Commit

resolve merge conflict mkdocs
Signed-off-by: AnaisUrlichs <urlichsanais@gmail.com>
AnaisUrlichs committed May 20, 2024
1 parent b5c84c6 commit cf29bb9
Showing 3 changed files with 12 additions and 66 deletions.
2 changes: 1 addition & 1 deletion docs/docs/compliance/compliance.md
@@ -1,4 +1,4 @@
# Compliance Reports
# Built-in Compliance Reports

!!! warning "EXPERIMENTAL"
This feature might change without preserving backwards compatibility.
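Review bot: the new H1 "Built-in Compliance Reports" does not match the nav label "Built-in Compliance" added to mkdocs.yml in the same commit; either wording is fine, but use one of them in both places so the sidebar and the page title agree. Also confirm that the `custom-compliance` section this file is linked to from the contribution page (`./compliance/#custom-compliance`) still exists below this hunk, since only the first four lines of the file are visible here.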
@@ -1,91 +1,41 @@
# Contribute Compliance Checks in Trivy
# Custom Compliance Checks

Trivy supports several different compliance checks. The details on compliance scanning with Trivy are provided in the [compliance documentation](../../docs/compliance/compliance.md).
All of the Compliance Checks currently available in Trivy can be found in the `trivy-policies/specs/compliance/` directory ([Link](https://github.com/aquasecurity/trivy-policies/tree/main/specs/compliance)).

New checks are based on the custom compliance report detailed in the [main documentation.](../../docs/compliance/compliance/#custom-compliance)
If you would like to create your custom compliance report, please reference the information in the main documentation. This section details how community members can contribute new Compliance Specs to Trivy.

All compliance specs in Trivy are based on the formal compliance reports such as CIS Benchmarks.
All compliance specs in Trivy are based on formal compliance reports such as CIS Benchmarks.

## Contributing new Compliance Specs

Compliance specs can be based on new compliance reports becoming available, or identifying missing compliance specs that Trivy users would like to access.
Compliance specs can be based on new compliance reports becoming available e.g. a new CIS Benchmark version, or identifying missing compliance specs that Trivy users would like to access.

### Create a new Compliance Spec

The existing compliance specs in Trivy are located under the `trivy-policies/specs/compliance/` directory ([Link](https://github.com/aquasecurity/trivy-policies/tree/main/specs/compliance)).

Create a new file under `trivy-policies/specs/compliance/` and name the file in the format of "provider-resource-spectype-version.yaml". For example, the file name for AWS CIS Benchmarks for EKS version 1.4 is: `aws-eks-cis-1.4.yaml`.
Create a new file under `trivy-policies/specs/compliance/` and name the file in the format of "provider-resource-spectype-version.yaml". For example, the file name for AWS CIS Benchmarks for EKS version 1.4 is: `aws-eks-cis-1.4.yaml`. Note that if the compliance spec is not specific to a provider, the `provider` field can be ignored.

### Minimum spec structure

The structure of the compliance spec is detailed in the [main documentation](../../docs/compliance/compliance/#custom-compliance). For example, the beginning of the AWS CIS Benchmarks for EKS version 1.4 spec looks like this:
The structure of the compliance spec is detailed in the [main documentation](./compliance/#custom-compliance).

```
spec:
id: eks-cis
title: AWS EKS CIS Foundations v1.4
description: AWS EKS CIS Foundations
version: "1.4"
relatedResources:
- https://www.cisecurity.org/benchmark/amazon_web_services
controls:
- id: 2.1.1
name: Enable audit Logs (Automated)
description: |
Control plane logs provide visibility into operation of the EKS Control plane components ystems.
The API server audit logs record all accepted and rejected requests in the cluster.
When enabled via EKS configuration the control plane logs for a cluster are exported to a CloudWatch
Log Group for persistence.
checks: null
severity: MEDIUM
- id: 3.1.1
name: Ensure that the kubeconfig file permissions are set to 644 or more restrictive (Manual)
description: |
If kubelet is running, and if it is configured by a kubeconfig file, ensure that the proxy kubeconfig
file has permissions of 644 or more restrictive
Check with the following command:
> sudo systemctl status kubelet
checks: null
severity: HIGH
- id: 3.1.2
name: Ensure that the kubelet service file ownership is set to root:root (Manual)
description: Ensure that the kubelet service file ownership is set to root:root
checks:
- id: AVD-KCV-0070
severity: HIGH
....
```

The first section in the spec is focused on the metadata of the spec. Replace all the fields of the metadata with the information relevant to the compliance spec that will be added. This information can be taken from the official report.

- `id` -- Required; this ID is composed of the resource that this check focuses on and the type of compliance spec
- `title` -- Required; a short title of the spec
- `description` -- Required; this can be a longer description of the compliance spec
- `version` -- Required; the compliance spec version that the compliance spec targets. For instance, for CIS Benchmarks version 1.4, the version will be `1.4`.
- `relatedResources` -- Any resources that relate to this compliance spec and can provide users with more information in the future.

The second section details all of the checks that make up the compliance spec. These checks are detailed under `controls`.

- `id` -- Required; this has to be the ID from the official compliance documentation such as the CIS Benchmark version.
- `name` -- Required; this is the name of the check in short format.
- `description` -- Required; this is a description of how the resource should be configured.
- `checks.id` -- Required; this is the AVD ID or AVD IDs referenced that perform the Rego check for this compliance check, more information is provided below.
- `severity` -- Required; more information provided below.
The first section in the spec is focused on the metadata of the spec. Replace all the fields of the metadata with the information relevant to the compliance spec that will be added. This information can be taken from the official report e.g. the CIS Benchmark report.

### Populating the `control` section

Compliance specs detail a set of checks that should pass so that the resource is compliant with the official benchmark specifications. There are two ways in which Trivy compliance checks can enforce the compliance specification:

1. The check is available in Trivy and can be referenced in the Compliance Spec
1. The check is available in Trivy, as part of the `trivy-policies` and can be referenced in the Compliance Spec
2. The check is not available in Trivy and a manual check has to be added to the Compliance Spec

Additional information is provided below.

#### 1. Referencing a check that is already part of Trivy

Trivy has a comprehensive list of checks as part of its misconfiguration scanning. These can be found in the `trivy-policies/checks` directory ([Link](https://github.com/aquasecurity/trivy-policies/tree/main/checks)). If the check is present, the AVD_ID and other information from the check has to be used.
Trivy has a comprehensive list of checks as part of its misconfiguration scanning. These can be found in the `trivy-policies/checks` directory ([Link](https://github.com/aquasecurity/trivy-policies/tree/main/checks)). If the check is present, the `AVD_ID` and other information from the check has to be used.

Note: Take a look at the more generic compliance specs that are already available in Trivy. If you are adding new compliance spec to Kubernetes e.g. AWS EKS CIS Benchmarks, chances are high that the check you would like to add to the new spec has already been defined in the general `k8s-ci-v.000.yaml` compliance spec. The same applies for creating specific Cloud Provider Compliance Specs and the [generic compliance specs](https://github.com/aquasecurity/trivy-policies/tree/main/specs/compliance) available.

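Review bot: the rewritten sentence "The structure of the compliance spec is detailed in the [main documentation](./compliance/#custom-compliance)." drops the "For example, the beginning of the AWS CIS Benchmarks for EKS version 1.4 spec looks like this:" lead-in, yet the YAML block that follows is kept, so the example now appears with no introduction; keep a short lead-in sentence. Two smaller points on the same region: mkdocs validates links to Markdown files but not directory-style URLs, so `compliance.md#custom-compliance` is safer than `./compliance/#custom-compliance`; and the filename `k8s-ci-v.000.yaml` in the Note paragraph does not follow the `provider-resource-spectype-version.yaml` convention stated earlier in this file, so check it against the actual spec name under `trivy-policies/specs/compliance/`. Finally, if the bullet lists describing the metadata fields (`id`, `title`, `description`, `version`, `relatedResources`) and the `controls` fields (`id`, `name`, `description`, `checks.id`, `severity`) are being removed here, make sure the custom-compliance section of compliance.md documents them, otherwise contributors lose the only field reference.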
@@ -142,7 +92,7 @@ To write new Rego checks for Trivy, please take a look at the contributing docum

### Test the Compliance Spec

To test the compliance check written on a local Kubernetes cluster, pass the new path into the Trivy scan through the `--compliance` flag:
To test the compliance check, pass the new path into the Trivy scan through the `--compliance` flag. For instance, to pass the check to the Trivy Kubernetes scan use the following command structure:

```
trivy k8s cluster --compliance @</path/to/compliance.yaml> --report summary
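Review bot: "pass the new path into the Trivy scan" has lost its antecedent now that "written on a local Kubernetes cluster" is gone; say "pass the path to the new spec file" explicitly. It would also help to tell the contributor what to look for in the output: `--report summary` only shows pass/fail counts per control, while `--report all` lists the individual findings, which is what confirms that every `checks.id` in the new spec actually resolves to an existing check.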
8 changes: 2 additions & 6 deletions mkdocs.yml
@@ -128,11 +128,8 @@ nav:
- SBOM Attestation in Rekor: docs/supply-chain/attestation/rekor.md
- VEX: docs/supply-chain/vex.md
- Compliance:
- Reports: docs/compliance/compliance.md
- Plugin:
- Overview: docs/plugin/index.md
- User Guide: docs/plugin/user-guide.md
- Developer Guide: docs/plugin/developer-guide.md
- Built-in Compliance: docs/compliance/compliance.md
- Custom Compliance: docs/compliance/contrib-compliance.md
- Advanced:
- Modules: docs/advanced/modules.md
- Air-Gapped Environment: docs/advanced/air-gap.md
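Review bot: the file summary for mkdocs.yml reports 2 additions and 6 deletions, and the two additions are the "Built-in Compliance" and "Custom Compliance" lines, so the six deletions must include the whole `Plugin:` block (Overview, User Guide, Developer Guide) shown between the old "Reports:" line and the new compliance entries. Dropping the plugin pages from the nav is unrelated to the commit's stated purpose ("resolve merge conflict mkdocs") and looks like a conflict resolved on the wrong side; restore the `Plugin:` entries unless their removal was intended.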
@@ -193,7 +190,6 @@ nav:
- Issues: community/contribute/issue.md
- Discussions: community/contribute/discussion.md
- Pull Requests: community/contribute/pr.md
- Compliance Checks: community/contribute/compliance.md
- Maintainer:
- Help Wanted: community/maintainer/help-wanted.md
- Triage: community/maintainer/triage.md
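Review bot: removing "Compliance Checks: community/contribute/compliance.md" from the Contribute nav matches the new "Custom Compliance: docs/compliance/contrib-compliance.md" entry, but the second file in this diff carries no rename header, so confirm that community/contribute/compliance.md was actually moved rather than left in place (mkdocs logs pages that exist but are not in the nav and still builds them). Consider adding a redirect from the old URL, for example with the mkdocs-redirects plugin, so existing links to the contribute page keep working.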