Skip to content
Permalink

Comparing changes

This is a direct comparison between two commits made in this repository or its related repositories. View the default comparison for this range or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: aquasecurity/trivy
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: 26ed64b33a07cb9805e6c9caeb4c17bfee5fe691
Choose a base ref
..
head repository: aquasecurity/trivy
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: 21e7882d2afcf390fb6500b4af5037acb5fd4d2f
Choose a head ref
Showing with 14 additions and 2 deletions.
  1. +1 −1 CHANGELOG.md
  2. +13 −1 docs/docs/scanner/misconfiguration/index.md
2 changes: 1 addition & 1 deletion CHANGELOG.md
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# Changelog

## [0.56.0](https://github.com/aquasecurity/trivy/compare/v0.55.0...v0.56.0) (2024-09-23)
## [0.56.0](https://github.com/aquasecurity/trivy/compare/v0.55.0...v0.56.0) (2024-09-26)


### Features
14 changes: 13 additions & 1 deletion docs/docs/scanner/misconfiguration/index.md
View file
Original file line number Diff line number Diff line change
@@ -389,15 +389,27 @@ LOW: Service name "serverless-rest-api-with-pynamodb" is not allowed
Ensure that Serverless Framework service names start with "aws-"
```
You can also pass schemas using the `config-file-schemas` flag. Trivy will use these schemas for file filtering and type checking in Rego checks. If the file does not match any of the passed schemas, it will be ignored.
!!! note
In the case above, the custom check specified has a metadata annotation for the input schema `input: schema["serverless-schema"]`. This allows Trivy to type check the input IaC files provided.
Optionally, you can also pass schemas using the `config-file-schemas` flag. Trivy will use these schemas for file filtering and type checking in Rego checks.
!!! example
```bash
$ trivy config --misconfig-scanners=json,yaml --config-check ./serverless.rego --check-namespaces user --config-file-schemas ./serverless-schema.json ./iac
```
If the `--config-file-schemas` flag is specified Trivy ensures that each input IaC config file being scanned is type-checked against the schema. If the input file does not match any of the passed schemas, it will be ignored.
If the schema is specified in the check metadata and is in the directory specified in the `--config-check` argument, it will be automatically loaded as specified [here](./custom/schema.md#custom-checks-with-custom-schemas), and will only be used for type checking in Rego.
!!! note
If a user specifies the `--config-file-schemas` flag, all input IaC config files are ensured that they pass type-checking. It is not required to pass an input schema in case type checking is not required. This is helpful for scenarios where you simply want to write a Rego check and pass in IaC input for it. Such a use case could include scanning for a new service which Trivy might not support just yet.
!!! tip
It is also possible to specify multiple input schemas with `--config-file-schema` flag as it can accept a comma seperated list of file paths or a directory as input. In the case of multiple schemas being specified, all of them will be evaluated against all the input files.
### Passing custom data
You can pass directories including your custom data through `--data` option.
This can be repeated for specifying multiple directories.