admin/aquasecurity-trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2026-02-11 11:13:15 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
7ea9cb4f90af2cb2ce2b5ea71e436fa1f772ce49
aquasecurity-trivy/dev/docs/scanner/misconfiguration/custom/index.html

3461 lines
76 KiB
HTML
Raw Blame History

<!doctype html>
<html lang="en" class="no-js">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta name="description" content="A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifacts, Suitable for CI">
<link rel="canonical" href="https://aquasecurity.github.io/trivy/dev/docs/scanner/misconfiguration/custom/">
<link rel="icon" href="../../../../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.3.0, mkdocs-material-8.3.9">
<title>Overview - Trivy</title>
<link rel="stylesheet" href="../../../../assets/stylesheets/main.1d29e8d0.min.css">
<link rel="stylesheet" href="../../../../assets/stylesheets/palette.cbb835fc.min.css">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,700,700i%7CRoboto+Mono:400,400i,700,700i&display=fallback">
<style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style>
<script>__md_scope=new URL("../../../..",location),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script>
</head>
<body dir="ltr" data-md-color-scheme="" data-md-color-primary="none" data-md-color-accent="none">
<input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" for="__drawer"></label>
<div data-md-component="skip">
<a href="#custom-policies" class="md-skip">
Skip to content
</a>
</div>
<div data-md-component="announce">
</div>
<div data-md-component="outdated" hidden>
<aside class="md-banner md-banner--warning">
</aside>
</div>
<header class="md-header md-header--lifted" data-md-component="header">
<nav class="md-header__inner md-grid" aria-label="Header">
<a href="../../../.." title="Trivy" class="md-header__button md-logo" aria-label="Trivy" data-md-component="logo">
<img src="../../../../imgs/logo-white.svg" alt="logo">
</a>
<label class="md-header__button md-icon" for="__drawer">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2Z"/></svg>
</label>
<div class="md-header__title" data-md-component="header-title">
<div class="md-header__ellipsis">
<div class="md-header__topic">
<span class="md-ellipsis">
Trivy
</span>
</div>
<div class="md-header__topic" data-md-component="header-topic">
<span class="md-ellipsis">
Overview
</span>
</div>
</div>
</div>
<label class="md-header__button md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg>
</label>
<div class="md-search" data-md-component="search" role="dialog">
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required>
<label class="md-search__icon md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12Z"/></svg>
</label>
<nav class="md-search__options" aria-label="Search">
<button type="reset" class="md-search__icon md-icon" aria-label="Clear" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41Z"/></svg>
</button>
</nav>
</form>
<div class="md-search__output">
<div class="md-search__scrollwrap" data-md-scrollfix>
<div class="md-search-result" data-md-component="search-result">
<div class="md-search-result__meta">
Initializing search
</div>
<ol class="md-search-result__list"></ol>
</div>
</div>
</div>
</div>
</div>
<div class="md-header__source">
<a href="https://github.com/aquasecurity/trivy" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 6.1.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2022 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
</nav>
<nav class="md-tabs" aria-label="Tabs" data-md-component="tabs">
<div class="md-tabs__inner md-grid">
<ul class="md-tabs__list">
<li class="md-tabs__item">
<a href="../../../.." class="md-tabs__link">
Getting Started
</a>
</li>
<li class="md-tabs__item">
<a href="../../../../tutorials/overview/" class="md-tabs__link">
Tutorials
</a>
</li>
<li class="md-tabs__item">
<a href="../../../" class="md-tabs__link md-tabs__link--active">
Docs
</a>
</li>
<li class="md-tabs__item">
<a href="../../../../ecosystem/" class="md-tabs__link">
Ecosystem
</a>
</li>
<li class="md-tabs__item">
<a href="../../../../community/contribute/issue/" class="md-tabs__link">
Contributing
</a>
</li>
</ul>
</div>
</nav>
</header>
<div class="md-container" data-md-component="container">
<main class="md-main" data-md-component="main">
<div class="md-main__inner md-grid">
<div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--primary md-nav--lifted" aria-label="Navigation" data-md-level="0">
<label class="md-nav__title" for="__drawer">
<a href="../../../.." title="Trivy" class="md-nav__button md-logo" aria-label="Trivy" data-md-component="logo">
<img src="../../../../imgs/logo-white.svg" alt="logo">
</a>
Trivy
</label>
<div class="md-nav__source">
<a href="https://github.com/aquasecurity/trivy" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 6.1.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2022 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_1" type="checkbox" id="__nav_1" >
<label class="md-nav__link" for="__nav_1">
Getting Started
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Getting Started" data-md-level="1">
<label class="md-nav__title" for="__nav_1">
<span class="md-nav__icon md-icon"></span>
Getting Started
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../.." class="md-nav__link">
Overview
</a>
</li>
<li class="md-nav__item">
<a href="../../../../getting-started/installation/" class="md-nav__link">
Installation
</a>
</li>
<li class="md-nav__item">
<a href="../../../../getting-started/faq/" class="md-nav__link">
FAQ
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_2" type="checkbox" id="__nav_2" >
<label class="md-nav__link" for="__nav_2">
Tutorials
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Tutorials" data-md-level="1">
<label class="md-nav__title" for="__nav_2">
<span class="md-nav__icon md-icon"></span>
Tutorials
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../../tutorials/overview/" class="md-nav__link">
Overview
</a>
</li>
<li class="md-nav__item md-nav__item--section md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_2_2" type="checkbox" id="__nav_2_2" >
<label class="md-nav__link" for="__nav_2_2">
CI/CD
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="CI/CD" data-md-level="2">
<label class="md-nav__title" for="__nav_2_2">
<span class="md-nav__icon md-icon"></span>
CI/CD
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../../tutorials/integrations/" class="md-nav__link">
Overview
</a>
</li>
<li class="md-nav__item">
<a href="../../../../tutorials/integrations/github-actions/" class="md-nav__link">
GitHub Actions
</a>
</li>
<li class="md-nav__item">
<a href="../../../../tutorials/integrations/circleci/" class="md-nav__link">
CircleCI
</a>
</li>
<li class="md-nav__item">
<a href="../../../../tutorials/integrations/travis-ci/" class="md-nav__link">
Travis CI
</a>
</li>
<li class="md-nav__item">
<a href="../../../../tutorials/integrations/gitlab-ci/" class="md-nav__link">
GitLab CI
</a>
</li>
<li class="md-nav__item">
<a href="../../../../tutorials/integrations/bitbucket/" class="md-nav__link">
Bitbucket Pipelines
</a>
</li>
<li class="md-nav__item">
<a href="../../../../tutorials/integrations/aws-codepipeline/" class="md-nav__link">
AWS CodePipeline
</a>
</li>
<li class="md-nav__item">
<a href="../../../../tutorials/integrations/aws-security-hub/" class="md-nav__link">
AWS Security Hub
</a>
</li>
<li class="md-nav__item">
<a href="../../../../tutorials/integrations/azure-devops/" class="md-nav__link">
Azure
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--section md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_2_3" type="checkbox" id="__nav_2_3" >
<label class="md-nav__link" for="__nav_2_3">
Kubernetes
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Kubernetes" data-md-level="2">
<label class="md-nav__title" for="__nav_2_3">
<span class="md-nav__icon md-icon"></span>
Kubernetes
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../../tutorials/kubernetes/cluster-scanning/" class="md-nav__link">
Cluster Scanning
</a>
</li>
<li class="md-nav__item">
<a href="../../../../tutorials/kubernetes/kyverno/" class="md-nav__link">
Kyverno
</a>
</li>
<li class="md-nav__item">
<a href="../../../../tutorials/kubernetes/gitops/" class="md-nav__link">
GitOps
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--section md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_2_4" type="checkbox" id="__nav_2_4" >
<label class="md-nav__link" for="__nav_2_4">
Signing
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Signing" data-md-level="2">
<label class="md-nav__title" for="__nav_2_4">
<span class="md-nav__icon md-icon"></span>
Signing
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../../tutorials/signing/vuln-attestation/" class="md-nav__link">
Vulnerability Scan Record Attestation
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--section md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_2_5" type="checkbox" id="__nav_2_5" >
<label class="md-nav__link" for="__nav_2_5">
Shell
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Shell" data-md-level="2">
<label class="md-nav__title" for="__nav_2_5">
<span class="md-nav__icon md-icon"></span>
Shell
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../../tutorials/shell/shell-completion/" class="md-nav__link">
Completion
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--section md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_2_6" type="checkbox" id="__nav_2_6" >
<label class="md-nav__link" for="__nav_2_6">
Additional Resources
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Additional Resources" data-md-level="2">
<label class="md-nav__title" for="__nav_2_6">
<span class="md-nav__icon md-icon"></span>
Additional Resources
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../../tutorials/additional-resources/references/" class="md-nav__link">
Additional Resources
</a>
</li>
<li class="md-nav__item">
<a href="../../../../tutorials/additional-resources/community/" class="md-nav__link">
Community References
</a>
</li>
<li class="md-nav__item">
<a href="../../../../tutorials/additional-resources/cks/" class="md-nav__link">
CKS Reference
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--active md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3" type="checkbox" id="__nav_3" checked>
<label class="md-nav__link" for="__nav_3">
Docs
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Docs" data-md-level="1">
<label class="md-nav__title" for="__nav_3">
<span class="md-nav__icon md-icon"></span>
Docs
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../" class="md-nav__link">
Overview
</a>
</li>
<li class="md-nav__item md-nav__item--section md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_2" type="checkbox" id="__nav_3_2" >
<label class="md-nav__link" for="__nav_3_2">
Target
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Target" data-md-level="2">
<label class="md-nav__title" for="__nav_3_2">
<span class="md-nav__icon md-icon"></span>
Target
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../target/container_image/" class="md-nav__link">
Container Image
</a>
</li>
<li class="md-nav__item">
<a href="../../../target/filesystem/" class="md-nav__link">
Filesystem
</a>
</li>
<li class="md-nav__item">
<a href="../../../target/rootfs/" class="md-nav__link">
Rootfs
</a>
</li>
<li class="md-nav__item">
<a href="../../../target/git-repository/" class="md-nav__link">
Git Repository
</a>
</li>
<li class="md-nav__item">
<a href="../../../target/vm/" class="md-nav__link">
Virtual Machine Image
</a>
</li>
<li class="md-nav__item">
<a href="../../../target/kubernetes/" class="md-nav__link">
Kubernetes
</a>
</li>
<li class="md-nav__item">
<a href="../../../target/aws/" class="md-nav__link">
AWS
</a>
</li>
<li class="md-nav__item">
<a href="../../../target/sbom/" class="md-nav__link">
SBOM
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--active md-nav__item--section md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_3" type="checkbox" id="__nav_3_3" checked>
<label class="md-nav__link" for="__nav_3_3">
Scanner
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Scanner" data-md-level="2">
<label class="md-nav__title" for="__nav_3_3">
<span class="md-nav__icon md-icon"></span>
Scanner
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_3_1" type="checkbox" id="__nav_3_3_1" >
<label class="md-nav__link" for="__nav_3_3_1">
Vulnerability
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Vulnerability" data-md-level="3">
<label class="md-nav__title" for="__nav_3_3_1">
<span class="md-nav__icon md-icon"></span>
Vulnerability
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../vulnerability/" class="md-nav__link">
Overview
</a>
</li>
<li class="md-nav__item">
<a href="../../vulnerability/os/" class="md-nav__link">
OS Packages
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_3_1_3" type="checkbox" id="__nav_3_3_1_3" >
<label class="md-nav__link" for="__nav_3_3_1_3">
Language-specific Packages
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Language-specific Packages" data-md-level="4">
<label class="md-nav__title" for="__nav_3_3_1_3">
<span class="md-nav__icon md-icon"></span>
Language-specific Packages
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../vulnerability/language/" class="md-nav__link">
Overview
</a>
</li>
<li class="md-nav__item">
<a href="../../vulnerability/language/golang/" class="md-nav__link">
Go
</a>
</li>
<li class="md-nav__item">
<a href="../../vulnerability/language/java/" class="md-nav__link">
Java
</a>
</li>
<li class="md-nav__item">
<a href="../../vulnerability/language/nodejs/" class="md-nav__link">
Node.js
</a>
</li>
<li class="md-nav__item">
<a href="../../vulnerability/language/php/" class="md-nav__link">
PHP
</a>
</li>
<li class="md-nav__item">
<a href="../../vulnerability/language/python/" class="md-nav__link">
Python
</a>
</li>
<li class="md-nav__item">
<a href="../../vulnerability/language/rust/" class="md-nav__link">
Rust
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--active md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_3_2" type="checkbox" id="__nav_3_3_2" checked>
<label class="md-nav__link" for="__nav_3_3_2">
Misconfiguration
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Misconfiguration" data-md-level="3">
<label class="md-nav__title" for="__nav_3_3_2">
<span class="md-nav__icon md-icon"></span>
Misconfiguration
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../" class="md-nav__link">
Overview
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_3_2_2" type="checkbox" id="__nav_3_3_2_2" >
<label class="md-nav__link" for="__nav_3_3_2_2">
Policy
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Policy" data-md-level="4">
<label class="md-nav__title" for="__nav_3_3_2_2">
<span class="md-nav__icon md-icon"></span>
Policy
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../policy/builtin/" class="md-nav__link">
Built-in Policies
</a>
</li>
<li class="md-nav__item">
<a href="../policy/exceptions/" class="md-nav__link">
Exceptions
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--active md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_3_2_3" type="checkbox" id="__nav_3_3_2_3" checked>
<label class="md-nav__link" for="__nav_3_3_2_3">
Custom Policies
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Custom Policies" data-md-level="4">
<label class="md-nav__title" for="__nav_3_3_2_3">
<span class="md-nav__icon md-icon"></span>
Custom Policies
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item md-nav__item--active">
<input class="md-nav__toggle md-toggle" data-md-toggle="toc" type="checkbox" id="__toc">
<label class="md-nav__link md-nav__link--active" for="__toc">
Overview
<span class="md-nav__icon md-icon"></span>
</label>
<a href="./" class="md-nav__link md-nav__link--active">
Overview
</a>
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#overview" class="md-nav__link">
Overview
</a>
<nav class="md-nav" aria-label="Overview">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#file-formats" class="md-nav__link">
File formats
</a>
</li>
<li class="md-nav__item">
<a href="#configuration-languages" class="md-nav__link">
Configuration languages
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#rego-format" class="md-nav__link">
Rego format
</a>
<nav class="md-nav" aria-label="Rego format">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#policy-structure" class="md-nav__link">
Policy structure
</a>
</li>
<li class="md-nav__item">
<a href="#package" class="md-nav__link">
Package
</a>
</li>
<li class="md-nav__item">
<a href="#metadata" class="md-nav__link">
Metadata
</a>
</li>
<li class="md-nav__item">
<a href="#input" class="md-nav__link">
Input
</a>
</li>
<li class="md-nav__item">
<a href="#schemas" class="md-nav__link">
Schemas
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="data/" class="md-nav__link">
Data
</a>
</li>
<li class="md-nav__item">
<a href="combine/" class="md-nav__link">
Combine
</a>
</li>
<li class="md-nav__item">
<a href="selectors/" class="md-nav__link">
Selectors
</a>
</li>
<li class="md-nav__item">
<a href="schema/" class="md-nav__link">
Schemas
</a>
</li>
<li class="md-nav__item">
<a href="testing/" class="md-nav__link">
Testing
</a>
</li>
<li class="md-nav__item">
<a href="debug/" class="md-nav__link">
Debugging Policies
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../../secret/" class="md-nav__link">
Secret
</a>
</li>
<li class="md-nav__item">
<a href="../../license/" class="md-nav__link">
License
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--section md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_4" type="checkbox" id="__nav_3_4" >
<label class="md-nav__link" for="__nav_3_4">
Configuration
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Configuration" data-md-level="2">
<label class="md-nav__title" for="__nav_3_4">
<span class="md-nav__icon md-icon"></span>
Configuration
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../configuration/" class="md-nav__link">
Overview
</a>
</li>
<li class="md-nav__item">
<a href="../../../configuration/filtering/" class="md-nav__link">
Filtering
</a>
</li>
<li class="md-nav__item">
<a href="../../../configuration/skipping/" class="md-nav__link">
Skipping Files
</a>
</li>
<li class="md-nav__item">
<a href="../../../configuration/reporting/" class="md-nav__link">
Reporting
</a>
</li>
<li class="md-nav__item">
<a href="../../../configuration/cache/" class="md-nav__link">
Cache
</a>
</li>
<li class="md-nav__item">
<a href="../../../configuration/db/" class="md-nav__link">
DB
</a>
</li>
<li class="md-nav__item">
<a href="../../../configuration/others/" class="md-nav__link">
Others
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--section md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_5" type="checkbox" id="__nav_3_5" >
<label class="md-nav__link" for="__nav_3_5">
Supply Chain
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Supply Chain" data-md-level="2">
<label class="md-nav__title" for="__nav_3_5">
<span class="md-nav__icon md-icon"></span>
Supply Chain
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../supply-chain/sbom/" class="md-nav__link">
SBOM
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_5_2" type="checkbox" id="__nav_3_5_2" >
<label class="md-nav__link" for="__nav_3_5_2">
Attestation
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Attestation" data-md-level="3">
<label class="md-nav__title" for="__nav_3_5_2">
<span class="md-nav__icon md-icon"></span>
Attestation
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../supply-chain/attestation/sbom/" class="md-nav__link">
SBOM
</a>
</li>
<li class="md-nav__item">
<a href="../../../supply-chain/attestation/vuln/" class="md-nav__link">
Cosign Vulnerability Scan Record
</a>
</li>
<li class="md-nav__item">
<a href="../../../supply-chain/attestation/rekor/" class="md-nav__link">
SBOM Attestation in Rekor
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../../../supply-chain/vex/" class="md-nav__link">
VEX
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--section md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_6" type="checkbox" id="__nav_3_6" >
<label class="md-nav__link" for="__nav_3_6">
Compliance
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Compliance" data-md-level="2">
<label class="md-nav__title" for="__nav_3_6">
<span class="md-nav__icon md-icon"></span>
Compliance
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../compliance/compliance/" class="md-nav__link">
Reports
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--section md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_7" type="checkbox" id="__nav_3_7" >
<label class="md-nav__link" for="__nav_3_7">
Advanced
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Advanced" data-md-level="2">
<label class="md-nav__title" for="__nav_3_7">
<span class="md-nav__icon md-icon"></span>
Advanced
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../advanced/modules/" class="md-nav__link">
Modules
</a>
</li>
<li class="md-nav__item">
<a href="../../../advanced/plugins/" class="md-nav__link">
Plugins
</a>
</li>
<li class="md-nav__item">
<a href="../../../advanced/air-gap/" class="md-nav__link">
Air-Gapped Environment
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_7_4" type="checkbox" id="__nav_3_7_4" >
<label class="md-nav__link" for="__nav_3_7_4">
Container Image
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Container Image" data-md-level="3">
<label class="md-nav__title" for="__nav_3_7_4">
<span class="md-nav__icon md-icon"></span>
Container Image
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../advanced/container/embed-in-dockerfile/" class="md-nav__link">
Embed in Dockerfile
</a>
</li>
<li class="md-nav__item">
<a href="../../../advanced/container/unpacked-filesystem/" class="md-nav__link">
Unpacked container image filesystem
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_7_4_3" type="checkbox" id="__nav_3_7_4_3" >
<label class="md-nav__link" for="__nav_3_7_4_3">
Private Docker Registries
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Private Docker Registries" data-md-level="4">
<label class="md-nav__title" for="__nav_3_7_4_3">
<span class="md-nav__icon md-icon"></span>
Private Docker Registries
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../advanced/private-registries/" class="md-nav__link">
Overview
</a>
</li>
<li class="md-nav__item">
<a href="../../../advanced/private-registries/docker-hub/" class="md-nav__link">
Docker Hub
</a>
</li>
<li class="md-nav__item">
<a href="../../../advanced/private-registries/ecr/" class="md-nav__link">
AWS ECR (Elastic Container Registry)
</a>
</li>
<li class="md-nav__item">
<a href="../../../advanced/private-registries/gcr/" class="md-nav__link">
GCR (Google Container Registry)
</a>
</li>
<li class="md-nav__item">
<a href="../../../advanced/private-registries/acr/" class="md-nav__link">
ACR (Azure Container Registry)
</a>
</li>
<li class="md-nav__item">
<a href="../../../advanced/private-registries/self/" class="md-nav__link">
Self-Hosted
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--section md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_8" type="checkbox" id="__nav_3_8" >
<label class="md-nav__link" for="__nav_3_8">
References
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="References" data-md-level="2">
<label class="md-nav__title" for="__nav_3_8">
<span class="md-nav__icon md-icon"></span>
References
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_8_1" type="checkbox" id="__nav_3_8_1" >
<label class="md-nav__link" for="__nav_3_8_1">
Configuration
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Configuration" data-md-level="3">
<label class="md-nav__title" for="__nav_3_8_1">
<span class="md-nav__icon md-icon"></span>
Configuration
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_8_1_1" type="checkbox" id="__nav_3_8_1_1" >
<label class="md-nav__link" for="__nav_3_8_1_1">
CLI
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="CLI" data-md-level="4">
<label class="md-nav__title" for="__nav_3_8_1_1">
<span class="md-nav__icon md-icon"></span>
CLI
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../references/configuration/cli/trivy/" class="md-nav__link">
Overview
</a>
</li>
<li class="md-nav__item">
<a href="../../../references/configuration/cli/trivy_aws/" class="md-nav__link">
AWS
</a>
</li>
<li class="md-nav__item">
<a href="../../../references/configuration/cli/trivy_config/" class="md-nav__link">
Config
</a>
</li>
<li class="md-nav__item">
<a href="../../../references/configuration/cli/trivy_filesystem/" class="md-nav__link">
Filesystem
</a>
</li>
<li class="md-nav__item">
<a href="../../../references/configuration/cli/trivy_image/" class="md-nav__link">
Image
</a>
</li>
<li class="md-nav__item">
<a href="../../../references/configuration/cli/trivy_kubernetes/" class="md-nav__link">
Kubernetes
</a>
</li>
<li class="md-nav__item">
<a href="../../../references/configuration/cli/trivy_module/" class="md-nav__link">
Module
</a>
</li>
<li class="md-nav__item">
<a href="../../../references/configuration/cli/trivy_module_install/" class="md-nav__link">
Module Install
</a>
</li>
<li class="md-nav__item">
<a href="../../../references/configuration/cli/trivy_module_uninstall/" class="md-nav__link">
Module Uninstall
</a>
</li>
<li class="md-nav__item">
<a href="../../../references/configuration/cli/trivy_plugin/" class="md-nav__link">
Plugin
</a>
</li>
<li class="md-nav__item">
<a href="../../../references/configuration/cli/trivy_plugin_info/" class="md-nav__link">
Plugin Info
</a>
</li>
<li class="md-nav__item">
<a href="../../../references/configuration/cli/trivy_plugin_install/" class="md-nav__link">
Plugin Install
</a>
</li>
<li class="md-nav__item">
<a href="../../../references/configuration/cli/trivy_plugin_list/" class="md-nav__link">
Plugin List
</a>
</li>
<li class="md-nav__item">
<a href="../../../references/configuration/cli/trivy_plugin_run/" class="md-nav__link">
Plugin Run
</a>
</li>
<li class="md-nav__item">
<a href="../../../references/configuration/cli/trivy_plugin_uninstall/" class="md-nav__link">
Plugin Uninstall
</a>
</li>
<li class="md-nav__item">
<a href="../../../references/configuration/cli/trivy_plugin_update/" class="md-nav__link">
Plugin Update
</a>
</li>
<li class="md-nav__item">
<a href="../../../references/configuration/cli/trivy_repository/" class="md-nav__link">
Repository
</a>
</li>
<li class="md-nav__item">
<a href="../../../references/configuration/cli/trivy_rootfs/" class="md-nav__link">
Rootfs
</a>
</li>
<li class="md-nav__item">
<a href="../../../references/configuration/cli/trivy_sbom/" class="md-nav__link">
SBOM
</a>
</li>
<li class="md-nav__item">
<a href="../../../references/configuration/cli/trivy_server/" class="md-nav__link">
Server
</a>
</li>
<li class="md-nav__item">
<a href="../../../references/configuration/cli/trivy_version/" class="md-nav__link">
Version
</a>
</li>
<li class="md-nav__item">
<a href="../../../references/configuration/cli/trivy_vm/" class="md-nav__link">
VM
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../../../references/configuration/config-file/" class="md-nav__link">
Config file
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_8_2" type="checkbox" id="__nav_3_8_2" >
<label class="md-nav__link" for="__nav_3_8_2">
Modes
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Modes" data-md-level="3">
<label class="md-nav__title" for="__nav_3_8_2">
<span class="md-nav__icon md-icon"></span>
Modes
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../references/modes/standalone/" class="md-nav__link">
Standalone
</a>
</li>
<li class="md-nav__item">
<a href="../../../references/modes/client-server/" class="md-nav__link">
Client/Server
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../../../references/troubleshooting/" class="md-nav__link">
Troubleshooting
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_4" type="checkbox" id="__nav_4" >
<label class="md-nav__link" for="__nav_4">
Ecosystem
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Ecosystem" data-md-level="1">
<label class="md-nav__title" for="__nav_4">
<span class="md-nav__icon md-icon"></span>
Ecosystem
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../../ecosystem/" class="md-nav__link">
Overview
</a>
</li>
<li class="md-nav__item">
<a href="../../../../ecosystem/cicd/" class="md-nav__link">
CI/CD
</a>
</li>
<li class="md-nav__item">
<a href="../../../../ecosystem/ide/" class="md-nav__link">
IDE and Dev tools
</a>
</li>
<li class="md-nav__item">
<a href="../../../../ecosystem/prod/" class="md-nav__link">
Production and Clouds
</a>
</li>
<li class="md-nav__item">
<a href="../../../../ecosystem/security/" class="md-nav__link">
Security Management
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_5" type="checkbox" id="__nav_5" >
<label class="md-nav__link" for="__nav_5">
Contributing
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Contributing" data-md-level="1">
<label class="md-nav__title" for="__nav_5">
<span class="md-nav__icon md-icon"></span>
Contributing
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item md-nav__item--section md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_5_1" type="checkbox" id="__nav_5_1" >
<label class="md-nav__link" for="__nav_5_1">
How to contribute
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="How to contribute" data-md-level="2">
<label class="md-nav__title" for="__nav_5_1">
<span class="md-nav__icon md-icon"></span>
How to contribute
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../../community/contribute/issue/" class="md-nav__link">
Issues
</a>
</li>
<li class="md-nav__item">
<a href="../../../../community/contribute/discussion/" class="md-nav__link">
Discussions
</a>
</li>
<li class="md-nav__item">
<a href="../../../../community/contribute/pr/" class="md-nav__link">
Pull Requests
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--section md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_5_2" type="checkbox" id="__nav_5_2" >
<label class="md-nav__link" for="__nav_5_2">
Maintainer
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Maintainer" data-md-level="2">
<label class="md-nav__title" for="__nav_5_2">
<span class="md-nav__icon md-icon"></span>
Maintainer
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../../community/maintainer/help-wanted/" class="md-nav__link">
Help Wanted
</a>
</li>
<li class="md-nav__item">
<a href="../../../../community/maintainer/triage/" class="md-nav__link">
Triage
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-sidebar md-sidebar--secondary" data-md-component="sidebar" data-md-type="toc" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#overview" class="md-nav__link">
Overview
</a>
<nav class="md-nav" aria-label="Overview">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#file-formats" class="md-nav__link">
File formats
</a>
</li>
<li class="md-nav__item">
<a href="#configuration-languages" class="md-nav__link">
Configuration languages
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#rego-format" class="md-nav__link">
Rego format
</a>
<nav class="md-nav" aria-label="Rego format">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#policy-structure" class="md-nav__link">
Policy structure
</a>
</li>
<li class="md-nav__item">
<a href="#package" class="md-nav__link">
Package
</a>
</li>
<li class="md-nav__item">
<a href="#metadata" class="md-nav__link">
Metadata
</a>
</li>
<li class="md-nav__item">
<a href="#input" class="md-nav__link">
Input
</a>
</li>
<li class="md-nav__item">
<a href="#schemas" class="md-nav__link">
Schemas
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-content" data-md-component="content">
<article class="md-content__inner md-typeset">
<h1 id="custom-policies">Custom Policies</h1>
<h2 id="overview">Overview</h2>
<p>You can write custom policies in <a href="https://www.openpolicyagent.org/docs/latest/policy-language/">Rego</a>.
Once you finish writing custom policies, you can pass the directory where those policies are stored with <code>--policy</code> option.</p>
<div class="highlight"><pre><span></span><code>trivy conf --policy /path/to/custom_policies --namespaces user /path/to/config_dir
</code></pre></div>
<p>As for <code>--namespaces</code> option, the detail is described as below.</p>
<h3 id="file-formats">File formats</h3>
<p>If a file name matches the following file patterns, Trivy will parse the file and pass it as input to your Rego policy.</p>
<table>
<thead>
<tr>
<th>File format</th>
<th>File pattern</th>
</tr>
</thead>
<tbody>
<tr>
<td>JSON</td>
<td><code>*.json</code></td>
</tr>
<tr>
<td>YAML</td>
<td><code>*.yaml</code> and <code>*.yml</code></td>
</tr>
<tr>
<td>Dockerfile</td>
<td><code>Dockerfile</code>, <code>Dockerfile.*</code>, and <code>*.Dockerfile</code></td>
</tr>
<tr>
<td>Containerfile</td>
<td><code>Containerfile</code>, <code>Containerfile.*</code>, and <code>*.Containerfile</code></td>
</tr>
<tr>
<td>Terraform</td>
<td><code>*.tf</code> and <code>*.tf.json</code></td>
</tr>
</tbody>
</table>
<h3 id="configuration-languages">Configuration languages</h3>
<p>In the above general file formats, Trivy automatically identifies the following types of configuration files:</p>
<ul>
<li>CloudFormation (JSON/YAML)</li>
<li>Kubernetes (JSON/YAML)</li>
<li>Helm (YAML)</li>
<li>Terraform Plan (JSON)</li>
</ul>
<p>This is useful for filtering inputs, as described below.</p>
<h2 id="rego-format">Rego format</h2>
<p>A single package must contain only one policy.</p>
<div class="admonition example">
<p class="admonition-title">Example</p>
<div class="highlight"><pre><span></span><code># METADATA
# title: Deployment not allowed
# description: Deployments are not allowed because of some reasons.
# schemas:
# - input: schema[&quot;kubernetes&quot;]
# custom:
# id: ID001
# severity: LOW
# input:
# selector:
# - type: kubernetes
package user.kubernetes.ID001
deny[res] {
input.kind == &quot;Deployment&quot;
msg := sprintf(&quot;Found deployment &#39;%s&#39; but deployments are not allowed&quot;, [input.metadata.name])
res := result.new(msg, input.kind)
}
</code></pre></div>
</div>
<p>In this example, ID001 "Deployment not allowed" is defined under <code>user.kubernetes.ID001</code>.
If you add a new custom policy, it must be defined under a new package like <code>user.kubernetes.ID002</code>.</p>
<h3 id="policy-structure">Policy structure</h3>
<dl>
<dt><code># METADATA</code> (optional)</dt>
<dd>
<ul>
<li>SHOULD be defined for clarity since these values will be displayed in the scan results</li>
<li><code>custom.input</code> SHOULD be set to indicate the input type the policy should be applied to. See <a href="https://github.com/aquasecurity/defsec/blob/418759b4dc97af25f30f32e0bd365be7984003a1/pkg/types/sources.go">list of available types</a></li>
</ul>
</dd>
<dt><code>package</code> (required)</dt>
<dd>
<ul>
<li>MUST follow the Rego's <a href="https://www.openpolicyagent.org/docs/latest/policy-language/#packages">specification</a></li>
<li>MUST be unique per policy</li>
<li>SHOULD include policy id for uniqueness</li>
<li>MAY include the group name such as <code>kubernetes</code> for clarity<ul>
<li>Group name has no effect on policy evaluation</li>
</ul>
</li>
</ul>
</dd>
<dt><code>deny</code> (required)</dt>
<dd>
<ul>
<li>SHOULD be <code>deny</code> or start with <code>deny_</code><ul>
<li>Although <code>warn</code>, <code>warn_*</code>, <code>violation</code>, <code>violation_</code> also work for compatibility, <code>deny</code> is recommended as severity can be defined in <code>__rego_metadata__</code>.</li>
</ul>
</li>
<li>SHOULD return ONE OF:<ul>
<li>The result of a call to <code>result.new(msg, cause)</code>. The <code>msg</code> is a <code>string</code> describing the issue occurrence, and the <code>cause</code> is the property/object where the issue occurred. Providing this allows Trivy to ascertain line numbers and highlight code in the output. </li>
<li>A <code>string</code> denoting the detected issue<ul>
<li>Although <code>object</code> with <code>msg</code> field is accepted, other fields are dropped and <code>string</code> is recommended if <code>result.new()</code> is not utilised.</li>
<li>e.g. <code>{"msg": "deny message", "details": "something"}</code></li>
</ul>
</li>
</ul>
</li>
</ul>
</dd>
</dl>
<h3 id="package">Package</h3>
<p>A package name must be unique per policy.</p>
<div class="admonition example">
<p class="admonition-title">Example</p>
<div class="highlight"><pre><span></span><code>package user.kubernetes.ID001
</code></pre></div>
</div>
<p>By default, only <code>builtin.*</code> packages will be evaluated.
If you define custom packages, you have to specify the package prefix via <code>--namespaces</code> option. </p>
<div class="highlight"><pre><span></span><code>trivy conf --policy /path/to/custom_policies --namespaces user /path/to/config_dir
</code></pre></div>
<p>In this case, <code>user.*</code> will be evaluated.
Any package prefixes such as <code>main</code> and <code>user</code> are allowed.</p>
<h3 id="metadata">Metadata</h3>
<p>Metadata helps enrich Trivy's scan results with useful information.</p>
<p>The annotation format is described in the <a href="https://www.openpolicyagent.org/docs/latest/annotations/">OPA documentation</a>.</p>
<p>Trivy supports extra fields in the <code>custom</code> section as described below.</p>
<div class="admonition example">
<p class="admonition-title">Example</p>
<div class="highlight"><pre><span></span><code># METADATA
# title: Deployment not allowed
# description: Deployments are not allowed because of some reasons.
# custom:
# id: ID001
# severity: LOW
# input:
# selector:
# - type: kubernetes
</code></pre></div>
</div>
<p>All fields are optional. The <code>schemas</code> field should be used to enable policy validation using a built-in schema. The
schema that will be used is based on the input document type. It is recommended to use this to ensure your policies are
correct and do not reference incorrect properties/values.</p>
<table>
<thead>
<tr>
<th>Field name</th>
<th>Allowed values</th>
<th align="center">Default value</th>
<th align="center">In table</th>
<th align="center">In JSON</th>
</tr>
</thead>
<tbody>
<tr>
<td>title</td>
<td>Any characters</td>
<td align="center">N/A</td>
<td align="center"><span class="twemoji"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M21 7 9 19l-5.5-5.5 1.41-1.41L9 16.17 19.59 5.59 21 7Z"/></svg></span></td>
<td align="center"><span class="twemoji"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M21 7 9 19l-5.5-5.5 1.41-1.41L9 16.17 19.59 5.59 21 7Z"/></svg></span></td>
</tr>
<tr>
<td>description</td>
<td>Any characters</td>
<td align="center"></td>
<td align="center"><span class="twemoji"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41Z"/></svg></span></td>
<td align="center"><span class="twemoji"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M21 7 9 19l-5.5-5.5 1.41-1.41L9 16.17 19.59 5.59 21 7Z"/></svg></span></td>
</tr>
<tr>
<td>schemas.input</td>
<td><code>schema["kubernetes"]</code>, <code>schema["dockerfile"]</code>, <code>schema["cloud"]</code></td>
<td align="center">(applied to all input types)</td>
<td align="center"><span class="twemoji"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41Z"/></svg></span></td>
<td align="center"><span class="twemoji"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41Z"/></svg></span></td>
</tr>
<tr>
<td>custom.id</td>
<td>Any characters</td>
<td align="center">N/A</td>
<td align="center"><span class="twemoji"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M21 7 9 19l-5.5-5.5 1.41-1.41L9 16.17 19.59 5.59 21 7Z"/></svg></span></td>
<td align="center"><span class="twemoji"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M21 7 9 19l-5.5-5.5 1.41-1.41L9 16.17 19.59 5.59 21 7Z"/></svg></span></td>
</tr>
<tr>
<td>custom.severity</td>
<td><code>LOW</code>, <code>MEDIUM</code>, <code>HIGH</code>, <code>CRITICAL</code></td>
<td align="center">UNKNOWN</td>
<td align="center"><span class="twemoji"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M21 7 9 19l-5.5-5.5 1.41-1.41L9 16.17 19.59 5.59 21 7Z"/></svg></span></td>
<td align="center"><span class="twemoji"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M21 7 9 19l-5.5-5.5 1.41-1.41L9 16.17 19.59 5.59 21 7Z"/></svg></span></td>
</tr>
<tr>
<td>custom.recommended_actions</td>
<td>Any characters</td>
<td align="center"></td>
<td align="center"><span class="twemoji"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41Z"/></svg></span></td>
<td align="center"><span class="twemoji"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M21 7 9 19l-5.5-5.5 1.41-1.41L9 16.17 19.59 5.59 21 7Z"/></svg></span></td>
</tr>
<tr>
<td>custom.input.selector.type</td>
<td>Any item(s) in <a href="https://github.com/aquasecurity/defsec/blob/418759b4dc97af25f30f32e0bd365be7984003a1/pkg/types/sources.go)">this list</a></td>
<td align="center"></td>
<td align="center"><span class="twemoji"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41Z"/></svg></span></td>
<td align="center"><span class="twemoji"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M21 7 9 19l-5.5-5.5 1.41-1.41L9 16.17 19.59 5.59 21 7Z"/></svg></span></td>
</tr>
<tr>
<td>url</td>
<td>Any characters</td>
<td align="center"></td>
<td align="center"><span class="twemoji"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41Z"/></svg></span></td>
<td align="center"><span class="twemoji"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M21 7 9 19l-5.5-5.5 1.41-1.41L9 16.17 19.59 5.59 21 7Z"/></svg></span></td>
</tr>
</tbody>
</table>
<p>Some fields are displayed in scan results.</p>
<div class="highlight"><pre><span></span><code>k.yaml <span class="o">(</span>kubernetes<span class="o">)</span>
───────────────────
Tests: <span class="m">32</span> <span class="o">(</span>SUCCESSES: <span class="m">31</span>, FAILURES: <span class="m">1</span>, EXCEPTIONS: <span class="m">0</span><span class="o">)</span>
Failures: <span class="m">1</span> <span class="o">(</span>UNKNOWN: <span class="m">0</span>, LOW: <span class="m">1</span>, MEDIUM: <span class="m">0</span>, HIGH: <span class="m">0</span>, CRITICAL: <span class="m">0</span><span class="o">)</span>
LOW: Found deployment <span class="s1">&#39;my-deployment&#39;</span> but deployments are not allowed
════════════════════════════════════════════════════════════════════════
Deployments are not allowed because of some reasons.
────────────────────────────────────────────────────────────────────────
k.yaml:1-2
────────────────────────────────────────────────────────────────────────
<span class="m">1</span> ┌ apiVersion: v1
<span class="m">2</span> └ kind: Deployment
────────────────────────────────────────────────────────────────────────
</code></pre></div>
<h3 id="input">Input</h3>
<p>You can specify input format via the <code>custom.input</code> annotation.</p>
<div class="admonition example">
<p class="admonition-title">Example</p>
<div class="highlight"><pre><span></span><code># METADATA
# custom:
# input:
# combine: false
# selector:
# - type: kubernetes
</code></pre></div>
</div>
<dl>
<dt><code>combine</code> (boolean)</dt>
<dd>The details are <a href="combine/">here</a>.</dd>
<dt><code>selector</code> (array)</dt>
<dd>
<p>This option filters the input by file format or configuration language.
In the above example, Trivy passes only Kubernetes files to this policy.
Even if a Dockerfile exists in the specified directory, it will not be passed to the policy as input.</p>
<p>Possible values for input types are:
- <code>dockerfile</code> (Dockerfile)
- <code>kubernetes</code> (Kubernetes YAML/JSON)
- <code>rbac</code> (Kubernetes RBAC YAML/JSON)
- <code>cloud</code> (Cloud format, as defined by defsec - this is used for Terraform, CloudFormation, and Cloud/AWS scanning)
- <code>yaml</code> (Generic YAML)
- <code>json</code> (Generic JSON)
- <code>toml</code> (Generic TOML)</p>
<p>When configuration languages such as Kubernetes are not identified, file formats such as JSON will be used as <code>type</code>.
When a configuration language is identified, it will overwrite <code>type</code>.</p>
<div class="admonition example">
<p class="admonition-title">Example</p>
<p><code>pod.yaml</code> including Kubernetes Pod will be handled as <code>kubernetes</code>, not <code>yaml</code>.
<code>type</code> is overwritten by <code>kubernetes</code> from <code>yaml</code>.</p>
</div>
<p><code>type</code> accepts <code>kubernetes</code>, <code>dockerfile</code>, <code>cloudformation</code>, <code>terraform</code>, <code>terraformplan</code>, <code>json</code>, or <code>yaml</code>.</p>
</dd>
</dl>
<h3 id="schemas">Schemas</h3>
<p>See <a href="schema/">here</a> for the detail.</p>
</article>
<script>var tabs=__md_get("__tabs");if(Array.isArray(tabs))e:for(var set of document.querySelectorAll(".tabbed-set")){var tab,labels=set.querySelector(".tabbed-labels");for(tab of tabs)for(var label of labels.getElementsByTagName("label"))if(label.innerText.trim()===tab){var input=document.getElementById(label.htmlFor);input.checked=!0;continue e}}</script>
</div>
</div>
</main>
<footer class="md-footer">
<nav class="md-footer__inner md-grid" aria-label="Footer" >
<a href="../policy/exceptions/" class="md-footer__link md-footer__link--prev" aria-label="Previous: Exceptions" rel="prev">
<div class="md-footer__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12Z"/></svg>
</div>
<div class="md-footer__title">
<div class="md-ellipsis">
<span class="md-footer__direction">
Previous
</span>
Exceptions
</div>
</div>
</a>
<a href="data/" class="md-footer__link md-footer__link--next" aria-label="Next: Data" rel="next">
<div class="md-footer__title">
<div class="md-ellipsis">
<span class="md-footer__direction">
Next
</span>
Data
</div>
</div>
<div class="md-footer__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M4 11v2h12l-5.5 5.5 1.42 1.42L19.84 12l-7.92-7.92L10.5 5.5 16 11H4Z"/></svg>
</div>
</a>
</nav>
<div class="md-footer-meta md-typeset">
<div class="md-footer-meta__inner md-grid">
<div class="md-copyright">
</div>
</div>
</div>
</footer>
</div>
<div class="md-dialog" data-md-component="dialog">
<div class="md-dialog__inner md-typeset"></div>
</div>
<script id="__config" type="application/json">{"base": "../../../..", "features": ["navigation.tabs", "navigation.tabs.sticky", "navigation.sections", "content.tabs.link"], "search": "../../../../assets/javascripts/workers/search.b97dbffb.min.js", "translations": {"clipboard.copied": "Copied to clipboard", "clipboard.copy": "Copy to clipboard", "search.config.lang": "en", "search.config.pipeline": "trimmer, stopWordFilter", "search.config.separator": "[\\s\\-]+", "search.placeholder": "Search", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.placeholder": "Type to start searching", "search.result.term.missing": "Missing", "select.version.title": "Select version"}, "version": {"method": "mike", "provider": "mike"}}</script>
<script src="../../../../assets/javascripts/bundle.6c7ad80a.min.js"></script>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink