docs: add info on adding compliance checks #6275
Conversation
AnaisUrlichs
changed the title
|
|
||
| Create a new file under `trivy-policies/specs/compliance/` and name the file in the format of "provider-resource-spectype-version.yaml". For example, the file name for AWS CIS Benchmarks for EKS version 1.4 is: `aws-eks-cis-1.4.yaml`. | ||
|
|
||
| ### Minimum spec structure |
There was a problem hiding this comment.
IMO there's too much duplication with the general compliance documentation, this should be about how to upstream a compliance, not the complete guide to write a compliance.
There was a problem hiding this comment.
Does this relate to line 19 or to the minimum spec structure?
There was a problem hiding this comment.
I have moved some to the normal compliance documentation but I am thinking about the following instead:
- divide the compliance docs into the following two separate sections in the table of content: built-in compliance and custom compliance. The custom compliance would then also detail how to contribute the custom compliance check to Trivy
There was a problem hiding this comment.
Does this relate to line 19 or to the minimum spec structure?
Minimum spec structure (and what follows)
There was a problem hiding this comment.
table of content: built-in compliance and custom compliance
not sure I understand how your suggestion is different than existing?
| - `checks.id` -- Required; this is the AVD ID or AVD IDs referenced that perform the Rego check for this compliance check, more information is provided below. | ||
| - `severity` -- Required; more information provided below. | ||
|
|
||
| ### Populating the `control` section |
There was a problem hiding this comment.
there's more to say about vulnerability checks and node checks
There was a problem hiding this comment.
@chen-keinan I need your help here
There was a problem hiding this comment.
@chen-keinan :) help
| # Custom Compliance Checks | ||
|
|
||
| Trivy supports several different compliance checks. The details on compliance scanning with Trivy are provided in the [compliance documentation](../../docs/compliance/compliance.md). | ||
| All of the Compliance Checks currently available in Trivy can be found in the `trivy-policies/specs/compliance/` directory ([Link](https://github.com/aquasecurity/trivy-policies/tree/main/specs/compliance)). |
There was a problem hiding this comment.
trivy-policies repo on github name has been changed to trivy-checks, change should apply to all references in doc
Signed-off-by: AnaisUrlichs <urlichsanais@gmail.com>
Signed-off-by: AnaisUrlichs <urlichsanais@gmail.com>
Signed-off-by: AnaisUrlichs <urlichsanais@gmail.com>
Signed-off-by: AnaisUrlichs <urlichsanais@gmail.com>
AnaisUrlichs
force-pushed
the
compliance-docs-update
branch
from
f9e1d5d
to
cf29bb9
Compare
Signed-off-by: AnaisUrlichs <urlichsanais@gmail.com>
There was a problem hiding this comment.
@AnaisUrlichs all entries where trivy-policies appear it should be replaced with trivy-checks
| ``` | ||
|
|
||
| - Again, the `id`, `name` and `description` are taken directly from the EKS CIS Benchmarks v1.4.0 | ||
| - The `checks` is in this case `null` as the check is not currently present in the AVD and does not have a check in the [trivy policies](https://github.com/aquasecurity/trivy-policies/tree/main/checks) repository |
There was a problem hiding this comment.
| - The `checks` is in this case `null` as the check is not currently present in the AVD and does not have a check in the [trivy policies](https://github.com/aquasecurity/trivy-policies/tree/main/checks) repository | |
| - The `checks` is in this case `null` as the check is not currently present in the AVD and does not have a check in the [trivy policies](https://github.com/aquasecurity/trivy-checks/tree/main/checks) repository |
Co-authored-by: chenk <hen.keinan@gmail.com>
Co-authored-by: chenk <hen.keinan@gmail.com>
Co-authored-by: chenk <hen.keinan@gmail.com>
Co-authored-by: chenk <hen.keinan@gmail.com>
Co-authored-by: chenk <hen.keinan@gmail.com>
Co-authored-by: chenk <hen.keinan@gmail.com>
Co-authored-by: chenk <hen.keinan@gmail.com>
Co-authored-by: chenk <hen.keinan@gmail.com>
Co-authored-by: chenk <hen.keinan@gmail.com>
Co-authored-by: chenk <hen.keinan@gmail.com>
Adding documentation to the contributing section on writing Compliance Checks