我的书签
添加书签
移除书签Policy
Pass custom policies
You can pass directories including your custom policies through --policy option. This can be repeated for specifying multiple directories.
cd examplex/misconf/trivy conf --policy custom-policy/policy --policy combine/policy --namespaces user misconf/mixed
For more details, see Custom Policies.
Tip
You also need to specify --namespaces option.
Pass custom data
You can pass directories including your custom data through --data option. This can be repeated for specifying multiple directories.
cd examples/misconf/custom-datatrivy conf --policy ./policy --data ./data --namespaces user ./configs
For more details, see Custom Data.
Pass namespaces
By default, Trivy evaluate policies defined in appshield.*. If you want to evaluate custom policies in other packages, you have to specify package prefixes through --namespaces option. This can be repeated for specifying multiple packages.
trivy conf --policy ./policy --namespaces main --namespaces user ./configs
Skip update of built-in policies
Trivy downloads built-in policies when it starts operating. Then, it checks for updates every 24 hours. You can use the --skip-policy-update option to skip it. If you skip it the first time, the built-in policies will not be loaded.
Note
Even if you specify the option the first time, it will be loaded as Terraform policies are written in Go.
trivy conf --skip-policy-update examples/misconf/mixed [~/src/github.com/aquasecurity/trivy]
Result
2021-07-10T18:04:19.083+0300 INFO No builtin policies were loaded2021-07-10T18:04:19.174+0300 INFO Detected config files: 2configs/main.tf (terraform)===========================Tests: 19 (SUCCESSES: 11, FAILURES: 8, EXCEPTIONS: 0)Failures: 8 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 1)+------------------------------------------+------------+------------------------------------------+----------+------------------------------------------+| TYPE | MISCONF ID | CHECK | SEVERITY | MESSAGE |+------------------------------------------+------------+------------------------------------------+----------+------------------------------------------+| Terraform Security Check powered by | AWS004 | Use of plain HTTP. | CRITICAL | Resource || tfsec | | | | 'aws_alb_listener.my-alb-listener' || | | | | uses plain HTTP instead of HTTPS. || | | | | -->tfsec.dev/docs/aws/AWS004/ |+ +------------+------------------------------------------+----------+------------------------------------------+| | AWS006 | An ingress security group rule allows | MEDIUM | Resource || | | traffic from /0. | | 'aws_security_group_rule.my-rule' || | | | | defines a fully open || | | | | ingress security group rule. || | | | | -->tfsec.dev/docs/aws/AWS006/ |+ +------------+------------------------------------------+----------+------------------------------------------+| | AZU003 | Unencrypted managed disk. | HIGH | Resource 'azurerm_managed_disk.source' || | | | | defines an unencrypted managed disk. || | | | | -->tfsec.dev/docs/azure/AZU003/ |+------------------------------------------+------------+------------------------------------------+----------+------------------------------------------+configs/variables.tf (terraform)================================Tests: 1 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 0)Failures: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
