Built-in Policies

Policy Sources

Built-in policies are mainly written in Rego and are managed in the AppShield repository. Terraform policies are currently powered by tfsec, and CloudFormation policies are powered by cfsec.

Config type      Source
Kubernetes       AppShield
Dockerfile       AppShield
Terraform        tfsec
CloudFormation   cfsec

For suggestions or issues regarding policy content, please open an issue in the relevant repository: AppShield, tfsec or cfsec.

Ansible policies are coming soon.

Policy Distribution

AppShield policies are distributed as an OPA bundle on GitHub Container Registry (GHCR). When misconfiguration detection is enabled, Trivy pulls the OPA bundle from GHCR as an OCI artifact and stores it in its cache. The policies are then loaded into Trivy's OPA engine and used to detect misconfigurations.

Update Interval

Trivy checks GHCR for a newer OPA bundle every 24 hours and pulls it if one is available.
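As an added illustration of the cache and refresh behaviour described under Policy Distribution and Update Interval, the Go code below models the decision Trivy faces on each run: re-check the registry when the cached record is missing or older than 24 hours, and reject a cached bundle whose bytes no longer match the OCI digest recorded at download time. This is example code, not Trivy's own implementation, and the metadata record format is an assumption for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// UpdateInterval mirrors the 24-hour refresh interval described on this page.
const UpdateInterval = 24 * time.Hour

// BundleMetadata is a hypothetical cache record (an assumption, not Trivy's format):
// the OCI digest of the cached bundle and the time it was downloaded.
type BundleMetadata struct {
	Digest       string    `json:"digest"`
	DownloadedAt time.Time `json:"downloadedAt"`
}

// ParseMetadata decodes a cached record; a missing or corrupt record yields nil,
// which callers treat as "no valid cache", forcing a fresh pull.
func ParseMetadata(raw []byte) *BundleMetadata {
	var m BundleMetadata
	if len(raw) == 0 || json.Unmarshal(raw, &m) != nil || m.Digest == "" {
		return nil
	}
	return &m
}

// NeedsUpdate reports whether the registry should be consulted for a newer bundle:
// always when no valid metadata exists, otherwise once the interval has elapsed.
func NeedsUpdate(m *BundleMetadata, now time.Time) bool {
	return m == nil || now.Sub(m.DownloadedAt) >= UpdateInterval
}

// VerifyBundle checks the cached bundle bytes against the recorded "sha256:<hex>"
// OCI digest, so a tampered or truncated cache entry is not loaded into the engine.
func VerifyBundle(content []byte, expectedDigest string) error {
	sum := sha256.Sum256(content)
	if got := "sha256:" + hex.EncodeToString(sum[:]); got != expectedDigest {
		return fmt.Errorf("bundle digest mismatch: got %s, want %s", got, expectedDigest)
	}
	return nil
}

func main() {
	// Constructed sample: a record whose bundle content is the bytes "abc".
	raw := []byte(`{"digest":"sha256:ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad","downloadedAt":"2024-01-01T00:00:00Z"}`)
	m := ParseMetadata(raw)
	fmt.Println("needs update after 25h:", NeedsUpdate(m, m.DownloadedAt.Add(25*time.Hour)))
	fmt.Println("verify cached bundle:", VerifyBundle([]byte("abc"), m.Digest))
}
```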