Trivy ignoring custom checks #6840

vmorkunas · 2024-06-03T10:52:54Z

vmorkunas
Jun 3, 2024

Description

I am trying to run a custom rego check for terraform plan which would just print tags and tags_all fields from json. When i run checks from opa cli it works as expected, but when I try to run it via trivy, then it seems it just gets ignored.

common policy with just few functions to read all resources from terrafom plan (lib.rego):

package common

import rego.v1

resources := {r |
	some path, value

	# Walk over the JSON tree and check if the node we are
	# currently on is a module (either root or child) resources
	# value.
	walk(input.planned_values, [path, value])

	# Look for resources in the current value based on path
	rs := module_resources(path, value)

	# Aggregate them into `resources`
	r := rs[_]
}

# Variant to match root_module resources
module_resources(path, value) := rs if {
	# Expect something like:
	#
	#     {
	#     	"root_module": {
	#         	"resources": [...],
	#             ...
	#         }
	#         ...
	#     }
	#
	# Where the path is [..., "root_module", "resources"]

	reverse_index(path, 1) == "resources"
	reverse_index(path, 2) == "root_module"
	rs := value
}

# Variant to match child_modules resources
module_resources(path, value) := rs if {
	# Expect something like:
	#
	#     {
	#     	...
	#         "child_modules": [
	#         	{
	#             	"resources": [...],
	#                 ...
	#             },
	#             ...
	#         ]
	#         ...
	#     }
	#
	# Where the path is [..., "child_modules", 0, "resources"]
	# Note that there will always be an index int between `child_modules`
	# and `resources`. We know that walk will only visit each one once,
	# so we shouldn't need to keep track of what the index is.

	reverse_index(path, 1) == "resources"
	reverse_index(path, 3) == "child_modules"
	rs := value
}

reverse_index(path, idx) := value if {
	value := path[count(path) - idx]
}

aws_tags.rego:

# METADATA
# title: Missing required tags
# description: Some required AWS tags are missing
# custom:
#   id: ID001
#   severity: HIGH
package user

import data.common

default allow = false

deny[msg] {
    resource := common.resources[_]
    tags := resource.values.tags
    tags_all := resource.values.tags_all
    msg := sprintf("Resource %s is missing the 'aaa' tag", [tags_all])
}

OPA CLI output:

opa exec --decision user/deny --bundle custom_checks tf.json              
{
  "result": [
    {
      "path": "tf.json",
      "result": [
        "Resource { \"Region\": \"EU-CENTRAL-1\", \"Repository\": \"INFRA-SETUP\"} is missing the 'aaa' tag",
        "Resource { \"Region\": \"EU-CENTRAL-1\", \"Repository\": \"INFRA-SETUP\"} is missing the 'aaa' tag",
        "Resource { \"Region\": \"EU-CENTRAL-1\", \"Repository\": \"INFRA-SETUP\"} is missing the 'aaa' tag",
      ]
    }
  ]
}

Desired Behavior

Should print all resources tags

Actual Behavior

Nothing happens

Reproduction Steps

1. trivy config --trace --debug --config-check custom_checks/aws_tags.rego --check-namespaces user tf.json

Target

Filesystem

Scanner

Misconfiguration

Output Format

JSON

Mode

Standalone

Debug Output

2024-06-03T13:44:34+03:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-06-03T13:44:34+03:00       DEBUG   Cache dir       dir="/Users/s/Library/Caches/trivy"
2024-06-03T13:44:34+03:00       INFO    Misconfiguration scanning is enabled
2024-06-03T13:44:34+03:00       DEBUG   Policies successfully loaded from disk
2024-06-03T13:44:34+03:00       DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-06-03T13:44:34+03:00       DEBUG   [nuget] The nuget packages directory couldn't be found. License search disabled
2024-06-03T13:44:34+03:00       DEBUG   Scanning files for misconfigurations... scanner="Terraform Plan JSON"
2024-06-03T13:44:34+03:00       DEBUG   [misconf] 44:34.483377000 tfplan.scanner                   Scanning file tf.json
2024-06-03T13:44:34+03:00       DEBUG   [misconf] 44:34.485149000 terraform.scanner                Scanning [&{%!s(*memoryfs.dir=&{{{0 0} 0 0 {{} 0} {{} 0}} {. 256 {13947513375603933384 302084626 0x1111ac740} 2147484096 <nil>} map[] map[main.tf:0x140020fd100]})}] at '.'...
2024-06-03T13:44:34+03:00       DEBUG   [misconf] 44:34.486729000 terraform.scanner.rego           Overriding filesystem for checks!
2024-06-03T13:44:34+03:00       DEBUG   [misconf] 44:34.487253000 terraform.scanner.rego           Loaded 3 embedded libraries.
2024-06-03T13:44:34+03:00       DEBUG   [misconf] 44:34.514281000 terraform.scanner.rego           Loaded 191 embedded policies.
2024-06-03T13:44:34+03:00       DEBUG   [misconf] 44:34.548399000 terraform.scanner.rego           Loaded 195 policies from disk.
2024-06-03T13:44:34+03:00       DEBUG   [misconf] 44:34.548649000 terraform.scanner.rego           Overriding filesystem for data!
2024-06-03T13:44:34+03:00       DEBUG   [misconf] 44:34.597802000 terraform.scanner.rego           Error occurred while parsing: Users/s/Library/Caches/trivy/policy/content/policies/docker/policies/update_instruction_alone.rego, Users/s/Library/Caches/trivy/policy/content/policies/docker/policies/update_instruction_alone.rego:48: rego_type_error: undefined function sh.parse_commands. Trying to fallback to embedded check.
2024-06-03T13:44:34+03:00       DEBUG   [misconf] 44:34.597941000 terraform.scanner.rego           Found embedded check: checks/docker/update_instruction_alone.rego
2024-06-03T13:44:34+03:00       DEBUG   [misconf] 44:34.597952000 terraform.scanner.rego           Error occurred while parsing: Users/s/Library/Caches/trivy/policy/content/policies/docker/policies/yum_clean_all_missing.rego, Users/s/Library/Caches/trivy/policy/content/policies/docker/policies/yum_clean_all_missing.rego:27: rego_type_error: undefined function sh.parse_commands. Trying to fallback to embedded check.
2024-06-03T13:44:34+03:00       DEBUG   [misconf] 44:34.598036000 terraform.scanner.rego           Found embedded check: checks/docker/yum_clean_all_missing.rego
2024-06-03T13:44:34+03:00       DEBUG   [misconf] 44:34.782961000 terraform.scanner.rego           WARNING: Module Users/s/trivy/custom_checks/aws_tags.rego has no input selectors - it will be loaded for all inputs!
2024-06-03T13:44:34+03:00       DEBUG   [misconf] 44:34.783751000 terraform.parser.<root>          Setting project/module root to '.'
2024-06-03T13:44:34+03:00       DEBUG   [misconf] 44:34.783761000 terraform.parser.<root>          Parsing FS from '.'
2024-06-03T13:44:34+03:00       DEBUG   [misconf] 44:34.783767000 terraform.parser.<root>          Parsing 'main.tf'...
2024-06-03T13:44:34+03:00       DEBUG   [misconf] 44:34.784951000 terraform.parser.<root>          Added file main.tf.
2024-06-03T13:44:34+03:00       DEBUG   [misconf] 44:34.785156000 terraform.scanner                Scanning root module '.'...
2024-06-03T13:44:34+03:00       DEBUG   [misconf] 44:34.785163000 terraform.parser.<root>          Setting project/module root to '.'
2024-06-03T13:44:34+03:00       DEBUG   [misconf] 44:34.785166000 terraform.parser.<root>          Parsing FS from '.'
2024-06-03T13:44:34+03:00       DEBUG   [misconf] 44:34.785169000 terraform.parser.<root>          Parsing 'main.tf'...
2024-06-03T13:44:34+03:00       DEBUG   [misconf] 44:34.786232000 terraform.parser.<root>          Added file main.tf.
2024-06-03T13:44:34+03:00       DEBUG   [misconf] 44:34.786236000 terraform.parser.<root>          Evaluating module...
2024-06-03T13:44:34+03:00       DEBUG   [misconf] 44:34.786399000 terraform.parser.<root>          Read 8 block(s) and 0 ignore(s) for module 'root' (1 file[s])...
2024-06-03T13:44:34+03:00       DEBUG   [misconf] 44:34.786409000 terraform.parser.<root>          Added 0 variables from tfvars.
2024-06-03T13:44:34+03:00       DEBUG   [misconf] 44:34.786413000 terraform.parser.<root>          Error loading module metadata: open .terraform/modules/modules.json: file does not exist.
2024-06-03T13:44:34+03:00       DEBUG   [misconf] 44:34.786452000 terraform.parser.<root>          Working directory for module evaluation is '/Users/s/trivy'
2024-06-03T13:44:34+03:00       DEBUG   [misconf] 44:34.786488000 terraform.parser.<root>.evaluator Filesystem key is '760a017628b43c62957dd27f45e0160610466f29f04a90f8afa5ac5c0326c68a'
2024-06-03T13:44:34+03:00       DEBUG   [misconf] 44:34.786492000 terraform.parser.<root>.evaluator Starting module evaluation...
2024-06-03T13:44:34+03:00       DEBUG   [misconf] 44:34.786709000 terraform.parser.<root>.evaluator Starting submodule evaluation...
2024-06-03T13:44:34+03:00       DEBUG   [misconf] 44:34.786715000 terraform.parser.<root>.evaluator All submodules are evaluated at i=0
2024-06-03T13:44:34+03:00       DEBUG   [misconf] 44:34.786718000 terraform.parser.<root>.evaluator Starting post-submodule evaluation...
2024-06-03T13:44:34+03:00       DEBUG   [misconf] 44:34.786945000 terraform.parser.<root>.evaluator Finished processing 0 submodule(s).
2024-06-03T13:44:34+03:00       DEBUG   [misconf] 44:34.786948000 terraform.parser.<root>.evaluator Module evaluation complete.
2024-06-03T13:44:34+03:00       DEBUG   [misconf] 44:34.786952000 terraform.parser.<root>          Finished parsing module 'root'.
2024-06-03T13:44:34+03:00       DEBUG   [misconf] 44:34.786956000 terraform.executor               Adapting modules...
2024-06-03T13:44:34+03:00       DEBUG   [misconf] 44:34.787034000 terraform.executor               Adapted 1 module(s) into defsec state data.
2024-06-03T13:44:34+03:00       DEBUG   [misconf] 44:34.787038000 terraform.executor               Using max routines of 9
2024-06-03T13:44:34+03:00       DEBUG   [misconf] 44:34.787088000 terraform.executor               Initialized 486 rule(s).
2024-06-03T13:44:34+03:00       DEBUG   [misconf] 44:34.787091000 terraform.executor               Created pool with 9 worker(s) to apply rules.
2024-06-03T13:44:34+03:00       DEBUG   [misconf] 44:34.787402000 terraform.scanner.rego           Scanning 1 inputs...
2024-06-03T13:44:34+03:00       DEBUG   [misconf] 44:34.789329000 terraform.executor               Finished applying rules.
2024-06-03T13:44:34+03:00       DEBUG   [misconf] 44:34.789343000 terraform.executor               Applying ignores...
2024-06-03T13:44:34+03:00       DEBUG   OS is not detected.
2024-06-03T13:44:34+03:00       INFO    Detected config files   num=2
2024-06-03T13:44:34+03:00       DEBUG   Scanned config file     path="."
2024-06-03T13:44:34+03:00       DEBUG   Scanned config file     path="main.tf"

main.tf (terraformplan)

Tests: 6 (SUCCESSES: 3, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Operating System

macos sonoma

Version

Version: 0.51.1

Checklist

Run trivy image --reset
Read the troubleshooting

nikpivkin · 2024-06-03T11:03:07Z

nikpivkin
Jun 3, 2024
Maintainer

Hi @vmorkunas !

Trivy transforms the raw data and passes a special structure to Rego. Here you can see its json schema.

2 replies

vmorkunas Jun 3, 2024
Author

So how I could select all resources and check their tags? There is no such resource as all in aws cloud schema

nikpivkin Jun 3, 2024
Maintainer

That's right.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Trivy ignoring custom checks #6840

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 1 comment 2 replies

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

Select a reply

Trivy ignoring custom checks #6840

vmorkunas Jun 3, 2024

Description

Desired Behavior

Actual Behavior

Reproduction Steps

Target

Scanner

Output Format

Mode

Debug Output

Operating System

Version

Checklist

Replies: 1 comment · 2 replies

nikpivkin Jun 3, 2024 Maintainer

vmorkunas Jun 3, 2024 Author

nikpivkin Jun 3, 2024 Maintainer

vmorkunas
Jun 3, 2024

Replies: 1 comment 2 replies

nikpivkin
Jun 3, 2024
Maintainer

vmorkunas Jun 3, 2024
Author

nikpivkin Jun 3, 2024
Maintainer