feat(plugin): trivy-aws as a plugin for Trivy (#153)

* feat(plugin): trivy-aws as a plugin for Trivy * add new workflow and make cmds * update gitignore * match ci config to trivy * update golangci-lint to 1.54.2 * fix lint * update review comments * remove un-needed params * update docs * refactor code from trivy pkgs * fix linter issues * consolidate pkg/cloud
aquasecurity · Jun 6, 2024 · c92585c · c92585c
1 parent 1304c27
commit c92585c
Show file tree

Hide file tree

Showing 30 changed files with 5,903 additions and 9 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,24 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - "v*"
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Build
+        run: make build
+      - name: Bundle
+        run: make bundle
+      - name: Release
+        uses: softprops/action-gh-release@v1
+        with:
+          files: |
+            trivy-aws.tar.gz
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.gitignore b/.gitignore
@@ -10,3 +10,5 @@ vendor/
 *.iml
 .vscode/
 .DS_Store
+
+trivy-aws*
diff --git a/.golangci.yml b/.golangci.yml
@@ -19,7 +19,7 @@ linters:
 
 linters-settings:
   cyclop:
-    max-complexity: 18
+    max-complexity: 20
   gocritic:
     disabled-checks:
       - singleCaseSwitch

diff --git a/ARCHITECTURE.md b/ARCHITECTURE.md
@@ -1,15 +1,17 @@
 # Architecture
 
-This document aims to answer the question *Where is the code that does X?*
+This document aims to answer the question of *Where is the code that does X?*
 
 ## Project Layout
 
 The directory structure is broken down as follows:
 
+- `cmd` - Contains the setup to bootstrap as a Trivy plugin
 - `internal/adapters` - Adapters take input - such as a Terraform file or an AWS account - and _adapt_ it to a common format that can be used by the rules engine. This is where the bulk of the code is for supporting new cloud providers.
 - `pkg/scanners` - Scanners for various inputs. For example, the `terraform` scanner will scan a Terraform directory and return a list of resources.
 - `pkg/state` - The overall state object for Cloud providers is defined here. You should add to the `State` struct if you want to add a new cloud provider.
 - `pkg/terraform` - Data structures for describing Terraform resources and modules.
 - `pkg/types` - Useful types. Our types wrap a simple data type (e.g. `bool`) and add various metadata to it, such as file name and line number where it was defined.
 - `pkg/concurrency` - Data structures used to concurrently adapt resources
+- `pkg/cloud` - Helper libraries for AWS cloud scanning
 - `test` - Integration tests and other high-level tests that require a full build of the project.
diff --git a/Makefile b/Makefile
@@ -2,16 +2,24 @@
 test:
 	go test -race ./...
 
+.PHONY: build
+build:
+	CGO_ENABLED=0 go build -ldflags "-s -w" -o trivy-aws ./cmd/trivy-aws/main.go
+
 .PHONY: test-no-localstack
 test-no-localstack:
 	go test $$(go list ./... | grep -v internal/adapters | awk -F'github.com/aquasecurity/trivy-aws' '{print "./"$$2}')
 
 .PHONY: quality
 quality:
-	which golangci-lint || go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.52.2
+	which golangci-lint || go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.54.2
 	golangci-lint run --timeout 3m --verbose
 
 .PHONY: update-aws-deps
 update-aws-deps:
 	@grep aws-sdk-go-v2 go.mod | grep -v '// indirect' | sed 's/^[ [[:blank:]]]*//g' | sed 's/[[:space:]]v.*//g' | xargs go get
-	@go mod tidy
+	@go mod tidy
+
+.PHONY: bundle
+bundle:
+	tar -cvzf trivy-aws.tar.gz plugin.yaml trivy-aws LICENSE
diff --git a/README.md b/README.md
@@ -1,5 +1,68 @@
 # trivy-aws
 
+## Installing Trivy AWS Plugin
+
+```shell
+$ trivy plugin install github.com/aquasecurity/trivy-aws
+```
+
+## Usage
+
+Scan an AWS account for misconfigurations. Trivy uses the same authentication methods as the AWS CLI. See https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html
+
+The following services are supported:
+
+- accessanalyzer
+- api-gateway
+- athena
+- cloudfront
+- cloudtrail
+- cloudwatch
+- codebuild
+- documentdb
+- dynamodb
+- ec2
+- ecr
+- ecs
+- efs
+- eks
+- elasticache
+- elasticsearch
+- elb
+- emr
+- iam
+- kinesis
+- kms
+- lambda
+- mq
+- msk
+- neptune
+- rds
+- redshift
+- s3
+- sns
+- sqs
+- ssm
+- workspaces
+
+```shell
+Usage:
+  trivy aws-scan [flags]
+
+Examples:
+  # basic scanning
+  $ trivy aws-scan --region us-east-1
+
+  # limit scan to a single service:
+  $ trivy aws-scan --region us-east-1 --service s3
+
+  # limit scan to multiple services:
+  $ trivy aws-scan --region us-east-1 --service s3 --service ec2
+
+  # force refresh of cache for fresh results
+  $ trivy aws-scan --region us-east-1 --update-cache
+```
+
 _trivy-aws_ is the AWS misconfiguration scanning logic for Trivy
 
 Please see [ARCHITECTURE.md](ARCHITECTURE.md) for more information.

diff --git a/cmd/trivy-aws/main.go b/cmd/trivy-aws/main.go
@@ -0,0 +1,17 @@
+package main
+
+import (
+	"github.com/aquasecurity/trivy-aws/pkg/commands"
+	"github.com/aquasecurity/trivy/pkg/log"
+)
+
+func main() {
+	if err := run(); err != nil {
+		log.Fatal(err.Error())
+	}
+}
+
+func run() error {
+	cmd := commands.NewCmd()
+	return cmd.Execute()
+}