diff --git a/docs/docs/references/configuration/cli/trivy_config.md b/docs/docs/references/configuration/cli/trivy_config.md index 7cc65a04e949..2e7b78197d04 100644 --- a/docs/docs/references/configuration/cli/trivy_config.md +++ b/docs/docs/references/configuration/cli/trivy_config.md 
@@ -9,52 +9,52 @@ trivy config [flags] DIR ### Options ``` - --cache-backend string [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "memory") - --cache-ttl duration cache TTL when using redis as cache backend - --cf-params strings specify paths to override the CloudFormation parameters files - --check-namespaces strings Rego namespaces - --checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "mirror.gcr.io/aquasec/trivy-checks:1") - --compliance string compliance report to generate - --config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files - --config-data strings specify paths from which data for the Rego checks will be recursively loaded - --config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking - --enable-modules strings [EXPERIMENTAL] module names to enable - --exit-code int specify exit code when any security issues are found - --file-patterns strings specify config file patterns - -f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table") - --helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment) - --helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command. 
- --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) - --helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2) - --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) - --helm-values strings specify paths to override the Helm values.yaml files - -h, --help help for config - --ignore-policy string specify the Rego file path to evaluate each vulnerability - --ignorefile string specify .trivyignore file (default ".trivyignore") - --include-deprecated-checks include deprecated checks - --include-non-failures include successes, available with '--scanners misconfig' - --k8s-version string specify k8s version to validate outdated api by it (example: 1.21.0) - --misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot]) - --module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules") - -o, --output string output file name - --output-plugin-arg string [EXPERIMENTAL] output plugin arguments - --password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons. - --password-stdin password from stdin. Comma-separated passwords are not supported. 
- --redis-ca string redis ca file location, if using redis as cache backend - --redis-cert string redis certificate file location, if using redis as cache backend - --redis-key string redis key file location, if using redis as cache backend - --redis-tls enable redis TLS with public certificates, if using redis as cache backend - --registry-token string registry token - --report string specify a compliance report format for the output (all,summary) (default "all") - -s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL]) - --skip-check-update skip fetching rego check updates - --skip-dirs strings specify the directories or glob patterns to skip - --skip-files strings specify the files or glob patterns to skip - -t, --template string output template - --tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules - --tf-vars strings specify paths to override the Terraform tfvars files - --trace enable more verbose trace output for custom queries - --username strings username. Comma-separated usernames allowed. + --cache-backend string [EXPERIMENTAL] cache backend (e.g. 
redis://localhost:6379) (default "memory") + --cache-ttl duration cache TTL when using redis as cache backend + --cf-params strings specify paths to override the CloudFormation parameters files + --check-namespaces strings Rego namespaces + --checks-bundle-repositories strings OCI registry URL(s) to retrieve checks bundle from (default [mirror.gcr.io/aquasec/trivy-checks:1,ghcr.io/aquasecurity/trivy-checks:1]) + --compliance string compliance report to generate + --config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files + --config-data strings specify paths from which data for the Rego checks will be recursively loaded + --config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking + --enable-modules strings [EXPERIMENTAL] module names to enable + --exit-code int specify exit code when any security issues are found + --file-patterns strings specify config file patterns + -f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table") + --helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment) + --helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command. 
+ --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) + --helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2) + --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) + --helm-values strings specify paths to override the Helm values.yaml files + -h, --help help for config + --ignore-policy string specify the Rego file path to evaluate each vulnerability + --ignorefile string specify .trivyignore file (default ".trivyignore") + --include-deprecated-checks include deprecated checks + --include-non-failures include successes, available with '--scanners misconfig' + --k8s-version string specify k8s version to validate outdated api by it (example: 1.21.0) + --misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot]) + --module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules") + -o, --output string output file name + --output-plugin-arg string [EXPERIMENTAL] output plugin arguments + --password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons. + --password-stdin password from stdin. Comma-separated passwords are not supported. 
+ --redis-ca string redis ca file location, if using redis as cache backend + --redis-cert string redis certificate file location, if using redis as cache backend + --redis-key string redis key file location, if using redis as cache backend + --redis-tls enable redis TLS with public certificates, if using redis as cache backend + --registry-token string registry token + --report string specify a compliance report format for the output (all,summary) (default "all") + -s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL]) + --skip-check-update skip fetching rego check updates + --skip-dirs strings specify the directories or glob patterns to skip + --skip-files strings specify the files or glob patterns to skip + -t, --template string output template + --tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules + --tf-vars strings specify paths to override the Terraform tfvars files + --trace enable more verbose trace output for custom queries + --username strings username. Comma-separated usernames allowed. ``` ### Options inherited from parent commands diff --git a/docs/docs/references/configuration/cli/trivy_filesystem.md b/docs/docs/references/configuration/cli/trivy_filesystem.md index 4bf6aa064999..738b3cbe57fa 100644 --- a/docs/docs/references/configuration/cli/trivy_filesystem.md +++ b/docs/docs/references/configuration/cli/trivy_filesystem.md 
@@ -19,85 +19,85 @@ trivy filesystem [flags] PATH ### Options ``` - --cache-backend string [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "memory") - --cache-ttl duration cache TTL when using redis as cache backend - --cf-params strings specify paths to override the CloudFormation parameters files - --check-namespaces strings Rego namespaces - --checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "mirror.gcr.io/aquasec/trivy-checks:1") - --compliance string compliance report to generate - --config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files - --config-data strings specify paths from which data for the Rego checks will be recursively loaded - --config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking - --custom-headers strings custom headers in client mode - --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2]) - --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages - --detection-priority string specify the detection priority: - - "precise": Prioritizes precise by minimizing false positives. - - "comprehensive": Aims to detect more security findings at the cost of potential false positives. 
- (precise,comprehensive) (default "precise") - --download-db-only download/update vulnerability database but don't run a scan - --download-java-db-only download/update Java index database but don't run a scan - --enable-modules strings [EXPERIMENTAL] module names to enable - --exit-code int specify exit code when any security issues are found - --file-patterns strings specify config file patterns - -f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table") - --helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment) - --helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command. - --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) - --helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2) - --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) - --helm-values strings specify paths to override the Helm values.yaml files - -h, --help help for filesystem - --ignore-policy string specify the Rego file path to evaluate each vulnerability - --ignore-status strings comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life) - --ignore-unfixed display only fixed vulnerabilities - --ignored-licenses strings specify a list of license to ignore - --ignorefile string specify .trivyignore file (default ".trivyignore") - 
--include-deprecated-checks include deprecated checks - --include-dev-deps include development dependencies in the report (supported: npm, yarn) - --include-non-failures include successes, available with '--scanners misconfig' - --java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1]) - --license-confidence-level float specify license classifier's confidence level (default 0.9) - --license-full eagerly look for licenses in source code headers and license files - --list-all-pkgs output all packages in the JSON report regardless of vulnerability - --misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot]) - --module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules") - --no-progress suppress progress bar - --offline-scan do not issue API requests to identify dependencies - -o, --output string output file name - --output-plugin-arg string [EXPERIMENTAL] output plugin arguments - --parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5) - --password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons. - --password-stdin password from stdin. Comma-separated passwords are not supported. 
- --pkg-relationships strings list of package relationships (unknown,root,workspace,direct,indirect) (default [unknown,root,workspace,direct,indirect]) - --pkg-types strings list of package types (os,library) (default [os,library]) - --redis-ca string redis ca file location, if using redis as cache backend - --redis-cert string redis certificate file location, if using redis as cache backend - --redis-key string redis key file location, if using redis as cache backend - --redis-tls enable redis TLS with public certificates, if using redis as cache backend - --registry-token string registry token - --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev") - --report string specify a compliance report format for the output (all,summary) (default "all") - --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor) - --scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret]) - --secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml") - --server string server address in client mode - -s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL]) - --show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities - --skip-check-update skip fetching rego check updates - --skip-db-update skip updating vulnerability database - --skip-dirs strings specify the directories or glob patterns to skip - --skip-files strings specify the files or glob patterns to skip - --skip-java-db-update skip updating Java index database - --skip-vex-repo-update [EXPERIMENTAL] Skip VEX Repository update - -t, --template string output template - --tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules - --tf-vars strings specify paths to override the Terraform tfvars files - --token 
string for authentication in client/server mode - --token-header string specify a header name for token in client/server mode (default "Trivy-Token") - --trace enable more verbose trace output for custom queries - --username strings username. Comma-separated usernames allowed. - --vex strings [EXPERIMENTAL] VEX sources ("repo", "oci" or file path) + --cache-backend string [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "memory") + --cache-ttl duration cache TTL when using redis as cache backend + --cf-params strings specify paths to override the CloudFormation parameters files + --check-namespaces strings Rego namespaces + --checks-bundle-repositories strings OCI registry URL(s) to retrieve checks bundle from (default [mirror.gcr.io/aquasec/trivy-checks:1,ghcr.io/aquasecurity/trivy-checks:1]) + --compliance string compliance report to generate + --config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files + --config-data strings specify paths from which data for the Rego checks will be recursively loaded + --config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking + --custom-headers strings custom headers in client mode + --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2]) + --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages + --detection-priority string specify the detection priority: + - "precise": Prioritizes precise by minimizing false positives. + - "comprehensive": Aims to detect more security findings at the cost of potential false positives. 
+ (precise,comprehensive) (default "precise") + --download-db-only download/update vulnerability database but don't run a scan + --download-java-db-only download/update Java index database but don't run a scan + --enable-modules strings [EXPERIMENTAL] module names to enable + --exit-code int specify exit code when any security issues are found + --file-patterns strings specify config file patterns + -f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table") + --helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment) + --helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command. + --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) + --helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2) + --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) + --helm-values strings specify paths to override the Helm values.yaml files + -h, --help help for filesystem + --ignore-policy string specify the Rego file path to evaluate each vulnerability + --ignore-status strings comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life) + --ignore-unfixed display only fixed vulnerabilities + --ignored-licenses strings specify a list of license to ignore + --ignorefile string specify .trivyignore file (default ".trivyignore") + 
--include-deprecated-checks include deprecated checks + --include-dev-deps include development dependencies in the report (supported: npm, yarn) + --include-non-failures include successes, available with '--scanners misconfig' + --java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1]) + --license-confidence-level float specify license classifier's confidence level (default 0.9) + --license-full eagerly look for licenses in source code headers and license files + --list-all-pkgs output all packages in the JSON report regardless of vulnerability + --misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot]) + --module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules") + --no-progress suppress progress bar + --offline-scan do not issue API requests to identify dependencies + -o, --output string output file name + --output-plugin-arg string [EXPERIMENTAL] output plugin arguments + --parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5) + --password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons. + --password-stdin password from stdin. Comma-separated passwords are not supported. 
+ --pkg-relationships strings list of package relationships (unknown,root,workspace,direct,indirect) (default [unknown,root,workspace,direct,indirect]) + --pkg-types strings list of package types (os,library) (default [os,library]) + --redis-ca string redis ca file location, if using redis as cache backend + --redis-cert string redis certificate file location, if using redis as cache backend + --redis-key string redis key file location, if using redis as cache backend + --redis-tls enable redis TLS with public certificates, if using redis as cache backend + --registry-token string registry token + --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev") + --report string specify a compliance report format for the output (all,summary) (default "all") + --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor) + --scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret]) + --secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml") + --server string server address in client mode + -s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL]) + --show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities + --skip-check-update skip fetching rego check updates + --skip-db-update skip updating vulnerability database + --skip-dirs strings specify the directories or glob patterns to skip + --skip-files strings specify the files or glob patterns to skip + --skip-java-db-update skip updating Java index database + --skip-vex-repo-update [EXPERIMENTAL] Skip VEX Repository update + -t, --template string output template + --tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules + --tf-vars strings specify paths to override the Terraform tfvars files + --token 
string for authentication in client/server mode + --token-header string specify a header name for token in client/server mode (default "Trivy-Token") + --trace enable more verbose trace output for custom queries + --username strings username. Comma-separated usernames allowed. + --vex strings [EXPERIMENTAL] VEX sources ("repo", "oci" or file path) ``` ### Options inherited from parent commands diff --git a/docs/docs/references/configuration/cli/trivy_image.md b/docs/docs/references/configuration/cli/trivy_image.md index 41bc6ce842bc..198061c77cae 100644 --- a/docs/docs/references/configuration/cli/trivy_image.md +++ b/docs/docs/references/configuration/cli/trivy_image.md 
@@ -34,90 +34,90 @@ trivy image [flags] IMAGE_NAME ### Options ``` - --cache-backend string [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "fs") - --cache-ttl duration cache TTL when using redis as cache backend - --check-namespaces strings Rego namespaces - --checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "mirror.gcr.io/aquasec/trivy-checks:1") - --compliance string compliance report to generate (docker-cis-1.6.0) - --config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files - --config-data strings specify paths from which data for the Rego checks will be recursively loaded - --config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking - --custom-headers strings custom headers in client mode - --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2]) - --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages - --detection-priority string specify the detection priority: - - "precise": Prioritizes precise by minimizing false positives. - - "comprehensive": Aims to detect more security findings at the cost of potential false positives. 
- (precise,comprehensive) (default "precise") - --docker-host string unix domain socket path to use for docker scanning - --download-db-only download/update vulnerability database but don't run a scan - --download-java-db-only download/update Java index database but don't run a scan - --enable-modules strings [EXPERIMENTAL] module names to enable - --exit-code int specify exit code when any security issues are found - --exit-on-eol int exit with the specified code when the OS reaches end of service/life - --file-patterns strings specify config file patterns - -f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table") - --helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment) - --helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command. 
- --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) - --helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2) - --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) - --helm-values strings specify paths to override the Helm values.yaml files - -h, --help help for image - --ignore-policy string specify the Rego file path to evaluate each vulnerability - --ignore-status strings comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life) - --ignore-unfixed display only fixed vulnerabilities - --ignored-licenses strings specify a list of license to ignore - --ignorefile string specify .trivyignore file (default ".trivyignore") - --image-config-scanners strings comma-separated list of what security issues to detect on container image configurations (misconfig,secret) - --image-src strings image source(s) to use, in priority order (docker,containerd,podman,remote) (default [docker,containerd,podman,remote]) - --include-deprecated-checks include deprecated checks - --include-non-failures include successes, available with '--scanners misconfig' - --input string input file path instead of image name - --java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1]) - --license-confidence-level float specify license classifier's confidence level (default 0.9) - --license-full eagerly look for licenses in source code headers and license files - --list-all-pkgs output all packages in the JSON report regardless of vulnerability - --misconfig-scanners strings comma-separated list of 
misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot]) - --module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules") - --no-progress suppress progress bar - --offline-scan do not issue API requests to identify dependencies - -o, --output string output file name - --output-plugin-arg string [EXPERIMENTAL] output plugin arguments - --parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5) - --password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons. - --password-stdin password from stdin. Comma-separated passwords are not supported. - --pkg-relationships strings list of package relationships (unknown,root,workspace,direct,indirect) (default [unknown,root,workspace,direct,indirect]) - --pkg-types strings list of package types (os,library) (default [os,library]) - --platform string set platform in the form os/arch if image is multi-platform capable - --podman-host string unix podman socket path to use for podman scanning - --redis-ca string redis ca file location, if using redis as cache backend - --redis-cert string redis certificate file location, if using redis as cache backend - --redis-key string redis key file location, if using redis as cache backend - --redis-tls enable redis TLS with public certificates, if using redis as cache backend - --registry-token string registry token - --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev") - --removed-pkgs detect vulnerabilities of removed packages (only for Alpine) - --report string specify a format for the compliance report. 
(all,summary) (default "summary") - --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor) - --scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret]) - --secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml") - --server string server address in client mode - -s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL]) - --show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities - --skip-check-update skip fetching rego check updates - --skip-db-update skip updating vulnerability database - --skip-dirs strings specify the directories or glob patterns to skip - --skip-files strings specify the files or glob patterns to skip - --skip-java-db-update skip updating Java index database - --skip-vex-repo-update [EXPERIMENTAL] Skip VEX Repository update - -t, --template string output template - --tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules - --token string for authentication in client/server mode - --token-header string specify a header name for token in client/server mode (default "Trivy-Token") - --trace enable more verbose trace output for custom queries - --username strings username. Comma-separated usernames allowed. - --vex strings [EXPERIMENTAL] VEX sources ("repo", "oci" or file path) + --cache-backend string [EXPERIMENTAL] cache backend (e.g. 
redis://localhost:6379) (default "fs") + --cache-ttl duration cache TTL when using redis as cache backend + --check-namespaces strings Rego namespaces + --checks-bundle-repositories strings OCI registry URL(s) to retrieve checks bundle from (default [mirror.gcr.io/aquasec/trivy-checks:1,ghcr.io/aquasecurity/trivy-checks:1]) + --compliance string compliance report to generate (docker-cis-1.6.0) + --config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files + --config-data strings specify paths from which data for the Rego checks will be recursively loaded + --config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking + --custom-headers strings custom headers in client mode + --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2]) + --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages + --detection-priority string specify the detection priority: + - "precise": Prioritizes precise by minimizing false positives. + - "comprehensive": Aims to detect more security findings at the cost of potential false positives. 
+ (precise,comprehensive) (default "precise") + --docker-host string unix domain socket path to use for docker scanning + --download-db-only download/update vulnerability database but don't run a scan + --download-java-db-only download/update Java index database but don't run a scan + --enable-modules strings [EXPERIMENTAL] module names to enable + --exit-code int specify exit code when any security issues are found + --exit-on-eol int exit with the specified code when the OS reaches end of service/life + --file-patterns strings specify config file patterns + -f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table") + --helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment) + --helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command. 
+ --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) + --helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2) + --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) + --helm-values strings specify paths to override the Helm values.yaml files + -h, --help help for image + --ignore-policy string specify the Rego file path to evaluate each vulnerability + --ignore-status strings comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life) + --ignore-unfixed display only fixed vulnerabilities + --ignored-licenses strings specify a list of license to ignore + --ignorefile string specify .trivyignore file (default ".trivyignore") + --image-config-scanners strings comma-separated list of what security issues to detect on container image configurations (misconfig,secret) + --image-src strings image source(s) to use, in priority order (docker,containerd,podman,remote) (default [docker,containerd,podman,remote]) + --include-deprecated-checks include deprecated checks + --include-non-failures include successes, available with '--scanners misconfig' + --input string input file path instead of image name + --java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1]) + --license-confidence-level float specify license classifier's confidence level (default 0.9) + --license-full eagerly look for licenses in source code headers and license files + --list-all-pkgs output all packages in the JSON report regardless of vulnerability + --misconfig-scanners strings comma-separated list of 
misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot]) + --module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules") + --no-progress suppress progress bar + --offline-scan do not issue API requests to identify dependencies + -o, --output string output file name + --output-plugin-arg string [EXPERIMENTAL] output plugin arguments + --parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5) + --password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons. + --password-stdin password from stdin. Comma-separated passwords are not supported. + --pkg-relationships strings list of package relationships (unknown,root,workspace,direct,indirect) (default [unknown,root,workspace,direct,indirect]) + --pkg-types strings list of package types (os,library) (default [os,library]) + --platform string set platform in the form os/arch if image is multi-platform capable + --podman-host string unix podman socket path to use for podman scanning + --redis-ca string redis ca file location, if using redis as cache backend + --redis-cert string redis certificate file location, if using redis as cache backend + --redis-key string redis key file location, if using redis as cache backend + --redis-tls enable redis TLS with public certificates, if using redis as cache backend + --registry-token string registry token + --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev") + --removed-pkgs detect vulnerabilities of removed packages (only for Alpine) + --report string specify a format for the compliance report. 
(all,summary) (default "summary") + --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor) + --scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret]) + --secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml") + --server string server address in client mode + -s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL]) + --show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities + --skip-check-update skip fetching rego check updates + --skip-db-update skip updating vulnerability database + --skip-dirs strings specify the directories or glob patterns to skip + --skip-files strings specify the files or glob patterns to skip + --skip-java-db-update skip updating Java index database + --skip-vex-repo-update [EXPERIMENTAL] Skip VEX Repository update + -t, --template string output template + --tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules + --token string for authentication in client/server mode + --token-header string specify a header name for token in client/server mode (default "Trivy-Token") + --trace enable more verbose trace output for custom queries + --username strings username. Comma-separated usernames allowed. + --vex strings [EXPERIMENTAL] VEX sources ("repo", "oci" or file path) ``` ### Options inherited from parent commands diff --git a/docs/docs/references/configuration/cli/trivy_kubernetes.md b/docs/docs/references/configuration/cli/trivy_kubernetes.md index 9290ec0719b8..3a9c067e2af9 100644 --- a/docs/docs/references/configuration/cli/trivy_kubernetes.md +++ b/docs/docs/references/configuration/cli/trivy_kubernetes.md 
@@ -29,89 +29,89 @@ trivy kubernetes [flags] [CONTEXT] ### Options ``` - --burst int specify the maximum burst for throttle (default 10) - --cache-backend string [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "fs") - --cache-ttl duration cache TTL when using redis as cache backend - --check-namespaces strings Rego namespaces - --checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "mirror.gcr.io/aquasec/trivy-checks:1") - --compliance string compliance report to generate (k8s-nsa-1.0,k8s-cis-1.23,eks-cis-1.4,rke2-cis-1.24,k8s-pss-baseline-0.1,k8s-pss-restricted-0.1) - --config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files - --config-data strings specify paths from which data for the Rego checks will be recursively loaded - --config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking - --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2]) - --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages - --detection-priority string specify the detection priority: - - "precise": Prioritizes precise by minimizing false positives. - - "comprehensive": Aims to detect more security findings at the cost of potential false positives. - (precise,comprehensive) (default "precise") - --disable-node-collector When the flag is activated, the node-collector job will not be executed, thus skipping misconfiguration findings on the node. 
- --download-db-only download/update vulnerability database but don't run a scan - --download-java-db-only download/update Java index database but don't run a scan - --exclude-kinds strings indicate the kinds exclude from scanning (example: node) - --exclude-namespaces strings indicate the namespaces excluded from scanning (example: kube-system) - --exclude-nodes strings indicate the node labels that the node-collector job should exclude from scanning (example: kubernetes.io/arch:arm64,team:dev) - --exclude-owned exclude resources that have an owner reference - --exit-code int specify exit code when any security issues are found - --file-patterns strings specify config file patterns - -f, --format string format (table,json,cyclonedx) (default "table") - --helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment) - --helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command. 
- --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) - --helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2) - --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) - --helm-values strings specify paths to override the Helm values.yaml files - -h, --help help for kubernetes - --ignore-policy string specify the Rego file path to evaluate each vulnerability - --ignore-status strings comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life) - --ignore-unfixed display only fixed vulnerabilities - --ignorefile string specify .trivyignore file (default ".trivyignore") - --image-src strings image source(s) to use, in priority order (docker,containerd,podman,remote) (default [docker,containerd,podman,remote]) - --include-deprecated-checks include deprecated checks - --include-kinds strings indicate the kinds included in scanning (example: node) - --include-namespaces strings indicate the namespaces included in scanning (example: kube-system) - --include-non-failures include successes, available with '--scanners misconfig' - --java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1]) - --k8s-version string specify k8s version to validate outdated api by it (example: 1.21.0) - --kubeconfig string specify the kubeconfig file path to use - --list-all-pkgs output all packages in the JSON report regardless of vulnerability - --misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default 
[azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot]) - --no-progress suppress progress bar - --node-collector-imageref string indicate the image reference for the node-collector scan job (default "ghcr.io/aquasecurity/node-collector:0.3.1") - --node-collector-namespace string specify the namespace in which the node-collector job should be deployed (default "trivy-temp") - --offline-scan do not issue API requests to identify dependencies - -o, --output string output file name - --output-plugin-arg string [EXPERIMENTAL] output plugin arguments - --parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5) - --password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons. - --password-stdin password from stdin. Comma-separated passwords are not supported. - --pkg-relationships strings list of package relationships (unknown,root,workspace,direct,indirect) (default [unknown,root,workspace,direct,indirect]) - --pkg-types strings list of package types (os,library) (default [os,library]) - --qps float specify the maximum QPS to the master from this client (default 5) - --redis-ca string redis ca file location, if using redis as cache backend - --redis-cert string redis certificate file location, if using redis as cache backend - --redis-key string redis key file location, if using redis as cache backend - --redis-tls enable redis TLS with public certificates, if using redis as cache backend - --registry-token string registry token - --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev") - --report string specify a report format for the output (all,summary) (default "all") - --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor) - --scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,rbac) 
(default [vuln,misconfig,secret,rbac]) - --secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml") - -s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL]) - --show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities - --skip-check-update skip fetching rego check updates - --skip-db-update skip updating vulnerability database - --skip-dirs strings specify the directories or glob patterns to skip - --skip-files strings specify the files or glob patterns to skip - --skip-images skip the downloading and scanning of images (vulnerabilities and secrets) in the cluster resources - --skip-java-db-update skip updating Java index database - --skip-vex-repo-update [EXPERIMENTAL] Skip VEX Repository update - -t, --template string output template - --tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules - --tolerations strings specify node-collector job tolerations (example: key1=value1:NoExecute,key2=value2:NoSchedule) - --trace enable more verbose trace output for custom queries - --username strings username. Comma-separated usernames allowed. - --vex strings [EXPERIMENTAL] VEX sources ("repo", "oci" or file path) + --burst int specify the maximum burst for throttle (default 10) + --cache-backend string [EXPERIMENTAL] cache backend (e.g. 
redis://localhost:6379) (default "fs") + --cache-ttl duration cache TTL when using redis as cache backend + --check-namespaces strings Rego namespaces + --checks-bundle-repositories strings OCI registry URL(s) to retrieve checks bundle from (default [mirror.gcr.io/aquasec/trivy-checks:1,ghcr.io/aquasecurity/trivy-checks:1]) + --compliance string compliance report to generate (k8s-nsa-1.0,k8s-cis-1.23,eks-cis-1.4,rke2-cis-1.24,k8s-pss-baseline-0.1,k8s-pss-restricted-0.1) + --config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files + --config-data strings specify paths from which data for the Rego checks will be recursively loaded + --config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking + --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2]) + --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages + --detection-priority string specify the detection priority: + - "precise": Prioritizes precise by minimizing false positives. + - "comprehensive": Aims to detect more security findings at the cost of potential false positives. + (precise,comprehensive) (default "precise") + --disable-node-collector When the flag is activated, the node-collector job will not be executed, thus skipping misconfiguration findings on the node. 
+ --download-db-only download/update vulnerability database but don't run a scan + --download-java-db-only download/update Java index database but don't run a scan + --exclude-kinds strings indicate the kinds exclude from scanning (example: node) + --exclude-namespaces strings indicate the namespaces excluded from scanning (example: kube-system) + --exclude-nodes strings indicate the node labels that the node-collector job should exclude from scanning (example: kubernetes.io/arch:arm64,team:dev) + --exclude-owned exclude resources that have an owner reference + --exit-code int specify exit code when any security issues are found + --file-patterns strings specify config file patterns + -f, --format string format (table,json,cyclonedx) (default "table") + --helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment) + --helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command. 
+ --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) + --helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2) + --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) + --helm-values strings specify paths to override the Helm values.yaml files + -h, --help help for kubernetes + --ignore-policy string specify the Rego file path to evaluate each vulnerability + --ignore-status strings comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life) + --ignore-unfixed display only fixed vulnerabilities + --ignorefile string specify .trivyignore file (default ".trivyignore") + --image-src strings image source(s) to use, in priority order (docker,containerd,podman,remote) (default [docker,containerd,podman,remote]) + --include-deprecated-checks include deprecated checks + --include-kinds strings indicate the kinds included in scanning (example: node) + --include-namespaces strings indicate the namespaces included in scanning (example: kube-system) + --include-non-failures include successes, available with '--scanners misconfig' + --java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1]) + --k8s-version string specify k8s version to validate outdated api by it (example: 1.21.0) + --kubeconfig string specify the kubeconfig file path to use + --list-all-pkgs output all packages in the JSON report regardless of vulnerability + --misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default 
[azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot]) + --no-progress suppress progress bar + --node-collector-imageref string indicate the image reference for the node-collector scan job (default "ghcr.io/aquasecurity/node-collector:0.3.1") + --node-collector-namespace string specify the namespace in which the node-collector job should be deployed (default "trivy-temp") + --offline-scan do not issue API requests to identify dependencies + -o, --output string output file name + --output-plugin-arg string [EXPERIMENTAL] output plugin arguments + --parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5) + --password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons. + --password-stdin password from stdin. Comma-separated passwords are not supported. + --pkg-relationships strings list of package relationships (unknown,root,workspace,direct,indirect) (default [unknown,root,workspace,direct,indirect]) + --pkg-types strings list of package types (os,library) (default [os,library]) + --qps float specify the maximum QPS to the master from this client (default 5) + --redis-ca string redis ca file location, if using redis as cache backend + --redis-cert string redis certificate file location, if using redis as cache backend + --redis-key string redis key file location, if using redis as cache backend + --redis-tls enable redis TLS with public certificates, if using redis as cache backend + --registry-token string registry token + --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev") + --report string specify a report format for the output (all,summary) (default "all") + --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor) + --scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,rbac) 
(default [vuln,misconfig,secret,rbac]) + --secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml") + -s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL]) + --show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities + --skip-check-update skip fetching rego check updates + --skip-db-update skip updating vulnerability database + --skip-dirs strings specify the directories or glob patterns to skip + --skip-files strings specify the files or glob patterns to skip + --skip-images skip the downloading and scanning of images (vulnerabilities and secrets) in the cluster resources + --skip-java-db-update skip updating Java index database + --skip-vex-repo-update [EXPERIMENTAL] Skip VEX Repository update + -t, --template string output template + --tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules + --tolerations strings specify node-collector job tolerations (example: key1=value1:NoExecute,key2=value2:NoSchedule) + --trace enable more verbose trace output for custom queries + --username strings username. Comma-separated usernames allowed. + --vex strings [EXPERIMENTAL] VEX sources ("repo", "oci" or file path) ``` ### Options inherited from parent commands diff --git a/docs/docs/references/configuration/cli/trivy_repository.md b/docs/docs/references/configuration/cli/trivy_repository.md index 38ae6611b595..d7d8bfe8c71c 100644 --- a/docs/docs/references/configuration/cli/trivy_repository.md +++ b/docs/docs/references/configuration/cli/trivy_repository.md 
@@ -18,86 +18,86 @@ trivy repository [flags] (REPO_PATH | REPO_URL) ### Options ``` - --branch string pass the branch name to be scanned - --cache-backend string [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "memory") - --cache-ttl duration cache TTL when using redis as cache backend - --cf-params strings specify paths to override the CloudFormation parameters files - --check-namespaces strings Rego namespaces - --checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "mirror.gcr.io/aquasec/trivy-checks:1") - --commit string pass the commit hash to be scanned - --config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files - --config-data strings specify paths from which data for the Rego checks will be recursively loaded - --config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking - --custom-headers strings custom headers in client mode - --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2]) - --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages - --detection-priority string specify the detection priority: - - "precise": Prioritizes precise by minimizing false positives. - - "comprehensive": Aims to detect more security findings at the cost of potential false positives. 
- (precise,comprehensive) (default "precise") - --download-db-only download/update vulnerability database but don't run a scan - --download-java-db-only download/update Java index database but don't run a scan - --enable-modules strings [EXPERIMENTAL] module names to enable - --exit-code int specify exit code when any security issues are found - --file-patterns strings specify config file patterns - -f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table") - --helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment) - --helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command. - --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) - --helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2) - --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) - --helm-values strings specify paths to override the Helm values.yaml files - -h, --help help for repository - --ignore-policy string specify the Rego file path to evaluate each vulnerability - --ignore-status strings comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life) - --ignore-unfixed display only fixed vulnerabilities - --ignored-licenses strings specify a list of license to ignore - --ignorefile string specify .trivyignore file (default ".trivyignore") - 
--include-deprecated-checks include deprecated checks - --include-dev-deps include development dependencies in the report (supported: npm, yarn) - --include-non-failures include successes, available with '--scanners misconfig' - --java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1]) - --license-confidence-level float specify license classifier's confidence level (default 0.9) - --license-full eagerly look for licenses in source code headers and license files - --list-all-pkgs output all packages in the JSON report regardless of vulnerability - --misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot]) - --module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules") - --no-progress suppress progress bar - --offline-scan do not issue API requests to identify dependencies - -o, --output string output file name - --output-plugin-arg string [EXPERIMENTAL] output plugin arguments - --parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5) - --password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons. - --password-stdin password from stdin. Comma-separated passwords are not supported. 
- --pkg-relationships strings list of package relationships (unknown,root,workspace,direct,indirect) (default [unknown,root,workspace,direct,indirect]) - --pkg-types strings list of package types (os,library) (default [os,library]) - --redis-ca string redis ca file location, if using redis as cache backend - --redis-cert string redis certificate file location, if using redis as cache backend - --redis-key string redis key file location, if using redis as cache backend - --redis-tls enable redis TLS with public certificates, if using redis as cache backend - --registry-token string registry token - --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev") - --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor) - --scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret]) - --secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml") - --server string server address in client mode - -s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL]) - --show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities - --skip-check-update skip fetching rego check updates - --skip-db-update skip updating vulnerability database - --skip-dirs strings specify the directories or glob patterns to skip - --skip-files strings specify the files or glob patterns to skip - --skip-java-db-update skip updating Java index database - --skip-vex-repo-update [EXPERIMENTAL] Skip VEX Repository update - --tag string pass the tag name to be scanned - -t, --template string output template - --tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules - --tf-vars strings specify paths to override the Terraform tfvars files - --token string for authentication in client/server mode - 
--token-header string specify a header name for token in client/server mode (default "Trivy-Token") - --trace enable more verbose trace output for custom queries - --username strings username. Comma-separated usernames allowed. - --vex strings [EXPERIMENTAL] VEX sources ("repo", "oci" or file path) + --branch string pass the branch name to be scanned + --cache-backend string [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "memory") + --cache-ttl duration cache TTL when using redis as cache backend + --cf-params strings specify paths to override the CloudFormation parameters files + --check-namespaces strings Rego namespaces + --checks-bundle-repositories strings OCI registry URL(s) to retrieve checks bundle from (default [mirror.gcr.io/aquasec/trivy-checks:1,ghcr.io/aquasecurity/trivy-checks:1]) + --commit string pass the commit hash to be scanned + --config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files + --config-data strings specify paths from which data for the Rego checks will be recursively loaded + --config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking + --custom-headers strings custom headers in client mode + --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2]) + --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages + --detection-priority string specify the detection priority: + - "precise": Prioritizes precise by minimizing false positives. + - "comprehensive": Aims to detect more security findings at the cost of potential false positives. 
+ (precise,comprehensive) (default "precise") + --download-db-only download/update vulnerability database but don't run a scan + --download-java-db-only download/update Java index database but don't run a scan + --enable-modules strings [EXPERIMENTAL] module names to enable + --exit-code int specify exit code when any security issues are found + --file-patterns strings specify config file patterns + -f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table") + --helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment) + --helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command. + --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) + --helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2) + --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) + --helm-values strings specify paths to override the Helm values.yaml files + -h, --help help for repository + --ignore-policy string specify the Rego file path to evaluate each vulnerability + --ignore-status strings comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life) + --ignore-unfixed display only fixed vulnerabilities + --ignored-licenses strings specify a list of license to ignore + --ignorefile string specify .trivyignore file (default ".trivyignore") + 
--include-deprecated-checks include deprecated checks + --include-dev-deps include development dependencies in the report (supported: npm, yarn) + --include-non-failures include successes, available with '--scanners misconfig' + --java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1]) + --license-confidence-level float specify license classifier's confidence level (default 0.9) + --license-full eagerly look for licenses in source code headers and license files + --list-all-pkgs output all packages in the JSON report regardless of vulnerability + --misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot]) + --module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules") + --no-progress suppress progress bar + --offline-scan do not issue API requests to identify dependencies + -o, --output string output file name + --output-plugin-arg string [EXPERIMENTAL] output plugin arguments + --parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5) + --password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons. + --password-stdin password from stdin. Comma-separated passwords are not supported. 
+ --pkg-relationships strings list of package relationships (unknown,root,workspace,direct,indirect) (default [unknown,root,workspace,direct,indirect]) + --pkg-types strings list of package types (os,library) (default [os,library]) + --redis-ca string redis ca file location, if using redis as cache backend + --redis-cert string redis certificate file location, if using redis as cache backend + --redis-key string redis key file location, if using redis as cache backend + --redis-tls enable redis TLS with public certificates, if using redis as cache backend + --registry-token string registry token + --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev") + --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor) + --scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret]) + --secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml") + --server string server address in client mode + -s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL]) + --show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities + --skip-check-update skip fetching rego check updates + --skip-db-update skip updating vulnerability database + --skip-dirs strings specify the directories or glob patterns to skip + --skip-files strings specify the files or glob patterns to skip + --skip-java-db-update skip updating Java index database + --skip-vex-repo-update [EXPERIMENTAL] Skip VEX Repository update + --tag string pass the tag name to be scanned + -t, --template string output template + --tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules + --tf-vars strings specify paths to override the Terraform tfvars files + --token string for authentication in client/server mode + 
--token-header string specify a header name for token in client/server mode (default "Trivy-Token") + --trace enable more verbose trace output for custom queries + --username strings username. Comma-separated usernames allowed. + --vex strings [EXPERIMENTAL] VEX sources ("repo", "oci" or file path) ``` ### Options inherited from parent commands diff --git a/docs/docs/references/configuration/cli/trivy_rootfs.md b/docs/docs/references/configuration/cli/trivy_rootfs.md index b84dcc5cd2c3..24ba896839d1 100644 --- a/docs/docs/references/configuration/cli/trivy_rootfs.md +++ b/docs/docs/references/configuration/cli/trivy_rootfs.md 
@@ -22,83 +22,83 @@ trivy rootfs [flags] ROOTDIR ### Options ``` - --cache-backend string [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "memory") - --cache-ttl duration cache TTL when using redis as cache backend - --cf-params strings specify paths to override the CloudFormation parameters files - --check-namespaces strings Rego namespaces - --checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "mirror.gcr.io/aquasec/trivy-checks:1") - --config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files - --config-data strings specify paths from which data for the Rego checks will be recursively loaded - --config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking - --custom-headers strings custom headers in client mode - --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2]) - --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages - --detection-priority string specify the detection priority: - - "precise": Prioritizes precise by minimizing false positives. - - "comprehensive": Aims to detect more security findings at the cost of potential false positives. 
- (precise,comprehensive) (default "precise") - --download-db-only download/update vulnerability database but don't run a scan - --download-java-db-only download/update Java index database but don't run a scan - --enable-modules strings [EXPERIMENTAL] module names to enable - --exit-code int specify exit code when any security issues are found - --exit-on-eol int exit with the specified code when the OS reaches end of service/life - --file-patterns strings specify config file patterns - -f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table") - --helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment) - --helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command. 
- --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) - --helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2) - --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) - --helm-values strings specify paths to override the Helm values.yaml files - -h, --help help for rootfs - --ignore-policy string specify the Rego file path to evaluate each vulnerability - --ignore-status strings comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life) - --ignore-unfixed display only fixed vulnerabilities - --ignored-licenses strings specify a list of license to ignore - --ignorefile string specify .trivyignore file (default ".trivyignore") - --include-deprecated-checks include deprecated checks - --include-non-failures include successes, available with '--scanners misconfig' - --java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1]) - --license-confidence-level float specify license classifier's confidence level (default 0.9) - --license-full eagerly look for licenses in source code headers and license files - --list-all-pkgs output all packages in the JSON report regardless of vulnerability - --misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot]) - --module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules") - --no-progress suppress progress bar - 
--offline-scan do not issue API requests to identify dependencies - -o, --output string output file name - --output-plugin-arg string [EXPERIMENTAL] output plugin arguments - --parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5) - --password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons. - --password-stdin password from stdin. Comma-separated passwords are not supported. - --pkg-relationships strings list of package relationships (unknown,root,workspace,direct,indirect) (default [unknown,root,workspace,direct,indirect]) - --pkg-types strings list of package types (os,library) (default [os,library]) - --redis-ca string redis ca file location, if using redis as cache backend - --redis-cert string redis certificate file location, if using redis as cache backend - --redis-key string redis key file location, if using redis as cache backend - --redis-tls enable redis TLS with public certificates, if using redis as cache backend - --registry-token string registry token - --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev") - --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor) - --scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret]) - --secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml") - --server string server address in client mode - -s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL]) - --show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities - --skip-check-update skip fetching rego check updates - --skip-db-update skip updating vulnerability database - --skip-dirs strings specify the directories or glob patterns to skip - --skip-files 
strings specify the files or glob patterns to skip - --skip-java-db-update skip updating Java index database - --skip-vex-repo-update [EXPERIMENTAL] Skip VEX Repository update - -t, --template string output template - --tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules - --tf-vars strings specify paths to override the Terraform tfvars files - --token string for authentication in client/server mode - --token-header string specify a header name for token in client/server mode (default "Trivy-Token") - --trace enable more verbose trace output for custom queries - --username strings username. Comma-separated usernames allowed. - --vex strings [EXPERIMENTAL] VEX sources ("repo", "oci" or file path) + --cache-backend string [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "memory") + --cache-ttl duration cache TTL when using redis as cache backend + --cf-params strings specify paths to override the CloudFormation parameters files + --check-namespaces strings Rego namespaces + --checks-bundle-repositories strings OCI registry URL(s) to retrieve checks bundle from (default [mirror.gcr.io/aquasec/trivy-checks:1,ghcr.io/aquasecurity/trivy-checks:1]) + --config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files + --config-data strings specify paths from which data for the Rego checks will be recursively loaded + --config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking + --custom-headers strings custom headers in client mode + --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2]) + --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages + --detection-priority string specify the detection 
priority: + - "precise": Prioritizes precise by minimizing false positives. + - "comprehensive": Aims to detect more security findings at the cost of potential false positives. + (precise,comprehensive) (default "precise") + --download-db-only download/update vulnerability database but don't run a scan + --download-java-db-only download/update Java index database but don't run a scan + --enable-modules strings [EXPERIMENTAL] module names to enable + --exit-code int specify exit code when any security issues are found + --exit-on-eol int exit with the specified code when the OS reaches end of service/life + --file-patterns strings specify config file patterns + -f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table") + --helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment) + --helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command. 
+ --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) + --helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2) + --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) + --helm-values strings specify paths to override the Helm values.yaml files + -h, --help help for rootfs + --ignore-policy string specify the Rego file path to evaluate each vulnerability + --ignore-status strings comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life) + --ignore-unfixed display only fixed vulnerabilities + --ignored-licenses strings specify a list of license to ignore + --ignorefile string specify .trivyignore file (default ".trivyignore") + --include-deprecated-checks include deprecated checks + --include-non-failures include successes, available with '--scanners misconfig' + --java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1]) + --license-confidence-level float specify license classifier's confidence level (default 0.9) + --license-full eagerly look for licenses in source code headers and license files + --list-all-pkgs output all packages in the JSON report regardless of vulnerability + --misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot]) + --module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules") + --no-progress suppress progress bar + 
--offline-scan do not issue API requests to identify dependencies + -o, --output string output file name + --output-plugin-arg string [EXPERIMENTAL] output plugin arguments + --parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5) + --password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons. + --password-stdin password from stdin. Comma-separated passwords are not supported. + --pkg-relationships strings list of package relationships (unknown,root,workspace,direct,indirect) (default [unknown,root,workspace,direct,indirect]) + --pkg-types strings list of package types (os,library) (default [os,library]) + --redis-ca string redis ca file location, if using redis as cache backend + --redis-cert string redis certificate file location, if using redis as cache backend + --redis-key string redis key file location, if using redis as cache backend + --redis-tls enable redis TLS with public certificates, if using redis as cache backend + --registry-token string registry token + --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev") + --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor) + --scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret]) + --secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml") + --server string server address in client mode + -s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL]) + --show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities + --skip-check-update skip fetching rego check updates + --skip-db-update skip updating vulnerability database + --skip-dirs strings specify the directories or glob patterns to skip + --skip-files 
strings specify the files or glob patterns to skip + --skip-java-db-update skip updating Java index database + --skip-vex-repo-update [EXPERIMENTAL] Skip VEX Repository update + -t, --template string output template + --tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules + --tf-vars strings specify paths to override the Terraform tfvars files + --token string for authentication in client/server mode + --token-header string specify a header name for token in client/server mode (default "Trivy-Token") + --trace enable more verbose trace output for custom queries + --username strings username. Comma-separated usernames allowed. + --vex strings [EXPERIMENTAL] VEX sources ("repo", "oci" or file path) ``` ### Options inherited from parent commands diff --git a/docs/docs/references/configuration/cli/trivy_vm.md b/docs/docs/references/configuration/cli/trivy_vm.md index 1074d878d866..abe433fae396 100644 --- a/docs/docs/references/configuration/cli/trivy_vm.md +++ b/docs/docs/references/configuration/cli/trivy_vm.md 
@@ -20,70 +20,70 @@ trivy vm [flags] VM_IMAGE ### Options ``` - --aws-region string AWS region to scan - --cache-backend string [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "fs") - --cache-ttl duration cache TTL when using redis as cache backend - --checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "mirror.gcr.io/aquasec/trivy-checks:1") - --compliance string compliance report to generate - --config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking - --custom-headers strings custom headers in client mode - --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2]) - --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages - --detection-priority string specify the detection priority: - - "precise": Prioritizes precise by minimizing false positives. - - "comprehensive": Aims to detect more security findings at the cost of potential false positives. - (precise,comprehensive) (default "precise") - --download-db-only download/update vulnerability database but don't run a scan - --download-java-db-only download/update Java index database but don't run a scan - --enable-modules strings [EXPERIMENTAL] module names to enable - --exit-code int specify exit code when any security issues are found - --exit-on-eol int exit with the specified code when the OS reaches end of service/life - --file-patterns strings specify config file patterns - -f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table") - --helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. 
(can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment) - --helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command. - --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) - --helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2) - --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) - --helm-values strings specify paths to override the Helm values.yaml files - -h, --help help for vm - --ignore-policy string specify the Rego file path to evaluate each vulnerability - --ignore-status strings comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life) - --ignore-unfixed display only fixed vulnerabilities - --ignorefile string specify .trivyignore file (default ".trivyignore") - --include-non-failures include successes, available with '--scanners misconfig' - --java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1]) - --list-all-pkgs output all packages in the JSON report regardless of vulnerability - --misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot]) - --module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules") - --no-progress suppress progress bar - --offline-scan do not issue API requests to identify 
dependencies - -o, --output string output file name - --output-plugin-arg string [EXPERIMENTAL] output plugin arguments - --parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5) - --pkg-relationships strings list of package relationships (unknown,root,workspace,direct,indirect) (default [unknown,root,workspace,direct,indirect]) - --pkg-types strings list of package types (os,library) (default [os,library]) - --redis-ca string redis ca file location, if using redis as cache backend - --redis-cert string redis certificate file location, if using redis as cache backend - --redis-key string redis key file location, if using redis as cache backend - --redis-tls enable redis TLS with public certificates, if using redis as cache backend - --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev") - --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor) - --scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret]) - --secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml") - --server string server address in client mode - -s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL]) - --show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities - --skip-db-update skip updating vulnerability database - --skip-dirs strings specify the directories or glob patterns to skip - --skip-files strings specify the files or glob patterns to skip - --skip-java-db-update skip updating Java index database - --skip-vex-repo-update [EXPERIMENTAL] Skip VEX Repository update - -t, --template string output template - --tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules - --token string for authentication in 
client/server mode - --token-header string specify a header name for token in client/server mode (default "Trivy-Token") - --vex strings [EXPERIMENTAL] VEX sources ("repo", "oci" or file path) + --aws-region string AWS region to scan + --cache-backend string [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "fs") + --cache-ttl duration cache TTL when using redis as cache backend + --checks-bundle-repositories strings OCI registry URL(s) to retrieve checks bundle from (default [mirror.gcr.io/aquasec/trivy-checks:1,ghcr.io/aquasecurity/trivy-checks:1]) + --compliance string compliance report to generate + --config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking + --custom-headers strings custom headers in client mode + --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2]) + --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages + --detection-priority string specify the detection priority: + - "precise": Prioritizes precise by minimizing false positives. + - "comprehensive": Aims to detect more security findings at the cost of potential false positives. 
+ (precise,comprehensive) (default "precise") + --download-db-only download/update vulnerability database but don't run a scan + --download-java-db-only download/update Java index database but don't run a scan + --enable-modules strings [EXPERIMENTAL] module names to enable + --exit-code int specify exit code when any security issues are found + --exit-on-eol int exit with the specified code when the OS reaches end of service/life + --file-patterns strings specify config file patterns + -f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table") + --helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment) + --helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command. 
+ --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) + --helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2) + --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) + --helm-values strings specify paths to override the Helm values.yaml files + -h, --help help for vm + --ignore-policy string specify the Rego file path to evaluate each vulnerability + --ignore-status strings comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life) + --ignore-unfixed display only fixed vulnerabilities + --ignorefile string specify .trivyignore file (default ".trivyignore") + --include-non-failures include successes, available with '--scanners misconfig' + --java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1]) + --list-all-pkgs output all packages in the JSON report regardless of vulnerability + --misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot]) + --module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules") + --no-progress suppress progress bar + --offline-scan do not issue API requests to identify dependencies + -o, --output string output file name + --output-plugin-arg string [EXPERIMENTAL] output plugin arguments + --parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5) + --pkg-relationships strings 
list of package relationships (unknown,root,workspace,direct,indirect) (default [unknown,root,workspace,direct,indirect]) + --pkg-types strings list of package types (os,library) (default [os,library]) + --redis-ca string redis ca file location, if using redis as cache backend + --redis-cert string redis certificate file location, if using redis as cache backend + --redis-key string redis key file location, if using redis as cache backend + --redis-tls enable redis TLS with public certificates, if using redis as cache backend + --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev") + --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor) + --scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret]) + --secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml") + --server string server address in client mode + -s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL]) + --show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities + --skip-db-update skip updating vulnerability database + --skip-dirs strings specify the directories or glob patterns to skip + --skip-files strings specify the files or glob patterns to skip + --skip-java-db-update skip updating Java index database + --skip-vex-repo-update [EXPERIMENTAL] Skip VEX Repository update + -t, --template string output template + --tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules + --token string for authentication in client/server mode + --token-header string specify a header name for token in client/server mode (default "Trivy-Token") + --vex strings [EXPERIMENTAL] VEX sources ("repo", "oci" or file path) ``` ### Options inherited from parent commands 
diff --git a/docs/docs/references/configuration/config-file.md b/docs/docs/references/configuration/config-file.md
index 365d2e5a57a9..3f9dbe54183b 100644
--- a/docs/docs/references/configuration/config-file.md
+++ b/docs/docs/references/configuration/config-file.md
@@ -374,8 +374,10 @@ license:
 ```yaml
 misconfiguration:
- # Same as '--checks-bundle-repository'
- checks-bundle-repository: "mirror.gcr.io/aquasec/trivy-checks:1"
+ # Same as '--checks-bundle-repositories'
+ checks-bundle-repositories:
+ - mirror.gcr.io/aquasec/trivy-checks:1
+ - ghcr.io/aquasecurity/trivy-checks:1
 cloudformation:
 # Same as '--cf-params'
diff --git a/pkg/commands/artifact/run.go b/pkg/commands/artifact/run.go
index 798838259ed2..ac41a0d35dda 100644
--- a/pkg/commands/artifact/run.go
+++ b/pkg/commands/artifact/run.go
@@ -646,7 +646,7 @@ func initMisconfScannerOption(ctx context.Context, opts flag.Options) (misconf.S
 var downloadedPolicyPaths []string
 var disableEmbedded bool
- downloadedPolicyPaths, err := operation.InitBuiltinChecks(ctx, opts.CacheDir, opts.Quiet, opts.SkipCheckUpdate, opts.MisconfOptions.ChecksBundleRepository, opts.RegistryOpts())
+ downloadedPolicyPaths, err := operation.InitBuiltinChecks(ctx, opts.CacheDir, opts.Quiet, opts.SkipCheckUpdate, opts.MisconfOptions.ChecksBundleRepositories, opts.RegistryOpts())
 if err != nil {
 if !opts.SkipCheckUpdate {
 log.ErrorContext(ctx, "Falling back to embedded checks", log.Err(err))
diff --git a/pkg/commands/clean/run.go b/pkg/commands/clean/run.go
index 8dd83519422f..479d327f2c03 100644
--- a/pkg/commands/clean/run.go
+++ b/pkg/commands/clean/run.go
@@ -96,7 +96,7 @@ func cleanJavaDB(ctx context.Context, opts flag.Options) error {
 func cleanCheckBundle(opts flag.Options) error {
 log.Info("Removing check bundle...")
- c, err := policy.NewClient(opts.CacheDir, true, opts.MisconfOptions.ChecksBundleRepository)
+ c, err := policy.NewClient(opts.CacheDir, true, opts.MisconfOptions.ChecksBundleRepositories)
 if err != nil {
 return xerrors.Errorf("failed to instantiate check client: %w", err)
 }
diff --git a/pkg/commands/operation/operation.go b/pkg/commands/operation/operation.go
index ac52eee7fb1e..bb001fffa645 100644
--- a/pkg/commands/operation/operation.go
+++ b/pkg/commands/operation/operation.go
@@ -78,11 +78,11 @@ func DownloadVEXRepositories(ctx context.Context, opts flag.Options) error {
 }
 // InitBuiltinChecks downloads the built-in policies and loads them
-func InitBuiltinChecks(ctx context.Context, cacheDir string, quiet, skipUpdate bool, checkBundleRepository string, registryOpts ftypes.RegistryOptions) ([]string, error) {
+func InitBuiltinChecks(ctx context.Context, cacheDir string, quiet, skipUpdate bool, checkBundleRepositories []string, registryOpts ftypes.RegistryOptions) ([]string, error) {
 mu.Lock()
 defer mu.Unlock()
- client, err := policy.NewClient(cacheDir, quiet, checkBundleRepository)
+ client, err := policy.NewClient(cacheDir, quiet, checkBundleRepositories)
 if err != nil {
 return nil, xerrors.Errorf("check client error: %w", err)
 }
diff --git a/pkg/flag/misconf_flags.go b/pkg/flag/misconf_flags.go
index 421e9c899285..105090171fea 100644
--- a/pkg/flag/misconf_flags.go
+++ b/pkg/flag/misconf_flags.go
@@ -1,8 +1,6 @@
 package flag
 import (
- "fmt"
- "github.com/samber/lo"
 "github.com/aquasecurity/trivy/pkg/fanal/analyzer"
@@ -82,17 +80,21 @@ var (
 ConfigName: "misconfiguration.terraform.exclude-downloaded-modules",
 Usage: "exclude misconfigurations for downloaded terraform modules",
 }
- ChecksBundleRepositoryFlag = Flag[string]{
- Name: "checks-bundle-repository",
- ConfigName: "misconfiguration.checks-bundle-repository",
- Default: fmt.Sprintf("%s:%d", policy.BundleRepository, policy.BundleVersion),
- Usage: "OCI registry URL to retrieve checks bundle from",
+ ChecksBundleRepositoriesFlag = Flag[[]string]{
+ Name: "checks-bundle-repositories",
+ ConfigName: "misconfiguration.checks-bundle-repositories",
+ Default: policy.BundleRepositories,
+ Usage: "OCI registry URL(s) to retrieve checks bundle from",
 Aliases: []Alias{
 {
 Name: "policy-bundle-repository",
 ConfigName: "misconfiguration.policy-bundle-repository",
 Deprecated: true,
 },
+ {
+ Name: "checks-bundle-repository",
+ ConfigName: "misconfiguration.checks-bundle-repository",
+ },
 },
 }
 MisconfigScannersFlag = Flag[[]string]{
@@ -112,9 +114,9 @@ var (
 // MisconfFlagGroup composes common printer flag structs used for commands providing misconfiguration scanning.
 type MisconfFlagGroup struct {
- IncludeNonFailures *Flag[bool]
- ResetChecksBundle *Flag[bool]
- ChecksBundleRepository *Flag[string]
+ IncludeNonFailures *Flag[bool]
+ ResetChecksBundle *Flag[bool]
+ ChecksBundleRepositories *Flag[[]string]
 // Values Files
 HelmValues *Flag[[]string]
@@ -131,9 +133,9 @@ type MisconfFlagGroup struct {
 }
 type MisconfOptions struct {
- IncludeNonFailures bool
- ResetChecksBundle bool
- ChecksBundleRepository string
+ IncludeNonFailures bool
+ ResetChecksBundle bool
+ ChecksBundleRepositories []string
 // Values Files
 HelmValues []string
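Review bot: The new `checks-bundle-repository` alias in ChecksBundleRepositoriesFlag carries no `Deprecated: true`, unlike the `policy-bundle-repository` alias right above it, so the help output and the config key `misconfiguration.checks-bundle-repository` keep advertising the singular name for what is now a list-valued flag. If the alias exists only so existing invocations keep working, add `Deprecated: true,` to that entry so users are steered to `checks-bundle-repositories`. The Usage text could also say that order matters, since the download in pkg/policy falls through the list in order: `Usage: "OCI registry URL(s) to retrieve checks bundle from (tried in order)"`.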
@@ -151,9 +153,9 @@ type MisconfOptions struct {
 func NewMisconfFlagGroup() *MisconfFlagGroup {
 return &MisconfFlagGroup{
- IncludeNonFailures: IncludeNonFailuresFlag.Clone(),
- ResetChecksBundle: ResetChecksBundleFlag.Clone(),
- ChecksBundleRepository: ChecksBundleRepositoryFlag.Clone(),
+ IncludeNonFailures: IncludeNonFailuresFlag.Clone(),
+ ResetChecksBundle: ResetChecksBundleFlag.Clone(),
+ ChecksBundleRepositories: ChecksBundleRepositoriesFlag.Clone(),
 HelmValues: HelmSetFlag.Clone(),
 HelmFileValues: HelmSetFileFlag.Clone(),
@@ -177,7 +179,7 @@ func (f *MisconfFlagGroup) Flags() []Flagger {
 return []Flagger{
 f.IncludeNonFailures,
 f.ResetChecksBundle,
- f.ChecksBundleRepository,
+ f.ChecksBundleRepositories,
 f.HelmValues,
 f.HelmValueFiles,
 f.HelmFileValues,
@@ -198,19 +200,19 @@ func (f *MisconfFlagGroup) ToOptions() (MisconfOptions, error) {
 }
 return MisconfOptions{
- IncludeNonFailures: f.IncludeNonFailures.Value(),
- ResetChecksBundle: f.ResetChecksBundle.Value(),
- ChecksBundleRepository: f.ChecksBundleRepository.Value(),
- HelmValues: f.HelmValues.Value(),
- HelmValueFiles: f.HelmValueFiles.Value(),
- HelmFileValues: f.HelmFileValues.Value(),
- HelmStringValues: f.HelmStringValues.Value(),
- HelmAPIVersions: f.HelmAPIVersions.Value(),
- HelmKubeVersion: f.HelmKubeVersion.Value(),
- TerraformTFVars: f.TerraformTFVars.Value(),
- CloudFormationParamVars: f.CloudformationParamVars.Value(),
- TfExcludeDownloaded: f.TerraformExcludeDownloaded.Value(),
- MisconfigScanners: xstrings.ToTSlice[analyzer.Type](f.MisconfigScanners.Value()),
- ConfigFileSchemas: f.ConfigFileSchemas.Value(),
+ IncludeNonFailures: f.IncludeNonFailures.Value(),
+ ResetChecksBundle: f.ResetChecksBundle.Value(),
+ ChecksBundleRepositories: f.ChecksBundleRepositories.Value(),
+ HelmValues: f.HelmValues.Value(),
+ HelmValueFiles: f.HelmValueFiles.Value(),
+ HelmFileValues: f.HelmFileValues.Value(),
+ HelmStringValues: f.HelmStringValues.Value(),
+ HelmAPIVersions: f.HelmAPIVersions.Value(),
+ HelmKubeVersion: f.HelmKubeVersion.Value(),
+ TerraformTFVars: f.TerraformTFVars.Value(),
+ CloudFormationParamVars: f.CloudformationParamVars.Value(),
+ TfExcludeDownloaded: f.TerraformExcludeDownloaded.Value(),
+ MisconfigScanners: xstrings.ToTSlice[analyzer.Type](f.MisconfigScanners.Value()),
+ ConfigFileSchemas: f.ConfigFileSchemas.Value(),
 }, nil
 }
diff --git a/pkg/k8s/commands/cluster.go b/pkg/k8s/commands/cluster.go
index 11dd5e0d3a00..3873ddf89437 100644
--- a/pkg/k8s/commands/cluster.go
+++ b/pkg/k8s/commands/cluster.go
@@ -69,7 +69,7 @@ func nodeCollectorOptions(ctx context.Context, opts flag.Options) []trivyk8s.Nod
 ctx = log.WithContextPrefix(ctx, log.PrefixMisconfiguration)
 contentPath, err := operation.InitBuiltinChecks(ctx, opts.CacheDir, opts.Quiet, opts.SkipCheckUpdate,
- opts.MisconfOptions.ChecksBundleRepository, opts.RegistryOpts())
+ opts.MisconfOptions.ChecksBundleRepositories, opts.RegistryOpts())
 if err != nil {
 log.Error("Falling back to embedded checks", log.Err(err))
 nodeCollectorOptions = append(nodeCollectorOptions,
diff --git a/pkg/policy/policy.go b/pkg/policy/policy.go
index 6b1d175e3115..8010739ef95f 100644
--- a/pkg/policy/policy.go
+++ b/pkg/policy/policy.go
@@ -18,10 +18,16 @@ import (
 )
 const (
- BundleVersion = 1 // Latest released MAJOR version for trivy-checks
- BundleRepository = "mirror.gcr.io/aquasec/trivy-checks"
- policyMediaType = "application/vnd.cncf.openpolicyagent.layer.v1.tar+gzip"
- updateInterval = 24 * time.Hour
+ BundleVersion = 1 // Latest released MAJOR version for trivy-checks
+ policyMediaType = "application/vnd.cncf.openpolicyagent.layer.v1.tar+gzip"
+ updateInterval = 24 * time.Hour
+)
+
+var (
+ BundleRepositories = []string{
+ fmt.Sprintf("%s:%d", "mirror.gcr.io/aquasec/trivy-checks", BundleVersion), // primary
+ fmt.Sprintf("%s:%d", "ghcr.io/aquasecurity/trivy-checks", BundleVersion), // secondary
+ }
 )
 type options struct {
@@ -49,9 +55,9 @@ type Option func(*options)
 // Client implements check operations
 type Client struct {
 *options
- policyDir string
- checkBundleRepo string
- quiet bool
+ policyDir string
+ checkBundleRepos []string
+ quiet bool
 }
 // Metadata holds default check metadata
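Review bot: `BundleRepositories` is a new exported identifier without a doc comment; the `// primary` / `// secondary` trailers on its entries do not say that the slice order is the fallback order NewClient and DownloadBuiltinChecks rely on. A comment such as `// BundleRepositories lists the OCI repositories the check bundle is pulled from, in fallback order; it is the default when NewClient is given no repositories.` would carry that contract, and since whichever entry succeeds supplies the checks that are then evaluated, it is worth stating that every entry is trusted equally. Being a package-level `var` rather than a `const`, the slice can also be modified by importers and, in the NewClient hunk, is assigned to the client without a copy; `slices.Clone(BundleRepositories)` at that assignment would keep the default effectively immutable. Keeping the two repository paths as named constants, as `BundleRepository` was, instead of inline literals inside `fmt.Sprintf` would also read better.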
@@ -68,7 +74,7 @@ func (m Metadata) String() string {
 }
 // NewClient is the factory method for check client
-func NewClient(cacheDir string, quiet bool, checkBundleRepo string, opts ...Option) (*Client, error) {
+func NewClient(cacheDir string, quiet bool, checkBundleRepos []string, opts ...Option) (*Client, error) {
 o := &options{
 clock: clock.RealClock{},
 }
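Review bot: The doc comment on NewClient still reads `// NewClient is the factory method for check client` and says nothing about the new `checkBundleRepos` parameter, whose empty value selects the package default and whose order is the order the registries are tried in. I would extend it to `// NewClient is the factory method for check client. checkBundleRepos are tried in the given order when the bundle is downloaded; an empty list selects BundleRepositories.` The defaulting itself happens in the next hunk, outside this one.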
@@ -77,47 +83,72 @@ func NewClient(cacheDir string, quiet bool, checkBundleRepo string, opts ...Opti
 opt(o)
 }
- if checkBundleRepo == "" {
- checkBundleRepo = fmt.Sprintf("%s:%d", BundleRepository, BundleVersion)
+ if len(checkBundleRepos) == 0 {
+ checkBundleRepos = BundleRepositories
 }
 return &Client{
- options: o,
- policyDir: filepath.Join(cacheDir, "policy"),
- checkBundleRepo: checkBundleRepo,
- quiet: quiet,
+ options: o,
+ policyDir: filepath.Join(cacheDir, "policy"),
+ checkBundleRepos: checkBundleRepos,
+ quiet: quiet,
 }, nil
 }
-func (c *Client) populateOCIArtifact(ctx context.Context, registryOpts types.RegistryOptions) {
+func (c *Client) populateOCIArtifact(ctx context.Context, repo string, registryOpts types.RegistryOptions) {
 if c.artifact == nil {
- log.DebugContext(ctx, "Loading check bundle", log.String("repository", c.checkBundleRepo))
- c.artifact = oci.NewArtifact(c.checkBundleRepo, registryOpts)
+ if repo == "" {
+ repo = c.checkBundleRepos[0]
+ }
+ log.DebugContext(ctx, "Loading check bundle", log.String("repo", repo))
+ c.artifact = oci.NewArtifact(repo, registryOpts)
 }
 }
-// DownloadBuiltinChecks download default policies from GitHub Pages
+// DownloadBuiltinChecks download default policies from OCI registry
 func (c *Client) DownloadBuiltinChecks(ctx context.Context, registryOpts types.RegistryOptions) error {
- c.populateOCIArtifact(ctx, registryOpts)
-
- dst := c.contentDir()
- if err := c.artifact.Download(ctx, dst, oci.DownloadOption{
- MediaType: policyMediaType,
- Quiet: c.quiet,
- },
- ); err != nil {
- return xerrors.Errorf("download error: %w", err)
- }
-
- digest, err := c.artifact.Digest(ctx)
- if err != nil {
- return xerrors.Errorf("digest error: %w", err)
- }
- log.DebugContext(ctx, "Digest of the built-in checks", log.String("digest", digest))
-
- // Update metadata.json with the new digest and the current date
- if err = c.updateMetadata(digest, c.clock.Now()); err != nil {
- return xerrors.Errorf("unable to update the check metadata: %w", err)
+ oldart := c.artifact
+
+ for i, repo := range c.checkBundleRepos {
+ c.populateOCIArtifact(ctx, repo, registryOpts)
+
+ dst := c.contentDir()
+ if err := c.artifact.Download(ctx, dst, oci.DownloadOption{
+ MediaType: policyMediaType,
+ Quiet: c.quiet,
+ },
+ ); err != nil {
+ if i == len(c.checkBundleRepos)-1 {
+ return xerrors.Errorf("download error: %w", err)
+ }
+ log.ErrorContext(ctx, "Failed to download checks bundle", log.String("repo", repo), log.Err(err))
+ c.artifact = oldart
+ continue
+ }
+
+ digest, err := c.artifact.Digest(ctx)
+ if err != nil {
+ if i == len(c.checkBundleRepos)-1 {
+ return xerrors.Errorf("digest error: %w", err)
+ }
+ log.ErrorContext(ctx, "Failed to get digest for check bundle", log.String("repo", repo), log.Err(err))
+ c.artifact = oldart
+ continue
+ }
+ log.DebugContext(ctx, "Digest of the built-in checks", log.String("digest", digest))
+
+ // Update metadata.json with the new digest and the current date
+ if err = c.updateMetadata(digest, c.clock.Now()); err != nil {
+ if i == len(c.checkBundleRepos)-1 {
+ return xerrors.Errorf("unable to update the check metadata: %w", err)
+ }
+ log.ErrorContext(ctx, "Failed to update metadata", log.String("digest", digest), log.Err(err))
+ c.artifact = oldart
+ continue
+ }
+
+ log.DebugContext(ctx, "Successfully loaded check bundle", log.String("repo", repo), log.String("digest", digest))
+ break
 }
 return nil
@@ -162,7 +193,7 @@ func (c *Client) NeedsUpdate(ctx context.Context, registryOpts types.RegistryOpt
 return false, nil
 }
- c.populateOCIArtifact(ctx, registryOpts)
+ c.populateOCIArtifact(ctx, "", registryOpts)
 digest, err := c.artifact.Digest(ctx)
 if err != nil {
 return false, xerrors.Errorf("digest error: %w", err)
diff --git a/pkg/policy/policy_test.go b/pkg/policy/policy_test.go
index 4752fa4ce7fc..afc900db31ac 100644
--- a/pkg/policy/policy_test.go
+++ b/pkg/policy/policy_test.go
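Review bot: The three failure branches in the new loop in DownloadBuiltinChecks repeat the same `if i == len(c.checkBundleRepos)-1 { return … }`, log, `c.artifact = oldart`, `continue` sequence, and the error that finally reaches the caller wraps only the last repository's failure, so the reason the primary was skipped survives only in the log. Retrying the next registry when `updateMetadata` fails is also questionable: that write goes to metadata.json under the cache directory, so downloading the same bundle again from another registry is unlikely to fix it, and returning that error directly is clearer. I would move the download-and-digest step into a helper, keep the loop to collecting per-repository errors, and return them joined when every repository failed, as sketched below (`errors.Join` needs Go 1.20 and the `errors` import; tests that compare the full error string would need their `wantErr` adjusted). DownloadBuiltinChecks' closing brace lies outside the hunk, and contentDir and updateMetadata are defined elsewhere in the file.
```go
func (c *Client) DownloadBuiltinChecks(ctx context.Context, registryOpts types.RegistryOptions) error {
	oldart := c.artifact

	var errs []error
	for _, repo := range c.checkBundleRepos {
		c.populateOCIArtifact(ctx, repo, registryOpts)
		digest, err := c.downloadArtifact(ctx)
		if err != nil {
			log.ErrorContext(ctx, "Failed to load check bundle", log.String("repo", repo), log.Err(err))
			errs = append(errs, xerrors.Errorf("%s: %w", repo, err))
			c.artifact = oldart // let the next iteration build an artifact for its own repo
			continue
		}

		// Update metadata.json with the new digest and the current date.
		// This write is local to the cache dir, so another registry cannot help if it fails.
		if err = c.updateMetadata(digest, c.clock.Now()); err != nil {
			return xerrors.Errorf("unable to update the check metadata: %w", err)
		}
		log.DebugContext(ctx, "Successfully loaded check bundle", log.String("repo", repo), log.String("digest", digest))
		return nil
	}
	return xerrors.Errorf("no check bundle repository could be loaded: %w", errors.Join(errs...))
}

// downloadArtifact pulls the bundle through c.artifact into the content dir and returns its digest.
func (c *Client) downloadArtifact(ctx context.Context) (string, error) {
	if err := c.artifact.Download(ctx, c.contentDir(), oci.DownloadOption{
		MediaType: policyMediaType,
		Quiet:     c.quiet,
	}); err != nil {
		return "", xerrors.Errorf("download error: %w", err)
	}
	digest, err := c.artifact.Digest(ctx)
	if err != nil {
		return "", xerrors.Errorf("digest error: %w", err)
	}
	log.DebugContext(ctx, "Digest of the built-in checks", log.String("digest", digest))
	return digest, nil
}
```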
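Review bot: NeedsUpdate now compares the stored metadata digest against the artifact of `c.checkBundleRepos[0]`, because the empty repo argument resolves to the first entry inside populateOCIArtifact, while DownloadBuiltinChecks may have recorded the digest of whichever later repository succeeded. When the primary registry is unreachable the update check therefore returns `digest error` instead of falling back like the download does, and if the two registries ever serve different digests the client could re-download on every run. Recording the repository the bundle came from in the metadata, or comparing against that repository rather than always the first, would keep the two paths consistent; a comment on the `populateOCIArtifact(ctx, "", registryOpts)` call stating that it deliberately checks only the primary would at least make the current behaviour explicit. NeedsUpdate's body starts outside this hunk.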
@@ -117,7 +117,7 @@ func TestClient_LoadBuiltinPolicies(t *testing.T) {
 // Mock OCI artifact
 art := oci.NewArtifact("repo", ftypes.RegistryOptions{}, oci.WithImage(img))
- c, err := policy.NewClient(tt.cacheDir, true, "", policy.WithOCIArtifact(art))
+ c, err := policy.NewClient(tt.cacheDir, true, nil, policy.WithOCIArtifact(art))
 require.NoError(t, err)
 got, err := c.LoadBuiltinChecks()
@@ -256,7 +256,7 @@ func TestClient_NeedsUpdate(t *testing.T) {
 }
 art := oci.NewArtifact("repo", ftypes.RegistryOptions{}, oci.WithImage(img))
- c, err := policy.NewClient(tmpDir, true, "", policy.WithOCIArtifact(art), policy.WithClock(tt.clock))
+ c, err := policy.NewClient(tmpDir, true, nil, policy.WithOCIArtifact(art), policy.WithClock(tt.clock))
 require.NoError(t, err)
 // Assert results
@@ -272,17 +272,23 @@ func TestClient_DownloadBuiltinPolicies(t *testing.T) {
 h v1.Hash
 err error
 }
+ type digestReturnsOnCall map[int]struct {
+ h v1.Hash
+ err error
+ }
 type layersReturns struct {
 layers []v1.Layer
 err error
 }
 tests := []struct {
- name string
- clock clock.Clock
- layersReturns layersReturns
- digestReturns digestReturns
- want *policy.Metadata
- wantErr string
+ name string
+ clock clock.Clock
+ repos []string
+ layersReturns layersReturns
+ digestReturns digestReturns
+ digestReturnsOnCall digestReturnsOnCall
+ want *policy.Metadata
+ wantErr string
 }{
 {
 name: "happy path",
@@ -290,6 +296,7 @@ func TestClient_DownloadBuiltinPolicies(t *testing.T) {
 layersReturns: layersReturns{
 layers: []v1.Layer{newFakeLayer(t)},
 },
+ repos: []string{"repo0"},
 digestReturns: digestReturns{
 h: v1.Hash{
 Algorithm: "sha256",
@@ -301,6 +308,31 @@ func TestClient_DownloadBuiltinPolicies(t *testing.T) {
 DownloadedAt: time.Date(2021, 1, 1, 1, 0, 0, 0, time.UTC),
 },
 },
+ {
+ name: "mixed path, first repo fails, second succeeds",
+ clock: fake.NewFakeClock(time.Date(2021, 1, 1, 1, 0, 0, 0, time.UTC)),
+ layersReturns: layersReturns{
+ layers: []v1.Layer{newFakeLayer(t)},
+ },
+ repos: []string{"repo0", "repo1"},
+ digestReturnsOnCall: digestReturnsOnCall{
+ 0: struct {
+ h v1.Hash
+ err error
+ }{err: fmt.Errorf("error")},
+ 1: struct {
+ h v1.Hash
+ err error
+ }{h: v1.Hash{
+ Algorithm: "sha256",
+ Hex: "01e033e78bd8a59fa4f4577215e7da06c05e1152526094d8d79d2aa06e98cb9d",
+ }},
+ },
+ want: &policy.Metadata{
+ Digest: "sha256:01e033e78bd8a59fa4f4577215e7da06c05e1152526094d8d79d2aa06e98cb9d",
+ DownloadedAt: time.Date(2021, 1, 1, 1, 0, 0, 0, time.UTC),
+ },
+ },
 {
 name: "sad: broken layer",
 clock: fake.NewFakeClock(time.Date(2021, 1, 1, 1, 0, 0, 0, time.UTC)),
@@ -340,6 +372,12 @@ func TestClient_DownloadBuiltinPolicies(t *testing.T) {
 img := new(fakei.FakeImage)
 img.DigestReturns(tt.digestReturns.h, tt.digestReturns.err)
 img.LayersReturns(tt.layersReturns.layers, tt.layersReturns.err)
+
+ if len(tt.digestReturnsOnCall) > 0 {
+ img.DigestReturnsOnCall(0, tt.digestReturnsOnCall[0].h, tt.digestReturnsOnCall[0].err)
+ img.DigestReturnsOnCall(1, tt.digestReturnsOnCall[1].h, tt.digestReturnsOnCall[1].err)
+ }
+
 img.ManifestReturns(&v1.Manifest{
 Layers: []v1.Descriptor{
 {
@@ -358,7 +396,7 @@ func TestClient_DownloadBuiltinPolicies(t *testing.T) {
 // Mock OCI artifact
 art := oci.NewArtifact("repo", ftypes.RegistryOptions{}, oci.WithImage(img))
- c, err := policy.NewClient(tempDir, true, "", policy.WithClock(tt.clock), policy.WithOCIArtifact(art))
+ c, err := policy.NewClient(tempDir, true, tt.repos, policy.WithClock(tt.clock), policy.WithOCIArtifact(art))
 require.NoError(t, err)
 err = c.DownloadBuiltinChecks(context.Background(), ftypes.RegistryOptions{})
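Review bot: The `digestReturnsOnCall` wiring in the `@@ -340` hunk hardcodes call indices 0 and 1, so a case that lists three repositories or fails on a later call would silently configure only the first two mocks; ranging over the map keeps the fixture honest: `for i, r := range tt.digestReturnsOnCall { img.DigestReturnsOnCall(i, r.h, r.err) }`. Since every case injects the same `art` through `WithOCIArtifact`, the "mixed path" case exercises the retry loop but not the construction of a separate artifact for `repo1`; that seems acceptable for a unit test but deserves a one-line comment on that case, e.g. `// the same fake artifact serves both repos; the fallback is driven by the per-call digest results`. The table and the test function start outside these hunks.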
@@ -388,7 +426,7 @@ func TestClient_Clear(t *testing.T) {
 err := os.MkdirAll(filepath.Join(cacheDir, "policy"), 0755)
 require.NoError(t, err)
- c, err := policy.NewClient(cacheDir, true, "")
+ c, err := policy.NewClient(cacheDir, true, nil)
 require.NoError(t, err)
 require.NoError(t, c.Clear())
 }
diff --git a/pkg/version/version.go b/pkg/version/version.go
index 17da77a2a1bd..d12571d1a0bd 100644
--- a/pkg/version/version.go
+++ b/pkg/version/version.go
@@ -76,7 +76,7 @@ func NewVersionInfo(cacheDir string) VersionInfo {
 }
 var pbMeta *policy.Metadata
- pc, err := policy.NewClient(cacheDir, false, "")
+ pc, err := policy.NewClient(cacheDir, false, nil)
 if err != nil {
 log.Debug("Failed to instantiate policy client", log.Err(err))
 }