-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Add AWS Cloud scanning #2493
Merged
Merged
Changes from 38 commits
Commits
Show all changes
43 commits
Select commit
Hold shift + click to select a range
6b736e4
feat: Added AWS Cloud scanning
liamg 433c457
Add api-gateway scanning
liamg 0dd95ba
add more services
liamg 13f7117
fix cache bug
liamg f4eebb8
refactoring cache
liamg f175f7f
reworked caching
liamg ea65572
update defsec
liamg e484bbd
fixed cache issues
liamg 50d9cae
add docs image
liamg 20dfb6f
add docs image
liamg 9932423
add docs image
liamg 4e778ec
update defsec
liamg 23bd2ca
updated defect to v0.70.1
liamg 757e3ed
deps: upgrade defsec to v0.70.2
liamg 4c8170b
fix go.mod
liamg 8359ee3
fix output
liamg 7b9f05e
update defsec
liamg 60e698c
add tests for result conversion
liamg a1f7ee3
add more tests
liamg 47c233b
Merge branch 'main' into liamg-aws-poc
liamg 6947aec
add info to base report
liamg b93b113
fix deps
liamg 4fe6c82
fix linting issues
liamg 7d061e9
fix refactoring
liamg 09ea6b4
make report output deterministic
liamg 897ed3a
update defsec to 0.71.0
liamg f638413
only show progress bars for TTYs
liamg 0478721
add note avbout aws cis 1.2
liamg 43fdceb
upgrade defsec to v0.71.1
liamg e3ccebf
update defsec v0.71.2
liamg 0949f1b
tidy up flags and documentation
liamg 2ee6e4f
fix non-deterministic tests
liamg d4078e3
tweak codeowners
liamg adb69f5
upgrade dep
liamg e00460d
upgrade dep
liamg 0a02a42
fix: broken flags
liamg d02a7da
fix: remove import
30bb7a8
add docs for permissions
liamg 920cdee
update defsec
liamg f4f5eea
tweak docs
liamg ccea210
address PR comments
liamg 633034d
fix go.mod
liamg 5093670
add warnings when single services fail
liamg File filter
Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
There are no files selected for viewing
Validating CODEOWNERS rules …
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,55 @@ | ||
| # Amazon Web Services | ||
|
|
||
| !!! warning "EXPERIMENTAL" | ||
| This feature might change without preserving backwards compatibility. | ||
|
|
||
| The Trivy AWS CLI allows you to scan your AWS account for misconfigurations. You can either run the CLI locally or integrate it into your CI/CD pipeline. | ||
|
|
||
| Whilst you can already scan the infrastructure-as-code that defines your AWS resources with `trivy config`, you can now scan your live AWS account(s) directly too. | ||
|
|
||
| The included checks cover all of the aspects of the [AWS CIS 1.2](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-cis.html) automated benchmarks. | ||
|
|
||
| Trivy uses the same [authentication methods](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) as the AWS CLI to configure and authenticate your access to the AWS platform. | ||
|
|
||
| You will need permissions configured to read all AWS resources - we recommend using a role with the `ReadOnlyAccess` and `SecurityAudit` policies attached. | ||
|
|
||
| Once you've scanned your account, you can run additional commands to filter the results without having to run the entire scan again - results are cached locally per AWS account/region. | ||
|
|
||
| ## CLI Commands | ||
|
|
||
| Scan a full AWS account (all supported services): | ||
|
|
||
| ```shell | ||
| trivy aws --region us-east-1 | ||
| ``` | ||
|
|
||
| You can allow Trivy to determine the AWS region etc. by using the standard AWS configuration files and environment variables. The `--region` flag overrides these. | ||
|
|
||
|  | ||
|
|
||
| The summary view is the default when scanning multiple services. | ||
|
|
||
| Scan a specific service: | ||
|
|
||
| ```shell | ||
| trivy aws --service s3 | ||
| ``` | ||
|
|
||
| Scan multiple services: | ||
|
|
||
| ```shell | ||
| # --service s3,ec2 works too | ||
| trivy aws --service s3 --service ec2 | ||
| ``` | ||
|
|
||
| Show results for a specific AWS resource: | ||
|
|
||
| ```shell | ||
| trivy aws --service s3 --arn arn:aws:s3:::example-bucket | ||
| ``` | ||
|
|
||
| All ARNs with detected issues will be displayed when showing results for their associated service. | ||
|
|
||
| ## Cached Results | ||
|
|
||
| By default, Trivy will cache results for each service for 24 hours. This means you can filter and view results for a service without having to wait for the scan to run again. If you want to force the cache to be refreshed with the latest data, you can use `--update-cache`. Or if you'd like to use cached data for a different timeframe, you can specify `--max-cache-age` (e.g. `--max-cache-age 2h`.) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you think our changes have a chance to get merged upstream?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think @owenrumney already raised a PR there 👍