* docs: add coverage
* add more pages
* add dart, dotnet, elixir languages.
* add C, ruby, cocoapods. Update links
* rename headers for dart and elixir
* docs: add Google Distroless and Photon OS
* docs: add IaC
* docs: put vulnerability into a single page
* fixed broken links
* docs: add coverage overview
* update some links
* add note about arch for Rocky linux
* docs: fix typo
* fix typo
* docs: add footnotes
* docs: add a link to coverage in the license section
* docs: add a conversion table
* docs: get aligned

---------

Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
1 parent 6f03c79, commit a4e981b
Showing 58 changed files with 1,736 additions and 495 deletions.
@@ -0,0 +1,33 @@ | ||
# Azure ARM Template | ||
Trivy supports the scanners listed in the table below. | ||
|
||
| Scanner | Supported | | ||
| :----------------: | :-------: | | ||
| [Misconfiguration] | ✓ | | ||
| [Secret] | ✓ | | ||
|
||
It supports the following configurations: | ||
|
||
| Format | Supported | | ||
| :----------: | :-------: | | ||
| ARM template | ✓ | | ||
| Bicep | ✓[^1] | | ||
|
||
To scan Bicep codes, you need to convert them into ARM templates first. | ||
|
||
``` | ||
az bicep build -f main.bicep | ||
or | ||
bicep build main.bicep | ||
``` | ||
|
||
## Misconfiguration | ||
Trivy recursively searches directories and scans all found Azure ARM templates. | ||
|
||
## Secret | ||
The secret scan is performed on plain text files, with no special treatment for Azure ARM templates. | ||
|
||
[Misconfiguration]: ../../scanner/misconfiguration/index.md | ||
[Secret]: ../../scanner/secret.md | ||
|
||
[^1]: Bicep is not natively supported. It needs to be converted into Azure ARM templates. |
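Review bot: the fenced block under "To scan Bicep codes" has no language tag and places a bare `or` line between the two commands, so anyone pasting the block runs `or` as a command; split it into two `bash` fences (the style the Helm page uses) or turn the alternative into a comment such as `# or: bicep build main.bicep`. In the same hunk, "Bicep codes" should read "Bicep code", and the lead-in "It supports the following configurations:" sits above a table headed "Format", so one term should be used for both.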
@@ -0,0 +1,24 @@ | ||
# CloudFormation | ||
Trivy supports the scanners listed in the table below. | ||
|
||
| Scanner | Supported | | ||
| :----------------: | :-------: | | ||
| [Misconfiguration] | ✓ | | ||
| [Secret] | ✓ | | ||
|
||
It supports the following formats. | ||
|
||
| Format | Supported | | ||
| :----: | :-------: | | ||
| JSON | ✓ | | ||
| YAML | ✓ | | ||
|
||
## Misconfiguration | ||
Trivy recursively searches directories and scans all found CloudFormation files. | ||
It evaluates properties, functions, and other elements within CloudFormation files to detect misconfigurations. | ||
|
||
## Secret | ||
The secret scan is performed on plain text files, with no special treatment for CloudFormation. | ||
|
||
[Misconfiguration]: ../../scanner/misconfiguration/index.md | ||
[Secret]: ../../scanner/secret.md |
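Review bot: style nit at "It supports the following formats.": the sibling Azure ARM and Terraform pages end the same lead-in with a colon before the table, so the IaC pages should agree on one punctuation. Otherwise the JSON/YAML rows match the CloudFormation file patterns listed in the IaC index added in this commit.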
@@ -0,0 +1,24 @@ | ||
# Docker | ||
Trivy supports the scanners listed in the table below. | ||
|
||
| Scanner | Supported | | ||
| :----------------: | :-------: | | ||
| [Misconfiguration] | ✓ | | ||
| [Secret] | ✓ | | ||
|
||
It supports the following configurations. | ||
|
||
| Config | Supported | | ||
| :-----------: | :-------: | | ||
| Dockerfile | ✓ | | ||
| Containerfile | ✓ | | ||
| Compose | - | | ||
|
||
## Misconfiguration | ||
Trivy recursively searches directories and scans all found Docker files. | ||
|
||
## Secret | ||
The secret scan is performed on plain text files, with no special treatment for Dockerfile. | ||
|
||
[Misconfiguration]: ../../scanner/misconfiguration/index.md | ||
[Secret]: ../../scanner/secret.md |
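Review bot: the Compose row shows `-` with no explanation, and "scans all found Docker files" is ambiguous between Dockerfile/Containerfile and "files related to Docker"; say "Dockerfiles and Containerfiles" in the Misconfiguration paragraph and either add a footnote on the Compose row (as the Azure page does for Bicep) stating that Compose files are not scanned for misconfigurations, or drop the row. In the Secret section, "no special treatment for Dockerfile" should follow the wording pattern of the other pages ("for Docker" or "for Dockerfiles").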
@@ -0,0 +1,60 @@ | ||
# Helm | ||
Trivy supports two types of Helm scanning, templates and packaged charts. | ||
The following scanners are supported. | ||
|
||
| Format | [Misconfiguration] | [Secret] | | ||
| -------- | :----------------: | :------: | | ||
| Template | ✓ | ✓ | | ||
| Chart | ✓ | - | | ||
|
||
## Misconfiguration | ||
Trivy recursively searches directories and scans all found Helm files. | ||
|
||
It evaluates variables, functions, and other elements within Helm templates and resolve the chart to Kubernetes manifests then run the Kubernetes checks. | ||
See [here](../../scanner/misconfiguration/policy/builtin.md) for more details on the built-in policies. | ||
|
||
### Value overrides | ||
There are a number of options for overriding values in Helm charts. | ||
When override values are passed to the Helm scanner, the values will be used during the Manifest rendering process and will become part of the scanned artifact. | ||
|
||
#### Setting inline value overrides | ||
Overrides can be set inline on the command line | ||
|
||
```bash | ||
trivy conf --helm-set securityContext.runAsUser=0 ./charts/mySql | ||
``` | ||
|
||
#### Setting value file overrides | ||
Overrides can be in a file that has the key=value set. | ||
|
||
```yaml | ||
# Example override file (overrides.yaml) | ||
|
||
securityContext: | ||
runAsUser: 0 | ||
``` | ||
|
||
```bash | ||
trivy conf --helm-values overrides.yaml ./charts/mySql | ||
``` | ||
|
||
#### Setting value as explicit string | ||
the `--helm-set-string` is the same as `--helm-set` but explicitly retains the value as a string | ||
|
||
```bash | ||
trivy config --helm-set-string name=false ./infrastructure/tf | ||
``` | ||
|
||
#### Setting specific values from files | ||
Specific override values can come from specific files | ||
|
||
```bash | ||
trivy conf --helm-set-file environment=dev.values.yaml ./charts/mySql | ||
``` | ||
|
||
## Secret | ||
The secret scan is performed on plain text files, with no special treatment for Helm. | ||
Secret scanning is not conducted on the contents of packaged Charts, such as tar or tar.gz. | ||
|
||
[Misconfiguration]: ../../scanner/misconfiguration/index.md | ||
[Secret]: ../../scanner/secret.md |
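Review bot: the `--helm-set-string` example runs `trivy config ... ./infrastructure/tf`, a Terraform directory path that also appears on the Terraform page, while every other Helm example uses `trivy conf ... ./charts/mySql`; point it at the chart directory so the example actually exercises Helm rendering. Two smaller items in the same hunk: "It evaluates variables ... and resolve the chart to Kubernetes manifests then run the Kubernetes checks" needs "resolves" and "runs", and "Overrides can be in a file that has the key=value set" describes a key=value file while the example below it is a YAML values file, so say "a values file in YAML format". Since the page states that overrides become part of the scanned artifact, it is worth adding one sentence that findings are reported against the rendered manifests, so an override such as `securityContext.runAsUser=0` can introduce a finding that the unmodified chart would not show, and the reverse.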
@@ -0,0 +1,21 @@ | ||
# Infrastructure as Code | ||
|
||
## Scanner | ||
Trivy scans Infrastructure as Code (IaC) files for | ||
|
||
- [Misconfigurations][misconf] | ||
- [Secrets][secret] | ||
|
||
## Supported configurations | ||
|
||
| Config type | File patterns | | ||
| ----------------------------------- | ----------------------------- | | ||
| [Kubernetes](kubernetes.md) | *.yml, *.yaml, *.json | | ||
| [Docker](docker.md) | Dockerfile, Containerfile | | ||
| [Terraform](terraform.md) | *.tf, *.tf.json, *.tfvars, | | ||
| [CloudFormation](cloudformation.md) | *.yml, *.yaml, *.json | | ||
| [Azure ARM Template](azure-arm.md) | *.json | | ||
| [Helm](helm.md) | *.yaml, *.tpl, *.tar.gz, etc. | | ||
|
||
[misconf]: ../../scanner/misconfiguration/index.md | ||
[secret]: ../../scanner/secret.md |
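Review bot: the Terraform row of the file-pattern table ends with a dangling comma (`*.tfvars,`), which reads as a truncated list; drop the comma or add the missing pattern. The Terraform page in this commit also lists "Plan JSON" (`terraform show -json` output) as a supported format, so the index should say how plan files are matched (by `*.json` or only by an explicit path). The Helm row's "etc." is vague for a table whose stated purpose is answering "Does Trivy support X?"; list the actual patterns or link to the Helm page for the full set.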
@@ -0,0 +1,31 @@ | ||
# Kubernetes | ||
Trivy supports the scanners listed in the table below. | ||
|
||
| Scanner | Supported | | ||
| :----------------: | :-------: | | ||
| [Misconfiguration] | ✓ | | ||
| [Secret] | ✓ | | ||
|
||
In addition to raw YAML and JSON, it supports the following templates: | ||
|
||
| Template | Supported | | ||
| :-------------: | :-------: | | ||
| [Helm](helm.md) | ✓ | | ||
| Kustomize | ✓[^1] | | ||
|
||
!!! note | ||
Trivy does not support Kustomize overlays, so it scans files defined in the base. | ||
Or, you can scan the output of `kustomize build`. | ||
|
||
## Misconfiguration | ||
Trivy recursively searches directories and scans all found Kubernetes files. | ||
|
||
## Secret | ||
The secret scan is performed on plain text files, with no special treatment for Kubernetes. | ||
This means that Base64 encoded secrets are not scanned, and only secrets written in plain text are detected. | ||
|
||
|
||
[Misconfiguration]: ../../scanner/misconfiguration/index.md | ||
[Secret]: ../../scanner/secret.md | ||
|
||
[^1]: Kustomize is not natively supported. |
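Review bot: the Kustomize row is marked ✓ while footnote [^1] says "Kustomize is not natively supported", and the admonition below adds that overlays are skipped; the Azure page handles the same situation for Bicep with ✓[^1] plus an explicit "needs to be converted" footnote, so align this footnote with that wording (for example "not natively supported; scan the output of `kustomize build`") so the table and the note agree. There is also a stray extra blank line before the link definitions. The Secret section's statement that Base64-encoded secrets are not scanned is a caveat readers of Kubernetes `Secret` manifests need, since their `data` fields are Base64-encoded by definition; consider linking it from the secret scanner page so nobody assumes those fields are covered.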
@@ -0,0 +1,45 @@ | ||
# Terraform | ||
Trivy supports the scanners listed in the table below. | ||
|
||
| Scanner | Supported | | ||
| :--------------: | :-------: | | ||
| Misconfiguration | ✓ | | ||
| Secret | ✓ | | ||
|
||
It supports the following formats: | ||
|
||
| Format | Supported | | ||
| :-------: | :-------: | | ||
| JSON | ✓ | | ||
| HCL | ✓ | | ||
| Plan JSON | ✓ | | ||
|
||
Trivy can scan the results of `terraform plan`. | ||
You can scan by passing the file generated as shown below to Trivy: | ||
|
||
``` | ||
$ terraform plan --out tfplan.binary | ||
$ terraform show -json tfplan.binary > tfplan.json | ||
``` | ||
|
||
## Misconfiguration | ||
Trivy recursively searches directories and scans all found Terraform files. | ||
It also evaluates variables, imports, and other elements within Terraform files to detect misconfigurations. | ||
|
||
### Value Overrides | ||
You can provide `tf-vars` files to Trivy to override default values specified in the Terraform HCL code. | ||
|
||
```bash | ||
trivy conf --tf-vars dev.terraform.tfvars ./infrastructure/tf | ||
``` | ||
|
||
### Exclude Downloaded Terraform Modules | ||
By default, downloaded modules are also scanned. | ||
If you don't want to scan modules downloaded into the `.terraform` directory, you can use the `--tf-exclude-downloaded-modules` flag. | ||
|
||
```bash | ||
trivy conf --tf-exclude-downloaded-modules ./configs | ||
``` | ||
|
||
## Secret | ||
The secret scan is performed on plain text files, with no special treatment for Terraform. |
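Review bot: the scanner table in this hunk uses plain "Misconfiguration" and "Secret" without the `[Misconfiguration]`/`[Secret]` link references every other IaC page uses, and the matching reference definitions are missing at the end of the file; add both for consistency. The `terraform plan` block has no language tag and, unlike the other fences in this commit, carries `$` prompts that get copied along with the commands; drop the prompts and tag the fence. "You can provide `tf-vars` files" should name the actual flag, `--tf-vars`, and the file type, `.tfvars`, and the paragraph before the plan example says the generated file can be passed to Trivy but never shows that invocation, so add it.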
@@ -0,0 +1,8 @@ | ||
# Scanning Coverage | ||
Trivy can detect security issues in many different platforms, languages and configuration files. | ||
This section gives a general overview of that coverage, and can help answer the frequently asked question "Does Trivy support X?". | ||
For more detailed information about the specific platforms and languages, check the relevant documentation. | ||
|
||
- [OS Packages](os/index.md) | ||
- [Language-specific Packages](language/index.md) | ||
- [IaC files](iac/index.md) |
@@ -0,0 +1,23 @@ | ||
# C/C++ | ||
|
||
Trivy supports [Conan][conan] C/C++ Package Manager. | ||
|
||
The following scanners are supported. | ||
|
||
| Package manager | SBOM | Vulnerability | License | | ||
| --------------- | :---: | :-----------: | :-----: | | ||
| Conan | ✓ | ✓ | - | | ||
|
||
The following table provides an outline of the features Trivy offers. | ||
|
||
| Package manager | File | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position | | ||
| --------------- | -------------- | :---------------------: | :--------------: | :----------------------------------: | :------: | | ||
| Conan | conan.lock[^1] | ✓ | Excluded | ✓ | ✓ | | ||
|
||
## Conan | ||
In order to detect dependencies, Trivy searches for `conan.lock`[^1]. | ||
|
||
[conan]: https://docs.conan.io/1/index.html | ||
[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies | ||
|
||
[^1]: `conan.lock` is default name. To scan a custom filename use [file-patterns](../../configuration/skipping.md#file-patterns) |
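Review bot: footnote [^1] reads "`conan.lock` is default name"; it should be "the default name" and the sentence lacks a trailing period. The `[conan]` link points at the Conan 1.x documentation (`docs.conan.io/1/`); if the Conan 2 lockfile format is not parsed, say so next to the `conan.lock` mention so readers on Conan 2 know what to expect.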
@@ -0,0 +1,26 @@ | ||
# Dart | ||
|
||
Trivy supports [Dart][dart]. | ||
|
||
The following scanners are supported. | ||
|
||
| Package manager | SBOM | Vulnerability | License | | ||
|-------------------------| :---: | :-----------: |:-------:| | ||
| [Dart][dart-repository] | ✓ | ✓ | - | | ||
|
||
The following table provides an outline of the features Trivy offers. | ||
|
||
|
||
| Package manager | File | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position | | ||
|-------------------------|--------------|:-----------------------:|:----------------:|:------------------------------------:|:--------:| | ||
| [Dart][dart-repository] | pubspec.lock | ✓ | Included | - | - | | ||
|
||
## Dart | ||
In order to detect dependencies, Trivy searches for `pubspec.lock`. | ||
|
||
Trivy marks indirect dependencies, but `pubspec.lock` file doesn't have options to separate root and dev transitive dependencies. | ||
So Trivy includes all dependencies in report. | ||
|
||
[dart]: https://dart.dev/ | ||
[dart-repository]: https://pub.dev/ | ||
[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies |
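Review bot: the Dart section's explanation "`pubspec.lock` file doesn't have options to separate root and dev transitive dependencies. So Trivy includes all dependencies in report." needs articles and reads better as one sentence ("the `pubspec.lock` file has no way to distinguish root from dev transitive dependencies, so Trivy includes all dependencies in the report"); since this is the reason the feature table shows "Included" under Dev dependencies, attach it as a footnote on that cell, as the C/C++ and Elixir pages do for their lock files. There is also a double blank line before the feature table.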
@@ -0,0 +1,34 @@ | ||
# .NET | ||
|
||
Trivy supports `.NET core` and `NuGet` package managers. | ||
|
||
The following scanners are supported. | ||
|
||
| Artifact | SBOM | Vulnerability | License | | ||
|-----------|:----:|:-------------:|:-------:| | ||
| .Net Core | ✓ | ✓ | - | | ||
| NuGet | ✓ | ✓ | - | | ||
|
||
The following table provides an outline of the features Trivy offers. | ||
|
||
| Package manager | File | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position | | ||
|:---------------:|--------------------|:-----------------------:|:----------------:|:------------------------------------:|:--------:| | ||
| .Net Core | *.deps.json | ✓ | Excluded | - | ✓ | | ||
| NuGet | packages.config | ✓ | Excluded | - | - | | ||
| NuGet | packages.lock.json | ✓ | Included | ✓ | ✓ | | ||
|
||
### *.deps.json | ||
Trivy parses `*.deps.json` files. Trivy currently excludes dev dependencies from the report. | ||
|
||
### packages.config | ||
Trivy only finds dependency names and versions from `packages.config` files. To build dependency graph, it is better to use `packages.lock.json` files. | ||
|
||
### packages.lock.json | ||
Don't forgot to [enable][enable-lock] lock files in your project. | ||
|
||
!!! tip | ||
Please make sure your lock file is up-to-date after modifying dependencies. | ||
|
||
|
||
[enable-lock]: https://learn.microsoft.com/en-us/nuget/consume-packages/package-references-in-project-files#enabling-the-lock-file | ||
[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies |
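Review bot: typo at "Don't forgot to [enable][enable-lock] lock files", which should be "Don't forget". The per-file sections use `###` headings with no `##` parent, unlike the other language pages, and the product name is spelled three ways in one hunk (`.NET core`, `.Net Core`, `.NET`); settle on ".NET Core". "To build dependency graph" needs "a".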
@@ -0,0 +1,27 @@ | ||
# Elixir | ||
|
||
Trivy supports [Hex][hex] repository for [Elixir][elixir]. | ||
|
||
The following scanners are supported. | ||
|
||
| Package manager | SBOM | Vulnerability | License | | ||
|-----------------| :---: | :-----------: |:-------:| | ||
| [hex][hex] | ✓ | ✓ | - | | ||
|
||
The following table provides an outline of the features Trivy offers. | ||
|
||
|
||
| Package manager | File | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position | | ||
|-----------------|--------------|:-----------------------:|:----------------:|:------------------------------------:|:--------:| | ||
| [hex][hex] | mix.lock[^1] | ✓ | Excluded | - | ✓ | | ||
|
||
## Hex | ||
In order to detect dependencies, Trivy searches for `mix.lock`[^1]. | ||
|
||
[Configure](https://hexdocs.pm/mix/Mix.Project.html#module-configuration) your project to use `mix.lock`[^1] file. | ||
|
||
[elixir]: https://elixir-lang.org/ | ||
[hex]: https://hex.pm/ | ||
[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies | ||
|
||
[^1]: `mix.lock` is default name. To scan a custom filename use [file-patterns](../../configuration/skipping.md#file-patterns) |
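Review bot: "Trivy supports [Hex][hex] repository for [Elixir][elixir]" needs "the Hex repository", and the table cells use lowercase `[hex][hex]` while the heading is "## Hex"; capitalise for consistency. Footnote [^1] has the same "is default name" wording as the C/C++ page and should be "is the default name", "[Configure] your project to use `mix.lock`[^1] file" should read "to use a `mix.lock` file", and there is an extra blank line before the feature table.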