namespace.exceptions`. } ``` -This example exempts all built-in policies for Kubernetes. +This example exempts all built-in checks for Kubernetes. ## Rule-based exceptions There are some cases where you need more flexibility and granularity in defining which cases to exempt. @@ -73,7 +73,7 @@ The above would provide an exception from `deny_foo` and `deny_bar`. } ``` -If you want to apply rule-based exceptions to built-in policies, you have to define the exception under the same package. +If you want to apply rule-based exceptions to built-in checks, you have to define the exception under the same package. !!! example ``` rego diff --git a/docs/docs/scanner/misconfiguration/custom/data.md b/docs/docs/scanner/misconfiguration/custom/data.md index 6e858d86ed6f..51af206b4c63 100644 --- a/docs/docs/scanner/misconfiguration/custom/data.md +++ b/docs/docs/scanner/misconfiguration/custom/data.md 
@@ -1,6 +1,6 @@ # Custom Data -Custom policies may require additional data in order to determine an answer. +Custom checks may require additional data in order to determine an answer. For example, an allowed list of resources that can be created. Instead of hardcoding this information inside your policy, Trivy allows passing paths to data files with the `--data` flag. diff --git a/docs/docs/scanner/misconfiguration/custom/debug.md b/docs/docs/scanner/misconfiguration/custom/debug.md index 8ea0cc5e0e71..751e43633efc 100644 --- a/docs/docs/scanner/misconfiguration/custom/debug.md +++ b/docs/docs/scanner/misconfiguration/custom/debug.md @@ -1,10 +1,10 @@ -# Debugging policies +# Debugging checks When working on more complex queries (or when learning Rego), it's useful to see exactly how the policy is applied. For this purpose you can use the `--trace` flag. This will output a large trace from Open Policy Agent like the following: !!! tip - Only failed policies show traces. If you want to debug a passed policy, you need to make it fail on purpose. + Only failed checks show traces. If you want to debug a passed check, you need to make it fail on purpose. ```shell $ trivy conf --trace configs/ diff --git a/docs/docs/scanner/misconfiguration/custom/index.md b/docs/docs/scanner/misconfiguration/custom/index.md index 8b08c5e41292..9ce6250552bf 100644 --- a/docs/docs/scanner/misconfiguration/custom/index.md +++ b/docs/docs/scanner/misconfiguration/custom/index.md 
@@ -1,8 +1,8 @@ -# Custom Policies +# Custom Checks ## Overview -You can write custom policies in [Rego][rego]. -Once you finish writing custom policies, you can pass the policy files or the directory where those policies are stored with `--policy` option. +You can write custom checks in [Rego][rego]. +Once you finish writing custom checks, you can pass the policy files or the directory where those policies are stored with `--policy` option. ``` bash trivy conf --policy /path/to/policy.rego --policy /path/to/custom_policies --namespaces user /path/to/config_dir @@ -120,7 +120,7 @@ Trivy supports extra fields in the `custom` section as described below. ``` All fields are optional. The `schemas` field should be used to enable policy validation using a built-in schema. The -schema that will be used is based on the input document type. It is recommended to use this to ensure your policies are +schema that will be used is based on the input document type. It is recommended to use this to ensure your checks are correct and do not reference incorrect properties/values. | Field name | Allowed values | Default value | In table | In JSON | @@ -131,6 +131,7 @@ correct and do not reference incorrect properties/values. | custom.id | Any characters | N/A | :material-check: | :material-check: | | custom.severity | `LOW`, `MEDIUM`, `HIGH`, `CRITICAL` | UNKNOWN | :material-check: | :material-check: | | custom.recommended_actions | Any characters | | :material-close: | :material-check: | +| custom.deprecated | `true`, `false` | `false` | :material-close: | :material-check: | | custom.input.selector.type | Any item(s) in [this list][source-types] | | :material-close: | :material-check: | | url | Any characters | | :material-close: | :material-check: | diff --git a/docs/docs/scanner/misconfiguration/custom/schema.md b/docs/docs/scanner/misconfiguration/custom/schema.md index ea5efeb7b3e2..34872997238d 100644 --- a/docs/docs/scanner/misconfiguration/custom/schema.md 
+++ b/docs/docs/scanner/misconfiguration/custom/schema.md @@ -54,7 +54,7 @@ Currently, out of the box the following schemas are supported natively: 3. [Cloud](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/rego/schemas/cloud.json) -## Custom Policies with Custom Schemas +## Custom Checks with Custom Schemas You can also bring a custom policy that defines one or more custom schema. @@ -71,21 +71,21 @@ You can also bring a custom policy that defines one or more custom schema. } ``` -The policies can be placed in a structure as follows +The checks can be placed in a structure as follows !!! example ``` - /Users/user/my-custom-policies + /Users/user/my-custom-checks ├── my_policy.rego └── schemas └── fooschema.json └── barschema.json ``` -To use such a policy with Trivy, use the `--config-policy` flag that points to the policy file or to the directory where the schemas and policies are contained. +To use such a policy with Trivy, use the `--config-policy` flag that points to the policy file or to the directory where the schemas and checks are contained. ```bash -$ trivy --config-policy=/Users/user/my-custom-policies +$ trivy --config-policy=/Users/user/my-custom-checks ``` -For more details on how to define schemas within Rego policies, please see the [OPA guide](https://www.openpolicyagent.org/docs/latest/policy-language/#schema-annotations) that describes it in more detail. \ No newline at end of file +For more details on how to define schemas within Rego checks, please see the [OPA guide](https://www.openpolicyagent.org/docs/latest/policy-language/#schema-annotations) that describes it in more detail. \ No newline at end of file diff --git a/docs/docs/scanner/misconfiguration/custom/testing.md b/docs/docs/scanner/misconfiguration/custom/testing.md index fcda218ff8eb..2db2fa823531 100644 --- a/docs/docs/scanner/misconfiguration/custom/testing.md +++ b/docs/docs/scanner/misconfiguration/custom/testing.md 
@@ -1,9 +1,9 @@ # Testing -It is highly recommended to write tests for your custom policies. +It is highly recommended to write tests for your custom checks. ## Rego testing -To help you verify the correctness of your custom policies, OPA gives you a framework that you can use to write tests for your policies. -By writing tests for your custom policies you can speed up the development process of new rules and reduce the amount of time it takes to modify rules as requirements evolve. +To help you verify the correctness of your custom checks, OPA gives you a framework that you can use to write tests for your checks. +By writing tests for your custom checks you can speed up the development process of new rules and reduce the amount of time it takes to modify rules as requirements evolve. For more details, see [Policy Testing][opa-testing]. @@ -22,12 +22,12 @@ For more details, see [Policy Testing][opa-testing]. } ``` -To write tests for custom policies, you can refer to existing tests under [trivy-checks][trivy-checks]. +To write tests for custom checks, you can refer to existing tests under [trivy-checks][trivy-checks]. ## Go testing [Fanal][fanal] which is a core library of Trivy can be imported as a Go library. -You can scan config files in Go and test your custom policies using Go's testing methods, such as [table-driven tests][table]. -This allows you to use the actual configuration file as input, making it easy to prepare test data and ensure that your custom policies work in practice. +You can scan config files in Go and test your custom checks using Go's testing methods, such as [table-driven tests][table]. +This allows you to use the actual configuration file as input, making it easy to prepare test data and ensure that your custom checks work in practice. In particular, Dockerfile and HCL need to be converted to structural data as input, which may be different from the expected input format. 
diff --git a/docs/docs/scanner/misconfiguration/index.md b/docs/docs/scanner/misconfiguration/index.md index b243d3e8dc17..701d469d658f 100644 --- a/docs/docs/scanner/misconfiguration/index.md +++ b/docs/docs/scanner/misconfiguration/index.md @@ -1,6 +1,6 @@ # Misconfiguration Scanning -Trivy provides built-in policies to detect configuration issues in popular Infrastructure as Code files, such as: Docker, Kubernetes, Terraform, CloudFormation, and more. -In addition to built-in policies, you can write your own custom policies, as you can see [here][custom]. +Trivy provides built-in checks to detect configuration issues in popular Infrastructure as Code files, such as: Docker, Kubernetes, Terraform, CloudFormation, and more. +In addition to built-in checks, you can write your own custom checks, as you can see [here][custom]. ## Quick start @@ -94,7 +94,7 @@ In the above example, Trivy detected vulnerabilities of Python dependencies and ## Type detection The specified directory can contain mixed types of IaC files. -Trivy automatically detects config types and applies relevant policies. +Trivy automatically detects config types and applies relevant checks. For example, the following example holds IaC files for Terraform, CloudFormation, Kubernetes, Helm Charts, and Dockerfile in the same directory. @@ -326,8 +326,8 @@ trivy config --misconfig-scanners=terraform,dockerfile . Will only scan for misconfigurations that pertain to Terraform and Dockerfiles. -### Passing custom policies -You can pass policy files or directories including your custom policies through `--policy` option. +### Passing custom checks +You can pass policy files or directories including your custom checks through `--policy` option. This can be repeated for specifying multiple files or directories. ```bash 
@@ -335,7 +335,7 @@ cd examplex/misconf/ trivy conf --policy custom-policy/policy --policy combine/policy --policy policy.rego --namespaces user misconf/mixed ``` -For more details, see [Custom Policies](./custom/index.md). +For more details, see [Custom Checks](./custom/index.md). !!! tip You also need to specify `--namespaces` option. @@ -352,8 +352,8 @@ trivy conf --policy ./policy --data ./data --namespaces user ./configs For more details, see [Custom Data](./custom/data.md). ### Passing namespaces -By default, Trivy evaluates policies defined in `builtin.*`. -If you want to evaluate custom policies in other packages, you have to specify package prefixes through `--namespaces` option. +By default, Trivy evaluates checks defined in `builtin.*`. +If you want to evaluate custom checks in other packages, you have to specify package prefixes through `--namespaces` option. This can be repeated for specifying multiple packages. ``` bash diff --git a/docs/docs/target/aws.md b/docs/docs/target/aws.md index 78781646b118..ef23825129f9 100644 --- a/docs/docs/target/aws.md +++ b/docs/docs/target/aws.md 
@@ -99,11 +99,11 @@ If you want to force the cache to be refreshed with the latest data, you can use Or if you'd like to use cached data for a different timeframe, you can specify `--max-cache-age` (e.g. `--max-cache-age 2h`.). Regardless of whether the cache is used or not, rules will be evaluated again with each run of `trivy aws`. -## Custom Policies +## Custom Checks -You can write custom policies for Trivy to evaluate against your AWS account. -These policies are written in [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/), the same language used by [Open Policy Agent](https://www.openpolicyagent.org/). -See the [Custom Policies](../scanner/misconfiguration/custom/index.md) page for more information on how to write custom policies. +You can write custom checks for Trivy to evaluate against your AWS account. +These checks are written in [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/), the same language used by [Open Policy Agent](https://www.openpolicyagent.org/). +See the [Custom Checks](../scanner/misconfiguration/custom/index.md) page for more information on how to write custom checks. -Custom policies in cloud scanning also support passing in custom data. This can be useful when you want to selectively enable/disable certain aspects of your cloud policies. -See the [Custom Data](../scanner/misconfiguration/custom/data.md) page for more information on how to provide custom data to custom policies. +Custom checks in cloud scanning also support passing in custom data. This can be useful when you want to selectively enable/disable certain aspects of your cloud checks. +See the [Custom Data](../scanner/misconfiguration/custom/data.md) page for more information on how to provide custom data to custom checks. diff --git a/docs/tutorials/additional-resources/community.md b/docs/tutorials/additional-resources/community.md index c1ab7241e4e5..2f5ab5a15c41 100644 --- a/docs/tutorials/additional-resources/community.md 
+++ b/docs/tutorials/additional-resources/community.md @@ -16,7 +16,7 @@ Below is a list of additional resources from the community. ## Misconfiguration Scanning - [Identifying Misconfigurations in your Terraform](https://youtu.be/cps1V5fOHtE) -- [How to write custom policies for Trivy](https://blog.ediri.io/how-to-write-custom-policies-for-trivy) +- [How to write custom checks for Trivy](https://blog.ediri.io/how-to-write-custom-policies-for-trivy) ## SBOM, Attestation & related diff --git a/docs/tutorials/misconfiguration/terraform.md b/docs/tutorials/misconfiguration/terraform.md index 8240e1ba53b2..24b8eebfa69a 100644 --- a/docs/tutorials/misconfiguration/terraform.md +++ b/docs/tutorials/misconfiguration/terraform.md @@ -90,7 +90,7 @@ trivy conf --tf-vars terraform.tfvars ./ ``` ### Custom Checks -We have lots of examples in the [documentation](https://aquasecurity.github.io/trivy/latest/docs/scanner/misconfiguration/custom/) on how you can write and pass custom Rego policies into terraform misconfiguration scans. +We have lots of examples in the [documentation](https://aquasecurity.github.io/trivy/latest/docs/scanner/misconfiguration/custom/) on how you can write and pass custom Rego checks into terraform misconfiguration scans. ## Secret and vulnerability scans diff --git a/go.mod b/go.mod index 0849da324bc6..d25d339b8a1d 100644 --- a/go.mod +++ b/go.mod @@ -26,7 +26,7 @@ require ( github.com/aquasecurity/table v1.8.0 github.com/aquasecurity/testdocker v0.0.0-20240419073403-90bd43849334 github.com/aquasecurity/tml v0.6.1 - github.com/aquasecurity/trivy-aws v0.8.0 + github.com/aquasecurity/trivy-aws v0.8.1-0.20240511051125-4393910b056b github.com/aquasecurity/trivy-checks v0.10.5-0.20240514040354-93bcb2f8c233 github.com/aquasecurity/trivy-db v0.0.0-20231005141211-4fc651f7ac8d github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 diff --git a/go.sum b/go.sum index 1ea2d226a903..d62a5fb3c10b 100644 --- a/go.sum +++ b/go.sum 
@@ -773,8 +773,8 @@ github.com/aquasecurity/testdocker v0.0.0-20240419073403-90bd43849334 h1:MgvbLyL github.com/aquasecurity/testdocker v0.0.0-20240419073403-90bd43849334/go.mod h1:TKXn7bPfMM52ETP4sjjwkTKCZ18CqCs+I/vtFePSdBc= github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gwo= github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY= -github.com/aquasecurity/trivy-aws v0.8.0 h1:4ij8MiZ2sJUH+vWpSeoGVhPr109ZBcNp7LNLfPuv5Cw= -github.com/aquasecurity/trivy-aws v0.8.0/go.mod h1:Pb9xqOuTKMHVgjsnjvudjqZh3nmzdFqFVfRkXnoIZBM= +github.com/aquasecurity/trivy-aws v0.8.1-0.20240511051125-4393910b056b h1:mBMM6+kLTPaqSxNLO51rL6HiCKL1ElV5RXM+BEAK8fg= +github.com/aquasecurity/trivy-aws v0.8.1-0.20240511051125-4393910b056b/go.mod h1:z638DsULU5CCIk8QZqcj8u2D5IIRzvjq4jI1VDQGda4= github.com/aquasecurity/trivy-checks v0.10.5-0.20240514040354-93bcb2f8c233 h1:7TnJS1JEmrNfznu1Y9Rzbboxl7J4hxjIKQ8tV3k5UQs= github.com/aquasecurity/trivy-checks v0.10.5-0.20240514040354-93bcb2f8c233/go.mod h1:+G8Ft1pJAmsSPzfSQHdSQ5zcWHWPOxVdQHHA+eHP3eU= github.com/aquasecurity/trivy-db v0.0.0-20231005141211-4fc651f7ac8d h1:fjI9mkoTUAkbGqpzt9nJsO24RAdfG+ZSiLFj0G2jO8c= diff --git a/mkdocs.yml b/mkdocs.yml index 0a7947b4d703..4f8a42c9cec3 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -57,7 +57,7 @@ nav: - Policy: - Built-in Checks: docs/scanner/misconfiguration/check/builtin.md - Exceptions: docs/scanner/misconfiguration/check/exceptions.md - - Custom Policies: + - Custom Checks: - Overview: docs/scanner/misconfiguration/custom/index.md - Data: docs/scanner/misconfiguration/custom/data.md - Combine: docs/scanner/misconfiguration/custom/combine.md diff --git a/pkg/commands/artifact/run.go b/pkg/commands/artifact/run.go index 14aae3659cac..f61e84928265 100644 --- a/pkg/commands/artifact/run.go +++ b/pkg/commands/artifact/run.go 
@@ -587,6 +587,7 @@ func initScannerConfig(opts flag.Options, cacheClient cache.Cache) (ScannerConfi
 K8sVersion: opts.K8sVersion,
 DisableEmbeddedPolicies: disableEmbedded,
 DisableEmbeddedLibraries: disableEmbedded,
+ IncludeDeprecatedChecks: opts.IncludeDeprecatedChecks,
 TfExcludeDownloaded: opts.TfExcludeDownloaded,
 }
 }
diff --git a/pkg/flag/rego_flags.go b/pkg/flag/rego_flags.go
index e7358e065b33..4b291f0a5eb3 100644
--- a/pkg/flag/rego_flags.go
+++ b/pkg/flag/rego_flags.go
@@ -7,6 +7,11 @@ package flag
 // config-policy: "custom-policy/policy"
 // policy-namespaces: "user"
 var (
+ IncludeDeprecatedChecksFlag = Flag[bool]{
+ Name: "include-deprecated-checks",
+ ConfigName: "rego.include-deprecated-checks",
+ Usage: "include deprecated checks",
+ }
 SkipCheckUpdateFlag = Flag[bool]{
 Name: "skip-check-update",
 ConfigName: "rego.skip-check-update",
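Review bot: The new flag registers its config key as `rego.include-deprecated-checks`, but the config-file reference updated in this same commit (docs/docs/references/configuration/config-file.md) documents `include-deprecated-checks: false` under the `misconfiguration:` section next to `include-non-failures`, so a user following the docs will put the key under the wrong section and the flag stays off with no error. Since the neighbouring `skip-check-update` flag in this block already uses the `rego.` prefix, the doc side is the likelier fix: list the key under `rego:` alongside `skip-check-update`, or alternatively change the ConfigName here to the `misconfiguration.` prefix. The flag definition would also benefit from a doc comment explaining what it re-enables, e.g. `// IncludeDeprecatedChecksFlag re-enables checks whose Rego metadata sets custom.deprecated: true; presumably they are excluded from a scan unless this is set.` The `var (` block this hunk adds to continues outside the hunk.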
@@ -53,28 +58,31 @@ var (
 // RegoFlagGroup composes common printer flag structs used for commands providing misconfinguration scanning.
 type RegoFlagGroup struct {
- SkipCheckUpdate *Flag[bool]
- Trace *Flag[bool]
- CheckPaths *Flag[[]string]
- DataPaths *Flag[[]string]
- CheckNamespaces *Flag[[]string]
+ IncludeDeprecatedChecks *Flag[bool]
+ SkipCheckUpdate *Flag[bool]
+ Trace *Flag[bool]
+ CheckPaths *Flag[[]string]
+ DataPaths *Flag[[]string]
+ CheckNamespaces *Flag[[]string]
 }
 type RegoOptions struct {
- SkipCheckUpdate bool
- Trace bool
- CheckPaths []string
- DataPaths []string
- CheckNamespaces []string
+ IncludeDeprecatedChecks bool
+ SkipCheckUpdate bool
+ Trace bool
+ CheckPaths []string
+ DataPaths []string
+ CheckNamespaces []string
 }
 func NewRegoFlagGroup() *RegoFlagGroup {
 return &RegoFlagGroup{
- SkipCheckUpdate: SkipCheckUpdateFlag.Clone(),
- Trace: TraceFlag.Clone(),
- CheckPaths: ConfigCheckFlag.Clone(),
- DataPaths: ConfigDataFlag.Clone(),
- CheckNamespaces: CheckNamespaceFlag.Clone(),
+ IncludeDeprecatedChecks: IncludeDeprecatedChecksFlag.Clone(),
+ SkipCheckUpdate: SkipCheckUpdateFlag.Clone(),
+ Trace: TraceFlag.Clone(),
+ CheckPaths: ConfigCheckFlag.Clone(),
+ DataPaths: ConfigDataFlag.Clone(),
+ CheckNamespaces: CheckNamespaceFlag.Clone(),
 }
 }
@@ -84,6 +92,7 @@ func (f *RegoFlagGroup) Name() string {
 func (f *RegoFlagGroup) Flags() []Flagger {
 return []Flagger{
+ f.IncludeDeprecatedChecks,
 f.SkipCheckUpdate,
 f.Trace,
 f.CheckPaths,
@@ -98,10 +107,11 @@ func (f *RegoFlagGroup) ToOptions() (RegoOptions, error) { } return RegoOptions{ - SkipCheckUpdate: f.SkipCheckUpdate.Value(), - Trace: f.Trace.Value(), - CheckPaths: f.CheckPaths.Value(), - DataPaths: f.DataPaths.Value(), - CheckNamespaces: f.CheckNamespaces.Value(), + IncludeDeprecatedChecks: f.IncludeDeprecatedChecks.Value(), + SkipCheckUpdate: f.SkipCheckUpdate.Value(), + Trace: f.Trace.Value(), + CheckPaths: f.CheckPaths.Value(), + DataPaths: f.DataPaths.Value(), + CheckNamespaces: f.CheckNamespaces.Value(), }, nil } diff --git a/pkg/iac/rego/embed_test.go b/pkg/iac/rego/embed_test.go index 36d136259a5d..35fd4a667e80 100644 --- a/pkg/iac/rego/embed_test.go +++ b/pkg/iac/rego/embed_test.go @@ -5,6 +5,7 @@ import ( checks "github.com/aquasecurity/trivy-checks" "github.com/aquasecurity/trivy/pkg/iac/rules" + "github.com/aquasecurity/trivy/pkg/iac/scan" "github.com/open-policy-agent/opa/ast" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" 
@@ -103,3 +104,102 @@ deny[res]{ }) } } + +func Test_RegisterDeprecatedRule(t *testing.T) { + var testCases = []struct { + name string + id string + inputPolicy string + expected scan.Rule + }{ + { + name: "deprecated check", + id: "AVD-DEP-0001", + inputPolicy: `# METADATA +# title: "deprecated check" +# description: "some description" +# scope: package +# schemas: +# - input: schema["dockerfile"] +# custom: +# avd_id: AVD-DEP-0001 +# input: +# selector: +# - type: dockerfile +# deprecated: true +package builtin.dockerfile.DS1234 +deny[res]{ + res := true +}`, + expected: scan.Rule{ + Deprecated: true, + }, + }, + { + name: "not a deprecated check", + id: "AVD-NOTDEP-0001", + inputPolicy: `# METADATA +# title: "not a deprecated check" +# description: "some description" +# scope: package +# schemas: +# - input: schema["dockerfile"] +# custom: +# avd_id: AVD-NOTDEP-0001 +# input: +# selector: +# - type: dockerfile +package builtin.dockerfile.DS1234 +deny[res]{ + res := true +}`, + expected: scan.Rule{ + Deprecated: false, + }, + }, + { + name: "invalid deprecation value", + id: "AVD-BADDEP-0001", + inputPolicy: `# METADATA +# title: "badly deprecated check" +# description: "some description" +# scope: package +# schemas: +# - input: schema["dockerfile"] +# custom: +# avd_id: AVD-BADDEP-0001 +# input: +# selector: +# - type: dockerfile +# deprecated: "this is bad, deprecation is a bool value not a string" +package builtin.dockerfile.DS1234 +deny[res]{ + res := true +}`, + expected: scan.Rule{ + Deprecated: false, + }, + }, + } + + for _, tc := range testCases { + t.Run(tc.name, func(t *testing.T) { + policies := make(map[string]*ast.Module) + newRule, err := ast.ParseModuleWithOpts("/rules/newrule.rego", tc.inputPolicy, ast.ParserOptions{ + ProcessAnnotation: true, + }) + require.NoError(t, err) + + policies["/rules/newrule.rego"] = newRule + assert.NotPanics(t, func() { + RegisterRegoRules(policies) + }) + + for _, rule := range rules.GetRegistered() { + if 
rule.AVDID == tc.id { + assert.Equal(t, tc.expected.Deprecated, rule.GetRule().Deprecated, tc.name) + } + } + }) + } +} diff --git a/pkg/iac/rego/load.go b/pkg/iac/rego/load.go index 2fd3955ce38f..f2e4c0645c4f 100644 --- a/pkg/iac/rego/load.go +++ b/pkg/iac/rego/load.go @@ -100,12 +100,12 @@ func (s *Scanner) LoadPolicies(enableEmbeddedLibraries, enableEmbeddedPolicies b if len(paths) > 0 { loaded, err := LoadPoliciesFromDirs(srcFS, paths...) if err != nil { - return fmt.Errorf("failed to load rego policies from %s: %w", paths, err) + return fmt.Errorf("failed to load rego checks from %s: %w", paths, err) } for name, policy := range loaded { s.policies[name] = policy } - s.debug.Log("Loaded %d policies from disk.", len(loaded)) + s.debug.Log("Loaded %d checks from disk.", len(loaded)) } if len(readers) > 0 { diff --git a/pkg/iac/rego/metadata.go b/pkg/iac/rego/metadata.go index 6d6996dd6828..5699276ad054 100644 --- a/pkg/iac/rego/metadata.go +++ b/pkg/iac/rego/metadata.go @@ -20,6 +20,7 @@ import ( const annotationScopePackage = "package" type StaticMetadata struct { + Deprecated bool ID string AVDID string Title string @@ -70,6 +71,12 @@ func (sm *StaticMetadata) Update(meta map[string]any) error { upd(&sm.RecommendedActions, "recommended_actions") upd(&sm.RecommendedActions, "recommended_action") + if raw, ok := meta["deprecated"]; ok { + if dep, ok := raw.(bool); ok { + sm.Deprecated = dep + } + } + if raw, ok := meta["severity"]; ok { sm.Severity = strings.ToUpper(fmt.Sprintf("%s", raw)) } @@ -208,6 +215,7 @@ func (m StaticMetadata) ToRule() scan.Rule { } return scan.Rule{ + Deprecated: m.Deprecated, AVDID: m.AVDID, Aliases: append(m.Aliases, m.ID), ShortCode: m.ShortCode, diff --git a/pkg/iac/rego/metadata_test.go b/pkg/iac/rego/metadata_test.go index d12b2d5d55f6..423ddc1a20d7 100644 --- a/pkg/iac/rego/metadata_test.go +++ b/pkg/iac/rego/metadata_test.go 
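Review bot: The assertion in Test_RegisterDeprecatedRule only fires inside `if rule.AVDID == tc.id`, so when no registered rule carries that id (a failed registration, a typo in the metadata) the subtest passes vacuously. Track a hit: `found := false` before the `for _, rule := range rules.GetRegistered()` loop, `found = true` next to the assertion, and `assert.True(t, found, "rule %s was not registered", tc.id)` after the loop. All three cases also appear to register into the same package-level registry under `package builtin.dockerfile.DS1234`, differing only by avd_id; that works today, but a one-line comment noting that the registry is shared across subtests would save the next reader a puzzle.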
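Review bot: The new `deprecated` handling in StaticMetadata.Update silently ignores a value that is not a bool, so a check annotated `deprecated: "true"` (a string, as in the embed test's third case) keeps running as an active check with no diagnostic. Update already returns an error, so the else branch of `if dep, ok := raw.(bool); ok` could `return fmt.Errorf("deprecated must be a bool, got %T", raw)`; if the leniency is intentional, make it visible with `// non-bool values are ignored and the check stays active`. Returning an error would also require revisiting the "invalid deprecation value" case in embed_test.go, which currently expects registration to succeed. Update starts outside this hunk.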
@@ -117,6 +117,23 @@ func Test_UpdateStaticMetadata(t *testing.T) { assert.Equal(t, expected, sm) }) + + t.Run("check is deprecated", func(t *testing.T) { + sm := StaticMetadata{ + Deprecated: false, + } + require.NoError(t, sm.Update(map[string]any{ + "deprecated": true, + })) + + expected := StaticMetadata{ + Deprecated: true, + CloudFormation: &scan.EngineMetadata{}, + Terraform: &scan.EngineMetadata{}, + } + + assert.Equal(t, expected, sm) + }) } func Test_getEngineMetadata(t *testing.T) { diff --git a/pkg/iac/rego/scanner.go b/pkg/iac/rego/scanner.go index f2b9fff0fdf9..ceed9bd7ae6f 100644 --- a/pkg/iac/rego/scanner.go +++ b/pkg/iac/rego/scanner.go @@ -26,28 +26,33 @@ import ( var _ options.ConfigurableScanner = (*Scanner)(nil) type Scanner struct { - ruleNamespaces map[string]struct{} - policies map[string]*ast.Module - store storage.Store - dataDirs []string - runtimeValues *ast.Term - compiler *ast.Compiler - regoErrorLimit int - debug debug.Logger - traceWriter io.Writer - tracePerResult bool - retriever *MetadataRetriever - policyFS fs.FS - dataFS fs.FS - frameworks []framework.Framework - spec string - inputSchema interface{} // unmarshalled into this from a json schema document - sourceType types.Source + ruleNamespaces map[string]struct{} + policies map[string]*ast.Module + store storage.Store + dataDirs []string + runtimeValues *ast.Term + compiler *ast.Compiler + regoErrorLimit int + debug debug.Logger + traceWriter io.Writer + tracePerResult bool + retriever *MetadataRetriever + policyFS fs.FS + dataFS fs.FS + frameworks []framework.Framework + spec string + inputSchema interface{} // unmarshalled into this from a json schema document + sourceType types.Source + includeDeprecatedChecks bool embeddedLibs map[string]*ast.Module embeddedChecks map[string]*ast.Module } +func (s *Scanner) SetIncludeDeprecatedChecks(b bool) { + s.includeDeprecatedChecks = b +} + func (s *Scanner) SetUseEmbeddedLibraries(b bool) { // handled externally } 
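Review bot: `SetIncludeDeprecatedChecks` is exported with no doc comment, and it is the only place a reader can learn what the new `includeDeprecatedChecks` field on Scanner means. Suggest `// SetIncludeDeprecatedChecks controls whether checks whose metadata sets deprecated: true are evaluated; by default they are skipped.` Every other exported setter in this struct's neighbourhood is undocumented too, but this one introduces a behavioural default that is worth spelling out.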
@@ -248,6 +253,10 @@ func (s *Scanner) ScanInput(ctx context.Context, inputs ...Input) (scan.Results, continue } + if !s.includeDeprecatedChecks && staticMeta.Deprecated { + continue // skip deprecated checks + } + if isPolicyWithSubtype(s.sourceType) { // skip if check isn't relevant to what is being scanned if !isPolicyApplicable(staticMeta, inputs...) { diff --git a/pkg/iac/rego/scanner_test.go b/pkg/iac/rego/scanner_test.go index d2868764eda8..f2d115ba0582 100644 --- a/pkg/iac/rego/scanner_test.go +++ b/pkg/iac/rego/scanner_test.go 
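Review bot: The skip at `if !s.includeDeprecatedChecks && staticMeta.Deprecated` drops a check with no trace, so a user who depends on a particular check ID will see it simply stop producing findings once the check is marked deprecated upstream, with nothing in the output or logs explaining the lost coverage. The scanner already has a debug logger (the load.go hunk uses `s.debug.Log("Loaded %d checks from disk.", ...)`), so `s.debug.Log("Skipping deprecated check %s", staticMeta.AVDID)` before the `continue` would make the omission visible, assuming staticMeta is the StaticMetadata value whose AVDID field this change also reads. ScanInput starts and ends outside the hunk.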
@@ -1011,3 +1011,78 @@ deny { assert.Contains(t, buf.String(), `Error occurred while applying rule "deny" from check "checks/bad.rego"`) } + +func Test_RegoScanning_WithDeprecatedCheck(t *testing.T) { + var testCases = []struct { + name string + policy string + expectedResults int + }{ + { + name: "happy path check is deprecated", + policy: `# METADATA +# title: i am a deprecated check +# description: i am a description +# related_resources: +# - https://google.com +# custom: +# id: EG123 +# avd_id: AVD-EG-0123 +# severity: LOW +# recommended_action: have a cup of tea +# deprecated: true +package defsec.test + +deny { + input.text +} + +`, + expectedResults: 0, + }, + { + name: "happy path check is not deprecated", + policy: `# METADATA +# title: i am a deprecated check +# description: i am a description +# related_resources: +# - https://google.com +# custom: +# id: EG123 +# avd_id: AVD-EG-0123 +# severity: LOW +# recommended_action: have a cup of tea +package defsec.test + +deny { + input.text +} + +`, + expectedResults: 1, + }, + } + + for _, tc := range testCases { + t.Run(tc.name, func(t *testing.T) { + srcFS := CreateFS(t, map[string]string{ + "policies/test.rego": tc.policy, + }) + + scanner := NewScanner(types.SourceJSON) + require.NoError( + t, + scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil), + ) + + results, err := scanner.ScanInput(context.TODO(), Input{ + Path: "/evil.lol", + Contents: map[string]interface{}{ + "text": "test", + }, + }) + require.NoError(t, err) + require.Len(t, results, tc.expectedResults, tc.name) + }) + } +} diff --git a/pkg/iac/scan/flat.go b/pkg/iac/scan/flat.go index c640b5fc14ac..a3abc143d273 100755 --- a/pkg/iac/scan/flat.go +++ b/pkg/iac/scan/flat.go @@ -6,6 +6,7 @@ import ( ) type FlatResult struct { + Deprecated bool `json:"deprecated,omitempty"` RuleID string `json:"rule_id"` LongID string `json:"long_id"` RuleSummary string `json:"rule_description"` 
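Review bot: Both cases in Test_RegoScanning_WithDeprecatedCheck run the scanner with its default setting, so the opt-in path — `SetIncludeDeprecatedChecks(true)` yielding a result for the deprecated policy — is never exercised. Add an `includeDeprecated bool` field to the case struct, call `scanner.SetIncludeDeprecatedChecks(tc.includeDeprecated)` after `NewScanner(types.SourceJSON)`, and add a third case that reuses the deprecated policy with `includeDeprecated: true, expectedResults: 1`. The second case's policy title `i am a deprecated check` is copied from the first and is misleading for the non-deprecated policy.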
@@ -48,6 +49,7 @@ func (r *Result) Flatten() FlatResult { } return FlatResult{ + Deprecated: r.rule.Deprecated, RuleID: r.rule.AVDID, LongID: r.Rule().LongID(), RuleSummary: r.rule.Summary, diff --git a/pkg/iac/scan/rule.go b/pkg/iac/scan/rule.go index a1a3ada18e99..c4318b7aad35 100755 --- a/pkg/iac/scan/rule.go +++ b/pkg/iac/scan/rule.go @@ -36,6 +36,7 @@ type TerraformCustomCheck struct { } type Rule struct { + Deprecated bool `json:"deprecated"` AVDID string `json:"avd_id"` Aliases []string `json:"aliases"` ShortCode string `json:"short_code"` @@ -55,6 +56,10 @@ type Rule struct { Check CheckFunc `json:"-"` } +func (r Rule) IsDeprecated() bool { + return r.Deprecated +} + func (r Rule) HasID(id string) bool { if r.AVDID == id || r.LongID() == id { return true diff --git a/pkg/iac/scanners/azure/arm/scanner.go b/pkg/iac/scanners/azure/arm/scanner.go index d9ae227a0992..b4bcfc539486 100644 --- a/pkg/iac/scanners/azure/arm/scanner.go +++ b/pkg/iac/scanners/azure/arm/scanner.go @@ -40,6 +40,8 @@ type Scanner struct { // nolint: gocritic sync.Mutex } +func (s *Scanner) SetIncludeDeprecatedChecks(b bool) {} + func (s *Scanner) SetSpec(spec string) { s.spec = spec } diff --git a/pkg/iac/scanners/cloudformation/scanner.go b/pkg/iac/scanners/cloudformation/scanner.go index 0920f4425fdb..1bbbe39f2117 100644 --- a/pkg/iac/scanners/cloudformation/scanner.go +++ b/pkg/iac/scanners/cloudformation/scanner.go @@ -64,6 +64,8 @@ type Scanner struct { // nolint: gocritic sync.Mutex } +func (s *Scanner) SetIncludeDeprecatedChecks(bool) {} + func (s *Scanner) addParserOptions(opt options.ParserOption) { s.parserOptions = append(s.parserOptions, opt) } diff --git a/pkg/iac/scanners/dockerfile/scanner.go b/pkg/iac/scanners/dockerfile/scanner.go index 88a18e35ed1a..29df54634d58 100644 --- a/pkg/iac/scanners/dockerfile/scanner.go +++ b/pkg/iac/scanners/dockerfile/scanner.go 
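Review bot: `Rule.Deprecated` is tagged `json:"deprecated"` while the matching `FlatResult.Deprecated` field added in flat.go is tagged `json:"deprecated,omitempty"`, so the same attribute serialises differently depending on which struct reaches the output. Pick one form; `omitempty` on both keeps existing JSON consumers unchanged for the common non-deprecated case.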
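Review bot: `IsDeprecated` is an exported method without a doc comment, and nothing visible in this change calls it (scanner.go reads `staticMeta.Deprecated` directly), so its purpose is not obvious. Add `// IsDeprecated reports whether the check is marked deprecated in its metadata.`, or leave it out until a caller exists.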
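Review bot: `SetIncludeDeprecatedChecks` on the ARM scanner is an empty no-op, as are the identical stubs in the cloudformation, dockerfile, helm, json, kubernetes, terraform, tfjson, toml and yaml scanners; the value is neither stored nor forwarded. If these scanners build their internal Rego scanner from the same option list they were constructed with, the setting still reaches it and the stub is fine; if not, `--include-deprecated-checks` is silently ignored for those file types. A comment on each stub stating where the option is honoured, e.g. `// no-op: the option is applied by the rego scanner this scanner delegates to`, would document the intent if that is the case. The ARM and terraform stubs also name the unused parameter `b` while the others leave it unnamed; use one form.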
@@ -34,6 +34,8 @@ type Scanner struct { // nolint: gocritic loadEmbeddedPolicies bool } +func (s *Scanner) SetIncludeDeprecatedChecks(bool) {} + func (s *Scanner) SetSpec(spec string) { s.spec = spec } diff --git a/pkg/iac/scanners/helm/scanner.go b/pkg/iac/scanners/helm/scanner.go index e2b666082c97..fc54af44781f 100644 --- a/pkg/iac/scanners/helm/scanner.go +++ b/pkg/iac/scanners/helm/scanner.go @@ -43,6 +43,8 @@ type Scanner struct { mu sync.Mutex } +func (s *Scanner) SetIncludeDeprecatedChecks(bool) {} + func (s *Scanner) SetSpec(spec string) { s.spec = spec } diff --git a/pkg/iac/scanners/json/scanner.go b/pkg/iac/scanners/json/scanner.go index 5c53d0a10896..3d563c34c790 100644 --- a/pkg/iac/scanners/json/scanner.go +++ b/pkg/iac/scanners/json/scanner.go @@ -34,6 +34,8 @@ type Scanner struct { // nolint: gocritic loadEmbeddedLibraries bool } +func (s *Scanner) SetIncludeDeprecatedChecks(bool) {} + func (s *Scanner) SetRegoOnly(bool) { } diff --git a/pkg/iac/scanners/kubernetes/scanner.go b/pkg/iac/scanners/kubernetes/scanner.go index 121c954990a3..44f13ce5b003 100644 --- a/pkg/iac/scanners/kubernetes/scanner.go +++ b/pkg/iac/scanners/kubernetes/scanner.go @@ -38,6 +38,8 @@ type Scanner struct { // nolint: gocritic loadEmbeddedLibraries bool } +func (s *Scanner) SetIncludeDeprecatedChecks(bool) {} + func (s *Scanner) SetSpec(spec string) { s.spec = spec } diff --git a/pkg/iac/scanners/options/scanner.go b/pkg/iac/scanners/options/scanner.go index 02c01be5c95a..8e79b0c4a185 100644 --- a/pkg/iac/scanners/options/scanner.go +++ b/pkg/iac/scanners/options/scanner.go @@ -24,6 +24,7 @@ type ConfigurableScanner interface { SetRegoOnly(regoOnly bool) SetRegoErrorLimit(limit int) SetUseEmbeddedLibraries(bool) + SetIncludeDeprecatedChecks(bool) } type ScannerOption func(s ConfigurableScanner) 
@@ -65,6 +66,12 @@ func ScannerWithEmbeddedLibraries(enabled bool) ScannerOption { } } +func ScannerWithIncludeDeprecatedChecks(enabled bool) ScannerOption { + return func(s ConfigurableScanner) { + s.SetIncludeDeprecatedChecks(enabled) + } +} + // ScannerWithTrace specifies an io.Writer for trace logs (mainly rego tracing) - if not set, they are discarded func ScannerWithTrace(w io.Writer) ScannerOption { return func(s ConfigurableScanner) { diff --git a/pkg/iac/scanners/terraform/scanner.go b/pkg/iac/scanners/terraform/scanner.go index 1f051a166595..c999acf337f5 100644 --- a/pkg/iac/scanners/terraform/scanner.go +++ b/pkg/iac/scanners/terraform/scanner.go @@ -45,6 +45,8 @@ type Scanner struct { // nolint: gocritic loadEmbeddedPolicies bool } +func (s *Scanner) SetIncludeDeprecatedChecks(b bool) {} + func (s *Scanner) SetSpec(spec string) { s.spec = spec } diff --git a/pkg/iac/scanners/terraformplan/tfjson/scanner.go b/pkg/iac/scanners/terraformplan/tfjson/scanner.go index 1a73bd6af0cd..6f62d822177f 100644 --- a/pkg/iac/scanners/terraformplan/tfjson/scanner.go +++ b/pkg/iac/scanners/terraformplan/tfjson/scanner.go @@ -38,6 +38,8 @@ type Scanner struct { policyReaders []io.Reader } +func (s *Scanner) SetIncludeDeprecatedChecks(bool) {} + func (s *Scanner) SetUseEmbeddedLibraries(b bool) { s.loadEmbeddedLibraries = b } diff --git a/pkg/iac/scanners/toml/scanner.go b/pkg/iac/scanners/toml/scanner.go index 57f27df92db6..0a05fdbac18f 100644 --- a/pkg/iac/scanners/toml/scanner.go +++ b/pkg/iac/scanners/toml/scanner.go @@ -32,6 +32,8 @@ type Scanner struct { // nolint: gocritic loadEmbeddedLibraries bool } +func (s *Scanner) SetIncludeDeprecatedChecks(bool) {} + func (s *Scanner) SetRegoOnly(bool) {} func (s *Scanner) SetFrameworks(frameworks []framework.Framework) { diff --git a/pkg/iac/scanners/yaml/scanner.go b/pkg/iac/scanners/yaml/scanner.go index 02a68f0d5566..0adc43bbd4cf 100644 --- a/pkg/iac/scanners/yaml/scanner.go +++ b/pkg/iac/scanners/yaml/scanner.go 
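Review bot: `ScannerWithIncludeDeprecatedChecks` has no doc comment, unlike its neighbour `ScannerWithTrace` immediately below it. Suggest `// ScannerWithIncludeDeprecatedChecks makes the scanner evaluate checks whose metadata marks them deprecated; by default such checks are skipped.`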
@@ -32,6 +32,8 @@ type Scanner struct { // nolint: gocritic loadEmbeddedPolicies bool } +func (s *Scanner) SetIncludeDeprecatedChecks(bool) {} + func (s *Scanner) SetRegoOnly(bool) {} func (s *Scanner) SetFrameworks(frameworks []framework.Framework) { diff --git a/pkg/misconf/scanner.go b/pkg/misconf/scanner.go index 9d81851b844f..90ee90cb4216 100644 --- a/pkg/misconf/scanner.go +++ b/pkg/misconf/scanner.go @@ -54,6 +54,7 @@ type ScannerOption struct { DataPaths []string DisableEmbeddedPolicies bool DisableEmbeddedLibraries bool + IncludeDeprecatedChecks bool HelmValues []string HelmValueFiles []string @@ -217,6 +218,7 @@ func scannerOptions(t detection.FileType, opt ScannerOption) ([]options.ScannerO options.ScannerWithSkipRequiredCheck(true), options.ScannerWithEmbeddedPolicies(!opt.DisableEmbeddedPolicies), options.ScannerWithEmbeddedLibraries(!opt.DisableEmbeddedLibraries), + options.ScannerWithIncludeDeprecatedChecks(opt.IncludeDeprecatedChecks), } policyFS, policyPaths, err := CreatePolicyFS(opt.PolicyPaths)