Infrastructure as Code (IaC)

Quick start

Simply specify a directory containing IaC files such as Terraform, CloudFormation and Dockerfile.

  1. $ trivy config [YOUR_IaC_DIRECTORY]

Trivy will automatically fetch the managed policies and will keep them up-to-date in future scans.

Example

  1. $ ls build/
  2. Dockerfile
  3. $ trivy config ./build
  4. 2021-07-09T10:06:29.188+0300 INFO Need to update the built-in policies
  5. 2021-07-09T10:06:29.188+0300 INFO Downloading the built-in policies...
  6. 2021-07-09T10:06:30.520+0300 INFO Detected config files: 1
  7. Dockerfile (dockerfile)
  8. =======================
  9. Tests: 23 (SUCCESSES: 22, FAILURES: 1, EXCEPTIONS: 0)
  10. Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
  11. +---------------------------+------------+----------------------+----------+------------------------------------------+
  12. | TYPE | MISCONF ID | CHECK | SEVERITY | MESSAGE |
  13. +---------------------------+------------+----------------------+----------+------------------------------------------+
  14. | Dockerfile Security Check | DS002 | Image user is 'root' | HIGH | Last USER command in |
  15. | | | | | Dockerfile should not be 'root' |
  16. | | | | | -->avd.aquasec.com/appshield/ds002 |
  17. +---------------------------+------------+----------------------+----------+------------------------------------------+

Type detection

The specified directory can contain mixed types of IaC files. Trivy automatically detects config types and applies relevant policies.

For example, the following example holds IaC files for Terraform, CloudFormation, Kubernetes, and Dockerfile in the same directory.

  1. $ ls iac/
  2. Dockerfile deployment.yaml main.tf
  3. $ trivy conf --severity HIGH,CRITICAL ./iac

Result

  1. 2021-07-09T11:51:08.212+0300 INFO Need to update the built-in policies
  2. 2021-07-09T11:51:08.212+0300 INFO Downloading the built-in policies...
  3. 2021-07-09T11:51:09.527+0300 INFO Detected config files: 3
  4. Dockerfile (dockerfile)
  5. =======================
  6. Tests: 23 (SUCCESSES: 22, FAILURES: 1, EXCEPTIONS: 0)
  7. Failures: 1 (HIGH: 1, CRITICAL: 0)
  8. +---------------------------+------------+----------------------+----------+------------------------------------------+
  9. | TYPE | MISCONF ID | CHECK | SEVERITY | MESSAGE |
  10. +---------------------------+------------+----------------------+----------+------------------------------------------+
  11. | Dockerfile Security Check | DS002 | Image user is 'root' | HIGH | Last USER command in |
  12. | | | | | Dockerfile should not be 'root' |
  13. | | | | | -->avd.aquasec.com/appshield/ds002 |
  14. +---------------------------+------------+----------------------+----------+------------------------------------------+
  15. deployment.yaml (kubernetes)
  16. ============================
  17. Tests: 28 (SUCCESSES: 15, FAILURES: 13, EXCEPTIONS: 0)
  18. Failures: 13 (HIGH: 1, CRITICAL: 0)
  19. +---------------------------+------------+----------------------------+----------+------------------------------------------+
  20. | TYPE | MISCONF ID | CHECK | SEVERITY | MESSAGE |
  21. +---------------------------+------------+----------------------------+----------+------------------------------------------+
  22. | Kubernetes Security Check | KSV005 | SYS_ADMIN capability added | HIGH | Container 'hello-kubernetes' of |
  23. | | | | | Deployment 'hello-kubernetes' |
  24. | | | | | should not include 'SYS_ADMIN' in |
  25. | | | | | 'securityContext.capabilities.add' |
  26. | | | | | -->avd.aquasec.com/appshield/ksv005 |
  27. +---------------------------+------------+----------------------------+----------+------------------------------------------+
  28. main.tf (terraform)
  29. ===================
  30. Tests: 23 (SUCCESSES: 14, FAILURES: 9, EXCEPTIONS: 0)
  31. Failures: 9 (HIGH: 6, CRITICAL: 1)
  32. +------------------------------------------+------------+------------------------------------------+----------+--------------------------------------------------------+
  33. | TYPE | MISCONF ID | CHECK | SEVERITY | MESSAGE |
  34. +------------------------------------------+------------+------------------------------------------+----------+--------------------------------------------------------+
  35. | Terraform Security Check powered by | AWS003 | AWS Classic resource usage. | HIGH | Resource |
  36. | tfsec | | | | 'aws_db_security_group.my-group' |
  37. | | | | | uses EC2 Classic. Use a VPC instead. |
  38. | | | | | -->tfsec.dev/docs/aws/AWS003/ |
  39. + +------------+------------------------------------------+----------+--------------------------------------------------------+
  40. | | AWS004 | Use of plain HTTP. | CRITICAL | Resource |
  41. | | | | | 'aws_alb_listener.my-alb-listener' |
  42. | | | | | uses plain HTTP instead of HTTPS. |
  43. | | | | | -->tfsec.dev/docs/aws/AWS004/ |
  44. + +------------+------------------------------------------+----------+--------------------------------------------------------+
  45. | | AWS018 | Missing description for security | HIGH | Resource |
  46. | | | group/security group rule. | | 'aws_security_group_rule.my-rule' should |
  47. | | | | | include a description for auditing |
  48. | | | | | purposes. -->tfsec.dev/docs/aws/AWS018/ |
  49. + +------------+------------------------------------------+ +--------------------------------------------------------+
  50. | | AWS025 | API Gateway domain name uses outdated | | Resource |
  51. | | | SSL/TLS protocols. | | 'aws_api_gateway_domain_name.empty_security_policy' |
  52. | | | | | defines outdated SSL/TLS policies (not using |
  53. | | | | | TLS_1_2). -->tfsec.dev/docs/aws/AWS025/ |
  54. + + + + +--------------------------------------------------------+
  55. | | | | | Resource |
  56. | | | | | 'aws_api_gateway_domain_name.missing_security_policy' |
  57. | | | | | should include security_policy (defauls to outdated |
  58. | | | | | SSL/TLS policy). -->tfsec.dev/docs/aws/AWS025/ |
  59. + + + + +--------------------------------------------------------+
  60. | | | | | Resource |
  61. | | | | | 'aws_api_gateway_domain_name.outdated_security_policy' |
  62. | | | | | defines outdated SSL/TLS policies (not using TLS_1_2). |
  63. | | | | | -->tfsec.dev/docs/aws/AWS025/ |
  64. + +------------+------------------------------------------+ +--------------------------------------------------------+
  65. | | AZU003 | Unencrypted managed disk. | | Resource 'azurerm_managed_disk.source' |
  66. | | | | | defines an unencrypted managed disk. |
  67. | | | | | -->tfsec.dev/docs/azure/AZU003/ |
  68. +------------------------------------------+------------+------------------------------------------+----------+--------------------------------------------------------+

You can see the config type next to each file name.

Example

  1. Dockerfile (dockerfile)
  2. =======================
  3. Tests: 23 (SUCCESSES: 22, FAILURES: 1, EXCEPTIONS: 0)
  4. Failures: 1 (HIGH: 1, CRITICAL: 0)
  5. ...
  6. deployment.yaml (kubernetes)
  7. ============================
  8. Tests: 28 (SUCCESSES: 15, FAILURES: 13, EXCEPTIONS: 0)
  9. Failures: 13 (HIGH: 1, CRITICAL: 0)
  10. ...
  11. main.tf (terraform)
  12. ===================
  13. Tests: 23 (SUCCESSES: 14, FAILURES: 9, EXCEPTIONS: 0)
  14. Failures: 9 (HIGH: 6, CRITICAL: 1)
  15. ...
  16. bucket.yaml (cloudformation)
  17. ============================
  18. Tests: 9 (SUCCESSES: 3, FAILURES: 6, EXCEPTIONS: 0)
  19. Failures: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 4, CRITICAL: 0)

Example

See here