feat(vm): add region option to vm scan to be able to scan any region's ami and ebs snapshots

[tockn]

Description

Hi. Thank you for such a wonderful product!

VM scanning is performed in the current implementation using default region settings read from environment variables, etc. The only way to scan for EBS snapshots (or AMIs) in any region was probably to dynamically change the AWS_REGION environment variable.
Therefore, in this pr, I have implemented the --region option so that EBS snapshots and AMIs can be fetched by specifying any region.

This is just a personal usage that I implemented on my own, so if you have a different idea, please close this pr!

Related issues

N/A

before

❯ trivy vm ebs:snap-xxxxxxxxxxxx
2022-12-10T16:07:11.899+0900    INFO    Vulnerability scanning is enabled
2022-12-10T16:07:11.901+0900    INFO    Secret scanning is enabled
2022-12-10T16:07:11.901+0900    INFO    If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-12-10T16:07:11.901+0900    INFO    Please see also https://aquasecurity.github.io/trivy/dev/docs/secret/scanning/#recommendation for faster secret detection
2022-12-10T16:07:12.098+0900    FATAL   vm scan error: scan error: scan failed: failed analysis: EBS open error: EBS error: operation error EBS: ListSnapshotBlocks, https response error StatusCode: 404, RequestID: ---------------, ResourceNotFoundException: The snapshot 'snap-xxxxxxxxxxxx' does not exist.

after

❯ trivy vm --region us-west-2 ebs:snap-xxxxxxxxxxxx
2022-12-10T16:26:03.407+0900    INFO    Vulnerability scanning is enabled
2022-12-10T16:26:03.409+0900    INFO    Secret scanning is enabled
2022-12-10T16:26:03.409+0900    INFO    If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-12-10T16:26:03.409+0900    INFO    Please see also https://aquasecurity.github.io/trivy/dev/docs/secret/scanning/#recommendation for faster secret detection
....

Checklist

• I've read the guidelines for contributing to this repository.
• I've followed the conventions in the PR title.
• I've added tests that prove my fix is effective or that my feature works.
• I've updated the documentation with the relevant information (if needed).
• I've added usage information (if the PR introduces new options)
• I've included a "before" and "after" example to the description (if the PR is a user interface change).

[CLAassistant]

All committers have signed the CLA.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[knqyf263]

Could you use AWSFlagGroup instead?

trivy/pkg/flag/aws_flags.go

Lines 36 to 42 in f369bd3

	type AWSFlagGroup struct {
	Region *Flag
	Endpoint *Flag
	Services *Flag
	Account *Flag
	ARN *Flag
	}

[knqyf263]

VM scanning is not dedicated to AWS. We will probably add support for GCP and Azure.

Suggested change

	$ trivy vm --region ap-northeast-1 ami:ami-0123456789abcdefg
	$ trivy vm --aws-region ap-northeast-1 ami:ami-0123456789abcdefg

[knqyf263]

ditto

[knqyf263]

You can define a custom flag as below.

awsFlagGroup := flag.AWSFlagGroup{
	Region: flag.Flag{
		Name:       "aws-region",
		ConfigName: "aws.region",
		Value:      "",
		Usage:      "AWS region to scan",
	}
}

The following variable should be exported so it could be reused. I'll refactor that later.

trivy/pkg/flag/aws_flags.go

Lines 4 to 9 in f369bd3

	awsRegionFlag = Flag{
	Name: "region",
	ConfigName: "cloud.aws.region",
	Value: "",
	Usage: "AWS Region to scan",
	}

[tockn]

@knqyf263 Thank you for reviewing! I've fixed those points.

[knqyf263]

Thanks for your contribution!