From c14e0d7476d1ca34725eb2e6fd62eee51f641874 Mon Sep 17 00:00:00 2001
From: Simar
Date: Mon, 27 Nov 2023 19:57:25 -0700
Subject: [PATCH 1/6] feat(misconf): Add `--misconfig-scanners` option

Fixes: https://github.com/aquasecurity/trivy/issues/4901
---
 pkg/commands/artifact/run.go | 19 +++++++++++++++++++
 pkg/flag/misconf_flags.go    | 13 +++++++++++++
 2 files changed, 32 insertions(+)

diff --git a/pkg/commands/artifact/run.go b/pkg/commands/artifact/run.go
index 0d935f86e016..5cc4cef91336 100644
--- a/pkg/commands/artifact/run.go
+++ b/pkg/commands/artifact/run.go
@@ -6,6 +6,7 @@ import (
 	"fmt"
 
 	"github.com/hashicorp/go-multierror"
+	"github.com/samber/lo"
 	"github.com/spf13/viper"
 	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"
@@ -480,6 +481,14 @@ func disabledAnalyzers(opts flag.Options) []analyzer.Type {
 		analyzers = append(analyzers, analyzer.TypeSecret)
 	}
 
+	// Filter only enabled misconfiguration scanners
+	ma, err := filterMisconfigAnalyzers(opts.MisconfigScanners, analyzer.TypeConfigFiles)
+	if err != nil {
+		log.Logger.Errorf("Invalid misconfig scanners specified: %s defaulting to use all misconfig scanners", opts.MisconfigScanners)
+	} else {
+		analyzers = append(analyzers, ma...)
+	}
+
 	// Do not perform misconfiguration scanning when it is not specified.
 	if !opts.Scanners.AnyEnabled(types.MisconfigScanner, types.RBACScanner) {
 		analyzers = append(analyzers, analyzer.TypeConfigFiles...)
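Review bot: An invalid `--misconfig-scanners` value is only logged at error level and then falls through to a scan with every scanner enabled, so a typo in a scanner name silently widens the scan instead of stopping the command, and the `err` that names the offending entries is dropped from the log line. Because disabledAnalyzers returns only `[]analyzer.Type`, the clean place to reject bad values is MisconfFlagGroup.ToOptions, which already has an error return; this hunk would then just append the result. The comment `// Filter only enabled misconfiguration scanners` describes the opposite of what `ma` holds (it is the set being disabled); `// Disable the misconfiguration scanners that were not requested via --misconfig-scanners` would be accurate. When misconfig scanning is not enabled at all, the following block appends all of analyzer.TypeConfigFiles as well, so entries in `ma` appear twice in the disabled list — presumably harmless, but worth confirming. disabledAnalyzers starts and ends outside this hunk.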
@@ -512,6 +521,16 @@ func disabledAnalyzers(opts flag.Options) []analyzer.Type {
 	return analyzers
 }
 
+func filterMisconfigAnalyzers(included []analyzer.Type, all []analyzer.Type) ([]analyzer.Type, error) {
+	_, missing := lo.Difference(all, included)
+	if len(missing) > 0 {
+		return nil, xerrors.Errorf("invalid misconfiguration scanner specified %s valid scanners: %s", missing, all)
+	}
+
+	log.Logger.Debugf("Enabling misconfiguration scanners: %s", included)
+	return lo.Without(all, included...), nil
+}
+
 func initScannerConfig(opts flag.Options, cacheClient cache.Cache) (ScannerConfig, types.ScanOptions, error) {
 	target := opts.Target
 	if opts.Input != "" {
diff --git a/pkg/flag/misconf_flags.go b/pkg/flag/misconf_flags.go
index 38f8c837fa4a..10db4bb81421 100644
--- a/pkg/flag/misconf_flags.go
+++ b/pkg/flag/misconf_flags.go
@@ -3,7 +3,9 @@ package flag
 import (
 	"fmt"
 
+	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
 	"github.com/aquasecurity/trivy/pkg/policy"
+	xstrings "github.com/aquasecurity/trivy/pkg/x/strings"
 )
 
 // e.g. config yaml:
@@ -73,6 +75,12 @@ var (
 		Default:    fmt.Sprintf("%s:%d", policy.BundleRepository, policy.BundleVersion),
 		Usage:      "OCI registry URL to retrieve policy bundle from",
 	}
+	MisconfigScannersFlag = Flag{
+		Name:       "misconfig-scanners",
+		ConfigName: "misconfiguration.scanners",
+		Default:    xstrings.ToStringSlice(analyzer.TypeConfigFiles),
+		Usage:      "comma-separated list of misconfig scanners to use for misconfiguration scanning",
+	}
 )
 
 // MisconfFlagGroup composes common printer flag structs used for commands providing misconfiguration scanning.
@@ -89,6 +97,7 @@ type MisconfFlagGroup struct {
 	TerraformTFVars            *Flag
 	CloudformationParamVars    *Flag
 	TerraformExcludeDownloaded *Flag
+	MisconfigScanners          *Flag
 }
 
 type MisconfOptions struct {
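Review bot: filterMisconfigAnalyzers returns the scanners to disable (`lo.Without(all, included...)`) while its name and the debug line `Enabling misconfiguration scanners` suggest it returns the enabled set, which makes the call site in disabledAnalyzers easy to misread. A doc comment such as `// filterMisconfigAnalyzers checks that every entry of included is a known misconfiguration analyzer and returns the analyzers from all that are NOT included, i.e. the ones to disable.` would remove the ambiguity. The error string also runs its three parts together; `xerrors.Errorf("invalid misconfiguration scanners %v specified; valid scanners: %v", missing, all)` reads correctly when shown to a user. `lo.Difference(all, included)` yields `missing` as the entries of included absent from all, which is what the check needs, but that depends on lo.Difference's argument order, so a one-line why-comment on that line would help the next reader.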
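Review bot: MisconfigScannersFlag's `Usage` does not name the accepted values, and nothing on the flag constrains them, so the rendered default is the only hint a user gets of what is valid. Since the default is already derived from `analyzer.TypeConfigFiles`, the usage text can enumerate the same list without hard-coding it, e.g. `Usage: fmt.Sprintf("comma-separated list of misconfig scanners to use for misconfiguration scanning (one or more of: %s)", strings.Join(xstrings.ToStringSlice(analyzer.TypeConfigFiles), ", "))`; `fmt` is already imported in this file, `strings` would need to be added.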
@@ -104,6 +113,7 @@ type MisconfOptions struct {
 	TerraformTFVars         []string
 	CloudFormationParamVars []string
 	TfExcludeDownloaded     bool
+	MisconfigScanners       []analyzer.Type
 }
 
 func NewMisconfFlagGroup() *MisconfFlagGroup {
@@ -119,6 +129,7 @@ func NewMisconfFlagGroup() *MisconfFlagGroup {
 		TerraformTFVars:            &TfVarsFlag,
 		CloudformationParamVars:    &CfParamsFlag,
 		TerraformExcludeDownloaded: &TerraformExcludeDownloaded,
+		MisconfigScanners:          &MisconfigScannersFlag,
 	}
 }
 
@@ -138,6 +149,7 @@ func (f *MisconfFlagGroup) Flags() []*Flag {
 		f.TerraformTFVars,
 		f.TerraformExcludeDownloaded,
 		f.CloudformationParamVars,
+		f.MisconfigScanners,
 	}
 }
 
@@ -153,5 +165,6 @@ func (f *MisconfFlagGroup) ToOptions() (MisconfOptions, error) {
 		TerraformTFVars:         getStringSlice(f.TerraformTFVars),
 		CloudFormationParamVars: getStringSlice(f.CloudformationParamVars),
 		TfExcludeDownloaded:     getBool(f.TerraformExcludeDownloaded),
+		MisconfigScanners:       getUnderlyingStringSlice[analyzer.Type](f.MisconfigScanners),
 	}, nil
 }

From b395c22989ad77f784814cf546ea891dadd040fe Mon Sep 17 00:00:00 2001
From: Simar
Date: Mon, 27 Nov 2023 20:02:39 -0700
Subject: [PATCH 2/6] add docs

---
 docs/docs/references/configuration/cli/trivy_aws.md    | 1 +
 docs/docs/references/configuration/cli/trivy_config.md | 1 +
 .../references/configuration/cli/trivy_filesystem.md   | 1 +
 docs/docs/references/configuration/cli/trivy_image.md  | 1 +
 .../references/configuration/cli/trivy_kubernetes.md   | 1 +
 .../references/configuration/cli/trivy_repository.md   | 1 +
 docs/docs/references/configuration/cli/trivy_rootfs.md | 1 +
 docs/docs/references/configuration/cli/trivy_vm.md     | 1 +
 docs/docs/references/configuration/config-file.md      | 6 ++++++
 docs/docs/scanner/misconfiguration/index.md            | 9 +++++++++
 10 files changed, 23 insertions(+)

diff --git a/docs/docs/references/configuration/cli/trivy_aws.md b/docs/docs/references/configuration/cli/trivy_aws.md
index 590162972b39..46a8296dbb80 100644
--- a/docs/docs/references/configuration/cli/trivy_aws.md
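Review bot: `MisconfigScanners` is converted with `getUnderlyingStringSlice[analyzer.Type]` and returned as-is, so unknown scanner names pass through ToOptions unchecked even though this method already has an `error` return; validating here fails the command early with a clear message instead of relying on the log-and-continue path in run.go's disabledAnalyzers. The check needs only names already imported in this file (`analyzer`, `fmt`), and it leaves the flag's default (every entry of `analyzer.TypeConfigFiles`) untouched. ToOptions starts outside this hunk, so the validation goes just before the `return MisconfOptions{` that the hunk shows the tail of.

```go
	scanners := getUnderlyingStringSlice[analyzer.Type](f.MisconfigScanners)
	for _, s := range scanners {
		known := false
		for _, t := range analyzer.TypeConfigFiles {
			if t == s {
				known = true
				break
			}
		}
		if !known {
			return MisconfOptions{}, fmt.Errorf("invalid misconfiguration scanner %q; valid scanners: %v", s, analyzer.TypeConfigFiles)
		}
	}
	// … unchanged: return MisconfOptions{ … } literal, with the last field set to
	//     MisconfigScanners: scanners,
```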
+++ b/docs/docs/references/configuration/cli/trivy_aws.md @@ -86,6 +86,7 @@ trivy aws [flags] --include-non-failures include successes and exceptions, available with '--scanners misconfig' --list-all-pkgs enabling the option will output all packages regardless of vulnerability --max-cache-age duration The maximum age of the cloud cache. Cached data will be requeried from the cloud provider if it is older than this. (default 24h0m0s) + --misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan]) -o, --output string output file name --policy-bundle-repository string OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/trivy-policies:0") --policy-namespaces strings Rego namespaces diff --git a/docs/docs/references/configuration/cli/trivy_config.md b/docs/docs/references/configuration/cli/trivy_config.md index 0d26452a10b1..19a8983c1784 100644 --- a/docs/docs/references/configuration/cli/trivy_config.md +++ b/docs/docs/references/configuration/cli/trivy_config.md @@ -29,6 +29,7 @@ trivy config [flags] DIR --ignorefile string specify .trivyignore file (default ".trivyignore") --include-non-failures include successes and exceptions, available with '--scanners misconfig' --k8s-version string specify k8s version to validate outdated api by it (example: 1.21.0) + --misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan]) --module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules") -o, --output string output file name --password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons. 
diff --git a/docs/docs/references/configuration/cli/trivy_filesystem.md b/docs/docs/references/configuration/cli/trivy_filesystem.md index 89d034caaa4d..ccc12a1475a8 100644 --- a/docs/docs/references/configuration/cli/trivy_filesystem.md +++ b/docs/docs/references/configuration/cli/trivy_filesystem.md @@ -51,6 +51,7 @@ trivy filesystem [flags] PATH --license-confidence-level float specify license classifier's confidence level (default 0.9) --license-full eagerly look for licenses in source code headers and license files --list-all-pkgs enabling the option will output all packages regardless of vulnerability + --misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan]) --module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules") --no-progress suppress progress bar --offline-scan do not issue API requests to identify dependencies diff --git a/docs/docs/references/configuration/cli/trivy_image.md b/docs/docs/references/configuration/cli/trivy_image.md index 10ac0518944b..27264628eac0 100644 --- a/docs/docs/references/configuration/cli/trivy_image.md +++ b/docs/docs/references/configuration/cli/trivy_image.md 
@@ -69,6 +69,7 @@ trivy image [flags] IMAGE_NAME --license-confidence-level float specify license classifier's confidence level (default 0.9) --license-full eagerly look for licenses in source code headers and license files --list-all-pkgs enabling the option will output all packages regardless of vulnerability + --misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan]) --module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules") --no-progress suppress progress bar --offline-scan do not issue API requests to identify dependencies diff --git a/docs/docs/references/configuration/cli/trivy_kubernetes.md b/docs/docs/references/configuration/cli/trivy_kubernetes.md index 93d44ad04c3e..5ba76eb26d7d 100644 --- a/docs/docs/references/configuration/cli/trivy_kubernetes.md +++ b/docs/docs/references/configuration/cli/trivy_kubernetes.md @@ -60,6 +60,7 @@ trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg: --k8s-version string specify k8s version to validate outdated api by it (example: 1.21.0) --kubeconfig string specify the kubeconfig file path to use --list-all-pkgs enabling the option will output all packages regardless of vulnerability + --misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan]) -n, --namespace string specify a namespace to scan --no-progress suppress progress bar --node-collector-namespace string specify the namespace in which the node-collector job should be deployed (default "trivy-temp") diff --git a/docs/docs/references/configuration/cli/trivy_repository.md b/docs/docs/references/configuration/cli/trivy_repository.md index a88e9be5bf30..339064883224 100644 
--- a/docs/docs/references/configuration/cli/trivy_repository.md +++ b/docs/docs/references/configuration/cli/trivy_repository.md @@ -51,6 +51,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL) --license-confidence-level float specify license classifier's confidence level (default 0.9) --license-full eagerly look for licenses in source code headers and license files --list-all-pkgs enabling the option will output all packages regardless of vulnerability + --misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan]) --module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules") --no-progress suppress progress bar --offline-scan do not issue API requests to identify dependencies diff --git a/docs/docs/references/configuration/cli/trivy_rootfs.md b/docs/docs/references/configuration/cli/trivy_rootfs.md index d04ee44ba113..5d5f88451afd 100644 --- a/docs/docs/references/configuration/cli/trivy_rootfs.md +++ b/docs/docs/references/configuration/cli/trivy_rootfs.md @@ -53,6 +53,7 @@ trivy rootfs [flags] ROOTDIR --license-confidence-level float specify license classifier's confidence level (default 0.9) --license-full eagerly look for licenses in source code headers and license files --list-all-pkgs enabling the option will output all packages regardless of vulnerability + --misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan]) --module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules") --no-progress suppress progress bar --offline-scan do not issue API requests to identify dependencies 
diff --git a/docs/docs/references/configuration/cli/trivy_vm.md b/docs/docs/references/configuration/cli/trivy_vm.md index eb6506c7585d..0fc813ade0ca 100644 --- a/docs/docs/references/configuration/cli/trivy_vm.md +++ b/docs/docs/references/configuration/cli/trivy_vm.md @@ -47,6 +47,7 @@ trivy vm [flags] VM_IMAGE --include-non-failures include successes and exceptions, available with '--scanners misconfig' --java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db") --list-all-pkgs enabling the option will output all packages regardless of vulnerability + --misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan]) --module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules") --no-progress suppress progress bar --offline-scan do not issue API requests to identify dependencies diff --git a/docs/docs/references/configuration/config-file.md b/docs/docs/references/configuration/config-file.md index b85cfded4667..80ce56ccf4e2 100644 --- a/docs/docs/references/configuration/config-file.md +++ b/docs/docs/references/configuration/config-file.md @@ -266,6 +266,12 @@ misconfiguration: # Same as '--include-non-failures' # Default is false include-non-failures: false + + # Same as '--miconfig-scanners' + # Default is all scanners + type: + - dockerfile + - terraform # helm value override configurations # set individual values diff --git a/docs/docs/scanner/misconfiguration/index.md b/docs/docs/scanner/misconfiguration/index.md index 8a2606a31a4e..23c883a70ab1 100644 --- a/docs/docs/scanner/misconfiguration/index.md +++ b/docs/docs/scanner/misconfiguration/index.md 
@@ -315,6 +315,15 @@ Failures: 2 (MEDIUM: 2, HIGH: 0, CRITICAL: 0) This section describes misconfiguration-specific configuration. Other common options are documented [here](../../configuration/index.md). +### Enabling a subset of misconfiguration scanners +It's possible to only enable certain misconfiguration scanners if you prefer. You can do so by passing the `--misconfig-scanners` option. +This flag takes a comma-separated list of configuration scanner types. +```bash +trivy config --misconfig-scanners=terraform,dockerfile . +``` + +Will only scan for misconfigurations that pertain to Terraform and Dockerfiles. + ### Pass custom policies You can pass policy files or directories including your custom policies through `--policy` option. This can be repeated for specifying multiple files or directories. From 06cb6897b5b9538c04e414839cd25871f17c4cd3 Mon Sep 17 00:00:00 2001 From: Simar Date: Mon, 27 Nov 2023 20:20:00 -0700 Subject: [PATCH 3/6] fix lint --- pkg/commands/artifact/run.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/commands/artifact/run.go b/pkg/commands/artifact/run.go index 5cc4cef91336..2370cc6c1de9 100644 --- a/pkg/commands/artifact/run.go +++ b/pkg/commands/artifact/run.go @@ -521,7 +521,7 @@ func disabledAnalyzers(opts flag.Options) []analyzer.Type { return analyzers } -func filterMisconfigAnalyzers(included []analyzer.Type, all []analyzer.Type) ([]analyzer.Type, error) { +func filterMisconfigAnalyzers(included, all []analyzer.Type) ([]analyzer.Type, error) { _, missing := lo.Difference(all, included) if len(missing) > 0 { return nil, xerrors.Errorf("invalid misconfiguration scanner specified %s valid scanners: %s", missing, all) From 69f6b5272a589267092826ca19d0154d524523ca Mon Sep 17 00:00:00 2001 
From: Simar Date: Mon, 27 Nov 2023 20:25:41 -0700 Subject: [PATCH 4/6] disable image,vm,k8s --- docs/docs/references/configuration/cli/trivy_image.md | 1 - docs/docs/references/configuration/cli/trivy_kubernetes.md | 1 - docs/docs/references/configuration/cli/trivy_vm.md | 1 - pkg/commands/app.go | 3 +++ 4 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/docs/references/configuration/cli/trivy_image.md b/docs/docs/references/configuration/cli/trivy_image.md index 27264628eac0..10ac0518944b 100644 --- a/docs/docs/references/configuration/cli/trivy_image.md +++ b/docs/docs/references/configuration/cli/trivy_image.md @@ -69,7 +69,6 @@ trivy image [flags] IMAGE_NAME --license-confidence-level float specify license classifier's confidence level (default 0.9) --license-full eagerly look for licenses in source code headers and license files --list-all-pkgs enabling the option will output all packages regardless of vulnerability - --misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan]) --module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules") --no-progress suppress progress bar --offline-scan do not issue API requests to identify dependencies diff --git a/docs/docs/references/configuration/cli/trivy_kubernetes.md b/docs/docs/references/configuration/cli/trivy_kubernetes.md index 5ba76eb26d7d..93d44ad04c3e 100644 --- a/docs/docs/references/configuration/cli/trivy_kubernetes.md +++ b/docs/docs/references/configuration/cli/trivy_kubernetes.md 
@@ -60,7 +60,6 @@ trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg: --k8s-version string specify k8s version to validate outdated api by it (example: 1.21.0) --kubeconfig string specify the kubeconfig file path to use --list-all-pkgs enabling the option will output all packages regardless of vulnerability - --misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan]) -n, --namespace string specify a namespace to scan --no-progress suppress progress bar --node-collector-namespace string specify the namespace in which the node-collector job should be deployed (default "trivy-temp") diff --git a/docs/docs/references/configuration/cli/trivy_vm.md b/docs/docs/references/configuration/cli/trivy_vm.md index 0fc813ade0ca..eb6506c7585d 100644 --- a/docs/docs/references/configuration/cli/trivy_vm.md +++ b/docs/docs/references/configuration/cli/trivy_vm.md @@ -47,7 +47,6 @@ trivy vm [flags] VM_IMAGE --include-non-failures include successes and exceptions, available with '--scanners misconfig' --java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db") --list-all-pkgs enabling the option will output all packages regardless of vulnerability - --misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan]) --module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules") --no-progress suppress progress bar --offline-scan do not issue API requests to identify dependencies diff --git a/pkg/commands/app.go b/pkg/commands/app.go index fe39fb57925c..fa79866513b5 100644 --- a/pkg/commands/app.go +++ b/pkg/commands/app.go 
@@ -235,6 +235,7 @@ func NewImageCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command { misconfFlagGroup := flag.NewMisconfFlagGroup() misconfFlagGroup.CloudformationParamVars = nil // disable '--cf-params' misconfFlagGroup.TerraformTFVars = nil // disable '--tf-vars' + misconfFlagGroup.MisconfigScanners = nil // disable '--misconfig-scanners' imageFlags := &flag.Flags{ CacheFlagGroup: flag.NewCacheFlagGroup(), @@ -903,6 +904,7 @@ func NewKubernetesCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command { misconfFlagGroup := flag.NewMisconfFlagGroup() misconfFlagGroup.CloudformationParamVars = nil // disable '--cf-params' misconfFlagGroup.TerraformTFVars = nil // disable '--tf-vars' + misconfFlagGroup.MisconfigScanners = nil // disable '--misconfig-scanners' k8sFlags := &flag.Flags{ CacheFlagGroup: flag.NewCacheFlagGroup(), @@ -1058,6 +1060,7 @@ func NewVMCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command { vmFlags.ScanFlagGroup.IncludeDevDeps = nil // disable '--include-dev-deps' vmFlags.MisconfFlagGroup.CloudformationParamVars = nil // disable '--cf-params' vmFlags.MisconfFlagGroup.TerraformTFVars = nil // disable '--tf-vars' + vmFlags.MisconfFlagGroup.MisconfigScanners = nil // disable '--misconfig-scanners' cmd := &cobra.Command{ Use: "vm [flags] VM_IMAGE", From 9ab0515e8a7cc1c5403619959b3cd484bfbe2b06 Mon Sep 17 00:00:00 2001 From: Simar Date: Mon, 27 Nov 2023 23:51:16 -0700 Subject: [PATCH 5/6] Revert "disable image,vm,k8s" This reverts commit 69f6b5272a589267092826ca19d0154d524523ca. --- docs/docs/references/configuration/cli/trivy_image.md | 1 + docs/docs/references/configuration/cli/trivy_kubernetes.md | 1 + docs/docs/references/configuration/cli/trivy_vm.md | 1 + pkg/commands/app.go | 3 --- 4 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/docs/references/configuration/cli/trivy_image.md b/docs/docs/references/configuration/cli/trivy_image.md index 10ac0518944b..27264628eac0 100644 
--- a/docs/docs/references/configuration/cli/trivy_image.md +++ b/docs/docs/references/configuration/cli/trivy_image.md @@ -69,6 +69,7 @@ trivy image [flags] IMAGE_NAME --license-confidence-level float specify license classifier's confidence level (default 0.9) --license-full eagerly look for licenses in source code headers and license files --list-all-pkgs enabling the option will output all packages regardless of vulnerability + --misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan]) --module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules") --no-progress suppress progress bar --offline-scan do not issue API requests to identify dependencies diff --git a/docs/docs/references/configuration/cli/trivy_kubernetes.md b/docs/docs/references/configuration/cli/trivy_kubernetes.md index 93d44ad04c3e..5ba76eb26d7d 100644 --- a/docs/docs/references/configuration/cli/trivy_kubernetes.md +++ b/docs/docs/references/configuration/cli/trivy_kubernetes.md @@ -60,6 +60,7 @@ trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg: --k8s-version string specify k8s version to validate outdated api by it (example: 1.21.0) --kubeconfig string specify the kubeconfig file path to use --list-all-pkgs enabling the option will output all packages regardless of vulnerability + --misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan]) -n, --namespace string specify a namespace to scan --no-progress suppress progress bar --node-collector-namespace string specify the namespace in which the node-collector job should be deployed (default "trivy-temp") 
diff --git a/docs/docs/references/configuration/cli/trivy_vm.md b/docs/docs/references/configuration/cli/trivy_vm.md index eb6506c7585d..0fc813ade0ca 100644 --- a/docs/docs/references/configuration/cli/trivy_vm.md +++ b/docs/docs/references/configuration/cli/trivy_vm.md @@ -47,6 +47,7 @@ trivy vm [flags] VM_IMAGE --include-non-failures include successes and exceptions, available with '--scanners misconfig' --java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db") --list-all-pkgs enabling the option will output all packages regardless of vulnerability + --misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan]) --module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules") --no-progress suppress progress bar --offline-scan do not issue API requests to identify dependencies diff --git a/pkg/commands/app.go b/pkg/commands/app.go index fa79866513b5..fe39fb57925c 100644 --- a/pkg/commands/app.go +++ b/pkg/commands/app.go @@ -235,7 +235,6 @@ func NewImageCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command { misconfFlagGroup := flag.NewMisconfFlagGroup() misconfFlagGroup.CloudformationParamVars = nil // disable '--cf-params' misconfFlagGroup.TerraformTFVars = nil // disable '--tf-vars' - misconfFlagGroup.MisconfigScanners = nil // disable '--misconfig-scanners' imageFlags := &flag.Flags{ CacheFlagGroup: flag.NewCacheFlagGroup(), 
@@ -904,7 +903,6 @@ func NewKubernetesCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command { misconfFlagGroup := flag.NewMisconfFlagGroup() misconfFlagGroup.CloudformationParamVars = nil // disable '--cf-params' misconfFlagGroup.TerraformTFVars = nil // disable '--tf-vars' - misconfFlagGroup.MisconfigScanners = nil // disable '--misconfig-scanners' k8sFlags := &flag.Flags{ CacheFlagGroup: flag.NewCacheFlagGroup(), @@ -1060,7 +1058,6 @@ func NewVMCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command { vmFlags.ScanFlagGroup.IncludeDevDeps = nil // disable '--include-dev-deps' vmFlags.MisconfFlagGroup.CloudformationParamVars = nil // disable '--cf-params' vmFlags.MisconfFlagGroup.TerraformTFVars = nil // disable '--tf-vars' - vmFlags.MisconfFlagGroup.MisconfigScanners = nil // disable '--misconfig-scanners' cmd := &cobra.Command{ Use: "vm [flags] VM_IMAGE", From 099332b5edb6a6e3f56ff218fad9ba1ffd445085 Mon Sep 17 00:00:00 2001 From: Simar Date: Tue, 28 Nov 2023 14:21:26 -0700 Subject: [PATCH 6/6] fix docs ref --- docs/docs/references/configuration/config-file.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/docs/references/configuration/config-file.md b/docs/docs/references/configuration/config-file.md index 80ce56ccf4e2..23b5a3778345 100644 --- a/docs/docs/references/configuration/config-file.md +++ b/docs/docs/references/configuration/config-file.md @@ -269,7 +269,7 @@ misconfiguration: # Same as '--miconfig-scanners' # Default is all scanners - type: + scanners: - dockerfile - terraform