feat: Add AWS Cloud scanning (#2493)
* feat: Added AWS Cloud scanning

Co-authored-by: Owen Rumney <[email protected]>
liamg and Owen Rumney authored Aug 11, 2022
1 parent f8edda8 commit b259b25
Showing 32 changed files with 2,569 additions and 50 deletions.
3 changes: 3 additions & 0 deletions .github/CODEOWNERS
Expand Up @@ -7,8 +7,11 @@ helm/trivy/ @krol3
# Misconfiguration scanning
examples/misconf/ @owenrumney @liamg @knqyf263
docs/docs/misconfiguration @owenrumney @liamg @knqyf263
docs/docs/cloud @owenrumney @liamg @knqyf263
pkg/fanal/analyzer/config @owenrumney @liamg @knqyf263
pkg/fanal/handler/misconf @owenrumney @liamg @knqyf263
pkg/cloud @owenrumney @liamg @knqyf263
pkg/flag @owenrumney @liamg @knqyf263

# Kubernetes scanning
pkg/k8s/ @josedonizetti @chen-keinan @knqyf263
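Review bot: `pkg/flag` is placed under the "# Misconfiguration scanning" heading alongside `pkg/cloud`, but a package named `flag` presumably carries the CLI flags for every command, not only the new cloud ones; either give it its own heading (e.g. "# CLI flags") or note why only the misconfiguration maintainers should review it, so the rule reads as intended the next time someone edits this file.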
55 changes: 55 additions & 0 deletions docs/docs/cloud/aws/scanning.md
@@ -0,0 +1,55 @@
# Amazon Web Services

!!! warning "EXPERIMENTAL"
This feature might change without preserving backwards compatibility.

The Trivy AWS CLI allows you to scan your AWS account for misconfigurations. You can either run the CLI locally or integrate it into your CI/CD pipeline.

Whilst you can already scan the infrastructure-as-code that defines your AWS resources with `trivy config`, you can now scan your live AWS account(s) directly too.

The included checks cover all of the aspects of the [AWS CIS 1.2](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-cis.html) automated benchmarks.

Trivy uses the same [authentication methods](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) as the AWS CLI to configure and authenticate your access to the AWS platform.

You will need permissions configured to read all AWS resources - we recommend using a group/role with the `ReadOnlyAccess` and `SecurityAudit` policies attached.

Once you've scanned your account, you can run additional commands to filter the results without having to run the entire scan again - results are cached locally per AWS account/region.

## CLI Commands

Scan a full AWS account (all supported services):

```shell
trivy aws --region us-east-1
```

You can allow Trivy to determine the AWS region etc. by using the standard AWS configuration files and environment variables. The `--region` flag overrides these.

![AWS Summary Report](../../../imgs/trivy-aws.png)

The summary view is the default when scanning multiple services.

Scan a specific service:

```shell
trivy aws --service s3
```

Scan multiple services:

```shell
# --service s3,ec2 works too
trivy aws --service s3 --service ec2
```

Show results for a specific AWS resource:

```shell
trivy aws --service s3 --arn arn:aws:s3:::example-bucket
```

All ARNs with detected issues will be displayed when showing results for their associated service.

## Cached Results

By default, Trivy will cache results for each service for 24 hours. This means you can filter and view results for a service without having to wait for the scan to run again. If you want to force the cache to be refreshed with the latest data, you can use `--update-cache`. Or if you'd like to use cached data for a different timeframe, you can specify `--max-cache-age` (e.g. `--max-cache-age 2h`.)
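Review bot: the "Cached Results" section says results are cached locally per AWS account/region but never says where on disk; because that cache is a snapshot of a live account's resources, the page should point at the cache location (the `cache-dir` setting documented in the config-file reference changed in this same commit) so operators can restrict permissions on it and clear it when an account is rotated. Minor punctuation in the last sentence: `(e.g. `--max-cache-age 2h`.)` puts the period inside the parenthesis; it should read `(e.g. `--max-cache-age 2h`).`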
48 changes: 36 additions & 12 deletions docs/docs/references/customization/config-file.md
Expand Up @@ -6,7 +6,7 @@ An example is [here][example].

## Global Options

```
```yaml
# Same as '--quiet'
# Default is false
quiet: false
Expand All @@ -30,7 +30,7 @@ cache-dir: $HOME/.cache/trivy
## Report Options
```
```yaml
# Same as '--format'
# Default is 'table'
format: table
Expand Down Expand Up @@ -80,7 +80,7 @@ severity:
## Scan Options
Available in client/server mode
```
```yaml
scan:
# Same as '--skip-dirs'
# Default is empty
Expand All @@ -107,7 +107,7 @@ scan:
## Cache Options
```
```yaml
cache:
# Same as '--cache-backend'
# Default is 'fs'
Expand All @@ -134,7 +134,7 @@ cache:
## DB Options
```
```yaml
db:
# Same as '--skip-db-update'
# Default is false
Expand All @@ -152,7 +152,7 @@ db:
## Image Options
Available with container image scanning
```
```yaml
image:
# Same as '--input' (available with 'trivy image')
# Default is empty
Expand All @@ -166,7 +166,7 @@ image:
## Vulnerability Options
Available with vulnerability scanning
```
```yaml
vulnerability:
# Same as '--vuln-type'
# Default is 'os,library'
Expand All @@ -182,7 +182,7 @@ vulnerability:
## Secret Options
Available with secret scanning
```
```yaml
secret:
# Same as '--secret-config'
# Default is 'trivy-secret.yaml'
Expand All @@ -193,7 +193,7 @@ secret:
## Misconfiguration Options
Available with misconfiguration scanning
```
```yaml
misconfiguration:
# Same as '--file-patterns'
# Default is empty
Expand Down Expand Up @@ -256,7 +256,7 @@ misconfiguration:
## Kubernetes Options
Available with Kubernetes scanning
```
```yaml
kubernetes:
# Same as '--context'
# Default is empty
Expand All @@ -270,7 +270,7 @@ kubernetes:
## Repository Options
Available with git repository scanning (`trivy repo`)

```
```yaml
repository:
# Same as '--branch'
# Default is empty
Expand All @@ -288,7 +288,7 @@ repository:
## Client/Server Options
Available in client/server mode

```
```yaml
server:
# Same as '--server' (available in client mode)
# Default is empty
Expand All @@ -313,4 +313,28 @@ server:
listen: 0.0.0.0:10000
```

## Cloud Options

Available for cloud scanning (currently only `trivy aws`)

```yaml
cloud:
# whether to force a cache update for every scan
update-cache: false
# how old cached results can be before being invalidated
max-cache-age: 24h
# aws-specific cloud settings
aws:
# the aws region to use
region: us-east-1
# the aws endpoint to use (not required for general use)
endpoint: https://my.custom.aws.endpoint
# the aws account to use (this will be determined from your environment when not set)
account: 123456789012
```

[example]: https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/examples/trivy-conf/trivy.yaml
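Review bot: in the new `cloud:` block, `account: 123456789012` is an unquoted scalar, so a YAML parser reads it as an integer; AWS account IDs can begin with a zero, and an unquoted `012345678901` would lose the leading digit (or be read as octal), so document the value as a quoted string, e.g. `account: "123456789012"`. The comments in this block ("# whether to force a cache update for every scan") also break the `# Same as '--update-cache'` / `# Default is false` convention every other section of this file uses; matching it keeps the flag-to-key mapping discoverable.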
Binary file added docs/imgs/trivy-aws.png
73 changes: 62 additions & 11 deletions go.mod
Expand Up @@ -17,6 +17,9 @@ require (
github.com/aquasecurity/testdocker v0.0.0-20210911155206-e1e85f5a1516
github.com/aquasecurity/trivy-db v0.0.0-20220627104749-930461748b63
github.com/aquasecurity/trivy-kubernetes v0.3.1-0.20220727123250-2cfd49c5b6c3
github.com/aws/aws-sdk-go-v2 v1.16.8
github.com/aws/aws-sdk-go-v2/config v1.15.15
github.com/aws/aws-sdk-go-v2/service/sts v1.16.10
github.com/caarlos0/env/v6 v6.9.3
github.com/cenkalti/backoff v2.2.1+incompatible
github.com/cheggaaa/pb/v3 v3.1.0
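Review bot: this hunk adds `aws-sdk-go-v2` (plus its `config` and `sts` modules) as direct dependencies while `github.com/aws/aws-sdk-go v1.44.66` stays a direct dependency further down in this file; shipping both SDK generations in one binary doubles the AWS client surface that has to be tracked for advisories and SBOM purposes, so either note in the PR why v1 is still required or plan its removal.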
Expand All @@ -38,6 +41,7 @@ require (
github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d
github.com/knqyf263/go-rpm-version v0.0.0-20220614171824-631e686d1075
github.com/kylelemons/godebug v1.1.0
github.com/liamg/loading v0.0.4
github.com/liamg/memoryfs v1.4.2
github.com/liamg/tml v0.6.0
github.com/mailru/easyjson v0.7.7
Expand Down Expand Up @@ -67,8 +71,58 @@ require (
)

require (
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.3 // indirect
github.com/aws/aws-sdk-go-v2/credentials v1.12.10 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.9 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.15 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.9 // indirect
github.com/aws/aws-sdk-go-v2/internal/ini v1.3.16 // indirect
github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.6 // indirect
github.com/aws/aws-sdk-go-v2/service/apigateway v1.15.11 // indirect
github.com/aws/aws-sdk-go-v2/service/apigatewayv2 v1.12.9 // indirect
github.com/aws/aws-sdk-go-v2/service/athena v1.18.1 // indirect
github.com/aws/aws-sdk-go-v2/service/cloudfront v1.18.5 // indirect
github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.16.5 // indirect
github.com/aws/aws-sdk-go-v2/service/cloudwatch v1.19.1 // indirect
github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.15.11 // indirect
github.com/aws/aws-sdk-go-v2/service/codebuild v1.19.9 // indirect
github.com/aws/aws-sdk-go-v2/service/docdb v1.19.1 // indirect
github.com/aws/aws-sdk-go-v2/service/dynamodb v1.15.10 // indirect
github.com/aws/aws-sdk-go-v2/service/ec2 v1.51.1 // indirect
github.com/aws/aws-sdk-go-v2/service/ecr v1.17.9 // indirect
github.com/aws/aws-sdk-go-v2/service/ecs v1.18.12 // indirect
github.com/aws/aws-sdk-go-v2/service/efs v1.17.7 // indirect
github.com/aws/aws-sdk-go-v2/service/eks v1.21.5 // indirect
github.com/aws/aws-sdk-go-v2/service/elasticache v1.22.1 // indirect
github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.18.9 // indirect
github.com/aws/aws-sdk-go-v2/service/elasticsearchservice v1.16.1 // indirect
github.com/aws/aws-sdk-go-v2/service/emr v1.20.2 // indirect
github.com/aws/aws-sdk-go-v2/service/iam v1.18.10 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.3 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.10 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.7.9 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.9 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.13.9 // indirect
github.com/aws/aws-sdk-go-v2/service/kafka v1.17.10 // indirect
github.com/aws/aws-sdk-go-v2/service/kinesis v1.15.10 // indirect
github.com/aws/aws-sdk-go-v2/service/kms v1.18.1 // indirect
github.com/aws/aws-sdk-go-v2/service/lambda v1.23.5 // indirect
github.com/aws/aws-sdk-go-v2/service/mq v1.13.5 // indirect
github.com/aws/aws-sdk-go-v2/service/neptune v1.17.3 // indirect
github.com/aws/aws-sdk-go-v2/service/rds v1.23.2 // indirect
github.com/aws/aws-sdk-go-v2/service/redshift v1.26.1 // indirect
github.com/aws/aws-sdk-go-v2/service/s3 v1.27.2 // indirect
github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.15.14 // indirect
github.com/aws/aws-sdk-go-v2/service/sns v1.17.10 // indirect
github.com/aws/aws-sdk-go-v2/service/sqs v1.19.1 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.11.13 // indirect
github.com/aws/aws-sdk-go-v2/service/workspaces v1.22.0 // indirect
github.com/aws/smithy-go v1.12.0 // indirect
github.com/emicklei/go-restful/v3 v3.8.0 // indirect
github.com/hashicorp/hcl v1.0.0 // indirect
github.com/russross/blackfriday/v2 v2.1.0 // indirect
github.com/shibumi/go-pathspec v1.3.0 // indirect
gonum.org/v1/gonum v0.7.0 // indirect
)

require (
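Review bot: this new `require (` block contains entries that already exist in the indirect block below and are deleted from there in the same commit (`github.com/hashicorp/hcl v1.0.0`, `github.com/russross/blackfriday/v2 v2.1.0`, `gonum.org/v1/gonum v0.7.0`), leaving go.mod with three separate require blocks; running `go mod tidy` after the change should consolidate them so the dependency set can be reviewed in one place. The roughly forty `aws-sdk-go-v2/service/*` modules all arrive as `// indirect`, which indicates they are pulled in through the `defsec` bump from v0.70.0 to v0.71.5 in this diff rather than imported here directly; worth stating in the description, since it is what actually fixes the resolved versions of the AWS service clients.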
Expand All @@ -92,7 +146,7 @@ require (
github.com/Masterminds/goutils v1.1.1 // indirect
github.com/Masterminds/semver v1.5.0 // indirect
github.com/Masterminds/semver/v3 v3.1.1 // indirect
github.com/Masterminds/squirrel v1.5.2 // indirect
github.com/Masterminds/squirrel v1.5.3 // indirect
github.com/Microsoft/go-winio v0.5.2 // indirect
github.com/Microsoft/hcsshim v0.9.3 // indirect
github.com/OneOfOne/xxhash v1.2.8 // indirect
Expand All @@ -107,7 +161,7 @@ require (
github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a // indirect
github.com/apparentlymart/go-cidr v1.1.0 // indirect
github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
github.com/aquasecurity/defsec v0.70.0
github.com/aquasecurity/defsec v0.71.5
github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535 // indirect
github.com/aws/aws-sdk-go v1.44.66
github.com/beorn7/perks v1.0.1 // indirect
Expand Down Expand Up @@ -173,7 +227,6 @@ require (
github.com/hashicorp/go-safetemp v1.0.0 // indirect
github.com/hashicorp/go-uuid v1.0.3 // indirect
github.com/hashicorp/go-version v1.4.0 // indirect
github.com/hashicorp/hcl v1.0.0 // indirect
github.com/hashicorp/hcl/v2 v2.13.0 // indirect
github.com/hhatto/gorst v0.0.0-20181029133204-ca9f730cac5b // indirect
github.com/huandu/xstrings v1.3.2 // indirect
Expand All @@ -182,7 +235,7 @@ require (
github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
github.com/jdkato/prose v1.1.0 // indirect
github.com/jmespath/go-jmespath v0.4.0 // indirect
github.com/jmoiron/sqlx v1.3.4 // indirect
github.com/jmoiron/sqlx v1.3.5 // indirect
github.com/josharian/intern v1.0.0 // indirect
github.com/json-iterator/go v1.1.12 // indirect
github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
Expand All @@ -194,7 +247,7 @@ require (
github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
github.com/liamg/iamgo v0.0.9 // indirect
github.com/liamg/jfather v0.0.7 // indirect
github.com/lib/pq v1.10.4 // indirect
github.com/lib/pq v1.10.6 // indirect
github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
github.com/magiconair/properties v1.8.6 // indirect
github.com/mattn/go-colorable v0.1.12 // indirect
Expand Down Expand Up @@ -241,7 +294,6 @@ require (
github.com/rivo/uniseg v0.2.0 // indirect
github.com/rubenv/sql-migrate v1.1.1 // indirect
github.com/russross/blackfriday v1.6.0 // indirect
github.com/russross/blackfriday/v2 v2.1.0 // indirect
github.com/saracen/walker v0.0.0-20191201085201-324a081bae7e
github.com/sergi/go-diff v1.1.0 // indirect
github.com/shogo82148/go-shuffle v0.0.0-20170808115208-59829097ff3b // indirect
Expand Down Expand Up @@ -274,11 +326,10 @@ require (
golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5 // indirect
golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f
golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 // indirect
golang.org/x/term v0.0.0-20220526004731-065cf7ba2467 // indirect
golang.org/x/term v0.0.0-20220526004731-065cf7ba2467
golang.org/x/text v0.3.7
golang.org/x/time v0.0.0-20220609170525-579cf78fd858 // indirect
golang.org/x/tools v0.1.10-0.20220218145154-897bd77cd717 // indirect
gonum.org/v1/gonum v0.7.0 // indirect
google.golang.org/api v0.81.0 // indirect
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/genproto v0.0.0-20220624142145-8cd45d7dbd1f // indirect
Expand All @@ -292,11 +343,11 @@ require (
gopkg.in/yaml.v2 v2.4.0 // indirect
gotest.tools v2.2.0+incompatible
gotest.tools/v3 v3.2.0 // indirect
helm.sh/helm/v3 v3.9.0 // indirect
helm.sh/helm/v3 v3.9.2 // indirect
k8s.io/api v0.25.0-alpha.2 // indirect
k8s.io/apiextensions-apiserver v0.24.0 // indirect
k8s.io/apiextensions-apiserver v0.24.2 // indirect
k8s.io/apimachinery v0.25.0-alpha.2 // indirect
k8s.io/apiserver v0.24.1 // indirect
k8s.io/apiserver v0.24.2 // indirect
k8s.io/cli-runtime v0.24.3 // indirect
k8s.io/client-go v0.25.0-alpha.2 // indirect
k8s.io/component-base v0.24.3 // indirect