docs: update air-gapped docs #7160

Merged
merged 10 commits into from
Aug 9, 2024
3 changes: 3 additions & 0 deletions docs/docs/advanced/air-gap.md
Collaborator
I have an idea about re-structuring this page, but we can do that in another PR.

Expand Up @@ -119,10 +119,13 @@ cp /path/to/trivy.db /path/to/metadata.json ${TRIVY_CACHE_DIR}/db/
### Java DB

For Java DB the process is the same, except for the following:

1. Image location is `ghcr.io/aquasecurity/trivy-java-db:1`
2. Archive file name is `javadb.tar.gz`
3. DB file name is `trivy-java.db`

## Misconfigurations scanning

Note that the misconfigurations database is also embedded in the Trivy binary (at build time), and will be used as a fallback if the external database is not available. This means that you can still scan for misconfigurations in an air-gapped environment using the Checks from the time of the Trivy release you are using.

The misconfiguration can be configured to load checks from a local directory, using the `--config-check` flag. In an air-gapped scenario you can copy the checks library from [Trivy checks repository](https://github.com/aquasecurity/trivy-checks) into a local directory, and load it with this flag. See more in the [Misconfiguration scanner documentation](../scanner/misconfiguration/index.md).
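Review bot: the second paragraph is missing its subject: `The misconfiguration can be configured to load checks from a local directory` should read `The misconfiguration scanner can be configured ...`. Two things an air-gapped reader will still want after this hunk. First, the paragraph says to copy the checks library from the trivy-checks repository but not from which ref; since the first paragraph states that the embedded fallback corresponds to the checks at the time of the Trivy release, suggest telling users to copy from the tag matching their Trivy version rather than from `main`, so the local directory does not quietly diverge from what that release was built against. Second, the text does not say whether Trivy still attempts to fetch the bundle when `--config-check` is given, or in which order the external bundle, the embedded copy and the local directory are consulted; one sentence on that ordering would remove the main ambiguity for an offline user. Minor: `Checks` is capitalised in the first paragraph and lowercase in the second.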
2 changes: 1 addition & 1 deletion docs/docs/compliance/contrib-compliance.md
Expand Up @@ -35,7 +35,7 @@ Additional information is provided below.

#### 1. Referencing a check that is already part of Trivy

Trivy has a comprehensive list of checks as part of its misconfiguration scanning. These can be found in the `trivy-policies/checks` directory ([Link](https://github.com/aquasecurity/trivy-checks/tree/main/checks)). If the check is present, the `AVD_ID` and other information from the check has to be used.
Trivy has a comprehensive list of checks as part of its misconfiguration scanning. These can be found in the `trivy-checks/checks` directory ([Link](https://github.com/aquasecurity/trivy-checks/tree/main/checks)). If the check is present, the `AVD_ID` and other information from the check has to be used.

Note: Take a look at the more generic compliance specs that are already available in Trivy. If you are adding new compliance spec to Kubernetes e.g. AWS EKS CIS Benchmarks, chances are high that the check you would like to add to the new spec has already been defined in the general `k8s-ci-v.000.yaml` compliance spec. The same applies for creating specific Cloud Provider Compliance Specs and the [generic compliance specs](https://github.com/aquasecurity/trivy-checks/tree/main/specs/compliance) available.
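Review bot: the rename to `trivy-checks/checks` now matches the link target. While touching this paragraph, the compliance spec file name `k8s-ci-v.000.yaml` in the Note looks mistyped (the `v.000` version placeholder is unusual) and should be checked against the specs directory linked at the end of the same paragraph.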

2 changes: 1 addition & 1 deletion docs/docs/scanner/misconfiguration/check/builtin.md
Expand Up @@ -6,7 +6,7 @@ Trivy checks are mainly written in [Rego][rego], while some checks are written i
See [here](../../../coverage/iac/index.md) for the list of supported config types.

## Checks Bundle
When performing a misconfiguration scan, Trivy will automatically downloads the relevant Checks bundle. The bundle is cached locally and Trivy will reuse it for subsequent scans on the same machine. Trivy takes care of updating the cache automatically so normally can be oblivious to it.
When performing a misconfiguration scan, Trivy will automatically download the relevant Checks bundle. The bundle is cached locally and Trivy will reuse it for subsequent scans on the same machine. Trivy takes care of updating the cache automatically, so normally users can be oblivious to it.

For CLI flags related to the database, please refer to [this page](../configuration/db.md).
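Review bot: the trailing context line `For CLI flags related to the database, please refer to [this page](../configuration/db.md)` sits under the `## Checks Bundle` heading, where the reader is looking for flags that control the checks bundle, not the vulnerability database. Either reword it to `For CLI flags related to the checks bundle` if db.md covers those, or link to the page that does. The grammar fix in the hunk itself (`download`, `users can be oblivious`) reads correctly.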

Expand Down
2 changes: 1 addition & 1 deletion docs/docs/scanner/misconfiguration/custom/data.md
Expand Up @@ -31,5 +31,5 @@ Then, you need to pass data paths through `--data` option.
Trivy recursively searches the specified paths for JSON (`*.json`) and YAML (`*.yaml`) files.

```bash
$ trivy conf --policy ./policy --data data --namespaces user ./configs
$ trivy conf --config-check ./checks --data ./data --namespaces user ./configs
```
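Review bot: the example now reads `--config-check ./checks`, but the equivalent command in docs/docs/scanner/misconfiguration/index.md in this same PR (`cd examples/misconf/custom-data` followed by `trivy conf --config-check ./policy --data ./data --namespaces user ./configs`) keeps the directory named `./policy`. Pick the name that matches the actual layout of examples/misconf/custom-data so that a reader who copies either command gets a working invocation.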
8 changes: 4 additions & 4 deletions docs/docs/scanner/misconfiguration/custom/index.md
Expand Up @@ -2,10 +2,10 @@

## Overview
You can write custom checks in [Rego][rego].
Once you finish writing custom checks, you can pass the policy files or the directory where those policies are stored with `--policy` option.
Once you finish writing custom checks, you can pass the policy files or the directory where those checks are stored with --config-check` option.

``` bash
trivy conf --policy /path/to/policy.rego --policy /path/to/custom_policies --namespaces user /path/to/config_dir
trivy conf --config-check /path/to/policy.rego --config-check /path/to/custom_checks --namespaces user /path/to/config_dir
```

As for `--namespaces` option, the detail is described as below.
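Review bot: the added line has an unbalanced backtick: `with --config-check` option` is missing the opening backtick before `--config-check`, so the rendered page will show a stray backtick and no code formatting. Suggest `... stored with the `--config-check` option.` The same sentence still says `policy files`; since the rest of the hunk renames policies to checks, `check files` keeps the terminology consistent.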
Expand Down Expand Up @@ -93,7 +93,7 @@ By default, only `builtin.*` packages will be evaluated.
If you define custom packages, you have to specify the package prefix via `--namespaces` option. By default, Trivy only runs in its own namespace, unless specified by the user. Note that the custom namespace does not have to be `user` as in this example. It could be anything user-defined.

``` bash
trivy conf --policy /path/to/custom_policies --namespaces user /path/to/config_dir
trivy conf --config-check /path/to/custom_checks --namespaces user /path/to/config_dir
```

In this case, `user.*` will be evaluated.
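Review bot: the path rename is fine. The surrounding context (`By default, only builtin.* packages will be evaluated` and `In this case, user.* will be evaluated`) implies that a custom check whose `package` is outside the namespaces listed with `--namespaces` is simply skipped; worth stating that explicitly in this paragraph so that a result with no findings is not mistaken for a pass.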
Expand Down Expand Up @@ -135,7 +135,7 @@ correct and do not reference incorrect properties/values.

#### custom.avd_id and custom.id

The AVD_ID can be used to link the check to the Aqua Vulnerability Database (AVD) entry. For example, the `avd_id` `AVD-AWS-0176` is the ID of the check in the [AWS Vulnerability Database](https://avd.aquasec.com/). If you are [contributing your check to trivy-policies](../../../../community/contribute/checks/overview.md), you need to generate an ID using `make id` in the [trivy-checks](https://github.com/aquasecurity/trivy-checks) repository. The output of the command will provide you the next free IDs for the different providers in Trivy.
The AVD_ID can be used to link the check to the Aqua Vulnerability Database (AVD) entry. For example, the `avd_id` `AVD-AWS-0176` is the ID of the check in the [AWS Vulnerability Database](https://avd.aquasec.com/). If you are [contributing your check to trivy-checks](../../../../community/contribute/checks/overview.md), you need to generate an ID using `make id` in the [trivy-checks](https://github.com/aquasecurity/trivy-checks) repository. The output of the command will provide you the next free IDs for the different providers in Trivy.

The ID is based on the AVD_ID. For instance if the `avd_id` is `AVD-AWS-0176`, the ID is `ID0176`.
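Review bot: the link text in the added line reads `[AWS Vulnerability Database](https://avd.aquasec.com/)` while the same sentence expands AVD as the Aqua Vulnerability Database, and the following text talks about IDs for `the different providers in Trivy`; the link text should be `Aqua Vulnerability Database`. The anchor text change to `trivy-checks` is correct.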

2 changes: 1 addition & 1 deletion docs/docs/scanner/misconfiguration/custom/schema.md
@@ -1,7 +1,7 @@
# Input Schema

## Overview
Policies can be defined with custom schemas that allow inputs to be verified against them. Adding a policy schema
Checks can be defined with custom schemas that allow inputs to be verified against them. Adding a policy schema
enables Trivy to show more detailed error messages when an invalid input is encountered.

In Trivy we have been able to define a schema for a [Dockerfile](https://github.com/aquasecurity/trivy/tree/main/pkg/iac/rego/schemas)
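Review bot: `Policies` was changed to `Checks`, but the same sentence still says `Adding a policy schema`; change it to `check schema` so the terminology is consistent within the paragraph.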
10 changes: 5 additions & 5 deletions docs/docs/scanner/misconfiguration/index.md
Expand Up @@ -326,13 +326,13 @@ trivy config --misconfig-scanners=terraform,dockerfile .

Will only scan for misconfigurations that pertain to Terraform and Dockerfiles.

### Passing custom checks
You can pass policy files or directories including your custom checks through `--policy` option.
### Loading custom checks
You can load policy files or directories including your custom checks through `--config-check` flag.
This can be repeated for specifying multiple files or directories.

```bash
cd examplex/misconf/
trivy conf --policy custom-policy/policy --policy combine/policy --policy policy.rego --namespaces user misconf/mixed
trivy conf --config-check custom-policy/policy --config-check combine/policy --config-check policy.rego --namespaces user misconf/mixed
```

For more details, see [Custom Checks](./custom/index.md).
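Review bot: the example's first line `cd examplex/misconf/` is a typo for `examples/misconf/` (compare `cd examples/misconf/custom-data` in the next section) and was left untouched by this hunk. The new sentence also still says `load policy files or directories`; `check files` matches the new heading `Loading custom checks`. The directory names in the command (`custom-policy/policy`, `combine/policy`, `policy.rego`) presumably reflect the real layout of the examples tree, so leaving them is right only if that tree was not renamed alongside the flag.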
Expand All @@ -346,7 +346,7 @@ This can be repeated for specifying multiple directories.

```bash
cd examples/misconf/custom-data
trivy conf --policy ./policy --data ./data --namespaces user ./configs
trivy conf --config-check ./policy --data ./data --namespaces user ./configs
```

For more details, see [Custom Data](./custom/data.md).
Expand All @@ -357,7 +357,7 @@ If you want to evaluate custom checks in other packages, you have to specify pac
This can be repeated for specifying multiple packages.

``` bash
trivy conf --policy ./policy --namespaces main --namespaces user ./configs
trivy conf --config-check ./policy --namespaces main --namespaces user ./configs
```

### Private terraform registries
2 changes: 1 addition & 1 deletion docs/docs/scanner/vulnerability.md
Expand Up @@ -160,7 +160,7 @@ Trivy can detect vulnerabilities in Kubernetes clusters and components by scanni

## Databases
Trivy utilizes several databases containing information relevant for vulnerability scanning.
When performing a vulnerability scan, Trivy will automatically downloads the relevant databases. The databases are cached locally and Trivy will reuse them for subsequent scans on the same machine. Trivy takes care of updating the databases cache automatically so normally can be oblivious to it.
When performing a vulnerability scan, Trivy will automatically downloads the relevant databases. The databases are cached locally and Trivy will reuse them for subsequent scans on the same machine. Trivy takes care of updating the databases cache automatically, so normally users can be oblivious to it.

For CLI flags related to the database, please refer to [this page](../configuration/db.md).
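Review bot: the added line keeps `will automatically downloads`; the same sentence in docs/docs/scanner/misconfiguration/check/builtin.md was corrected to `download` in this PR, so apply the same fix here.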

2 changes: 1 addition & 1 deletion docs/tutorials/misconfiguration/custom-checks.md
Expand Up @@ -93,7 +93,7 @@ Note that Rego
Ensure that you have Trivy installed and run the following command:

```bash
trivy fs --scanners misconf --policy ./docker-check.rego --namespaces custom ./Dockerfile
trivy fs --scanners misconf --config-check ./docker-check.rego --namespaces custom ./Dockerfile
```

Please replace: