-
Notifications
You must be signed in to change notification settings - Fork 2.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(misconf): Support custom data for rego policies for cloud #4745
Changes from 8 commits
ed04503
20a8964
d03f011
76f217c
47cd724
0d62006
8ec081d
366991b
18b29d5
2785fbf
5a17119
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -9,9 +9,9 @@ import ( | |
"time" | ||
|
||
defsecTypes "github.com/aquasecurity/defsec/pkg/types" | ||
"github.com/aquasecurity/trivy/pkg/compliance/spec" | ||
|
||
dbTypes "github.com/aquasecurity/trivy-db/pkg/types" | ||
"github.com/aquasecurity/trivy/pkg/compliance/spec" | ||
"github.com/aquasecurity/trivy/pkg/flag" | ||
"github.com/stretchr/testify/assert" | ||
"github.com/stretchr/testify/require" | ||
|
@@ -287,6 +287,7 @@ const expectedS3ScanResult = `{ | |
] | ||
} | ||
` | ||
|
||
const expectedCustomScanResult = `{ | ||
"ArtifactName": "12345678", | ||
"ArtifactType": "aws_account", | ||
|
@@ -303,13 +304,46 @@ const expectedCustomScanResult = `{ | |
} | ||
}, | ||
"Results": [ | ||
{ | ||
"Target": "", | ||
"Class": "config", | ||
"Type": "cloud", | ||
"MisconfSummary": { | ||
"Successes": 0, | ||
"Failures": 1, | ||
"Exceptions": 0 | ||
}, | ||
"Misconfigurations": [ | ||
{ | ||
"Type": "AWS", | ||
"Title": "Bad input data", | ||
"Description": "Just failing rule with input data", | ||
"Message": "Rego policy resulted in DENY", | ||
"Namespace": "user.whatever", | ||
"Query": "deny", | ||
"Severity": "LOW", | ||
"References": [ | ||
"" | ||
], | ||
"Status": "FAIL", | ||
"Layer": {}, | ||
"CauseMetadata": { | ||
"Provider": "cloud", | ||
"Service": "s3", | ||
"Code": { | ||
"Lines": null | ||
} | ||
} | ||
} | ||
] | ||
}, | ||
{ | ||
"Target": "arn:aws:s3:::examplebucket", | ||
"Class": "config", | ||
"Type": "cloud", | ||
"MisconfSummary": { | ||
"Successes": 1, | ||
"Failures": 10, | ||
"Failures": 9, | ||
"Exceptions": 0 | ||
}, | ||
"Misconfigurations": [ | ||
|
@@ -551,34 +585,13 @@ const expectedCustomScanResult = `{ | |
"Lines": null | ||
} | ||
} | ||
}, | ||
{ | ||
"Type": "AWS", | ||
"Title": "No example buckets", | ||
"Description": "Buckets should not be named with \"example\" in the name", | ||
"Message": "example bucket detected", | ||
"Namespace": "user.whatever", | ||
"Query": "deny", | ||
"Severity": "LOW", | ||
"References": [ | ||
"" | ||
], | ||
"Status": "FAIL", | ||
"Layer": {}, | ||
"CauseMetadata": { | ||
"Resource": "arn:aws:s3:::examplebucket", | ||
"Provider": "cloud", | ||
"Service": "s3", | ||
"Code": { | ||
"Lines": null | ||
} | ||
} | ||
} | ||
] | ||
} | ||
] | ||
} | ||
` | ||
|
||
const expectedS3AndCloudTrailResult = `{ | ||
"ArtifactName": "123456789", | ||
"ArtifactType": "aws_account", | ||
|
@@ -958,8 +971,9 @@ const expectedS3AndCloudTrailResult = `{ | |
` | ||
|
||
func Test_Run(t *testing.T) { | ||
|
||
regoDir := t.TempDir() | ||
regoDir := filepath.Join("testdata", "Test_Run_Dir") | ||
require.NoError(t, os.MkdirAll(regoDir, 0755)) | ||
defer os.RemoveAll(regoDir) | ||
|
||
tests := []struct { | ||
name string | ||
|
@@ -969,6 +983,7 @@ func Test_Run(t *testing.T) { | |
cacheContent string | ||
regoPolicy string | ||
allServices []string | ||
inputData string | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Will we provide an example in the docs on using this? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. We already have that here https://aquasecurity.github.io/trivy/v0.43/docs/scanner/misconfiguration/custom/data/ This PR just extends that functionality to be used in Trivy Cloud Scanning. |
||
}{ | ||
{ | ||
name: "fail without region", | ||
|
@@ -1042,13 +1057,16 @@ func Test_Run(t *testing.T) { | |
PolicyNamespaces: []string{ | ||
"user", | ||
}, | ||
DataPaths: []string{ | ||
filepath.Join(regoDir, "data"), | ||
}, | ||
SkipPolicyUpdate: true, | ||
}, | ||
MisconfOptions: flag.MisconfOptions{IncludeNonFailures: true}, | ||
}, | ||
regoPolicy: `# METADATA | ||
# title: No example buckets | ||
# description: Buckets should not be named with "example" in the name | ||
# title: Bad input data | ||
# description: Just failing rule with input data | ||
# scope: package | ||
# schemas: | ||
# - input: schema["input"] | ||
|
@@ -1059,14 +1077,20 @@ func Test_Run(t *testing.T) { | |
# selector: | ||
# - type: cloud | ||
package user.whatever | ||
import data.settings.DS123.foo | ||
|
||
deny[res] { | ||
bucket := input.aws.s3.buckets[_] | ||
contains(bucket.name.value, "example") | ||
res := result.new("example bucket detected", bucket.name) | ||
deny { | ||
foo == true | ||
} | ||
`, | ||
cacheContent: "testdata/s3onlycache.json", | ||
inputData: `{ | ||
"settings": { | ||
"DS123": { | ||
"foo": true | ||
} | ||
} | ||
}`, | ||
cacheContent: filepath.Join("testdata", "s3onlycache.json"), | ||
allServices: []string{"s3"}, | ||
want: expectedCustomScanResult, | ||
}, | ||
|
@@ -1241,6 +1265,11 @@ Summary Report for compliance: my-custom-spec | |
require.NoError(t, os.WriteFile(filepath.Join(regoDir, "policies", "user.rego"), []byte(test.regoPolicy), 0644)) | ||
} | ||
|
||
if test.inputData != "" { | ||
require.NoError(t, os.MkdirAll(filepath.Join(regoDir, "data"), 0755)) | ||
require.NoError(t, os.WriteFile(filepath.Join(regoDir, "data", "data.json"), []byte(test.inputData), 0644)) | ||
} | ||
|
||
if test.cacheContent != "" { | ||
cacheRoot := t.TempDir() | ||
test.options.CacheDir = cacheRoot | ||
|
@@ -1250,7 +1279,7 @@ Summary Report for compliance: my-custom-spec | |
cacheData, err := os.ReadFile(test.cacheContent) | ||
require.NoError(t, err, test.name) | ||
|
||
require.NoError(t, os.WriteFile(cacheFile, []byte(cacheData), 0600)) | ||
require.NoError(t, os.WriteFile(cacheFile, cacheData, 0600)) | ||
} | ||
|
||
err := Run(context.Background(), test.options) | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -579,7 +579,7 @@ func initScannerConfig(opts flag.Options, cacheClient cache.Cache) (ScannerConfi | |
Trace: opts.Trace, | ||
Namespaces: append(opts.PolicyNamespaces, defaultPolicyNamespaces...), | ||
PolicyPaths: append(opts.PolicyPaths, downloadedPolicyPaths...), | ||
DataPaths: opts.DataPaths, | ||
DataPaths: append(opts.DataPaths, downloadedPolicyPaths...), | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Why do we want to pass policy paths as data paths? The policies are loaded as data by mistake, no? I may be missing something. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. it was a typo, updated here 18b29d5 |
||
HelmValues: opts.HelmValues, | ||
HelmValueFiles: opts.HelmValueFiles, | ||
HelmFileValues: opts.HelmFileValues, | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm curious about the benefit of this change.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
open-policy-agent/opa#4521