diff --git a/avd_docs/kubernetes/general/AVD-KSV-0004/docs.md b/avd_docs/kubernetes/general/AVD-KSV-0004/docs.md
new file mode 100644
index 00000000..445bd794
--- /dev/null
+++ b/avd_docs/kubernetes/general/AVD-KSV-0004/docs.md
@@ -0,0 +1,13 @@
+
+Security best practices require containers to run with minimal required capabilities.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/
+
+
diff --git a/avd_docs/kubernetes/general/AVD-KSV-0034/docs.md b/avd_docs/kubernetes/general/AVD-KSV-0034/docs.md
new file mode 100644
index 00000000..65dfcb33
--- /dev/null
+++ b/avd_docs/kubernetes/general/AVD-KSV-0034/docs.md
@@ -0,0 +1,10 @@
+
+Container images must not start with an empty prefix or a defined public registry domain.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+
diff --git a/avd_docs/kubernetes/general/AVD-KSV-0040/docs.md b/avd_docs/kubernetes/general/AVD-KSV-0040/docs.md
new file mode 100644
index 00000000..ab892640
--- /dev/null
+++ b/avd_docs/kubernetes/general/AVD-KSV-0040/docs.md
@@ -0,0 +1,13 @@
+
+ensure resource quota policy has configure in order to limit aggregate resource usage within namespace
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://kubernetes.io/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/
+
+
diff --git a/cmd/avd_generator/main.go b/cmd/avd_generator/main.go
index a4d808d7..f0d7c1c7 100644
--- a/cmd/avd_generator/main.go
+++ b/cmd/avd_generator/main.go
@@ -12,7 +12,7 @@ import (
 "text/template"
 "github.com/aquasecurity/defsec/pkg/framework"
- "github.com/aquasecurity/trivy-policies/rules"
+ policies "github.com/aquasecurity/trivy-policies"
 _ "github.com/aquasecurity/trivy-iac/pkg/rego"
 registered "github.com/aquasecurity/trivy-iac/pkg/rules"
@@ -120,7 +120,7 @@ func fail(msg string, args ...interface{}) {
 func readFileFromPolicyFS(path string) (io.Reader, error) {
 path = strings.TrimPrefix(path, "rules/")
- return rules.EmbeddedPolicyFileSystem.Open(path)
+ return policies.EmbeddedPolicyFileSystem.Open(path)
 }
diff --git a/go.mod b/go.mod
index e42852a0..8dd00276 100644
--- a/go.mod
+++ b/go.mod
@@ -7,7 +7,7 @@ require (
 github.com/Masterminds/semver v1.5.0
 github.com/apparentlymart/go-cidr v1.1.0
 github.com/aquasecurity/defsec v0.93.2-0.20231208181342-318642ac6f08
- github.com/aquasecurity/trivy-policies v0.6.1-0.20231120231532-f6f2330bf842
+ github.com/aquasecurity/trivy-policies v0.7.1-0.20231207002917-be424204ba52
 github.com/aws/smithy-go v1.19.0
 github.com/bmatcuk/doublestar/v4 v4.6.0
 github.com/google/uuid v1.4.0
@@ -27,7 +27,7 @@ require (
 github.com/zclconf/go-cty v1.13.0
 github.com/zclconf/go-cty-yaml v1.0.3
 golang.org/x/crypto v0.16.0
- golang.org/x/exp v0.0.0-20230510235704-dd950f8aeaea
+ golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1
 golang.org/x/text v0.14.0
 gopkg.in/yaml.v3 v3.0.1
 helm.sh/helm/v3 v3.13.3
@@ -122,7 +122,7 @@ require (
 github.com/josharian/intern v1.0.0 // indirect
 github.com/json-iterator/go v1.1.12 // indirect
 github.com/kevinburke/ssh_config v1.2.0 // indirect
- github.com/klauspost/compress v1.16.0 // indirect
+ github.com/klauspost/compress v1.16.6 // indirect
 github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
 github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
 github.com/lib/pq v1.10.9 // indirect
@@ -159,7 +159,7 @@ require (
 github.com/rivo/uniseg v0.2.0 // indirect
 github.com/rubenv/sql-migrate v1.5.2 // indirect
 github.com/russross/blackfriday/v2 v2.1.0 // indirect
- github.com/sergi/go-diff v1.1.0 // indirect
+ github.com/sergi/go-diff v1.2.0 // indirect
 github.com/shopspring/decimal v1.3.1 // indirect
 github.com/sirupsen/logrus v1.9.3 // indirect
 github.com/skeema/knownhosts v1.2.1 // indirect
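Review bot: `path = strings.TrimPrefix(path, "rules/")` in readFileFromPolicyFS looks stale after this hunk: the embedded filesystem is now taken from the trivy-policies module root instead of its `rules` subpackage, and the other hunks in this commit move the tree to `checks/...` (the `"checks/cloud"` walk root in test/rego_test.go, the dropped `policies/` prefix in pkg/rego/embed.go), so paths handed to this helper presumably no longer carry a `rules/` prefix and the strip becomes a silent no-op, while any caller still passing the old prefix would now open a path that does not exist. Worth confirming what the generator's callers actually pass and either dropping the trim or mapping the legacy prefix onto the new layout; in either case a one-line comment such as `// callers pass paths relative to the trivy-policies module root; strip any legacy "rules/" prefix` would record the contract. The returned `fs.File` is also narrowed to `io.Reader`, which hides its `Close`; harmless for an embedded FS, but a short note saying so would stop the next reader from wondering.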
@@ -179,7 +179,7 @@ require (
 go.opentelemetry.io/otel/sdk v1.19.0 // indirect
 go.opentelemetry.io/otel/trace v1.19.0 // indirect
 go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect
- golang.org/x/mod v0.12.0 // indirect
+ golang.org/x/mod v0.13.0 // indirect
 golang.org/x/net v0.19.0 // indirect
 golang.org/x/oauth2 v0.11.0 // indirect
 golang.org/x/sync v0.4.0 // indirect
diff --git a/go.sum b/go.sum
index ee36a843..25a47a09 100644
--- a/go.sum
+++ b/go.sum
@@ -238,8 +238,8 @@ github.com/apparentlymart/go-textseg/v15 v15.0.0 h1:uYvfpb3DyLSCGWnctWKGj857c6ew
 github.com/apparentlymart/go-textseg/v15 v15.0.0/go.mod h1:K8XmNZdhEBkdlyDdvbmmsvpAG721bKi0joRfFdHIWJ4=
 github.com/aquasecurity/defsec v0.93.2-0.20231208181342-318642ac6f08 h1:mjQvKTiKYXWGxHU5pw37q1n6deky0KcJq5JJwtuVrF4=
 github.com/aquasecurity/defsec v0.93.2-0.20231208181342-318642ac6f08/go.mod h1:NBF6hvbQSc4s/WCHdKV5sNNxLl258M2OiIFoUfgEn/k=
-github.com/aquasecurity/trivy-policies v0.6.1-0.20231120231532-f6f2330bf842 h1:RnxM3eTcwPlA/WBwnmaEpeEk3WOCDcnz7yTIFxVL7us=
-github.com/aquasecurity/trivy-policies v0.6.1-0.20231120231532-f6f2330bf842/go.mod h1:BmEeSFgmBjo3avCli71736sy0veGcSUzGATupp1MCgA=
+github.com/aquasecurity/trivy-policies v0.7.1-0.20231207002917-be424204ba52 h1:aOSSJeEtLqJHxcCvKtni0bEr6Cliaf1GFw+CRO4UKEw=
+github.com/aquasecurity/trivy-policies v0.7.1-0.20231207002917-be424204ba52/go.mod h1:qiERvJlaS1O6aSZ9Z5VqTDFuwAODiP8yoefviP3+Etw=
 github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q=
 github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
@@ -578,8 +578,8 @@ github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.15.11/go.mod h1:QPwzmACJjUTFsnSHH934V6woptycfrDDJnH7hvFVbGM=
-github.com/klauspost/compress v1.16.0 h1:iULayQNOReoYUe+1qtKOqw9CwJv3aNQu8ivo7lw1HU4=
-github.com/klauspost/compress v1.16.0/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
+github.com/klauspost/compress v1.16.6 h1:91SKEy4K37vkp255cJ8QesJhjyRO0hn9i9G0GoUwLsk=
+github.com/klauspost/compress v1.16.6/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
@@ -720,8 +720,8 @@ github.com/rubenv/sql-migrate v1.5.2 h1:bMDqOnrJVV/6JQgQ/MxOpU+AdO8uzYYA/TxFUBzF
 github.com/rubenv/sql-migrate v1.5.2/go.mod h1:H38GW8Vqf8F0Su5XignRyaRcbXbJunSWxs+kmzlg0Is=
 github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0=
-github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
+github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ=
+github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
 github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
 github.com/shopspring/decimal v1.3.1 h1:2Usl1nmF/WZucqkFZhnfFYxxxu8LG21F6nPQBE5gKV8=
 github.com/shopspring/decimal v1.3.1/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
@@ -833,8 +833,8 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0
 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
-golang.org/x/exp v0.0.0-20230510235704-dd950f8aeaea h1:vLCWI/yYrdEHyN2JzIzPO3aaQJHQdp89IZBA/+azVC4=
-golang.org/x/exp v0.0.0-20230510235704-dd950f8aeaea/go.mod h1:V1LtkGg67GoY2N1AnLN78QLrzxkLyJw7RJb1gzOOz9w=
+golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1 h1:k/i9J1pBpvlfR+9QsetwPyERsqu1GIbi967PQMq3Ivc=
+golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1/go.mod h1:V1LtkGg67GoY2N1AnLN78QLrzxkLyJw7RJb1gzOOz9w=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@@ -862,8 +862,8 @@ golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc=
-golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.13.0 h1:I/DsJXRlw/8l/0c24sM9yb0T4z9liZTduXvdAWYiysY=
+golang.org/x/mod v0.13.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
diff --git a/internal/rules/register.go b/internal/rules/register.go
index 4a60ab29..f6ef02fe 100755
--- a/internal/rules/register.go
+++ b/internal/rules/register.go
@@ -8,7 +8,7 @@ import (
 "github.com/aquasecurity/defsec/pkg/framework"
 "github.com/aquasecurity/defsec/pkg/scan"
 dftypes "github.com/aquasecurity/defsec/pkg/types"
- "github.com/aquasecurity/trivy-policies/rules/specs"
+ "github.com/aquasecurity/trivy-policies/specs"
 "github.com/aquasecurity/trivy-iac/pkg/types"
 )
diff --git a/pkg/rego/embed.go b/pkg/rego/embed.go
index 8de856a3..ac497e8b 100644
--- a/pkg/rego/embed.go
+++ b/pkg/rego/embed.go
@@ -7,7 +7,7 @@ import (
 "strings"
 "github.com/aquasecurity/trivy-iac/pkg/rules"
- rules2 "github.com/aquasecurity/trivy-policies/rules"
+ policies "github.com/aquasecurity/trivy-policies"
 "github.com/open-policy-agent/opa/ast"
 )
@@ -61,11 +61,11 @@ func RegisterRegoRules(modules map[string]*ast.Module) {
 }
 func LoadEmbeddedPolicies() (map[string]*ast.Module, error) {
- return LoadPoliciesFromDirs(rules2.EmbeddedPolicyFileSystem, ".")
+ return LoadPoliciesFromDirs(policies.EmbeddedPolicyFileSystem, ".")
 }
 func LoadEmbeddedLibraries() (map[string]*ast.Module, error) {
- return LoadPoliciesFromDirs(rules2.EmbeddedLibraryFileSystem, ".")
+ return LoadPoliciesFromDirs(policies.EmbeddedLibraryFileSystem, ".")
 }
 func LoadPoliciesFromDirs(target fs.FS, paths ...string) (map[string]*ast.Module, error) {
@@ -79,7 +79,7 @@ func LoadPoliciesFromDirs(target fs.FS, paths ...string) (map[string]*ast.Module
 return nil
 }
- if strings.HasSuffix(filepath.Dir(filepath.ToSlash(path)), "policies/advanced/optional") {
+ if strings.HasSuffix(filepath.Dir(filepath.ToSlash(path)), "advanced/optional") {
 return fs.SkipDir
 }
diff --git a/pkg/rego/embed_test.go b/pkg/rego/embed_test.go
index 1465e73f..f5ce5ad2 100644
--- a/pkg/rego/embed_test.go
+++ b/pkg/rego/embed_test.go
@@ -4,7 +4,7 @@ import (
 "testing"
 "github.com/aquasecurity/trivy-iac/pkg/rules"
- rules2 "github.com/aquasecurity/trivy-policies/rules"
+ policies "github.com/aquasecurity/trivy-policies"
 "github.com/open-policy-agent/opa/ast"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
@@ -102,7 +102,7 @@ deny[res]{
 for _, tc := range testCases {
 t.Run(tc.name, func(t *testing.T) {
- policies, err := LoadPoliciesFromDirs(rules2.EmbeddedLibraryFileSystem, ".")
+ policies, err := LoadPoliciesFromDirs(policies.EmbeddedLibraryFileSystem, ".")
 require.NoError(t, err)
 newRule, err := ast.ParseModuleWithOpts("/rules/newrule.rego", tc.inputPolicy, ast.ParserOptions{
 ProcessAnnotation: true,
diff --git a/pkg/rules/rules.go b/pkg/rules/rules.go
index 3ea9a161..1cbd54b8 100644
--- a/pkg/rules/rules.go
+++ b/pkg/rules/rules.go
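Review bot: Loosening the skip test in LoadPoliciesFromDirs to `strings.HasSuffix(filepath.Dir(filepath.ToSlash(path)), "advanced/optional")` matches any directory under `target` whose path ends that way, not just the one that moved, and a match silently prunes the whole subtree from the loaded policy set with nothing logged — an unintended exclusion would go unnoticed. Since the walk roots are known, an exact comparison against the intended directory is safer, e.g. `if filepath.ToSlash(filepath.Dir(path)) == optionalDir { return fs.SkipDir }` with `optionalDir` holding the real relative path of that directory (placeholder; take it from the new trivy-policies layout). `fs.FS` paths are always slash-separated, so `path.Dir` from the `path` package would also express the intent more directly than `filepath.Dir(filepath.ToSlash(...))`, though that part predates this commit. LoadPoliciesFromDirs begins and ends outside this hunk.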
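Review bot: `policies, err := LoadPoliciesFromDirs(policies.EmbeddedLibraryFileSystem, ".")` in pkg/rego/embed_test.go declares a local `policies` that shadows the `policies` package alias this commit introduces in the same file; it compiles only because the right-hand side is evaluated before the new variable enters scope, and from that line on any reference to the package inside the `t.Run` closure resolves to the map instead, which shadow linters will flag. Renaming the local avoids the ambiguity, e.g. `libs, err := LoadPoliciesFromDirs(policies.EmbeddedLibraryFileSystem, ".")`, with its later uses updated accordingly (they fall outside this hunk). The enclosing test function starts and ends outside the hunk.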
@@ -1,78 +1,78 @@
 package rules
 import (
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/accessanalyzer"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/apigateway"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/athena"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/cloudfront"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/cloudtrail"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/cloudwatch"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/codebuild"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/config"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/documentdb"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/dynamodb"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/ec2"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/ecr"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/ecs"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/efs"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/eks"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/elasticache"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/elasticsearch"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/elb"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/emr"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/iam"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/kinesis"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/kms"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/lambda"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/mq"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/msk"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/neptune"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/rds"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/redshift"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/s3"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/sam"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/sns"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/sqs"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/ssm"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/workspaces"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/azure/appservice"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/azure/authorization"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/azure/compute"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/azure/container"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/azure/database"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/azure/datafactory"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/azure/datalake"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/azure/keyvault"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/azure/monitor"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/azure/network"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/azure/securitycenter"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/azure/storage"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/azure/synapse"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/cloudstack/compute"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/digitalocean/compute"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/digitalocean/spaces"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/github/actions"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/github/branch_protections"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/github/repositories"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/google/bigquery"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/google/compute"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/google/dns"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/google/gke"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/google/iam"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/google/kms"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/google/sql"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/google/storage"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/nifcloud/computing"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/nifcloud/dns"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/nifcloud/nas"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/nifcloud/network"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/nifcloud/rdb"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/nifcloud/sslcertificate"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/openstack/compute"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/openstack/networking"
+ _ "github.com/aquasecurity/trivy-policies/checks/cloud/oracle/compute"
+ _ "github.com/aquasecurity/trivy-policies/checks/kubernetes/network"
 trules "github.com/aquasecurity/trivy-policies/pkg/rules"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/aws/accessanalyzer"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/aws/apigateway"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/aws/athena"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/aws/cloudfront"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/aws/cloudtrail"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/aws/cloudwatch"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/aws/codebuild"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/aws/config"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/aws/documentdb"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/aws/dynamodb"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/aws/ec2"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/aws/ecr"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/aws/ecs"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/aws/efs"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/aws/eks"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/aws/elasticache"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/aws/elasticsearch"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/aws/elb"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/aws/emr"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/aws/iam"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/aws/kinesis"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/aws/kms"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/aws/lambda"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/aws/mq"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/aws/msk"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/aws/neptune"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/aws/rds"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/aws/redshift"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/aws/s3"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/aws/sam"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/aws/sns"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/aws/sqs"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/aws/ssm"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/aws/workspaces"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/azure/appservice"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/azure/authorization"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/azure/compute"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/azure/container"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/azure/database"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/azure/datafactory"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/azure/datalake"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/azure/keyvault"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/azure/monitor"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/azure/network"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/azure/securitycenter"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/azure/storage"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/azure/synapse"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/cloudstack/compute"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/digitalocean/compute"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/digitalocean/spaces"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/github/actions"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/github/branch_protections"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/github/repositories"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/google/bigquery"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/google/compute"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/google/dns"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/google/gke"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/google/iam"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/google/kms"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/google/sql"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/google/storage"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/nifcloud/computing"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/nifcloud/dns"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/nifcloud/nas"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/nifcloud/network"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/nifcloud/rdb"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/nifcloud/sslcertificate"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/openstack/compute"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/openstack/networking"
- _ "github.com/aquasecurity/trivy-policies/rules/cloud/policies/oracle/compute"
- _ "github.com/aquasecurity/trivy-policies/rules/kubernetes/network"
 )
 func init() {
diff --git a/test/module_test.go b/test/module_test.go
index ffe4141d..12730cb8 100644
--- a/test/module_test.go
+++ b/test/module_test.go
@@ -16,7 +16,7 @@ import (
 "github.com/aquasecurity/trivy-iac/pkg/scanners/terraform/executor"
 "github.com/aquasecurity/trivy-iac/pkg/scanners/terraform/parser"
 "github.com/aquasecurity/trivy-iac/test/testutil"
- "github.com/aquasecurity/trivy-policies/rules/cloud/policies/aws/iam"
+ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/iam"
 "github.com/stretchr/testify/require"
 )
diff --git a/test/rego_test.go b/test/rego_test.go
index 4676d99c..d13f9ca9 100644
--- a/test/rego_test.go
+++ b/test/rego_test.go
@@ -16,10 +16,10 @@ import (
 trivyRego "github.com/aquasecurity/trivy-iac/pkg/rego"
 "github.com/aquasecurity/trivy-iac/pkg/rego/schemas"
- "github.com/aquasecurity/trivy-policies/rules"
+ policies "github.com/aquasecurity/trivy-policies"
 )
-var embeddedFilesystems = []fs.FS{rules.EmbeddedLibraryFileSystem, rules.EmbeddedPolicyFileSystem}
+var embeddedFilesystems = []fs.FS{policies.EmbeddedLibraryFileSystem, policies.EmbeddedPolicyFileSystem}
 type walkDirFunc func(fs.FS) fs.WalkDirFunc
@@ -65,7 +65,7 @@ func Test_AllRegoCloudRulesMatchSchema(t *testing.T) {
 }
 }
- require.NoError(t, walkOverFilesystems("cloud", walkDirFunc, rules.EmbeddedPolicyFileSystem))
+ require.NoError(t, walkOverFilesystems("checks/cloud", walkDirFunc, policies.EmbeddedPolicyFileSystem))
 var schema interface{}
 require.NoError(t, json.Unmarshal([]byte(schemas.Cloud), &schema))