Skip to content

Commit

Permalink
feat: add aliases to '--scanners' (#5558)
Browse files Browse the repository at this point in the history
Signed-off-by: knqyf263 <[email protected]>
  • Loading branch information
knqyf263 authored Nov 15, 2023
1 parent 950e431 commit a96ec35
Show file tree
Hide file tree
Showing 27 changed files with 80 additions and 53 deletions.
2 changes: 1 addition & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -78,7 +78,7 @@ https://user-images.githubusercontent.com/1161307/171013513-95f18734-233d-45d3-a
</details>

```bash
trivy fs --scanners vuln,secret,config myproject/
trivy fs --scanners vuln,secret,misconfig myproject/
```

<details>
Expand Down
2 changes: 1 addition & 1 deletion docs/docs/configuration/others.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ You can enable/disable scanners with the `--scanners` flag.
Supported values:

- vuln
- config
- misconfig
- secret
- license

Expand Down
2 changes: 1 addition & 1 deletion docs/docs/references/configuration/cli/trivy_aws.md
Original file line number Diff line number Diff line change
Expand Up @@ -82,7 +82,7 @@ trivy aws [flags]
-h, --help help for aws
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignorefile string specify .trivyignore file (default ".trivyignore")
--include-non-failures include successes and exceptions, available with '--scanners config'
--include-non-failures include successes and exceptions, available with '--scanners misconfig'
--list-all-pkgs enabling the option will output all packages regardless of vulnerability
--max-cache-age duration The maximum age of the cloud cache. Cached data will be requeried from the cloud provider if it is older than this. (default 24h0m0s)
-o, --output string output file name
Expand Down
2 changes: 1 addition & 1 deletion docs/docs/references/configuration/cli/trivy_config.md
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ trivy config [flags] DIR
-h, --help help for config
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignorefile string specify .trivyignore file (default ".trivyignore")
--include-non-failures include successes and exceptions, available with '--scanners config'
--include-non-failures include successes and exceptions, available with '--scanners misconfig'
--k8s-version string specify k8s version to validate outdated api by it (example: 1.21.0)
--module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
-o, --output string output file name
Expand Down
4 changes: 2 additions & 2 deletions docs/docs/references/configuration/cli/trivy_filesystem.md
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,7 @@ trivy filesystem [flags] PATH
--ignored-licenses strings specify a list of license to ignore
--ignorefile string specify .trivyignore file (default ".trivyignore")
--include-dev-deps include development dependencies in the report (supported: npm, yarn)
--include-non-failures include successes and exceptions, available with '--scanners config'
--include-non-failures include successes and exceptions, available with '--scanners misconfig'
--java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
--license-confidence-level float specify license classifier's confidence level (default 0.9)
--license-full eagerly look for licenses in source code headers and license files
Expand All @@ -67,7 +67,7 @@ trivy filesystem [flags] PATH
--reset remove all caches and database
--reset-policy-bundle remove policy bundle
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
--scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
--server string server address in client mode
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
Expand Down
6 changes: 3 additions & 3 deletions docs/docs/references/configuration/cli/trivy_image.md
Original file line number Diff line number Diff line change
Expand Up @@ -61,9 +61,9 @@ trivy image [flags] IMAGE_NAME
--ignore-unfixed display only fixed vulnerabilities
--ignored-licenses strings specify a list of license to ignore
--ignorefile string specify .trivyignore file (default ".trivyignore")
--image-config-scanners strings comma-separated list of what security issues to detect on container image configurations (config,secret)
--image-config-scanners strings comma-separated list of what security issues to detect on container image configurations (misconfig,secret)
--image-src strings image source(s) to use, in priority order (docker,containerd,podman,remote) (default [docker,containerd,podman,remote])
--include-non-failures include successes and exceptions, available with '--scanners config'
--include-non-failures include successes and exceptions, available with '--scanners misconfig'
--input string input file path instead of image name
--java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
--license-confidence-level float specify license classifier's confidence level (default 0.9)
Expand All @@ -88,7 +88,7 @@ trivy image [flags] IMAGE_NAME
--reset remove all caches and database
--reset-policy-bundle remove policy bundle
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
--scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
--server string server address in client mode
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
Expand Down
4 changes: 2 additions & 2 deletions docs/docs/references/configuration/cli/trivy_kubernetes.md
Original file line number Diff line number Diff line change
Expand Up @@ -55,7 +55,7 @@ trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg:
--ignore-unfixed display only fixed vulnerabilities
--ignorefile string specify .trivyignore file (default ".trivyignore")
--image-src strings image source(s) to use, in priority order (docker,containerd,podman,remote) (default [docker,containerd,podman,remote])
--include-non-failures include successes and exceptions, available with '--scanners config'
--include-non-failures include successes and exceptions, available with '--scanners misconfig'
--java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
--k8s-version string specify k8s version to validate outdated api by it (example: 1.21.0)
--kubeconfig string specify the kubeconfig file path to use
Expand All @@ -79,7 +79,7 @@ trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg:
--reset remove all caches and database
--reset-policy-bundle remove policy bundle
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,config,secret,rbac) (default [vuln,config,secret,rbac])
--scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,rbac) (default [vuln,misconfig,secret,rbac])
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--skip-db-update skip updating vulnerability database
Expand Down
4 changes: 2 additions & 2 deletions docs/docs/references/configuration/cli/trivy_repository.md
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
--ignored-licenses strings specify a list of license to ignore
--ignorefile string specify .trivyignore file (default ".trivyignore")
--include-dev-deps include development dependencies in the report (supported: npm, yarn)
--include-non-failures include successes and exceptions, available with '--scanners config'
--include-non-failures include successes and exceptions, available with '--scanners misconfig'
--java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
--license-confidence-level float specify license classifier's confidence level (default 0.9)
--license-full eagerly look for licenses in source code headers and license files
Expand All @@ -66,7 +66,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
--reset remove all caches and database
--reset-policy-bundle remove policy bundle
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
--scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
--server string server address in client mode
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
Expand Down
4 changes: 2 additions & 2 deletions docs/docs/references/configuration/cli/trivy_rootfs.md
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,7 @@ trivy rootfs [flags] ROOTDIR
--ignore-unfixed display only fixed vulnerabilities
--ignored-licenses strings specify a list of license to ignore
--ignorefile string specify .trivyignore file (default ".trivyignore")
--include-non-failures include successes and exceptions, available with '--scanners config'
--include-non-failures include successes and exceptions, available with '--scanners misconfig'
--java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
--license-confidence-level float specify license classifier's confidence level (default 0.9)
--license-full eagerly look for licenses in source code headers and license files
Expand All @@ -68,7 +68,7 @@ trivy rootfs [flags] ROOTDIR
--reset remove all caches and database
--reset-policy-bundle remove policy bundle
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
--scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
--server string server address in client mode
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
Expand Down
4 changes: 2 additions & 2 deletions docs/docs/references/configuration/cli/trivy_vm.md
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,7 @@ trivy vm [flags] VM_IMAGE
--ignore-status strings comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life)
--ignore-unfixed display only fixed vulnerabilities
--ignorefile string specify .trivyignore file (default ".trivyignore")
--include-non-failures include successes and exceptions, available with '--scanners config'
--include-non-failures include successes and exceptions, available with '--scanners misconfig'
--java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
--list-all-pkgs enabling the option will output all packages regardless of vulnerability
--module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
Expand All @@ -60,7 +60,7 @@ trivy vm [flags] VM_IMAGE
--reset remove all caches and database
--reset-policy-bundle remove policy bundle
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
--scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
--server string server address in client mode
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
Expand Down
3 changes: 2 additions & 1 deletion docs/docs/references/configuration/config-file.md
Original file line number Diff line number Diff line change
Expand Up @@ -112,8 +112,9 @@ scan:
# Default depends on subcommand
scanners:
- vuln
- config
- misconfig
- secret
- license
```
## Cache Options
Expand Down
10 changes: 5 additions & 5 deletions docs/docs/scanner/misconfiguration/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -35,28 +35,28 @@ $ trivy config [YOUR_IaC_DIRECTORY]
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
```

You can also enable misconfiguration detection in container image, filesystem and git repository scanning via `--scanners config`.
You can also enable misconfiguration detection in container image, filesystem and git repository scanning via `--scanners misconfig`.

```bash
$ trivy image --scanners config IMAGE_NAME
$ trivy image --scanners misconfig IMAGE_NAME
```

```bash
$ trivy fs --scanners config /path/to/dir
$ trivy fs --scanners misconfig /path/to/dir
```

!!! note
Misconfiguration detection is not enabled by default in `image`, `fs` and `repo` subcommands.

Unlike the `config` subcommand, `image`, `fs` and `repo` subcommands can also scan for vulnerabilities and secrets at the same time.
You can specify `--scanners vuln,config,secret` to enable vulnerability and secret detection as well as misconfiguration detection.
You can specify `--scanners vuln,misconfig,secret` to enable vulnerability and secret detection as well as misconfiguration detection.


!!! example
``` bash
$ ls myapp/
Dockerfile Pipfile.lock
$ trivy fs --scanners vuln,config,secret --severity HIGH,CRITICAL myapp/
$ trivy fs --scanners vuln,misconfig,secret --severity HIGH,CRITICAL myapp/
2022-05-16T13:42:21.440+0100 INFO Number of language-specific files: 1
2022-05-16T13:42:21.440+0100 INFO Detecting pipenv vulnerabilities...
2022-05-16T13:42:21.440+0100 INFO Detected config files: 1
Expand Down
4 changes: 2 additions & 2 deletions docs/docs/target/container_image.md
Original file line number Diff line number Diff line change
Expand Up @@ -64,10 +64,10 @@ $ trivy image --scanners vuln [YOUR_IMAGE_NAME]
### Misconfigurations
It is supported, but it is not useful in most cases.
As mentioned [here](../scanner/misconfiguration/index.md), Trivy mainly supports Infrastructure as Code (IaC) files for misconfigurations.
If your container image includes IaC files such as Kubernetes YAML files or Terraform files, you should enable this feature with `--scanners config`.
If your container image includes IaC files such as Kubernetes YAML files or Terraform files, you should enable this feature with `--scanners misconfig`.

```
$ trivy image --scanners config [YOUR_IMAGE_NAME]
$ trivy image --scanners misconfig [YOUR_IMAGE_NAME]
```

### Secrets
Expand Down
4 changes: 2 additions & 2 deletions docs/docs/target/filesystem.md
Original file line number Diff line number Diff line change
Expand Up @@ -65,11 +65,11 @@ Total: 10 (UNKNOWN: 2, LOW: 0, MEDIUM: 6, HIGH: 2, CRITICAL: 0)
</details>

### Misconfigurations
It is disabled by default and can be enabled with `--scanners config`.
It is disabled by default and can be enabled with `--scanners misconfig`.
See [here](../scanner/misconfiguration/index.md) for the detail.

```shell
$ trivy fs --scanners config /path/to/project
$ trivy fs --scanners misconfig /path/to/project
```

### Secrets
Expand Down
4 changes: 2 additions & 2 deletions docs/docs/target/repository.md
Original file line number Diff line number Diff line change
Expand Up @@ -82,11 +82,11 @@ Total: 10 (UNKNOWN: 2, LOW: 0, MEDIUM: 6, HIGH: 2, CRITICAL: 0)
</details>

### Misconfigurations
It is disabled by default and can be enabled with `--scanners config`.
It is disabled by default and can be enabled with `--scanners misconfig`.
See [here](../scanner/misconfiguration/index.md) for the detail.

```shell
$ trivy repo --scanners config (REPO_PATH | REPO_URL)
$ trivy repo --scanners misconfig (REPO_PATH | REPO_URL)
```

### Secrets
Expand Down
4 changes: 2 additions & 2 deletions docs/docs/target/vm.md
Original file line number Diff line number Diff line change
Expand Up @@ -153,10 +153,10 @@ $ trivy vm [YOUR_VM_IMAGE]
### Misconfigurations
It is supported, but it is not useful in most cases.
As mentioned [here](../scanner/misconfiguration/index.md), Trivy mainly supports Infrastructure as Code (IaC) files for misconfigurations.
If your VM image includes IaC files such as Kubernetes YAML files or Terraform files, you should enable this feature with `--scanners config`.
If your VM image includes IaC files such as Kubernetes YAML files or Terraform files, you should enable this feature with `--scanners misconfig`.

```
$ trivy vm --scanners config [YOUR_VM_IMAGE]
$ trivy vm --scanners misconfig [YOUR_VM_IMAGE]
```

### Secrets
Expand Down
2 changes: 1 addition & 1 deletion docs/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -82,7 +82,7 @@ trivy image python:3.4-alpine
</details>

```bash
trivy fs --scanners vuln,secret,config myproject/
trivy fs --scanners vuln,secret,misconfig myproject/
```

<details>
Expand Down
2 changes: 1 addition & 1 deletion docs/tutorials/integrations/gitlab-ci.md
Original file line number Diff line number Diff line change
Expand Up @@ -150,7 +150,7 @@ trivy:
# Image report
- ./trivy image --exit-code 0 --format template --template "@contrib/gitlab-codequality.tpl" -o gl-codeclimate-image.json $IMAGE
# Filesystem report
- ./trivy filesystem --scanners config,vuln --exit-code 0 --format template --template "@contrib/gitlab-codequality.tpl" -o gl-codeclimate-fs.json .
- ./trivy filesystem --scanners misconfig,vuln --exit-code 0 --format template --template "@contrib/gitlab-codequality.tpl" -o gl-codeclimate-fs.json .
# Combine report
- apk update && apk add jq
- jq -s 'add' gl-codeclimate-image.json gl-codeclimate-fs.json > gl-codeclimate.json
Expand Down
2 changes: 1 addition & 1 deletion docs/tutorials/misconfiguration/terraform.md
Original file line number Diff line number Diff line change
Expand Up @@ -97,7 +97,7 @@ We have lots of examples in the [documentation](https://aquasecurity.github.io/t
The `trivy config` command does not perform secrete and vulnerability checks out of the box. However, you can specify as part of your `trivy fs` scan that you would like to scan you terraform files for exposed secrets and misconfiguraction through the following flags:

```
trivy fs --scanners secret,config ./
trivy fs --scanners secret,misconfig ./
```

The `trivy config` command is a sub-command of the `trivy fs` command. You can learn more about this command in the [documentation.](https://aquasecurity.github.io/trivy/latest/docs/target/filesystem/)
Expand Down
4 changes: 2 additions & 2 deletions integration/repo_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -360,10 +360,10 @@ func TestRepository(t *testing.T) {
},
},
{
name: "dockerfile with fs subcommand",
name: "dockerfile with fs subcommand and an alias scanner",
args: args{
command: "fs",
scanner: types.MisconfigScanner,
scanner: "config", // for backward compatibility
policyPaths: []string{"testdata/fixtures/repo/custom-policy/policy"},
namespaces: []string{"user"},
input: "testdata/fixtures/repo/custom-policy",
Expand Down
Loading

0 comments on commit a96ec35

Please sign in to comment.