Custom Policies

    As for --namespaces option, the detail is described as below.

    If a file name matches the following file patterns, Trivy will parse the file and pass it as input to your Rego policy.

    Configuration languages

    In the above general file formats, Trivy automatically identifies the following types of configuration files:

    • Ansible (YAML)
    • CloudFormation (JSON/YAML)
    • Kubernetes (JSON/YAML)

    This is useful for filtering inputs, as described below.

    Warning

    Custom policies do not support Terraform at the moment.

    Rego format

    A single package must contain only one policy.

    Example

    1. package user.kubernetes.ID001
    3. __rego_metadata__ := {
    4.     "id": "ID001",
    5.     "title": "Deployment not allowed",
    6.     "severity": "LOW",
    7.     "description": "Deployments are not allowed because of some reasons.",
    8. }
    10. __rego_input__ := {
    11.     "selector": [
    12.         {"type": "kubernetes"},
    13.     ],
    14. }
    16. deny[msg] {
    17.     input.kind == "Deployment"
    18.     msg = sprintf("Found deployment '%s' but deployments are not allowed", [input.metadata.name])

    In this example, ID001 “Deployment not allowed” is defined under user.kubernetes.ID001. If you add a new custom policy, it must be defined under a new package like user.kubernetes.ID002.

    • MUST follow the Rego’s specification
    • MUST be unique per policy
    • SHOULD include policy id for uniqueness
    • MAY include the group name such as kubernetes for clarity

    __rego_metadata__ (optional)

    • SHOULD be defined for clarity since these values will be displayed in the scan results

    __rego_input__ (optional)

    • MAY be defined when you want to specify input format

    deny (required)

    • SHOULD be deny or start with deny_
      • Although warn, warn_*, violation, violation_ also work for compatibility, deny is recommended as severity can be defined in __rego_metadata__.
    • SHOULD return string
      • Although object with msg field is accepted, other fields are dropped and string is recommended.
      • e.g. {"msg": "deny message", "details": "something"}

    Package

    A package name must be unique per policy.

    Example

    By default, only appshield.* packages will be evaluated. If you define custom packages, you have to specify the package prefix via --namespaces option.

    1. trivy conf --policy /path/to/custom_policies --namespaces user /path/to/config_dir

    In this case, user.* will be evaluated. Any package prefixes such as main and user are allowed.

    Metadata helps enrich Trivy’s scan results with useful information.

    Example

    Field nameAllowed valuesDefault valueIn tableIn JSON
    idAny charactersN/AOverview - 图2
    titleAny charactersN/AOverview - 图4
    severityLOW, MEDIUM, HIGH, CRITICALUNKNOWNOverview - 图6
    typeAny charactersN/AOverview - 图8
    descriptionAny charactersOverview - 图10
    recommended_actionsAny charactersOverview - 图12
    urlAny charactersOverview - 图14

    Some fields are displayed in scan results.

    2. ============================
    3. Tests: 28 (SUCCESSES: 14, FAILURES: 14, EXCEPTIONS: 0)
    4. Failures: 14 (HIGH: 1)
    6. +---------------------------+------------+-------------------------------------+----------+------------------------------------------+
    7. |           TYPE            | MISCONF ID |                CHECK                | SEVERITY |                 MESSAGE                  |
    8. +---------------------------+------------+-------------------------------------+----------+------------------------------------------+
    9. | Custom Kubernetes Check   |   ID001    | Deployment not allowed              |   LOW    | Found deployment 'test' but deployments  |
    10. +---------------------------+------------+-------------------------------------+----------+------------------------------------------+

    Input

    You can specify input format via __rego_input__. All fields under __rego_input are optional.

    Example

    combine (boolean)

    The details is .

    selector (array)

    This option filters the input by file formats or configuration languages. In the above example, Trivy passes only Kubernetes files to this policy. Even if Dockerfile exists in the specified directory, it will not be passed to the policy as input.

    When configuration language such as Kubernetes is not identified, file format such as JSON will be used as type. When configuration language is identified, it will overwrite type.

    Example

    type accepts kubernetes, dockerfile, ansible, cloudformation, json, yaml, toml, or hcl.