trivy
feat: Add AWS Cloud scanning
Description
WIP
Related issues
- Close #2476
Checklist
- [x] I've read the guidelines for contributing to this repository.
- [x] I've followed the conventions in the PR title.
- [x] I've added tests that prove my fix is effective or that my feature works.
- [x] I've updated the documentation with the relevant information (if needed).
- [x] I've added usage information (if the PR introduces new options)
- [x] I've included a "before" and "after" example to the description (if the PR is a user interface change).
$ ./trivy aws --region eu-central-1 --service ec2
Scan Overview for AWS Account XXXXXXXXXX
┌───────────────┬──────────────────────────────────────────────────┬────────────────┐
│ │ Misconfigurations │ │
│ ├──────────┬──────────────┬────────┬─────┬─────────┤ │
│ Service │ Critical │ High │ Medium │ Low │ Unknown │ Last Scanned │
├───────────────┼──────────┼──────────────┼────────┼─────┼─────────┼────────────────┤
│ api-gateway │ 0 │ 0 │ 0 │ 0 │ 0 │ 22 minutes ago │
│ athena │ 0 │ 2 │ 0 │ 0 │ 0 │ 22 minutes ago │
│ cloudfront │ 0 │ 0 │ 0 │ 0 │ 0 │ 22 minutes ago │
│ cloudtrail │ 0 │ 0 │ 0 │ 0 │ 0 │ 22 minutes ago │
│ cloudwatch │ 0 │ 0 │ 0 │ 4 │ 0 │ 22 minutes ago │
│ codebuild │ 0 │ 0 │ 0 │ 0 │ 0 │ 22 minutes ago │
│ documentdb │ 0 │ 0 │ 0 │ 0 │ 0 │ 22 minutes ago │
│ dynamodb │ 0 │ 0 │ 0 │ 0 │ 0 │ 22 minutes ago │
│ ec2 │ 5 │ 1 │ 0 │ 0 │ 0 │ 22 minutes ago │
│ ecr │ 0 │ 0 │ 0 │ 0 │ 0 │ 22 minutes ago │
│ ecs │ 0 │ 0 │ 0 │ 0 │ 0 │ 22 minutes ago │
│ efs │ 0 │ 0 │ 0 │ 0 │ 0 │ 22 minutes ago │
│ eks │ 0 │ 0 │ 0 │ 0 │ 0 │ 22 minutes ago │
│ elasticache │ 0 │ 0 │ 0 │ 0 │ 0 │ 22 minutes ago │
│ elasticsearch │ 0 │ 0 │ 0 │ 0 │ 0 │ 22 minutes ago │
│ elb │ 0 │ 0 │ 0 │ 0 │ 0 │ 22 minutes ago │
│ emr │ 0 │ 0 │ 0 │ 0 │ 0 │ 22 minutes ago │
│ iam │ 0 │ 507 │ 0 │ 8 │ 0 │ 22 minutes ago │
│ kinesis │ 0 │ 0 │ 0 │ 0 │ 0 │ 22 minutes ago │
│ kms │ 0 │ 0 │ 0 │ 0 │ 0 │ 22 minutes ago │
│ lambda │ 0 │ 0 │ 0 │ 0 │ 0 │ 22 minutes ago │
│ mq │ 0 │ 0 │ 0 │ 0 │ 0 │ 22 minutes ago │
│ msk │ 0 │ 0 │ 0 │ 0 │ 0 │ 22 minutes ago │
│ neptune │ 0 │ 0 │ 0 │ 0 │ 0 │ 22 minutes ago │
│ rds │ 1 │ 0 │ 0 │ 0 │ 0 │ 22 minutes ago │
│ redshift │ 0 │ 0 │ 0 │ 0 │ 0 │ 22 minutes ago │
│ s3 │ 0 │ 0 │ 0 │ 0 │ 0 │ 22 minutes ago │
│ sns │ 0 │ 0 │ 0 │ 0 │ 0 │ 22 minutes ago │
│ sqs │ 0 │ 0 │ 0 │ 0 │ 0 │ 22 minutes ago │
│ ssm │ 0 │ 0 │ 0 │ 0 │ 0 │ 22 minutes ago │
│ workspaces │ 0 │ 0 │ 0 │ 0 │ 0 │ 22 minutes ago │
└───────────────┴──────────┴──────────────┴────────┴─────┴─────────┴────────────────┘
This scan report was loaded from cached results. If you'd like to run a fresh scan, use --update-cache.
Is this behavior intended? Seems like it scans all the resources even with --update-cache.
$ ./trivy aws --region eu-central-1 --service ec2 --update-cache
[1/31] Scanning api-gateway...
[2/31] Scanning athena...
[3/31] Scanning cloudfront...
[4/31] Scanning cloudtrail...
[5/31] Scanning cloudwatch...
[6/31] Scanning codebuild...
[7/31] Scanning documentdb...
[8/31] Scanning dynamodb...
[9/31] Scanning ec2...
[10/31] Scanning ecr...
[11/31] Scanning ecs...
[12/31] Scanning efs...
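To make the behaviour questioned above concrete, here is an added illustrative model of how a `--service` filter and an `--update-cache` flag are usually expected to interact: the service list is narrowed first, and only the selected services are either refreshed live or answered from cache. This is example code written for this thread, not trivy's implementation; the `PlanScan` function, the `ScanPlan` type, the `maxAge` freshness window and the sample cache timestamps are all assumptions, and the sample data is constructed.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// ScanPlan describes which services a run would query live and which it
// would answer from cache. Illustrative model only, not trivy's own type.
type ScanPlan struct {
	Live   []string // services whose results are fetched from AWS
	Cached []string // services served from previously stored results
}

// PlanScan decides what a run should do. Assumptions (not from the PR):
// `supported` is the full catalogue the tool knows, `requested` is what
// --service selected (empty meaning all), `cacheAge` records when each
// service was last scanned, `updateCache` mirrors --update-cache, and
// `maxAge` is the window after which a cached entry is considered stale.
func PlanScan(supported, requested []string, cacheAge map[string]time.Time,
	updateCache bool, maxAge time.Duration, now time.Time) (ScanPlan, error) {
	known := make(map[string]bool, len(supported))
	for _, s := range supported {
		known[s] = true
	}
	// --service narrows the scope; an unknown name is an error, not a silent full scan.
	targets := supported
	if len(requested) > 0 {
		targets = nil
		for _, r := range requested {
			if !known[r] {
				return ScanPlan{}, fmt.Errorf("unknown service %q", r)
			}
			targets = append(targets, r)
		}
	}
	var plan ScanPlan
	for _, svc := range targets {
		last, ok := cacheAge[svc]
		stale := !ok || now.Sub(last) > maxAge
		if updateCache || stale {
			plan.Live = append(plan.Live, svc)
		} else {
			plan.Cached = append(plan.Cached, svc)
		}
	}
	sort.Strings(plan.Live)
	sort.Strings(plan.Cached)
	return plan, nil
}

func main() {
	// Constructed sample: three services, two of them with results cached 22 minutes ago.
	supported := []string{"api-gateway", "ec2", "iam"}
	now := time.Date(2022, 7, 1, 12, 0, 0, 0, time.UTC)
	cache := map[string]time.Time{
		"ec2": now.Add(-22 * time.Minute),
		"iam": now.Add(-22 * time.Minute),
	}
	plan, _ := PlanScan(supported, []string{"ec2"}, cache, false, time.Hour, now)
	fmt.Printf("--service ec2:                live=%v cached=%v\n", plan.Live, plan.Cached)
	plan, _ = PlanScan(supported, []string{"ec2"}, cache, true, time.Hour, now)
	fmt.Printf("--service ec2 --update-cache: live=%v cached=%v\n", plan.Live, plan.Cached)
	for i, svc := range plan.Live {
		fmt.Printf("[%d/%d] Scanning %s...\n", i+1, len(plan.Live), svc)
	}
}
```

With `--service ec2 --update-cache` the model yields a single `[1/1] Scanning ec2...` line rather than a 31-service walk, which is the contrast the question above is about; with no `--service` given, only services with missing or stale cache entries are fetched live.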
I confirmed https://github.com/aquasecurity/trivy/pull/2493/commits/633034d377a999832bafc7b1dc6a51d3c54691d5 worked.