diff --git a/docs/docs/references/configuration/cli/trivy_aws.md b/docs/docs/references/configuration/cli/trivy_aws.md index de0778205c4..e74a1d63434 100644 --- a/docs/docs/references/configuration/cli/trivy_aws.md +++ b/docs/docs/references/configuration/cli/trivy_aws.md 
@@ -65,38 +65,39 @@ trivy aws [flags] ### Options ``` - --account string The AWS account to scan. It's useful to specify this when reviewing cached results for multiple accounts. - --arn string The AWS ARN to show results for. Useful to filter results once a scan is cached. - --compliance string compliance report to generate (aws-cis-1.2, aws-cis-1.4) - --config-data strings specify paths from which data for the Rego policies will be recursively loaded - --config-policy strings specify the paths to the Rego policy files or to the directories containing them, applying config files - --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages - --endpoint string AWS Endpoint override - --exit-code int specify exit code when any security issues are found - -f, --format string format (table, json, template, sarif, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table") - --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) - --helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2) - --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) - --helm-values strings specify paths to override the Helm values.yaml files - -h, --help help for aws - --ignore-policy string specify the Rego file path to evaluate each vulnerability - --ignorefile string specify .trivyignore file (default ".trivyignore") - --include-non-failures include successes and exceptions, available with '--scanners config' - --list-all-pkgs enabling the option will output all packages regardless of vulnerability - --max-cache-age duration The maximum age of the cloud cache. Cached data will be requeried from the cloud provider if it is older than this. 
(default 24h0m0s) - -o, --output string output file name - --policy-namespaces strings Rego namespaces - --region string AWS Region to scan - --report string specify a report format for the output. (all,summary) (default "all") - --reset-policy-bundle remove policy bundle - --service strings Only scan AWS Service(s) specified with this flag. Can specify multiple services using --service A --service B etc. - -s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") - --skip-policy-update skip fetching rego policy updates - --skip-service strings Skip selected AWS Service(s) specified with this flag. Can specify multiple services using --skip-service A --skip-service B etc. - -t, --template string output template - --tf-vars strings specify paths to override the Terraform tfvars files - --trace enable more verbose trace output for custom queries - --update-cache Update the cache for the applicable cloud provider instead of using cached results. + --account string The AWS account to scan. It's useful to specify this when reviewing cached results for multiple accounts. + --arn string The AWS ARN to show results for. Useful to filter results once a scan is cached. 
+ --compliance string compliance report to generate (aws-cis-1.2, aws-cis-1.4) + --config-data strings specify paths from which data for the Rego policies will be recursively loaded + --config-policy strings specify the paths to the Rego policy files or to the directories containing them, applying config files + --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages + --endpoint string AWS Endpoint override + --exit-code int specify exit code when any security issues are found + -f, --format string format (table, json, template, sarif, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table") + --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) + --helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2) + --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) + --helm-values strings specify paths to override the Helm values.yaml files + -h, --help help for aws + --ignore-policy string specify the Rego file path to evaluate each vulnerability + --ignorefile string specify .trivyignore file (default ".trivyignore") + --include-non-failures include successes and exceptions, available with '--scanners config' + --list-all-pkgs enabling the option will output all packages regardless of vulnerability + --max-cache-age duration The maximum age of the cloud cache. Cached data will be requeried from the cloud provider if it is older than this. (default 24h0m0s) + -o, --output string output file name + --policy-namespaces strings Rego namespaces + --region string AWS Region to scan + --report string specify a report format for the output. 
(all,summary) (default "all") + --reset-policy-bundle remove policy bundle + --service strings Only scan AWS Service(s) specified with this flag. Can specify multiple services using --service A --service B etc. + -s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") + --skip-policy-update skip fetching rego policy updates + --skip-service strings Skip selected AWS Service(s) specified with this flag. Can specify multiple services using --skip-service A --skip-service B etc. + -t, --template string output template + --tf-exclude-downloaded-modules remove results for downloaded modules in .terraform folder + --tf-vars strings specify paths to override the Terraform tfvars files + --trace enable more verbose trace output for custom queries + --update-cache Update the cache for the applicable cloud provider instead of using cached results. ``` ### Options inherited from parent commands diff --git a/docs/docs/references/configuration/cli/trivy_config.md b/docs/docs/references/configuration/cli/trivy_config.md index e3ffc41b657..4475fe6bf67 100644 --- a/docs/docs/references/configuration/cli/trivy_config.md +++ b/docs/docs/references/configuration/cli/trivy_config.md 
@@ -9,43 +9,44 @@ trivy config [flags] DIR ### Options ``` - --cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs") - --cache-ttl duration cache TTL when using redis as cache backend - --clear-cache clear image caches without scanning - --compliance string compliance report to generate - --config-data strings specify paths from which data for the Rego policies will be recursively loaded - --config-policy strings specify the paths to the Rego policy files or to the directories containing them, applying config files - --enable-modules strings [EXPERIMENTAL] module names to enable - --exit-code int specify exit code when any security issues are found - --file-patterns strings specify config file patterns - -f, --format string format (table, json, template, sarif, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table") - --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) - --helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2) - --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) - --helm-values strings specify paths to override the Helm values.yaml files - -h, --help help for config - --ignorefile string specify .trivyignore file (default ".trivyignore") - --include-non-failures include successes and exceptions, available with '--scanners config' - --k8s-version string specify k8s version to validate outdated api by it (example: 1.21.0) - --module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules") - -o, --output string output file name - --password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons. 
- --policy-namespaces strings Rego namespaces - --redis-ca string redis ca file location, if using redis as cache backend - --redis-cert string redis certificate file location, if using redis as cache backend - --redis-key string redis key file location, if using redis as cache backend - --redis-tls enable redis TLS with public certificates, if using redis as cache backend - --registry-token string registry token - --report string specify a compliance report format for the output. (all,summary) (default "all") - --reset-policy-bundle remove policy bundle - -s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") - --skip-dirs strings specify the directories where the traversal is skipped - --skip-files strings specify the file paths to skip traversal - --skip-policy-update skip fetching rego policy updates - -t, --template string output template - --tf-vars strings specify paths to override the Terraform tfvars files - --trace enable more verbose trace output for custom queries - --username strings username. Comma-separated usernames allowed. + --cache-backend string cache backend (e.g. 
redis://localhost:6379) (default "fs") + --cache-ttl duration cache TTL when using redis as cache backend + --clear-cache clear image caches without scanning + --compliance string compliance report to generate + --config-data strings specify paths from which data for the Rego policies will be recursively loaded + --config-policy strings specify the paths to the Rego policy files or to the directories containing them, applying config files + --enable-modules strings [EXPERIMENTAL] module names to enable + --exit-code int specify exit code when any security issues are found + --file-patterns strings specify config file patterns + -f, --format string format (table, json, template, sarif, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table") + --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) + --helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2) + --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) + --helm-values strings specify paths to override the Helm values.yaml files + -h, --help help for config + --ignorefile string specify .trivyignore file (default ".trivyignore") + --include-non-failures include successes and exceptions, available with '--scanners config' + --k8s-version string specify k8s version to validate outdated api by it (example: 1.21.0) + --module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules") + -o, --output string output file name + --password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons. 
+ --policy-namespaces strings Rego namespaces + --redis-ca string redis ca file location, if using redis as cache backend + --redis-cert string redis certificate file location, if using redis as cache backend + --redis-key string redis key file location, if using redis as cache backend + --redis-tls enable redis TLS with public certificates, if using redis as cache backend + --registry-token string registry token + --report string specify a compliance report format for the output. (all,summary) (default "all") + --reset-policy-bundle remove policy bundle + -s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") + --skip-dirs strings specify the directories where the traversal is skipped + --skip-files strings specify the file paths to skip traversal + --skip-policy-update skip fetching rego policy updates + -t, --template string output template + --tf-exclude-downloaded-modules remove results for downloaded modules in .terraform folder + --tf-vars strings specify paths to override the Terraform tfvars files + --trace enable more verbose trace output for custom queries + --username strings username. Comma-separated usernames allowed. ``` ### Options inherited from parent commands diff --git a/docs/docs/references/configuration/cli/trivy_filesystem.md b/docs/docs/references/configuration/cli/trivy_filesystem.md index e915d55f814..daf9932a068 100644 --- a/docs/docs/references/configuration/cli/trivy_filesystem.md +++ b/docs/docs/references/configuration/cli/trivy_filesystem.md 
@@ -76,6 +76,7 @@ trivy filesystem [flags] PATH
 --skip-policy-update skip fetching rego policy updates
 --slow scan over time with lower CPU and memory utilization
 -t, --template string output template
+ --tf-exclude-downloaded-modules remove results for downloaded modules in .terraform folder
 --tf-vars strings specify paths to override the Terraform tfvars files
 --token string for authentication in client/server mode
 --token-header string specify a header name for token in client/server mode (default "Trivy-Token")
diff --git a/docs/docs/references/configuration/cli/trivy_image.md b/docs/docs/references/configuration/cli/trivy_image.md
index d8fda0d74bb..d075000af0d 100644
--- a/docs/docs/references/configuration/cli/trivy_image.md
+++ b/docs/docs/references/configuration/cli/trivy_image.md
@@ -97,6 +97,7 @@ trivy image [flags] IMAGE_NAME
 --skip-policy-update skip fetching rego policy updates
 --slow scan over time with lower CPU and memory utilization
 -t, --template string output template
+ --tf-exclude-downloaded-modules remove results for downloaded modules in .terraform folder
 --tf-vars strings specify paths to override the Terraform tfvars files
 --token string for authentication in client/server mode
 --token-header string specify a header name for token in client/server mode (default "Trivy-Token")
diff --git a/docs/docs/references/configuration/cli/trivy_kubernetes.md b/docs/docs/references/configuration/cli/trivy_kubernetes.md
index 84ec5854b34..a632f098653 100644
--- a/docs/docs/references/configuration/cli/trivy_kubernetes.md
+++ b/docs/docs/references/configuration/cli/trivy_kubernetes.md
@@ -86,6 +86,7 @@ trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg:
 --skip-policy-update skip fetching rego policy updates
 --slow scan over time with lower CPU and memory utilization
 -t, --template string output template
+ --tf-exclude-downloaded-modules remove results for downloaded modules in .terraform folder
 --tf-vars strings specify paths to override the Terraform tfvars files
 --tolerations strings specify node-collector job tolerations (example: key1=value1:NoExecute,key2=value2:NoSchedule)
 --trace enable more verbose trace output for custom queries
diff --git a/docs/docs/references/configuration/cli/trivy_repository.md b/docs/docs/references/configuration/cli/trivy_repository.md
index 1879f383e6f..75afd5bc27f 100644
--- a/docs/docs/references/configuration/cli/trivy_repository.md
+++ b/docs/docs/references/configuration/cli/trivy_repository.md
@@ -73,6 +73,7 @@ trivy repository [flags] REPO_URL
 --slow scan over time with lower CPU and memory utilization
 --tag string pass the tag name to be scanned
 -t, --template string output template
+ --tf-exclude-downloaded-modules remove results for downloaded modules in .terraform folder
 --tf-vars strings specify paths to override the Terraform tfvars files
 --token string for authentication in client/server mode
 --token-header string specify a header name for token in client/server mode (default "Trivy-Token")
diff --git a/docs/docs/references/configuration/cli/trivy_rootfs.md b/docs/docs/references/configuration/cli/trivy_rootfs.md
index 9698bab851d..fd3a1216708 100644
--- a/docs/docs/references/configuration/cli/trivy_rootfs.md
+++ b/docs/docs/references/configuration/cli/trivy_rootfs.md
@@ -77,6 +77,7 @@ trivy rootfs [flags] ROOTDIR
 --skip-policy-update skip fetching rego policy updates
 --slow scan over time with lower CPU and memory utilization
 -t, --template string output template
+ --tf-exclude-downloaded-modules remove results for downloaded modules in .terraform folder
 --tf-vars strings specify paths to override the Terraform tfvars files
 --token string for authentication in client/server mode
 --token-header string specify a header name for token in client/server mode (default "Trivy-Token")
diff --git a/docs/docs/references/configuration/cli/trivy_vm.md b/docs/docs/references/configuration/cli/trivy_vm.md
index 3b7a4430c14..0c437ced87f 100644
--- a/docs/docs/references/configuration/cli/trivy_vm.md
+++ b/docs/docs/references/configuration/cli/trivy_vm.md
@@ -20,58 +20,59 @@ trivy vm [flags] VM_IMAGE ### Options ``` - --aws-region string AWS region to scan - --cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs") - --cache-ttl duration cache TTL when using redis as cache backend - --clear-cache clear image caches without scanning - --compliance string compliance report to generate - --custom-headers strings custom headers in client mode - --db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db") - --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages - --download-db-only download/update vulnerability database but don't run a scan - --download-java-db-only download/update Java index database but don't run a scan - --enable-modules strings [EXPERIMENTAL] module names to enable - --exit-code int specify exit code when any security issues are found - --exit-on-eol int exit with the specified code when the OS reaches end of service/life - --file-patterns strings specify config file patterns - -f, --format string format (table, json, template, sarif, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table") - --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) - --helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2) - --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) - --helm-values strings specify paths to override the Helm values.yaml files - -h, --help help for vm - --ignore-policy string specify the Rego file path to evaluate each vulnerability - --ignore-unfixed display only fixed vulnerabilities - --ignorefile string specify .trivyignore file (default ".trivyignore") - --include-non-failures include successes 
and exceptions, available with '--scanners config' - --java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db") - --list-all-pkgs enabling the option will output all packages regardless of vulnerability - --module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules") - --no-progress suppress progress bar - --offline-scan do not issue API requests to identify dependencies - -o, --output string output file name - --redis-ca string redis ca file location, if using redis as cache backend - --redis-cert string redis certificate file location, if using redis as cache backend - --redis-key string redis key file location, if using redis as cache backend - --redis-tls enable redis TLS with public certificates, if using redis as cache backend - --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev") - --reset remove all caches and database - --reset-policy-bundle remove policy bundle - --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor) - --scanners strings comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret]) - --secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml") - --server string server address in client mode - -s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") - --skip-db-update skip updating vulnerability database - --skip-dirs strings specify the directories where the traversal is skipped - --skip-files strings specify the file paths to skip traversal - --skip-java-db-update skip updating Java index database - --slow scan over time with lower CPU and memory utilization - -t, --template string output template - --tf-vars strings specify paths to override the Terraform tfvars files - --token 
string for authentication in client/server mode - --token-header string specify a header name for token in client/server mode (default "Trivy-Token") - --vuln-type strings comma-separated list of vulnerability types (os,library) (default [os,library]) + --aws-region string AWS region to scan + --cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs") + --cache-ttl duration cache TTL when using redis as cache backend + --clear-cache clear image caches without scanning + --compliance string compliance report to generate + --custom-headers strings custom headers in client mode + --db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db") + --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages + --download-db-only download/update vulnerability database but don't run a scan + --download-java-db-only download/update Java index database but don't run a scan + --enable-modules strings [EXPERIMENTAL] module names to enable + --exit-code int specify exit code when any security issues are found + --exit-on-eol int exit with the specified code when the OS reaches end of service/life + --file-patterns strings specify config file patterns + -f, --format string format (table, json, template, sarif, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table") + --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) + --helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2) + --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) + --helm-values strings specify paths to override the Helm values.yaml files + -h, --help help for vm + --ignore-policy string specify the Rego file path to evaluate 
each vulnerability + --ignore-unfixed display only fixed vulnerabilities + --ignorefile string specify .trivyignore file (default ".trivyignore") + --include-non-failures include successes and exceptions, available with '--scanners config' + --java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db") + --list-all-pkgs enabling the option will output all packages regardless of vulnerability + --module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules") + --no-progress suppress progress bar + --offline-scan do not issue API requests to identify dependencies + -o, --output string output file name + --redis-ca string redis ca file location, if using redis as cache backend + --redis-cert string redis certificate file location, if using redis as cache backend + --redis-key string redis key file location, if using redis as cache backend + --redis-tls enable redis TLS with public certificates, if using redis as cache backend + --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev") + --reset remove all caches and database + --reset-policy-bundle remove policy bundle + --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor) + --scanners strings comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret]) + --secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml") + --server string server address in client mode + -s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") + --skip-db-update skip updating vulnerability database + --skip-dirs strings specify the directories where the traversal is skipped + --skip-files strings specify the file paths to skip traversal + --skip-java-db-update skip updating Java index 
database
+ --slow scan over time with lower CPU and memory utilization
+ -t, --template string output template
+ --tf-exclude-downloaded-modules remove results for downloaded modules in .terraform folder
+ --tf-vars strings specify paths to override the Terraform tfvars files
+ --token string for authentication in client/server mode
+ --token-header string specify a header name for token in client/server mode (default "Trivy-Token")
+ --vuln-type strings comma-separated list of vulnerability types (os,library) (default [os,library])
 ```
 ### Options inherited from parent commands
diff --git a/docs/docs/references/configuration/config-file.md b/docs/docs/references/configuration/config-file.md
index 8dd02180c12..08902fb8215 100644
--- a/docs/docs/references/configuration/config-file.md
+++ b/docs/docs/references/configuration/config-file.md
@@ -292,6 +292,11 @@ misconfiguration:
 vars:
 - dev-terraform.tfvars
 - common-terraform.tfvars
+
+ # Same as '--tf-exclude-downloaded-modules'
+ # Default is false
+ terraform:
+ exclude-downloaded-modules: false
 ```
 ## Kubernetes Options
diff --git a/docs/docs/scanner/misconfiguration/index.md b/docs/docs/scanner/misconfiguration/index.md
index ae3fa33b90f..a7780e08fe7 100644
--- a/docs/docs/scanner/misconfiguration/index.md
+++ b/docs/docs/scanner/misconfiguration/index.md
@@ -356,6 +356,12 @@ You can pass `tf-vars` files to Trivy to override default values found in the Te
 trivy conf --tf-vars dev.terraform.tfvars ./infrastructure/tf
 ```
+### Exclude downloaded Terraform modules
+You can remove results for downloaded modules in `.terraform` folder.
+```bash
+trivy conf --tf-exclude-downloaded-modules ./configs
+```
+
 ### Helm value overrides
 There are a number of options for overriding values in Helm charts. When override values are passed to the Helm scanner, the values will be used during the Manifest rendering process and will become part of the scanned artifact.
diff --git a/pkg/commands/artifact/run.go b/pkg/commands/artifact/run.go
index 1010c476333..e7d7622dac9 100644
--- a/pkg/commands/artifact/run.go
+++ b/pkg/commands/artifact/run.go
@@ -587,6 +587,7 @@ func initScannerConfig(opts flag.Options, cacheClient cache.Cache) (ScannerConfi
 TerraformTFVars: opts.TerraformTFVars,
 K8sVersion: opts.K8sVersion,
 DisableEmbeddedPolicies: disableEmbedded,
+ TfExcludeDownloaded: opts.TfExcludeDownloaded,
 }
 }
diff --git a/pkg/flag/misconf_flags.go b/pkg/flag/misconf_flags.go
index a8f6c8d3f75..e5a09ca6761 100644
--- a/pkg/flag/misconf_flags.go
+++ b/pkg/flag/misconf_flags.go
@@ -49,6 +49,12 @@ var (
 Value: []string{},
 Usage: "specify paths to override the Terraform tfvars files",
 }
+ TerraformExcludeDownloaded = Flag{
+ Name: "tf-exclude-downloaded-modules",
+ ConfigName: "misconfiguration.terraform.exclude-downloaded-modules",
+ Value: false,
+ Usage: "remove results for downloaded modules in .terraform folder",
+ }
 )
 // MisconfFlagGroup composes common printer flag structs used for commands providing misconfinguration scanning.
@@ -57,11 +63,12 @@ type MisconfFlagGroup struct {
 ResetPolicyBundle *Flag
 // Values Files
- HelmValues *Flag
- HelmValueFiles *Flag
- HelmFileValues *Flag
- HelmStringValues *Flag
- TerraformTFVars *Flag
+ HelmValues *Flag
+ HelmValueFiles *Flag
+ HelmFileValues *Flag
+ HelmStringValues *Flag
+ TerraformTFVars *Flag
+ TerraformExcludeDownloaded *Flag
 }
 type MisconfOptions struct {
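Review bot: The new flag variable `TerraformExcludeDownloaded` added to the `var (` block (which begins outside the hunk) breaks the naming scheme of its siblings `TfVarsFlag`, `HelmSetFlag`, `IncludeNonFailuresFlag` and `ResetPolicyBundleFlag`, which all carry the `Flag` suffix, and the same value is then exposed under two different field names, `TerraformExcludeDownloaded` on MisconfFlagGroup but `TfExcludeDownloaded` on MisconfOptions and on ScannerOption in scanner.go (the MisconfOptions/NewMisconfFlagGroup, Flags/ToOptions and ScannerOption hunks share this). Renaming the variable to `TfExcludeDownloadedFlag` and using one field name in all three structs, e.g. `TerraformExcludeDownloaded`, would match `TerraformTFVars`, which is already spelled identically everywhere. The usage text `remove results for downloaded modules in .terraform folder` reads as post-filtering of findings, while the scanner option it is wired to in scanner.go is named `ScannerWithSkipDownloaded`; if those modules are skipped rather than scanned and then filtered, the usage string and the matching comment in config-file.md should say so, because a user enabling this to quiet noisy output is also giving up misconfiguration coverage of the third-party module code vendored under `.terraform`.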
@@ -69,22 +76,24 @@ type MisconfOptions struct {
 ResetPolicyBundle bool
 // Values Files
- HelmValues []string
- HelmValueFiles []string
- HelmFileValues []string
- HelmStringValues []string
- TerraformTFVars []string
+ HelmValues []string
+ HelmValueFiles []string
+ HelmFileValues []string
+ HelmStringValues []string
+ TerraformTFVars []string
+ TfExcludeDownloaded bool
 }
 func NewMisconfFlagGroup() *MisconfFlagGroup {
 return &MisconfFlagGroup{
- IncludeNonFailures: &IncludeNonFailuresFlag,
- ResetPolicyBundle: &ResetPolicyBundleFlag,
- HelmValues: &HelmSetFlag,
- HelmFileValues: &HelmSetFileFlag,
- HelmStringValues: &HelmSetStringFlag,
- HelmValueFiles: &HelmValuesFileFlag,
- TerraformTFVars: &TfVarsFlag,
+ IncludeNonFailures: &IncludeNonFailuresFlag,
+ ResetPolicyBundle: &ResetPolicyBundleFlag,
+ HelmValues: &HelmSetFlag,
+ HelmFileValues: &HelmSetFileFlag,
+ HelmStringValues: &HelmSetStringFlag,
+ HelmValueFiles: &HelmValuesFileFlag,
+ TerraformTFVars: &TfVarsFlag,
+ TerraformExcludeDownloaded: &TerraformExcludeDownloaded,
 }
 }
@@ -101,17 +110,19 @@ func (f *MisconfFlagGroup) Flags() []*Flag {
 f.HelmFileValues,
 f.HelmStringValues,
 f.TerraformTFVars,
+ f.TerraformExcludeDownloaded,
 }
 }
 func (f *MisconfFlagGroup) ToOptions() (MisconfOptions, error) {
 return MisconfOptions{
- IncludeNonFailures: getBool(f.IncludeNonFailures),
- ResetPolicyBundle: getBool(f.ResetPolicyBundle),
- HelmValues: getStringSlice(f.HelmValues),
- HelmValueFiles: getStringSlice(f.HelmValueFiles),
- HelmFileValues: getStringSlice(f.HelmFileValues),
- HelmStringValues: getStringSlice(f.HelmStringValues),
- TerraformTFVars: getStringSlice(f.TerraformTFVars),
+ IncludeNonFailures: getBool(f.IncludeNonFailures),
+ ResetPolicyBundle: getBool(f.ResetPolicyBundle),
+ HelmValues: getStringSlice(f.HelmValues),
+ HelmValueFiles: getStringSlice(f.HelmValueFiles),
+ HelmFileValues: getStringSlice(f.HelmFileValues),
+ HelmStringValues: getStringSlice(f.HelmStringValues),
+ TerraformTFVars: getStringSlice(f.TerraformTFVars),
+ TfExcludeDownloaded: getBool(f.TerraformExcludeDownloaded),
 }, nil
 }
diff --git a/pkg/misconf/scanner.go b/pkg/misconf/scanner.go
index 718d0ba28bd..0691faace56 100644
--- a/pkg/misconf/scanner.go
+++ b/pkg/misconf/scanner.go
@@ -50,12 +50,13 @@ type ScannerOption struct {
 DataPaths []string
 DisableEmbeddedPolicies bool
- HelmValues []string
- HelmValueFiles []string
- HelmFileValues []string
- HelmStringValues []string
- TerraformTFVars []string
- K8sVersion string
+ HelmValues []string
+ HelmValueFiles []string
+ HelmFileValues []string
+ HelmStringValues []string
+ TerraformTFVars []string
+ TfExcludeDownloaded bool
+ K8sVersion string
 }
 func (o *ScannerOption) Sort() {
@@ -262,6 +263,7 @@ func addTFOpts(opts []options.ScannerOption, scannerOption ScannerOption) []opti
 }
 opts = append(opts, tfscanner.ScannerWithAllDirectories(true))
+ opts = append(opts, tfscanner.ScannerWithSkipDownloaded(scannerOption.TfExcludeDownloaded))
 return opts
 }