From ba5c32d6624b86880a50c21a6a2b0d36d94893bd Mon Sep 17 00:00:00 2001
From: Cesar Rodriguez
Date: Fri, 15 Oct 2021 23:11:48 -0400
Subject: [PATCH] updates docs
---
content/en/docs/usage/command_line_mode.md | 48 ++++++++++++----------
content/en/docs/usage/config_options.md | 4 +-
2 files changed, 28 insertions(+), 24 deletions(-)
diff --git a/content/en/docs/usage/command_line_mode.md b/content/en/docs/usage/command_line_mode.md
index cf9e32c..d45a031 100644
--- a/content/en/docs/usage/command_line_mode.md
+++ b/content/en/docs/usage/command_line_mode.md
@@ -272,7 +272,7 @@ aws_ecr_repository:
 | Flag | Description | Options (default highlighted ) | ----------- | ----------- |------------|
-| -h | Help for scan command | See list of all flags supported with descriptions, default options in all commands are highlighted in bold|
+| -h | Help for scan command | See a list of all flags supported and descriptions. The default options for all commands are highlighted in bold|
 | -d | Use this to scan a specific directory. Use "." for current directory | AWS, GCP, Azure, and GitHub|
 | -f | Use this command to scan a specific file | |
 | -i type | Use this to change the IaC provider | arm, cft, docker, helm, k8s, kustomize, **terraform**| 
@@ -283,8 +283,10 @@ aws_ecr_repository:
 | -u | Use this to specify directory URL for remote IaC repositories | see options below |
 | |scan-rules|Specify rules to scan, example: --scan-rules="ruleID1,ruleID2"|
 | |skip-rules|Specify one or more rules to skip while scanning. Example: --skip-rules="ruleID1,ruleID2"|
-| |use-colours |Configure the color for output (**auto**, t, f) |
+| |use-colors |Configure the color for output (**auto**, t, f) |
 |--non-recursive |Use this for non recursive directories and modules scan | By default directory is scanned recursively, if this flag is used then only provided root directory will be scanned|
+|--notification-webhook-token string| Optional token used when sending authenticated requests to the notification webhook | This flag is optional when using the notification webhook|
+|--notification-webhook-url | A webhook URL where Terrascan will send JSON scan report and normalized IaC JSON | This overrides any notification webhook URLs configured in config TOML file specified with the `-c` flag|
 |--use-terraform-cache |Use this to refer terraform remote modules from terraform init cache rather than downloading | By default remote module will be downloaded in temporary directory. If this flag is set then modules will be refered from terraform init cache if module is not present in terraform init cache it will be downloaded. Directory will be scanned non recurively if this flag is used.(applicable only with terraform IaC provider)|
 | --find-vuln | find vulnerbilities | Use this to fetch vulnerabilities identified on the registry for docker images present in IaC the files scanned |
 | -v | verbose | Displays violations with all details | 
@@ -311,26 +313,28 @@ Usage:
 terrascan scan [flags]
 Flags:
- --categories strings list of categories of violations to be reported by terrascan (example: --categories="category1,category2")
- --config-only will output resource config (should only be used for debugging purposes)
- --find-vuln fetches vulnerabilities identified in Docker images
- -h, --help help for scan
- -d, --iac-dir string path to a directory containing one or more IaC files (default ".")
- -f, --iac-file string path to a single IaC file
- -i, --iac-type string iac type (arm, cft, docker, helm, k8s, kustomize, terraform, tfplan)
- --iac-version string iac version (arm: v1, cft: v1, docker: v1, helm: v3, k8s: v1, kustomize: v2, v3, v4, terraform: v12, v13, v14, v15, tfplan: v1)
- --non-recursive do not scan directories and modules recursively
- -p, --policy-path stringArray policy path directory
- -t, --policy-type strings policy type (all, aws, azure, gcp, github, k8s) (default [all])
- -r, --remote-type string type of remote backend (git, s3, gcs, http, terraform-registry)
- -u, --remote-url string url pointing to remote IaC repository
- --scan-rules strings one or more rules to scan (example: --scan-rules="ruleID1,ruleID2")
- --severity string minimum severity level of the policy violations to be reported by terrascan
- --show-passed display passed rules, along with violations
- --skip-rules strings one or more rules to skip while scanning (example: --skip-rules="ruleID1,ruleID2")
- --use-colors string color output (auto, t, f) (default "auto")
- --use-terraform-cache use terraform init cache for remote modules (when used directory scan will be non recursive,flag applicable only with terraform IaC provider)
- -v, --verbose will show violations with details (applicable for default output)
+ --categories strings list of categories of violations to be reported by terrascan (example: --categories="category1,category2")
+ --config-only will output resource config (should only be used for debugging 
purposes)
+ --find-vuln fetches vulnerabilities identified in Docker images
+ -h, --help help for scan
+ -d, --iac-dir string path to a directory containing one or more IaC files (default ".")
+ -f, --iac-file string path to a single IaC file
+ -i, --iac-type string iac type (arm, cft, docker, helm, k8s, kustomize, terraform, tfplan)
+ --iac-version string iac version (arm: v1, cft: v1, docker: v1, helm: v3, k8s: v1, kustomize: v2, v3, v4, terraform: v12, v13, v14, v15, tfplan: v1)
+ --non-recursive do not scan directories and modules recursively
+ --notification-webhook-token string the auth token to call the notification webhook URL
+ --notification-webhook-url string the URL where terrascan will send the scan report and normalized config json
+ -p, --policy-path stringArray policy path directory
+ -t, --policy-type strings policy type (all, aws, azure, docker, gcp, github, k8s) (default [all])
+ -r, --remote-type string type of remote backend (git, s3, gcs, http, terraform-registry)
+ -u, --remote-url string url pointing to remote IaC repository
+ --scan-rules strings one or more rules to scan (example: --scan-rules="ruleID1,ruleID2")
+ --severity string minimum severity level of the policy violations to be reported by terrascan
+ --show-passed display passed rules, along with violations
+ --skip-rules strings one or more rules to skip while scanning (example: --skip-rules="ruleID1,ruleID2")
+ --use-colors string color output (auto, t, f) (default "auto")
+ --use-terraform-cache use terraform init cache for remote modules (when used directory scan will be non recursive, flag applicable only with terraform IaC provider)
+ -v, --verbose will show violations with details (applicable for default output)
 Global Flags:
 -c, --config-path string config file path
diff --git a/content/en/docs/usage/config_options.md b/content/en/docs/usage/config_options.md
index df19e06..b49859c 100644
--- a/content/en/docs/usage/config_options.md 
+++ b/content/en/docs/usage/config_options.md
@@ -23,7 +23,7 @@ $ terrascan scan -c
 [notifications.webhook]
 url = "https://httpbin.org/post"
 token = "my_auth_token"
-
+
 [severity]
 level = "medium"
 [rules]
@@ -46,7 +46,7 @@ You can specify the following configurations:
 * **skip-rules** - Specify one or more rules to skip while scanning. All other rules in the policy pack will be applied.
 * **severity** - the minimal level of severity of the policies to be scanned and displayed. Options are high, medium and low
 * **category** - the list of type of categories of the policies to be scanned and displayed
-* **notifications** - Use these configuration as seen in the example above to send the output of scans as a webhook to a remote server.
+* **notifications** - This configuration can be used, as seen in the example above, to send the output of scans as a webhook to a remote server. Note that the `--notification-webhook-url` CLI flag will override any URLs configured through a configuration file.
 **k8s-admission-control** - Config options for K8s Admission Controllers and GitOps workflows: