docs: add info on adding compliance checks #6275
Create a new file under `trivy-policies/specs/compliance/` and name the file in the format of "provider-resource-spectype-version.yaml". For example, the file name for AWS CIS Benchmarks for EKS version 1.4 is: `aws-eks-cis-1.4.yaml`. | ||
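Review bot: the version component of the naming convention is ambiguous in this hunk: the example file name uses `1.4`, while the same benchmark is referred to later in the doc as "EKS CIS Benchmarks v1.4.0". State explicitly whether the file name carries the major.minor version only or the full benchmark version, so contributors do not produce both `aws-eks-cis-1.4.yaml` and `aws-eks-cis-1.4.0.yaml` for the same spec.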
### Minimum spec structure |
IMO there's too much duplication with the general compliance documentation; this should be about how to upstream a compliance check, not the complete guide to writing one.
Does this relate to line 19 or to the minimum spec structure?
I have moved some to the normal compliance documentation but I am thinking about the following instead:
- divide the compliance docs into the following two separate sections in the table of contents: built-in compliance and custom compliance. The custom compliance section would then also detail how to contribute the custom compliance check to Trivy.
Does this relate to line 19 or to the minimum spec structure?
Minimum spec structure (and what follows)
- `checks.id` -- Required; this is the AVD ID or AVD IDs referenced that perform the Rego check for this compliance check, more information is provided below. | ||
- `severity` -- Required; more information provided below. | ||
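Review bot: the `checks.id` bullet is hard to parse ("the AVD ID or AVD IDs referenced that perform the Rego check for this compliance check") and both bullets defer to "more information below" without saying what that information covers. Suggest: "`checks.id` -- Required; one or more AVD IDs of the Rego checks that implement this control (see below)", and for `severity` name the allowed values or point at the section that lists them.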
### Populating the `control` section |
there's more to say about vulnerability checks and node checks
@chen-keinan I need your help here
@chen-keinan :) help
@AnaisUrlichs looks good, I have added a few comments
# Custom Compliance Checks | ||
Trivy supports several different compliance checks. The details on compliance scanning with Trivy are provided in the [compliance documentation](../../docs/compliance/compliance.md). | ||
All of the Compliance Checks currently available in Trivy can be found in the `trivy-policies/specs/compliance/` directory ([Link](https://github.com/aquasecurity/trivy-policies/tree/main/specs/compliance)). |
The `trivy-policies` repo on GitHub has been renamed to `trivy-checks`; the change should apply to all references in the doc.
Signed-off-by: AnaisUrlichs <urlichsanais@gmail.com>
@AnaisUrlichs all entries where `trivy-policies` appears should be replaced with `trivy-checks`.
``` | ||
- Again, the `id`, `name` and `description` are taken directly from the EKS CIS Benchmarks v1.4.0 | ||
- The `checks` is in this case `null` as the check is not currently present in the AVD and does not have a check in the [trivy policies](https://github.com/aquasecurity/trivy-policies/tree/main/checks) repository |
- The `checks` is in this case `null` as the check is not currently present in the AVD and does not have a check in the [trivy policies](https://github.com/aquasecurity/trivy-policies/tree/main/checks) repository | |
- The `checks` is in this case `null` as the check is not currently present in the AVD and does not have a check in the [trivy policies](https://github.com/aquasecurity/trivy-checks/tree/main/checks) repository |
Co-authored-by: chenk <hen.keinan@gmail.com>
Adding documentation to the contributing section on writing Compliance Checks