diff --git a/docs/community/contribute/discussion.md b/docs/community/contribute/discussion.md index b7e1a2d7294d..4e9e059a1a30 100644 --- a/docs/community/contribute/discussion.md +++ b/docs/community/contribute/discussion.md @@ -38,12 +38,12 @@ If the data source is correct and Trivy shows wrong results, please raise an iss Visit [here](https://github.com/advisories) and search CVE-ID. If you find a problem, it'll be nice to fix it: [How to contribute to a GitHub security advisory](https://github.blog/2022-02-22-github-advisory-database-now-open-to-community-contributions/) - + ### GitLab Advisory Database Visit [here](https://advisories.gitlab.com/) and search CVE-ID. -If you find a problem, it'll be nice to fix it: [Create an issue to GitLab Advisory Database](https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/issues/new) - +If you find a problem, it'll be nice to fix it: [Create an issue to GitLab Advisory Database](https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/issues) + ### Red Hat CVE Database Visit [here](https://access.redhat.com/security/security-updates/?cwe=476#/cve) and search CVE-ID. diff --git a/docs/docs/compliance/contrib-compliance.md b/docs/docs/compliance/contrib-compliance.md index 0b83b688b664..653fb28467a2 100644 --- a/docs/docs/compliance/contrib-compliance.md +++ b/docs/docs/compliance/contrib-compliance.md 
@@ -1,7 +1,7 @@ # Custom Compliance Spec Trivy supports several different compliance specs. The details on compliance scanning with Trivy are provided in the [compliance documentation](../../docs/compliance/compliance.md). -All of the Compliance Specs currently available in Trivy can be found in the `trivy-checks/specs/compliance/` directory ([Link](https://github.com/aquasecurity/trivy-checks/tree/main/specs/compliance)). +All of the Compliance Specs currently available in Trivy can be found in the `trivy-checks/pkg/specs/compliance/` directory ([Link](https://github.com/aquasecurity/trivy-checks/tree/main/pkg/specs/compliance)). New checks are based on the custom compliance report detailed in the [main documentation.](../../docs/compliance/compliance/#custom-compliance) If you would like to create your custom compliance report, please reference the information in the main documentation. This section details how community members can contribute new Compliance Specs to Trivy. 
@@ -10,17 +10,17 @@ All compliance specs in Trivy are based on formal compliance reports such as CIS ## Contributing new Compliance Specs -Compliance specs can be based on new compliance reports becoming available e.g. a new CIS Benchmark version, or identifying missing compliance specs that Trivy users would like to access. +Compliance specs can be based on new compliance reports becoming available e.g. a new CIS Benchmark version, or identifying missing compliance specs that Trivy users would like to access. ### Create a new Compliance Spec -The existing compliance specs in Trivy are located under the `trivy-checks/specs/compliance/` directory ([Link](https://github.com/aquasecurity/trivy-checks/tree/main/specs/compliance)). +The existing compliance specs in Trivy are located under the `trivy-checks/pkg/specs/compliance/` directory ([Link](https://github.com/aquasecurity/trivy-checks/tree/main/pkg/specs/compliance)). Create a new file under `trivy-checks/specs/compliance/` and name the file in the format of "provider-resource-spectype-version.yaml". For example, the file name for AWS CIS Benchmarks for EKS version 1.4 is: `aws-eks-cis-1.4.yaml`. Note that if the compliance spec is not specific to a provider, the `provider` field can be ignored. ### Minimum spec structure -The structure of the compliance spec is detailed in the [main documentation](./compliance/#custom-compliance). +The structure of the compliance spec is detailed in the [main documentation](./compliance/#custom-compliance). The first section in the spec is focused on the metadata of the spec. Replace all the fields of the metadata with the information relevant to the compliance spec that will be added. This information can be taken from the official report e.g. the CIS Benchmark report. 
@@ -37,7 +37,7 @@ Additional information is provided below. Trivy has a comprehensive list of checks as part of its misconfiguration scanning. These can be found in the `trivy-checks/checks` directory ([Link](https://github.com/aquasecurity/trivy-checks/tree/main/checks)). If the check is present, the `AVD_ID` and other information from the check has to be used. -Note: Take a look at the more generic compliance specs that are already available in Trivy. If you are adding new compliance spec to Kubernetes e.g. AWS EKS CIS Benchmarks, chances are high that the check you would like to add to the new spec has already been defined in the general `k8s-ci-v.000.yaml` compliance spec. The same applies for creating specific Cloud Provider Compliance Specs and the [generic compliance specs](https://github.com/aquasecurity/trivy-checks/tree/main/specs/compliance) available. +Note: Take a look at the more generic compliance specs that are already available in Trivy. If you are adding new compliance spec to Kubernetes e.g. AWS EKS CIS Benchmarks, chances are high that the check you would like to add to the new spec has already been defined in the general `k8s-ci-v.000.yaml` compliance spec. The same applies for creating specific Cloud Provider Compliance Specs and the [generic compliance specs](https://github.com/aquasecurity/trivy-checks/tree/main/pkg/specs/compliance) available. For example, the following check is detailed in the AWS EKS CIS v1.4 Benchmark: `3.1.2 Ensure that the kubelet kubeconfig file ownership is set to root:root (Manual)` diff --git a/docs/docs/supply-chain/attestation/sbom.md b/docs/docs/supply-chain/attestation/sbom.md index 5d2667d0e100..50493016b677 100644 --- a/docs/docs/supply-chain/attestation/sbom.md +++ b/docs/docs/supply-chain/attestation/sbom.md 
@@ -9,7 +9,7 @@ And, Trivy can take an SBOM attestation as input and scan for vulnerabilities ## Sign with a local key pair -Cosign can generate key pairs and use them for signing and verification. After you run the following command, you will get a public and private key pair. Read more about [how to generate key pairs](https://docs.sigstore.dev/cosign/key-generation). +Cosign can generate key pairs and use them for signing and verification. After you run the following command, you will get a public and private key pair. Read more about [how to generate key pairs](https://docs.sigstore.dev/cosign/key_management/signing_with_self-managed_keys). ```bash $ cosign generate-key-pair diff --git a/docs/docs/supply-chain/attestation/vuln.md b/docs/docs/supply-chain/attestation/vuln.md index b1484387266a..812601190679 100644 --- a/docs/docs/supply-chain/attestation/vuln.md +++ b/docs/docs/supply-chain/attestation/vuln.md @@ -154,7 +154,7 @@ $ trivy image --format cosign-vuln --output vuln.json alpine:3.10 ### Sign with a local key pair -Cosign can generate key pairs and use them for signing and verification. After you run the following command, you will get a public and private key pair. Read more about [how to generate key pairs](https://docs.sigstore.dev/cosign/key-generation). +Cosign can generate key pairs and use them for signing and verification. After you run the following command, you will get a public and private key pair. Read more about [how to generate key pairs](https://docs.sigstore.dev/cosign/key_management/signing_with_self-managed_keys). ```bash $ cosign generate-key-pair diff --git a/docs/docs/supply-chain/sbom.md b/docs/docs/supply-chain/sbom.md index f2f2d55c79a5..7b48fb1a59d5 100644 --- a/docs/docs/supply-chain/sbom.md +++ b/docs/docs/supply-chain/sbom.md 
@@ -762,7 +762,7 @@ It is enabled in the following targets. When scanning container images, Trivy can discover SBOM for those images. [See here](../target/container_image.md) for more details. -[spdx]: https://spdx.dev/wp-content/uploads/sites/41/2020/08/SPDX-specification-2-2.pdf +[spdx]: https://spdx.github.io/spdx-spec/v2.2.2/ [cyclonedx]: https://cyclonedx.org/ [sbom]: https://cyclonedx.org/capabilities/sbom/ diff --git a/docs/docs/supply-chain/vex/oci.md b/docs/docs/supply-chain/vex/oci.md index a8b33bfe45cb..d50c210a97c1 100644 --- a/docs/docs/supply-chain/vex/oci.md +++ b/docs/docs/supply-chain/vex/oci.md @@ -87,7 +87,7 @@ You can also refer to [Trivy's example](https://github.com/aquasecurity/trivy/bl ### Step 2: Generate and Upload a VEX Attestation to an OCI Registry -You can use the [Cosign command](https://docs.sigstore.dev/verifying/attestation/) to generate and upload the VEX attestation. +You can use the [Cosign command](https://docs.sigstore.dev/cosign/verifying/attestation/) to generate and upload the VEX attestation. Cosign offers methods both with and without keys. For detailed instructions, please refer to the Cosign documentation. diff --git a/docs/docs/target/vm.md b/docs/docs/target/vm.md index e2c2cac74467..44ab945ce35d 100644 --- a/docs/docs/target/vm.md +++ b/docs/docs/target/vm.md @@ -12,7 +12,7 @@ The following targets are currently supported: - AWS EC2 - Amazon Machine Image (AMI) - Amazon Elastic Block Store (EBS) Snapshot - + ### Local file Pass the path to your local VM image file. @@ -58,7 +58,7 @@ Total: 802 (UNKNOWN: 0, LOW: 17, MEDIUM: 554, HIGH: 221, CRITICAL: 10) │ │ │ │ │ │ cause named to terminate... │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-25214 │ ├────────────────────────────┼────────────────┼──────────┤ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤ -... +... ``` 
@@ -234,7 +234,7 @@ Reference: [VMware Virtual Disk Format 1.1.pdf][vmdk] | ZFS | | -[vmdk]: https://www.vmware.com/app/vmdk/?src=vmdk +[vmdk]: https://github.com/libyal/libvmdk/blob/main/documentation/VMWare%20Virtual%20Disk%20Format%20(VMDK).asciidoc [ebsapi-elements]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-accessing-snapshot.html#ebsapi-elements [coldsnap]: https://github.com/awslabs/coldsnap diff --git a/docs/ecosystem/ide.md b/docs/ecosystem/ide.md index fb902b2d0809..142433c45b65 100644 --- a/docs/ecosystem/ide.md +++ b/docs/ecosystem/ide.md @@ -42,7 +42,7 @@ Trivy Docker Desktop extension for scanning container images for vulnerabilities [Rancher Desktop](https://rancherdesktop.io/) is an easy way to use containers and Kubernetes on your development machine, and manage it in a GUI. -Trivy is natively integrated with Rancher, no installation is needed. More info in Rancher documentation: +Trivy is natively integrated with Rancher, no installation is needed. More info in Rancher documentation: ## LazyTrivy (Community) diff --git a/docs/getting-started/signature-verification.md b/docs/getting-started/signature-verification.md index 411bad24c3fe..9a28ab28fd91 100644 --- a/docs/getting-started/signature-verification.md +++ b/docs/getting-started/signature-verification.md @@ -11,7 +11,7 @@ cosign verify aquasec/trivy: \ --certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+' \ --certificate-oidc-issuer "https://token.actions.githubusercontent.com" ``` - + You should get the following output ``` @@ -52,10 +52,10 @@ RPM and Deb packages are also signed by GPG. The public key is available at . -First, download and import the key: +First, download and import the key: ```shell -curl https://aquasecurity.github.io/trivy-repo/rpm/public.key \ +curl https://aquasecurity.github.io/trivy-repo/rpm/public.key \ --output pub.key rpm --import pub.key rpm -q --queryformat "%{SUMMARY}\n" $(rpm -q gpg-pubkey) 
@@ -66,7 +66,7 @@ You should get the following output: ``` gpg(trivy) ``` - + Then you can verify the signature: ```shell @@ -79,4 +79,4 @@ You should get the following output ``` trivy.rpm: digests signatures OK -``` \ No newline at end of file +``` diff --git a/docs/tutorials/integrations/gitlab-ci.md b/docs/tutorials/integrations/gitlab-ci.md index 8b4e8c34e7bb..afef98f3681b 100644 --- a/docs/tutorials/integrations/gitlab-ci.md +++ b/docs/tutorials/integrations/gitlab-ci.md @@ -114,7 +114,7 @@ container_scanning: Depending on the edition of gitlab you have or your desired workflow, the container scanning template may not meet your needs. As an addition to the above container scanning template, a template for -[code climate](https://docs.gitlab.com/ee/user/project/merge_requests/code_quality.html) +[code climate](https://docs.gitlab.com/ee/ci/testing/code_quality.html) has been included. The key things to update from the above examples are the `template` and `report` type. An updated example is below. diff --git a/docs/tutorials/signing/vuln-attestation.md b/docs/tutorials/signing/vuln-attestation.md index 2e4b487306c6..7cd85e2052da 100644 --- a/docs/tutorials/signing/vuln-attestation.md +++ b/docs/tutorials/signing/vuln-attestation.md @@ -8,7 +8,7 @@ This tutorial details how to #### Prerequisites 1. [Trivy CLI](../../getting-started/installation.md) installed -2. [Cosign CLI](https://docs.sigstore.dev/system_config/installation/) installed +2. [Cosign CLI](https://docs.sigstore.dev/cosign/system_config/installation/) installed 3. Ensure that you have access to a container image in a remote container registry that you own/within your account. In this tutorial, we will use DockerHub. ## Scan Container Image for vulnerabilities
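Review bot: in the docs/community/contribute/discussion.md hunk the link text still says "Create an issue to GitLab Advisory Database" while the target was changed from `/-/issues/new` to `/-/issues`, which is the issue list rather than the new-issue form; either keep `/-/issues/new` if that URL still resolves, or reword the label to something like "GitLab Advisory Database issues" so the text matches where the reader lands.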
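Review bot: in the docs/docs/compliance/contrib-compliance.md hunk at @@ -1,7 the unchanged context line `[main documentation.](../../docs/compliance/compliance/#custom-compliance)` carries the sentence's full stop inside the link text; since this paragraph is already being edited, move the period outside the closing bracket so the rendered link reads "main documentation".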
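Review bot: in the docs/docs/compliance/contrib-compliance.md hunk at @@ -10,17 the "located under" sentence is updated to `trivy-checks/pkg/specs/compliance/`, but the very next instruction, `Create a new file under `trivy-checks/specs/compliance/``, still names the old directory; update that line in the same change, otherwise contributors following the steps literally create the spec in a path the repository no longer uses.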
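Review bot: in the docs/docs/compliance/contrib-compliance.md hunk at @@ -37,7 the note still refers to a general `k8s-ci-v.000.yaml` compliance spec, a filename that does not follow the "provider-resource-spectype-version.yaml" convention this same document prescribes (compare `aws-eks-cis-1.4.yaml`); while the surrounding link is being corrected, check that the name matches an actual file under `pkg/specs/compliance/` and replace it with the real one.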
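Review bot: the docs/docs/target/vm.md hunk at @@ -12,7 is a trailing-whitespace-only change, as are several others in this patch (ide.md, signature-verification.md @@ -11 and @@ -66); consider splitting the whitespace cleanup from the link fixes into a separate commit so the link changes, which are the ones that need checking, are easier to review and bisect.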
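Review bot: in the docs/docs/target/vm.md hunk at @@ -234,7 the `[vmdk]` reference now points at the libyal GitHub documentation, a third-party reverse-engineering write-up, while the visible reference text still reads "VMware Virtual Disk Format 1.1.pdf"; either change the citation text to describe the libyal document, or prefer an archived copy of the original VMware PDF so the format reference stays attributable to the vendor specification.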
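Review bot: in the docs/ecosystem/ide.md hunk the sentence "More info in Rancher documentation:" ends at the colon with no URL following in the hunk as shown; confirm that the rendered markdown still carries the Rancher link, and if it was lost, restore it in this change rather than only trimming the trailing space.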
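Review bot: in the docs/getting-started/signature-verification.md hunk at @@ -11,7 the context line `cosign verify aquasec/trivy: \` has nothing after the colon, so as shown the command verifies an empty tag; check that the version placeholder is present in the source file, since a reader copying this block will otherwise get a reference-parsing error rather than a verification result.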
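Review bot: in the docs/getting-started/signature-verification.md hunk at @@ -52,10 the import step only confirms the key by its summary (`rpm -q --queryformat "%{SUMMARY}\n"` yielding `gpg(trivy)`), which proves a key named "trivy" was imported, not that it is the right key; add the expected key fingerprint to the docs and a step that prints it (for example via `gpg --show-keys pub.key` before `rpm --import`) so readers can compare it against a value published out of band. The same hunk's context line "The public key is available at ." also shows no URL; verify the link survived.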