feat: add a flag for selectively enabling config types

[nikpivkin]

Description

• add tests
• update doc

Related issues

• Close feat(misconf): Selectively enable misconfiguration scanners #4901

Checklist

• I've read the guidelines for contributing to this repository.
• I've followed the conventions in the PR title.
• I've added tests that prove my fix is effective or that my feature works.
• I've updated the documentation with the relevant information (if needed).
• I've added usage information (if the PR introduces new options)
• I've included a "before" and "after" example to the description (if the PR is a user interface change).

[simar7]

hi @nikpivkin please hold off on this as we have not planned it for this milestone.

[knqyf263]

This enhancement is similar to this proposal. Do we want to provide a consolidated flag across all scanners, like --sub-scanners ruby,terraform? Or we can expand the existing flag --scanners vuln:ruby config:terraform. Also, we need to think about enabling or disabling. What if people just want to disable Azure ARM scanning with --config-type?

[simar7]

This enhancement is similar to this proposal. Do we want to provide a consolidated flag across all scanners, like --sub-scanners ruby,terraform? Or we can expand the existing flag --scanners vuln:ruby config:terraform. Also, we need to think about enabling or disabling. What if people just want to disable Azure ARM scanning with --config-type?

This issue only focuses only misconfiguration scanning. Today it's a single target with no way to disable/enable different kinds of IaC.

As for consolidation across other scanners, yes I think making them more granular makes sense. Ideally, this control knob should exist at every scan type level. So for e.g. misconf can enable/disable: terraform, cloudformation, ARM etc. and vulnerability scanning can enable/disable: packages, library etc.

[github-actions]

This PR is stale because it has been labeled with inactivity.

[knqyf263]

@itaysk Do you have any thoughts? We renamed --security-checks to --scanners according to your suggestion. Do you prefer --config-scanners rather than --config-type?

If we also want to provide a capability of disabling config types, we may need --enable-config-type and --disable-config-type.

[itaysk]

Do you prefer --config-scanners rather than --config-type

Between these I'd go with --scanner-config
But I'm not sure we have to make it generic like that, as opposed to every scanner can have scanner-specific flags. I'm afraid in the future it would evolve to more than a list of scanner "components" to enable/disable, but how to configure them, and then we end up with crazy syntaxes like --scanner-config vulnerability:ruby:some-ruby-thing=something. If we are not sure, it's better to start with specific flags and later consolidate.

[knqyf263]

Hmm, the name is probably confusing. I think --config-scanners and --config-type means misconfiguration scanners/types like terraform. @simar7 Am I correct?

@itaysk You suggested --scanner-config because you thought the flag was for all scanners, right? We can forget about it. Another flag looks better now.

We might want to replace --scanner config with --scanner misconfig so that we will not be confused with the word config. Then, the new flag should be --misconfig-scanners or --misconfig-types. What do you think?

[simar7]

Hmm, the name is probably confusing. I think --config-scanners and --config-type means misconfiguration scanners/types like terraform. @simar7 Am I correct?

That's right. I had proposed trivy config --config-type=dockerfile,helm.

We might want to replace --scanner config with --scanner misconfig so that we will not be confused with the word config. Then, the new flag should be --misconfig-scanners or --misconfig-types. What do you think?

Yeah this is good, I think it will reduce confusion as we call reference misconfig mostly everywhere.

[itaysk]

yes. sorry I read this too fast. SGTM

[knqyf263]

@simar7 I opened a PR.
#5558

[knqyf263]

#5558 got merged. We can now use something like --misconfig-type. I'd vote for --misconfig-scanner terraform,dockerfile as --vuln-type os is more higher-level. We will probably add --vuln-scanners php,python, so --misconfig-scanners is more aligned with that. What do you think?

[simar7]

#5558 got merged. We can now use something like --misconfig-type. I'd vote for --misconfig-scanner terraform,dockerfile as --vuln-type os is more higher-level. We will probably add --vuln-scanners php,python, so --misconfig-scanners is more aligned with that. What do you think?

Yeah --misconfig-scanners=dockerfile,terraform makes sense to me. We can close this PR for now and start afresh. I can take care of it.