Policy

Pass custom policies

You can pass directories containing your custom policies with the --policy option. The option can be repeated to specify multiple directories.

  cd examples/misconf/
  trivy conf --policy custom-policy/policy --policy combine/policy --namespaces user misconf/mixed

For more details, see Custom Policies.

Tip

Custom policies live outside the default appshield.* namespace, so you also need to pass their package prefix with the --namespaces option (see Pass namespaces below); without it they are loaded but never evaluated.

Pass custom data

You can pass directories containing your custom data (JSON or YAML documents that your policies read through the data.* document) with the --data option. The option can be repeated to specify multiple directories.

  cd examples/misconf/custom-data
  trivy conf --policy ./policy --data ./data --namespaces user ./configs

For more details, see Custom Data.

Pass namespaces

By default, Trivy evaluates only the built-in policies, which are defined in the appshield.* package namespace. To evaluate custom policies defined in other packages, pass their package prefixes with the --namespaces option. The option can be repeated to specify multiple prefixes; policies whose package does not match any given prefix are ignored.

  trivy conf --policy ./policy --namespaces main --namespaces user ./configs
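The following is an added example that ties the three options together; it is not code from Trivy's documentation or code base. It is a custom policy in the user namespace that reads custom data to flag Kubernetes Services exposing disallowed ports. The directory layout, the file names, the data keys (ports.disallowed) and the check ID PORT001 are assumptions, and the __rego_metadata__ / __rego_input__ conventions are those described on the Custom Policies page.

```rego
# Added example, not Trivy's own policy. Assumed layout (all constructed):
#   policy/disallowed_ports.rego   this file
#   data/ports.yaml                ports:
#                                    disallowed: [21, 23, 3389]
#   configs/service.yaml           a Kubernetes Service of type LoadBalancer
#                                  with a port 23 entry, to produce a finding
#
# Run:
#   trivy conf --policy ./policy --data ./data --namespaces user ./configs
#
# The package must start with the prefix passed via --namespaces ("user").
package user.kubernetes.PORT001

# Custom data passed with --data is exposed under the data document.
import data.ports

# Trivy reads this metadata to fill the MISCONF ID, CHECK and SEVERITY columns.
__rego_metadata__ := {
    "id": "PORT001",
    "title": "Service exposes a disallowed port",
    "severity": "HIGH",
    "type": "Custom Kubernetes Check",
    "description": "Kubernetes Services must not expose ports listed in data.ports.disallowed",
}

# Evaluate this policy only against Kubernetes manifests; Dockerfiles and
# other config types never reach the deny rule.
__rego_input__ := {
    "selector": [
        {"type": "kubernetes"},
    ],
}

# A LoadBalancer or NodePort Service is reachable from outside the cluster;
# ClusterIP Services are deliberately not flagged.
externally_reachable {
    input.spec.type == "LoadBalancer"
}

externally_reachable {
    input.spec.type == "NodePort"
}

# One violation per matching port so that each bad port is reported separately.
deny[msg] {
    input.kind == "Service"
    externally_reachable
    port := input.spec.ports[_].port
    port == ports.disallowed[_]
    msg := sprintf("Service '%s' exposes disallowed port %d", [input.metadata.name, port])
}
```

Keeping the port list in data rather than in the policy lets the same .rego file be reused across teams with different --data directories, and it keeps the policy evaluable for any port list without editing Rego.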

Skip update of built-in policies

Trivy downloads the built-in policies the first time it runs and then checks for updates every 24 hours. The --skip-policy-update option skips that download and update check. If you skip it on the very first run, no built-in policies have been downloaded yet, so none are loaded.

Note

The Terraform checks are the exception: they are implemented in Go (tfsec) and compiled into the Trivy binary rather than downloaded as policies, so they are still evaluated when --skip-policy-update is given on the first run. The result below shows exactly this: "No builtin policies were loaded" is logged, yet Terraform findings are reported.

  trivy conf --skip-policy-update examples/misconf/mixed

Result

  2021-07-10T18:04:19.083+0300    INFO    No builtin policies were loaded
  2021-07-10T18:04:19.174+0300    INFO    Detected config files: 2

  configs/main.tf (terraform)
  ===========================
  Tests: 19 (SUCCESSES: 11, FAILURES: 8, EXCEPTIONS: 0)
  Failures: 8 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 1)

  +-------------------------------------+------------+---------------------------------------+----------+----------------------------------------+
  | TYPE                                | MISCONF ID | CHECK                                 | SEVERITY | MESSAGE                                |
  +-------------------------------------+------------+---------------------------------------+----------+----------------------------------------+
  | Terraform Security Check powered by | AWS004     | Use of plain HTTP.                    | CRITICAL | Resource                               |
  | tfsec                               |            |                                       |          | 'aws_alb_listener.my-alb-listener'     |
  |                                     |            |                                       |          | uses plain HTTP instead of HTTPS.      |
  |                                     |            |                                       |          | -->tfsec.dev/docs/aws/AWS004/          |
  +                                     +------------+---------------------------------------+----------+----------------------------------------+
  |                                     | AWS006     | An ingress security group rule allows | MEDIUM   | Resource                               |
  |                                     |            | traffic from /0.                      |          | 'aws_security_group_rule.my-rule'      |
  |                                     |            |                                       |          | defines a fully open                   |
  |                                     |            |                                       |          | ingress security group rule.           |
  |                                     |            |                                       |          | -->tfsec.dev/docs/aws/AWS006/          |
  +                                     +------------+---------------------------------------+----------+----------------------------------------+
  |                                     | AZU003     | Unencrypted managed disk.             | HIGH     | Resource 'azurerm_managed_disk.source' |
  |                                     |            |                                       |          | defines an unencrypted managed disk.   |
  |                                     |            |                                       |          | -->tfsec.dev/docs/azure/AZU003/        |
  +-------------------------------------+------------+---------------------------------------+----------+----------------------------------------+

  configs/variables.tf (terraform)
  ================================
  Tests: 1 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 0)
  Failures: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)