
--ignore-policy unavailable in config target

Open itaysk opened this issue 1 year ago • 5 comments

Description

works:

trivy fs --security-checks config --ignore-policy ./p.rego .

doesn't work:

trivy config --ignore-policy ./p.rego .

What did you expect to happen?

able to ignore with rego policies in config scan

What happened instead?

error:

unknown flag: --ignore-policy

Output of run with -debug:

same

Output of trivy -v:

Version: 0.36.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-01-27 12:08:06.732856126 +0000 UTC
  NextUpdate: 2023-01-27 18:08:06.732855426 +0000 UTC
  DownloadedAt: 2023-01-27 14:18:11.663968 +0000 UTC

Additional details (base image name, container registry info...):

itaysk avatar Jan 27 '23 14:01 itaysk

--ignore-policy supports only vulnerabilities for now. https://aquasecurity.github.io/trivy/v0.36/docs/vulnerability/examples/filter/#by-open-policy-agent

knqyf263 avatar Jan 28 '23 05:01 knqyf263

I tried it with fs --security-checks config and it worked

itaysk avatar Jan 28 '23 13:01 itaysk

❯ cat ignore.rego   
package trivy
default ignore=true
ignore=false {
        input.AVDID == "AVD-AWS-0094"
}

❯ trivy fs /Users/itaysk/dev/trivy/pkg/fanal/artifact/local/testdata/misconfig/cloudformation/passed/src --security-checks config --ignore-policy ./ignore.rego  -q           

main.yaml (cloudformation)

Tests: 13 (SUCCESSES: 4, FAILURES: 9, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

LOW: Bucket does not have a corresponding public access block.
═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
The "block public access" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it.

See https://avd.aquasec.com/misconfig/avd-aws-0094
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 main.yaml:2-5
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   2 ┌   S3Bucket:
   3 │     Type: 'AWS::S3::Bucket'
   4 │     Properties:
   5 └       BucketName: public-bucket
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
❯ cat ignore.rego
package trivy
default ignore=true

❯ trivy fs /Users/itaysk/dev/trivy/pkg/fanal/artifact/local/testdata/misconfig/cloudformation/passed/src --security-checks config --ignore-policy ./ignore.rego  -q

itaysk avatar Jan 28 '23 13:01 itaysk

even though it works, the exception seems wrong:

"Results": [
    {
      "Target": "main.yaml",
      "Class": "config",
      "Type": "cloudformation",
      "MisconfSummary": {
        "Successes": 4,
        "Failures": 9,
        "Exceptions": 0
      },

itaysk avatar Jan 28 '23 13:01 itaysk

Thanks for looking into this. I think I just discovered this the hard way myself 😅 Also, there seem to be a lot of places in the docs (and the examples) mentioning the --policy flag, but that one does not seem to exist? I see other flags to do this though, like --config-policy, so presumably that one has been replaced?

Also, as a Trivy n00b, it's not clear to me what the difference is between an "ignore policy" and an "exception policy". But that might be off topic :)

anderseknert avatar Jan 30 '23 14:01 anderseknert

@anderseknert About the --policy flag, @simar7 or @giorod3 can comment. About exception vs ignore, you're right, we'll fix it with https://github.com/aquasecurity/trivy/issues/3486#issuecomment-1426870603

itaysk avatar Feb 11 '23 20:02 itaysk

I tried it with fs --security-checks config and it worked

I added the support... I didn't remember it at all 😄 https://github.com/aquasecurity/trivy/blob/6cac6c917f4f688e451851c8778b009794b453e2/pkg/result/filter.go#L195-L207

knqyf263 avatar Feb 13 '23 12:02 knqyf263

even though it works, the exception seems wrong:

"Results": [
    {
      "Target": "main.yaml",
      "Class": "config",
      "Type": "cloudformation",
      "MisconfSummary": {
        "Successes": 4,
        "Failures": 9,
        "Exceptions": 0
      },

Revisiting this thread, can someone remind me of the expected behavior here? Below is what I see with the latest release of Trivy


cat ignore.rego 
package trivy
default ignore=true
ignore=false {
        input.AVDID == "avd-aws-0094"
}

trivy fs ~/repos/trivy/pkg/fanal/artifact/local/testdata/misconfig/cloudformation/passed/src/ --security-checks config --ignore-policy ./ignore.rego  --format json
2023-08-08T23:22:33.374-0600    WARN    '--security-checks' is deprecated. Use '--scanners' instead.
2023-08-08T23:22:33.389-0600    INFO    Misconfiguration scanning is enabled
2023-08-08T23:22:33.699-0600    INFO    Detected config files: 1
{
  "SchemaVersion": 2,
  "ArtifactName": "/Users/simarpreetsingh/repos/trivy/pkg/fanal/artifact/local/testdata/misconfig/cloudformation/passed/src",
  "ArtifactType": "filesystem",
  "Metadata": {
    "ImageConfig": {
      "architecture": "",
      "created": "0001-01-01T00:00:00Z",
      "os": "",
      "rootfs": {
        "type": "",
        "diff_ids": null
      },
      "config": {}
    }
  },
  "Results": [
    {
      "Target": "main.yaml",
      "Class": "config",
      "Type": "cloudformation",
      "MisconfSummary": {
        "Successes": 2,
        "Failures": 9,
        "Exceptions": 0
      }
    }
  ]
}

Below is what I have been able to gather from the discussion so far:

  1. We need to expose --ignore-policy directly with the trivy config flag. Today it is only exposed as trivy fs --scanners config --ignore-policy.
  2. We need to add the list of results that got "ignored" via the --ignore-policy into the Exceptions field count.

Please correct me if I'm wrong.

simar7 avatar Aug 09 '23 05:08 simar7
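The policies in the thread invert the default (ignore everything except one check) to test the flag. The shape a practitioner would actually use with the config scanner is the opposite: keep the default at "report", and suppress only explicitly accepted checks. This is an added example, not a policy from the issue or from the Trivy project; it assumes the misconfiguration input exposes `AVDID` (shown in the thread) and `Severity` (an assumption based on the severities printed in the table output), and the second ID is a placeholder.

```rego
# Added example: Trivy ignore policy for misconfiguration results.
# Assumes input carries AVDID (seen in the thread) and Severity (assumed).
package trivy

# Checks that have been reviewed and accepted for this repository.
# "AVD-AWS-0094" is the check from the thread; the second entry is a
# placeholder to show the set can hold several IDs.
accepted_ids := {
    "AVD-AWS-0094",
    "AVD-PLACEHOLDER-0000",
}

# Report everything unless a rule below says otherwise.
default ignore = false

# Suppress a finding whose AVD ID is in the accepted set.
ignore {
    accepted_ids[input.AVDID]
}

# Suppress LOW-severity findings regardless of ID (assumed field name).
ignore {
    input.Severity == "LOW"
}
```

Run it with the non-deprecated scanner flag from later in the thread, e.g. `trivy fs --scanners config --ignore-policy ./ignore.rego .`; as the thread notes, suppressed findings currently do not appear in the `Exceptions` count, so verify the effect by comparing `Failures` with and without the policy.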