feat: support for custom schemas

Signed-off-by: nikpivkin <[email protected]>

pkg/commands/artifact/run.go

@@ -4,7 +4,10 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"io/fs"
+	"path/filepath"
 	"slices"
+	"strings"
 
 	"github.com/hashicorp/go-multierror"
 	"github.com/samber/lo"
@@ -501,43 +504,13 @@ func (r *runner) initScannerConfig(opts flag.Options) (ScannerConfig, types.Scan
 		log.WithPrefix(log.PrefixVulnerability).Info("Vulnerability scanning is enabled")
 	}
 
-	// ScannerOption is filled only when config scanning is enabled.
+	// Misconfig ScannerOption is filled only when config scanning is enabled.
 	var configScannerOptions misconf.ScannerOption
 	if opts.Scanners.Enabled(types.MisconfigScanner) || opts.ImageConfigScanners.Enabled(types.MisconfigScanner) {
-		logger := log.WithPrefix(log.PrefixMisconfiguration)
-		logger.Info("Misconfiguration scanning is enabled")
-
-		var downloadedPolicyPaths []string
-		var disableEmbedded bool
-
-		downloadedPolicyPaths, err := operation.InitBuiltinPolicies(context.Background(), opts.CacheDir, opts.Quiet, opts.SkipCheckUpdate, opts.MisconfOptions.ChecksBundleRepository, opts.RegistryOpts())
+		var err error
+		configScannerOptions, err = initMisconfScannerOption(opts)
 		if err != nil {
-			if !opts.SkipCheckUpdate {
-				logger.Error("Falling back to embedded checks", log.Err(err))
-			}
-		} else {
-			logger.Debug("Policies successfully loaded from disk")
-			disableEmbedded = true
-		}
-		configScannerOptions = misconf.ScannerOption{
-			Debug:                    opts.Debug,
-			Trace:                    opts.Trace,
-			Namespaces:               append(opts.CheckNamespaces, rego.BuiltinNamespaces()...),
-			PolicyPaths:              append(opts.CheckPaths, downloadedPolicyPaths...),
-			DataPaths:                opts.DataPaths,
-			HelmValues:               opts.HelmValues,
-			HelmValueFiles:           opts.HelmValueFiles,
-			HelmFileValues:           opts.HelmFileValues,
-			HelmStringValues:         opts.HelmStringValues,
-			HelmAPIVersions:          opts.HelmAPIVersions,
-			HelmKubeVersion:          opts.HelmKubeVersion,
-			TerraformTFVars:          opts.TerraformTFVars,
-			CloudFormationParamVars:  opts.CloudFormationParamVars,
-			K8sVersion:               opts.K8sVersion,
-			DisableEmbeddedPolicies:  disableEmbedded,
-			DisableEmbeddedLibraries: disableEmbedded,
-			IncludeDeprecatedChecks:  opts.IncludeDeprecatedChecks,
-			TfExcludeDownloaded:      opts.TfExcludeDownloaded,
+			return ScannerConfig{}, types.ScanOptions{}, err
 		}
 	}
 
@@ -650,3 +623,73 @@ func (r *runner) scan(ctx context.Context, opts flag.Options, initializeScanner
 	}
 	return report, nil
 }
+
+func initMisconfScannerOption(opts flag.Options) (misconf.ScannerOption, error) {
+	logger := log.WithPrefix(log.PrefixMisconfiguration)
+	logger.Info("Misconfiguration scanning is enabled")
+
+	var downloadedPolicyPaths []string
+	var disableEmbedded bool
+
+	downloadedPolicyPaths, err := operation.InitBuiltinPolicies(context.Background(), opts.CacheDir, opts.Quiet, opts.SkipCheckUpdate, opts.MisconfOptions.ChecksBundleRepository, opts.RegistryOpts())
+	if err != nil {
+		if !opts.SkipCheckUpdate {
+			logger.Error("Falling back to embedded checks", log.Err(err))
+		}
+	} else {
+		logger.Debug("Policies successfully loaded from disk")
+		disableEmbedded = true
+	}
+
+	configSchemas, err := loadConfigSchemas(opts.ConfigFileSchemas)
+	if err != nil {
+		return misconf.ScannerOption{}, xerrors.Errorf("load schemas error: %w", err)
+	}
+
+	return misconf.ScannerOption{
+		Debug:                    opts.Debug,
+		Trace:                    opts.Trace,
+		Namespaces:               append(opts.CheckNamespaces, rego.BuiltinNamespaces()...),
+		PolicyPaths:              append(opts.CheckPaths, downloadedPolicyPaths...),
+		DataPaths:                opts.DataPaths,
+		HelmValues:               opts.HelmValues,
+		HelmValueFiles:           opts.HelmValueFiles,
+		HelmFileValues:           opts.HelmFileValues,
+		HelmStringValues:         opts.HelmStringValues,
+		HelmAPIVersions:          opts.HelmAPIVersions,
+		HelmKubeVersion:          opts.HelmKubeVersion,
+		TerraformTFVars:          opts.TerraformTFVars,
+		CloudFormationParamVars:  opts.CloudFormationParamVars,
+		K8sVersion:               opts.K8sVersion,
+		DisableEmbeddedPolicies:  disableEmbedded,
+		DisableEmbeddedLibraries: disableEmbedded,
+		IncludeDeprecatedChecks:  opts.IncludeDeprecatedChecks,
+		TfExcludeDownloaded:      opts.TfExcludeDownloaded,
+		FilePatterns:             opts.FilePatterns,
+		ConfigFileSchemas:        configSchemas,
+	}, nil
+}
+
+func loadConfigSchemas(paths []string) ([]*misconf.ConfigFileSchema, error) {
+	var configSchemas []*misconf.ConfigFileSchema
+	for _, path := range paths {
+		filepath.WalkDir(path, func(path string, info fs.DirEntry, err error) error {
+			if err != nil {
+				return err
+			}
+			if info.IsDir() || !strings.HasSuffix(info.Name(), ".json") {
+				return nil
+			}
+
+			schema, err := misconf.NewConfigFileSchema(path)
+			if err != nil {
+				return xerrors.Errorf("load config file schema: %w", err)
+			}
+
+			configSchemas = append(configSchemas, schema)
+			return nil
+		})
+	}
+
+	return configSchemas, nil
+}

pkg/fanal/analyzer/config/azurearm/azurearm.go

@@ -6,7 +6,7 @@ import (
 
 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer/config"
-	"github.com/aquasecurity/trivy/pkg/misconf"
+	"github.com/aquasecurity/trivy/pkg/iac/detection"
 )
 
 const (
@@ -25,7 +25,7 @@ type azureARMConfigAnalyzer struct {
 }
 
 func newAzureARMConfigAnalyzer(opts analyzer.AnalyzerOptions) (analyzer.PostAnalyzer, error) {
-	a, err := config.NewAnalyzer(analyzerType, version, misconf.NewAzureARMScanner, opts)
+	a, err := config.NewAnalyzer(analyzerType, version, detection.FileTypeAzureARM, opts)
 	if err != nil {
 		return nil, err
 	}

pkg/fanal/analyzer/config/cloudformation/cloudformation.go

@@ -3,7 +3,7 @@ package cloudformation
 import (
 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer/config"
-	"github.com/aquasecurity/trivy/pkg/misconf"
+	"github.com/aquasecurity/trivy/pkg/iac/detection"
 )
 
 const (
@@ -22,7 +22,7 @@ type cloudFormationConfigAnalyzer struct {
 }
 
 func newCloudFormationConfigAnalyzer(opts analyzer.AnalyzerOptions) (analyzer.PostAnalyzer, error) {
-	a, err := config.NewAnalyzer(analyzerType, version, misconf.NewCloudFormationScanner, opts)
+	a, err := config.NewAnalyzer(analyzerType, version, detection.FileTypeCloudFormation, opts)
 	if err != nil {
 		return nil, err
 	}

pkg/fanal/analyzer/config/config.go

@@ -9,6 +9,7 @@ import (
 	"k8s.io/utils/strings/slices"
 
 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
+	"github.com/aquasecurity/trivy/pkg/iac/detection"
 	"github.com/aquasecurity/trivy/pkg/misconf"
 )
 
@@ -26,10 +27,8 @@ type Analyzer struct {
 	scanner *misconf.Scanner
 }
 
-type NewScanner func([]string, misconf.ScannerOption) (*misconf.Scanner, error)
-
-func NewAnalyzer(t analyzer.Type, version int, newScanner NewScanner, opts analyzer.AnalyzerOptions) (*Analyzer, error) {
-	s, err := newScanner(opts.FilePatterns, opts.MisconfScannerOption)
+func NewAnalyzer(t analyzer.Type, version int, fileType detection.FileType, opts analyzer.AnalyzerOptions) (*Analyzer, error) {
+	s, err := misconf.NewScanner(fileType, opts.MisconfScannerOption)
 	if err != nil {
 		return nil, xerrors.Errorf("%s scanner init error: %w", t, err)
 	}

pkg/fanal/analyzer/config/config_test.go

@@ -12,14 +12,15 @@ import (
 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer/config"
 	"github.com/aquasecurity/trivy/pkg/fanal/types"
+	"github.com/aquasecurity/trivy/pkg/iac/detection"
 	"github.com/aquasecurity/trivy/pkg/misconf"
 )
 
 func TestAnalyzer_PostAnalyze(t *testing.T) {
 	type fields struct {
-		typ        analyzer.Type
-		newScanner config.NewScanner
-		opts       analyzer.AnalyzerOptions
+		typ      analyzer.Type
+		fileType detection.FileType
+		opts     analyzer.AnalyzerOptions
 	}
 	tests := []struct {
 		name    string
@@ -31,8 +32,8 @@ func TestAnalyzer_PostAnalyze(t *testing.T) {
 		{
 			name: "dockerfile",
 			fields: fields{
-				typ:        analyzer.TypeDockerfile,
-				newScanner: misconf.NewDockerfileScanner,
+				typ:      analyzer.TypeDockerfile,
+				fileType: detection.FileTypeDockerfile,
 				opts: analyzer.AnalyzerOptions{
 					MisconfScannerOption: misconf.ScannerOption{
 						Namespaces:              []string{"user"},
@@ -74,8 +75,8 @@ func TestAnalyzer_PostAnalyze(t *testing.T) {
 		{
 			name: "non-existent dir",
 			fields: fields{
-				typ:        analyzer.TypeDockerfile,
-				newScanner: misconf.NewDockerfileScanner,
+				typ:      analyzer.TypeDockerfile,
+				fileType: detection.FileTypeDockerfile,
 				opts: analyzer.AnalyzerOptions{
 					MisconfScannerOption: misconf.ScannerOption{
 						Namespaces:              []string{"user"},
@@ -90,7 +91,7 @@ func TestAnalyzer_PostAnalyze(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			a, err := config.NewAnalyzer(tt.fields.typ, 0, tt.fields.newScanner, tt.fields.opts)
+			a, err := config.NewAnalyzer(tt.fields.typ, 0, tt.fields.fileType, tt.fields.opts)
 			require.NoError(t, err)
 
 			got, err := a.PostAnalyze(context.Background(), analyzer.PostAnalysisInput{

pkg/fanal/analyzer/config/dockerfile/docker.go

@@ -7,7 +7,7 @@ import (
 
 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer/config"
-	"github.com/aquasecurity/trivy/pkg/misconf"
+	"github.com/aquasecurity/trivy/pkg/iac/detection"
 )
 
 const (
@@ -28,7 +28,7 @@ type dockerConfigAnalyzer struct {
 }
 
 func newDockerfileConfigAnalyzer(opts analyzer.AnalyzerOptions) (analyzer.PostAnalyzer, error) {
-	a, err := config.NewAnalyzer(analyzerType, version, misconf.NewDockerfileScanner, opts)
+	a, err := config.NewAnalyzer(analyzerType, version, detection.FileTypeDockerfile, opts)
 	if err != nil {
 		return nil, err
 	}

pkg/fanal/analyzer/config/helm/helm.go

@@ -7,7 +7,7 @@ import (
 
 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer/config"
-	"github.com/aquasecurity/trivy/pkg/misconf"
+	"github.com/aquasecurity/trivy/pkg/iac/detection"
 )
 
 const (
@@ -29,7 +29,7 @@ type helmConfigAnalyzer struct {
 }
 
 func newHelmConfigAnalyzer(opts analyzer.AnalyzerOptions) (analyzer.PostAnalyzer, error) {
-	a, err := config.NewAnalyzer(analyzerType, version, misconf.NewHelmScanner, opts)
+	a, err := config.NewAnalyzer(analyzerType, version, detection.FileTypeHelm, opts)
 	if err != nil {
 		return nil, err
 	}

pkg/fanal/analyzer/config/json/json.go

@@ -6,7 +6,7 @@ import (
 
 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer/config"
-	"github.com/aquasecurity/trivy/pkg/misconf"
+	"github.com/aquasecurity/trivy/pkg/iac/detection"
 )
 
 const (
@@ -24,7 +24,7 @@ type jsonConfigAnalyzer struct {
 }
 
 func newJSONConfigAnalyzer(opts analyzer.AnalyzerOptions) (analyzer.PostAnalyzer, error) {
-	a, err := config.NewAnalyzer(analyzerType, version, misconf.NewJSONScanner, opts)
+	a, err := config.NewAnalyzer(analyzerType, version, detection.FileTypeJSON, opts)
 	if err != nil {
 		return nil, err
 	}

pkg/fanal/analyzer/config/k8s/k8s.go

@@ -3,7 +3,7 @@ package k8s
 import (
 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer/config"
-	"github.com/aquasecurity/trivy/pkg/misconf"
+	"github.com/aquasecurity/trivy/pkg/iac/detection"
 )
 
 const (
@@ -22,7 +22,7 @@ type kubernetesConfigAnalyzer struct {
 }
 
 func newKubernetesConfigAnalyzer(opts analyzer.AnalyzerOptions) (analyzer.PostAnalyzer, error) {
-	a, err := config.NewAnalyzer(analyzerType, version, misconf.NewKubernetesScanner, opts)
+	a, err := config.NewAnalyzer(analyzerType, version, detection.FileTypeKubernetes, opts)
 	if err != nil {
 		return nil, err
 	}

pkg/fanal/analyzer/config/terraform/terraform.go

@@ -6,7 +6,6 @@ import (
 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer/config"
 	"github.com/aquasecurity/trivy/pkg/iac/detection"
-	"github.com/aquasecurity/trivy/pkg/misconf"
 )
 
 const (
@@ -25,7 +24,7 @@ type terraformConfigAnalyzer struct {
 }
 
 func newTerraformConfigAnalyzer(opts analyzer.AnalyzerOptions) (analyzer.PostAnalyzer, error) {
-	a, err := config.NewAnalyzer(analyzerType, version, misconf.NewTerraformScanner, opts)
+	a, err := config.NewAnalyzer(analyzerType, version, detection.FileTypeTerraform, opts)
 	if err != nil {
 		return nil, err
 	}

pkg/fanal/analyzer/config/terraformplan/json/json.go

@@ -8,7 +8,7 @@ import (
 
 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer/config"
-	"github.com/aquasecurity/trivy/pkg/misconf"
+	"github.com/aquasecurity/trivy/pkg/iac/detection"
 )
 
 const (
@@ -31,7 +31,7 @@ type terraformPlanConfigAnalyzer struct {
 }
 
 func newTerraformPlanJSONConfigAnalyzer(opts analyzer.AnalyzerOptions) (analyzer.PostAnalyzer, error) {
-	a, err := config.NewAnalyzer(analyzerType, version, misconf.NewTerraformPlanJSONScanner, opts)
+	a, err := config.NewAnalyzer(analyzerType, version, detection.FileTypeTerraformPlanJSON, opts)
 	if err != nil {
 		return nil, err
 	}

pkg/fanal/analyzer/config/terraformplan/snapshot/snapshot.go

@@ -6,7 +6,7 @@ import (
 
 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer/config"
-	"github.com/aquasecurity/trivy/pkg/misconf"
+	"github.com/aquasecurity/trivy/pkg/iac/detection"
 )
 
 const (
@@ -25,7 +25,7 @@ type terraformPlanConfigAnalyzer struct {
 }
 
 func newTerraformPlanSnapshotConfigAnalyzer(opts analyzer.AnalyzerOptions) (analyzer.PostAnalyzer, error) {
-	a, err := config.NewAnalyzer(analyzerType, version, misconf.NewTerraformPlanSnapshotScanner, opts)
+	a, err := config.NewAnalyzer(analyzerType, version, detection.FileTypeTerraformPlanSnapshot, opts)
 	if err != nil {
 		return nil, err
 	}

pkg/fanal/analyzer/config/yaml/yaml.go

@@ -6,7 +6,7 @@ import (
 
 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer/config"
-	"github.com/aquasecurity/trivy/pkg/misconf"
+	"github.com/aquasecurity/trivy/pkg/iac/detection"
 )
 
 const (
@@ -24,7 +24,7 @@ type yamlConfigAnalyzer struct {
 }
 
 func newYAMLConfigAnalyzer(opts analyzer.AnalyzerOptions) (analyzer.PostAnalyzer, error) {
-	a, err := config.NewAnalyzer(analyzerType, version, misconf.NewYAMLScanner, opts)
+	a, err := config.NewAnalyzer(analyzerType, version, detection.FileTypeYAML, opts)
 	if err != nil {
 		return nil, err
 	}

pkg/fanal/analyzer/imgconf/dockerfile/dockerfile.go

@@ -11,6 +11,7 @@ import (
 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
 	"github.com/aquasecurity/trivy/pkg/fanal/image"
 	"github.com/aquasecurity/trivy/pkg/fanal/types"
+	"github.com/aquasecurity/trivy/pkg/iac/detection"
 	"github.com/aquasecurity/trivy/pkg/mapfs"
 	"github.com/aquasecurity/trivy/pkg/misconf"
 )
@@ -26,7 +27,7 @@ type historyAnalyzer struct {
 }
 
 func newHistoryAnalyzer(opts analyzer.ConfigAnalyzerOptions) (analyzer.ConfigAnalyzer, error) {
-	s, err := misconf.NewDockerfileScanner(opts.FilePatterns, opts.MisconfScannerOption)
+	s, err := misconf.NewScanner(detection.FileTypeDockerfile, opts.MisconfScannerOption)
 	if err != nil {
 		return nil, xerrors.Errorf("misconfiguration scanner error: %w", err)
 	}