feat(vm): add region option to vm scan to be able to scan any regio…

…n's ami and ebs snapshots (#3284) Co-authored-by: Teppei Fukuda <[email protected]>
aquasecurity · Dec 15, 2022 · e92266f · e92266f
1 parent 01c7fb1
commit e92266f
Show file tree

Hide file tree

Showing 7 changed files with 34 additions and 6 deletions.
diff --git a/docs/docs/vm/aws.md b/docs/docs/vm/aws.md
@@ -25,6 +25,12 @@ $ trivy vm --security-checks vuln ami:ami-0123456789abcdefg
 !!! tip
     The scanning could be faster if you enable only vulnerability scanning (`--security-checks vuln`) because Trivy tries to download only necessary blocks for vulnerability detection.
 
+If you want to scan a AMI of non-default setting region, you can set any region via `--aws-region` option.
+
+```shell
+$ trivy vm --aws-region ap-northeast-1 ami:ami-0123456789abcdefg
+```
+
 
 ### Required Actions
 Some actions on EBS are also necessary since Trivy scans an EBS snapshot tied to the specified AMI under the hood.
@@ -52,6 +58,13 @@ $ trivy vm --security-checks vuln ebs:snap-0123456789abcdefg
 !!! tip
 The scanning could be faster if you enable only vulnerability scanning (`--security-checks vuln`) because Trivy tries to download only necessary blocks for vulnerability detection.
 
+If you want to scan an EBS Snapshot of non-default setting region, you can set any region via `--aws-region` option.
+
+```shell
+$ trivy vm --aws-region ap-northeast-1 ebs:ebs-0123456789abcdefg
+```
+
+
 The above command takes a while as it calls EBS API and fetches the EBS blocks.
 If you want to scan the same snapshot several times, you can download the snapshot locally by using [coldsnap][coldsnap] maintained by AWS.
 Then, Trivy can scan the local VM image file.

diff --git a/pkg/commands/app.go b/pkg/commands/app.go
@@ -893,6 +893,14 @@ func NewVMCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 		ScanFlagGroup:          flag.NewScanFlagGroup(),
 		SecretFlagGroup:        flag.NewSecretFlagGroup(),
 		VulnerabilityFlagGroup: flag.NewVulnerabilityFlagGroup(),
+		AWSFlagGroup: &flag.AWSFlagGroup{
+			Region: &flag.Flag{
+				Name:       "aws-region",
+				ConfigName: "aws.region",
+				Value:      "",
+				Usage:      "AWS region to scan",
+			},
+		},
 	}
 
 	cmd := &cobra.Command{

diff --git a/pkg/commands/artifact/run.go b/pkg/commands/artifact/run.go
@@ -551,6 +551,7 @@ func initScannerConfig(opts flag.Options, cacheClient cache.Cache) (ScannerConfi
 			RekorURL:          opts.RekorURL,
 			Platform:          opts.Platform,
 			Slow:              opts.Slow,
+			AWSRegion:         opts.Region,
 
 			// For misconfiguration scanning
 			MisconfScannerOption: configScannerOptions,

diff --git a/pkg/fanal/artifact/artifact.go b/pkg/fanal/artifact/artifact.go
@@ -27,6 +27,7 @@ type Option struct {
 	RekorURL          string
 	Platform          string
 	Slow              bool // Lower CPU and memory
+	AWSRegion         string
 
 	MisconfScannerOption misconf.ScannerOption
 	SecretScannerOption  analyzer.SecretScannerOption

diff --git a/pkg/fanal/artifact/vm/ami.go b/pkg/fanal/artifact/vm/ami.go
@@ -19,13 +19,16 @@ type AMI struct {
 	imageID string
 }
 
-func newAMI(imageID string, storage Storage) (*AMI, error) {
+func newAMI(imageID string, storage Storage, region string) (*AMI, error) {
 	// TODO: propagate context
 	ctx := context.TODO()
 	cfg, err := config.LoadDefaultConfig(ctx)
 	if err != nil {
 		return nil, xerrors.Errorf("aws config load error: %w", err)
 	}
+	if region != "" {
+		cfg.Region = region
+	}
 	client := ec2.NewFromConfig(cfg)
 	output, err := client.DescribeImages(ctx, &ec2.DescribeImagesInput{
 		ImageIds: []string{imageID},
@@ -43,7 +46,7 @@ func newAMI(imageID string, storage Storage) (*AMI, error) {
 			continue
 		}
 		log.Logger.Infof("Snapshot %s found", snapshotID)
-		ebs, err := newEBS(snapshotID, storage)
+		ebs, err := newEBS(snapshotID, storage, region)
 		if err != nil {
 			return nil, xerrors.Errorf("new EBS error: %w", err)
 		}

diff --git a/pkg/fanal/artifact/vm/ebs.go b/pkg/fanal/artifact/vm/ebs.go
@@ -24,8 +24,10 @@ type EBS struct {
 	ebs        ebsfile.EBSAPI
 }
 
-func newEBS(snapshotID string, vm Storage) (*EBS, error) {
-	ebs, err := ebsfile.New(ebsfile.Option{})
+func newEBS(snapshotID string, vm Storage, region string) (*EBS, error) {
+	ebs, err := ebsfile.New(ebsfile.Option{
+		AwsRegion: region,
+	})
 	if err != nil {
 		return nil, xerrors.Errorf("new ebsfile error: %w", err)
 	}

diff --git a/pkg/fanal/artifact/vm/vm.go b/pkg/fanal/artifact/vm/vm.go
@@ -109,10 +109,10 @@ func NewArtifact(target string, c cache.ArtifactCache, opt artifact.Option) (art
 	switch targetType {
 	case TypeAMI:
 		target = strings.TrimPrefix(target, TypeAMI.Prefix())
-		return newAMI(target, storage)
+		return newAMI(target, storage, opt.AWSRegion)
 	case TypeEBS:
 		target = strings.TrimPrefix(target, TypeEBS.Prefix())
-		e, err := newEBS(target, storage)
+		e, err := newEBS(target, storage, opt.AWSRegion)
 		if err != nil {
 			return nil, xerrors.Errorf("new EBS error: %w", err)
 		}