Debugging policies

When working on more complex queries (or when learning Rego), it’s useful to see exactly how the policy is applied. For this purpose you can use the --trace flag. This will output a large trace from Open Policy Agent like the following:

Tip

Only failed policies show traces. If you want to debug a passed policy, you need to make it fail on purpose.

  1. $ trivy conf --trace configs/
  2. 2021-07-11T16:45:58.493+0300    INFO    Detected config files: 1
  4. Dockerfile (dockerfile)
  5. =======================
  6. Tests: 23 (SUCCESSES: 22, FAILURES: 1, EXCEPTIONS: 0)
  7. Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
  9. +---------------------------+------------+----------------------+----------+------------------------------------------+
  10. |           TYPE            | MISCONF ID |        CHECK         | SEVERITY |                 MESSAGE                  |
  11. +---------------------------+------------+----------------------+----------+------------------------------------------+
  12. | Dockerfile Security Check |   DS002    | Image user is 'root' |   HIGH   | Last USER command in                     |
  13. |                           |            |                      |          | Dockerfile should not be 'root'          |
  14. |                           |            |                      |          | -->avd.aquasec.com/appshield/ds002       |
  15. +---------------------------+------------+----------------------+----------+------------------------------------------+
  17. ID: DS002
  18. File: Dockerfile
  19. Namespace: appshield.dockerfile.DS002
  20. Query: data.appshield.dockerfile.DS002.deny
  21. Message: Last USER command in Dockerfile should not be 'root'
  22. TRACE  Enter data.appshield.dockerfile.DS002.deny = _
  23. TRACE  | Eval data.appshield.dockerfile.DS002.deny = _
  24. TRACE  | Index data.appshield.dockerfile.DS002.deny matched 2 rules)
  25. TRACE  | Enter data.appshield.dockerfile.DS002.deny
  26. TRACE  | | Eval data.appshield.dockerfile.DS002.fail_user_count
  27. TRACE  | | Index data.appshield.dockerfile.DS002.fail_user_count (matched 1 rule)
  28. TRACE  | | Enter data.appshield.dockerfile.DS002.fail_user_count
  29. TRACE  | | | Eval __local559__ = data.appshield.dockerfile.DS002.get_user
  30. TRACE  | | | Index data.appshield.dockerfile.DS002.get_user (matched 1 rule)
  31. TRACE  | | | Enter data.appshield.dockerfile.DS002.get_user
  32. TRACE  | | | | Eval user = data.lib.docker.user[_]
  33. TRACE  | | | | Index data.lib.docker.user (matched 1 rule)
  34. TRACE  | | | | Enter data.lib.docker.user
  35. TRACE  | | | | | Eval instruction = input.stages[_][_]
  36. TRACE  | | | | | Eval instruction.Cmd = "user"
  37. TRACE  | | | | | Fail instruction.Cmd = "user"
  38. TRACE  | | | | | Redo instruction = input.stages[_][_]
  39. TRACE  | | | | | Eval instruction.Cmd = "user"
  40. TRACE  | | | | | Fail instruction.Cmd = "user"
  41. TRACE  | | | | | Redo instruction = input.stages[_][_]
  42. TRACE  | | | | | Eval instruction.Cmd = "user"
  43. TRACE  | | | | | Fail instruction.Cmd = "user"
  44. TRACE  | | | | | Redo instruction = input.stages[_][_]
  45. TRACE  | | | | | Eval instruction.Cmd = "user"
  46. TRACE  | | | | | Fail instruction.Cmd = "user"
  47. TRACE  | | | | | Redo instruction = input.stages[_][_]
  48. TRACE  | | | | | Eval instruction.Cmd = "user"
  49. TRACE  | | | | | Fail instruction.Cmd = "user"
  50. TRACE  | | | | | Redo instruction = input.stages[_][_]
  51. TRACE  | | | | | Eval instruction.Cmd = "user"
  52. TRACE  | | | | | Fail instruction.Cmd = "user"
  53. TRACE  | | | | | Redo instruction = input.stages[_][_]
  54. TRACE  | | | | | Eval instruction.Cmd = "user"
  55. TRACE  | | | | | Fail instruction.Cmd = "user"
  56. TRACE  | | | | | Redo instruction = input.stages[_][_]
  57. TRACE  | | | | | Eval instruction.Cmd = "user"
  58. TRACE  | | | | | Exit data.lib.docker.user
  59. TRACE  | | | | Eval username = user.Value[_]
  60. TRACE  | | | | Exit data.appshield.dockerfile.DS002.get_user
  61. TRACE  | | | Redo data.appshield.dockerfile.DS002.get_user
  62. TRACE  | | | | Redo username = user.Value[_]
  63. TRACE  | | | | Redo user = data.lib.docker.user[_]
  64. TRACE  | | | | Redo data.lib.docker.user
  65. TRACE  | | | | | Redo instruction.Cmd = "user"
  66. TRACE  | | | | | Redo instruction = input.stages[_][_]
  67. TRACE  | | | | | Eval instruction.Cmd = "user"
  68. TRACE  | | | | | Exit data.lib.docker.user
  69. TRACE  | | | | Eval username = user.Value[_]
  70. TRACE  | | | | Exit data.appshield.dockerfile.DS002.get_user
  71. TRACE  | | | Redo data.appshield.dockerfile.DS002.get_user
  72. TRACE  | | | | Redo username = user.Value[_]
  73. TRACE  | | | | Redo user = data.lib.docker.user[_]
  74. TRACE  | | | | Redo data.lib.docker.user
  75. TRACE  | | | | | Redo instruction.Cmd = "user"
  76. TRACE  | | | | | Redo instruction = input.stages[_][_]
  77. TRACE  | | | | | Eval instruction.Cmd = "user"
  78. TRACE  | | | | | Fail instruction.Cmd = "user"
  79. TRACE  | | | | | Redo instruction = input.stages[_][_]
  80. TRACE  | | | Eval count(__local559__, __local391__)
  81. TRACE  | | | Eval lt(__local391__, 1)
  82. TRACE  | | | Fail lt(__local391__, 1)
  83. TRACE  | | | Redo count(__local559__, __local391__)
  84. TRACE  | | | Redo __local559__ = data.appshield.dockerfile.DS002.get_user
  85. TRACE  | | Fail data.appshield.dockerfile.DS002.fail_user_count
  86. TRACE  | Enter data.appshield.dockerfile.DS002.deny
  87. TRACE  | | Eval data.appshield.dockerfile.DS002.fail_last_user_root
  88. TRACE  | | Index data.appshield.dockerfile.DS002.fail_last_user_root (matched 1 rule)
  89. TRACE  | | Enter data.appshield.dockerfile.DS002.fail_last_user_root
  90. TRACE  | | | Eval __local560__ = data.appshield.dockerfile.DS002.get_user
  91. TRACE  | | | Index data.appshield.dockerfile.DS002.get_user (matched 1 rule)
  92. TRACE  | | | Enter data.appshield.dockerfile.DS002.get_user
  93. TRACE  | | | | Eval user = data.lib.docker.user[_]
  94. TRACE  | | | | Index data.lib.docker.user (matched 1 rule)
  95. TRACE  | | | | Enter data.lib.docker.user
  96. TRACE  | | | | | Eval instruction = input.stages[_][_]
  97. TRACE  | | | | | Eval instruction.Cmd = "user"
  98. TRACE  | | | | | Fail instruction.Cmd = "user"
  99. TRACE  | | | | | Redo instruction = input.stages[_][_]
  100. TRACE  | | | | | Eval instruction.Cmd = "user"
  101. TRACE  | | | | | Fail instruction.Cmd = "user"
  102. TRACE  | | | | | Redo instruction = input.stages[_][_]
  103. TRACE  | | | | | Eval instruction.Cmd = "user"
  104. TRACE  | | | | | Fail instruction.Cmd = "user"
  105. TRACE  | | | | | Redo instruction = input.stages[_][_]
  106. TRACE  | | | | | Eval instruction.Cmd = "user"
  107. TRACE  | | | | | Fail instruction.Cmd = "user"
  108. TRACE  | | | | | Redo instruction = input.stages[_][_]
  109. TRACE  | | | | | Eval instruction.Cmd = "user"
  110. TRACE  | | | | | Fail instruction.Cmd = "user"
  111. TRACE  | | | | | Redo instruction = input.stages[_][_]
  112. TRACE  | | | | | Eval instruction.Cmd = "user"
  113. TRACE  | | | | | Fail instruction.Cmd = "user"
  114. TRACE  | | | | | Redo instruction = input.stages[_][_]
  115. TRACE  | | | | | Eval instruction.Cmd = "user"
  116. TRACE  | | | | | Fail instruction.Cmd = "user"
  117. TRACE  | | | | | Redo instruction = input.stages[_][_]
  118. TRACE  | | | | | Eval instruction.Cmd = "user"
  119. TRACE  | | | | | Exit data.lib.docker.user
  120. TRACE  | | | | Eval username = user.Value[_]
  121. TRACE  | | | | Exit data.appshield.dockerfile.DS002.get_user
  122. TRACE  | | | Redo data.appshield.dockerfile.DS002.get_user
  123. TRACE  | | | | Redo username = user.Value[_]
  124. TRACE  | | | | Redo user = data.lib.docker.user[_]
  125. TRACE  | | | | Redo data.lib.docker.user
  126. TRACE  | | | | | Redo instruction.Cmd = "user"
  127. TRACE  | | | | | Redo instruction = input.stages[_][_]
  128. TRACE  | | | | | Eval instruction.Cmd = "user"
  129. TRACE  | | | | | Exit data.lib.docker.user
  130. TRACE  | | | | Eval username = user.Value[_]
  131. TRACE  | | | | Exit data.appshield.dockerfile.DS002.get_user
  132. TRACE  | | | Redo data.appshield.dockerfile.DS002.get_user
  133. TRACE  | | | | Redo username = user.Value[_]
  134. TRACE  | | | | Redo user = data.lib.docker.user[_]
  135. TRACE  | | | | Redo data.lib.docker.user
  136. TRACE  | | | | | Redo instruction.Cmd = "user"
  137. TRACE  | | | | | Redo instruction = input.stages[_][_]
  138. TRACE  | | | | | Eval instruction.Cmd = "user"
  139. TRACE  | | | | | Fail instruction.Cmd = "user"
  140. TRACE  | | | | | Redo instruction = input.stages[_][_]
  141. TRACE  | | | Eval cast_array(__local560__, __local392__)
  142. TRACE  | | | Eval user = __local392__
  143. TRACE  | | | Eval __local561__ = data.appshield.dockerfile.DS002.get_user
  144. TRACE  | | | Index data.appshield.dockerfile.DS002.get_user (matched 1 rule)
  145. TRACE  | | | Enter data.appshield.dockerfile.DS002.get_user
  146. TRACE  | | | | Eval user = data.lib.docker.user[_]
  147. TRACE  | | | | Index data.lib.docker.user (matched 1 rule)
  148. TRACE  | | | | Enter data.lib.docker.user
  149. TRACE  | | | | | Eval instruction = input.stages[_][_]
  150. TRACE  | | | | | Eval instruction.Cmd = "user"
  151. TRACE  | | | | | Fail instruction.Cmd = "user"
  152. TRACE  | | | | | Redo instruction = input.stages[_][_]
  153. TRACE  | | | | | Eval instruction.Cmd = "user"
  154. TRACE  | | | | | Fail instruction.Cmd = "user"
  155. TRACE  | | | | | Redo instruction = input.stages[_][_]
  156. TRACE  | | | | | Eval instruction.Cmd = "user"
  157. TRACE  | | | | | Fail instruction.Cmd = "user"
  158. TRACE  | | | | | Redo instruction = input.stages[_][_]
  159. TRACE  | | | | | Eval instruction.Cmd = "user"
  160. TRACE  | | | | | Fail instruction.Cmd = "user"
  161. TRACE  | | | | | Redo instruction = input.stages[_][_]
  162. TRACE  | | | | | Eval instruction.Cmd = "user"
  163. TRACE  | | | | | Fail instruction.Cmd = "user"
  164. TRACE  | | | | | Redo instruction = input.stages[_][_]
  165. TRACE  | | | | | Eval instruction.Cmd = "user"
  166. TRACE  | | | | | Fail instruction.Cmd = "user"
  167. TRACE  | | | | | Redo instruction = input.stages[_][_]
  168. TRACE  | | | | | Eval instruction.Cmd = "user"
  169. TRACE  | | | | | Fail instruction.Cmd = "user"
  170. TRACE  | | | | | Redo instruction = input.stages[_][_]
  171. TRACE  | | | | | Eval instruction.Cmd = "user"
  172. TRACE  | | | | | Exit data.lib.docker.user
  173. TRACE  | | | | Eval username = user.Value[_]
  174. TRACE  | | | | Exit data.appshield.dockerfile.DS002.get_user
  175. TRACE  | | | Redo data.appshield.dockerfile.DS002.get_user
  176. TRACE  | | | | Redo username = user.Value[_]
  177. TRACE  | | | | Redo user = data.lib.docker.user[_]
  178. TRACE  | | | | Redo data.lib.docker.user
  179. TRACE  | | | | | Redo instruction.Cmd = "user"
  180. TRACE  | | | | | Redo instruction = input.stages[_][_]
  181. TRACE  | | | | | Eval instruction.Cmd = "user"
  182. TRACE  | | | | | Exit data.lib.docker.user
  183. TRACE  | | | | Eval username = user.Value[_]
  184. TRACE  | | | | Exit data.appshield.dockerfile.DS002.get_user
  185. TRACE  | | | Redo data.appshield.dockerfile.DS002.get_user
  186. TRACE  | | | | Redo username = user.Value[_]
  187. TRACE  | | | | Redo user = data.lib.docker.user[_]
  188. TRACE  | | | | Redo data.lib.docker.user
  189. TRACE  | | | | | Redo instruction.Cmd = "user"
  190. TRACE  | | | | | Redo instruction = input.stages[_][_]
  191. TRACE  | | | | | Eval instruction.Cmd = "user"
  192. TRACE  | | | | | Fail instruction.Cmd = "user"
  193. TRACE  | | | | | Redo instruction = input.stages[_][_]
  194. TRACE  | | | Eval count(__local561__, __local393__)
  195. TRACE  | | | Eval len = __local393__
  196. TRACE  | | | Eval minus(len, 1, __local394__)
  197. TRACE  | | | Eval user[__local394__] = "root"
  198. TRACE  | | | Exit data.appshield.dockerfile.DS002.fail_last_user_root
  199. TRACE  | | Eval res = "Last USER command in Dockerfile should not be 'root'"
  200. TRACE  | | Exit data.appshield.dockerfile.DS002.deny
  201. TRACE  | Redo data.appshield.dockerfile.DS002.deny
  202. TRACE  | | Redo res = "Last USER command in Dockerfile should not be 'root'"
  203. TRACE  | | Redo data.appshield.dockerfile.DS002.fail_last_user_root
  204. TRACE  | | Redo data.appshield.dockerfile.DS002.fail_last_user_root
  205. TRACE  | | | Redo user[__local394__] = "root"
  206. TRACE  | | | Redo minus(len, 1, __local394__)
  207. TRACE  | | | Redo len = __local393__
  208. TRACE  | | | Redo count(__local561__, __local393__)
  209. TRACE  | | | Redo __local561__ = data.appshield.dockerfile.DS002.get_user
  210. TRACE  | | | Redo user = __local392__
  211. TRACE  | | | Redo cast_array(__local560__, __local392__)
  212. TRACE  | | | Redo __local560__ = data.appshield.dockerfile.DS002.get_user
  213. TRACE  | Exit data.appshield.dockerfile.DS002.deny = _
  214. TRACE  Redo data.appshield.dockerfile.DS002.deny = _
  215. TRACE  | Redo data.appshield.dockerfile.DS002.deny = _