refactor(misconf): Update refactored dependencies (#5245)

Signed-off-by: Simar <[email protected]>
aquasecurity · Nov 9, 2023 · e7f6a5c · e7f6a5c
1 parent 2f5afa5
commit e7f6a5c
Show file tree

Hide file tree

Showing 27 changed files with 252 additions and 332 deletions.
diff --git a/docs/docs/coverage/iac/index.md b/docs/docs/coverage/iac/index.md
@@ -9,7 +9,7 @@ Trivy scans Infrastructure as Code (IaC) files for
 ## Supported configurations
 
 | Config type                         | File patterns                 |
-| ----------------------------------- | ----------------------------- |
+|-------------------------------------|-------------------------------|
 | [Kubernetes](kubernetes.md)         | *.yml, *.yaml, *.json         |
 | [Docker](docker.md)                 | Dockerfile, Containerfile     |
 | [Terraform](terraform.md)           | *.tf, *.tf.json, *.tfvars,    |

diff --git a/docs/docs/coverage/iac/terraform.md b/docs/docs/coverage/iac/terraform.md
@@ -2,14 +2,14 @@
 Trivy supports the scanners listed in the table below.
 
 |     Scanner      | Supported |
-| :--------------: | :-------: |
+|:----------------:|:---------:|
 | Misconfiguration |     ✓     |
 |      Secret      |     ✓     |
 
 It supports the following formats:
 
 |  Format   | Supported |
-| :-------: | :-------: |
+|:---------:|:---------:|
 |   JSON    |     ✓     |
 |    HCL    |     ✓     |
 | Plan JSON |     ✓     |

diff --git a/docs/docs/index.md b/docs/docs/index.md
@@ -1,5 +1,5 @@
 # Docs
 
-In this section you can find the complete reference documentation for all of the different features and settings that Trivy has to offer.
+In this section you can find the complete reference documentation for all the different features and settings that Trivy has to offer.
 
 👈 Please use the side-navigation on the left in order to browse the different topics.
diff --git a/docs/docs/references/configuration/cli/trivy_aws.md b/docs/docs/references/configuration/cli/trivy_aws.md
@@ -85,7 +85,7 @@ trivy aws [flags]
       --list-all-pkgs                     enabling the option will output all packages regardless of vulnerability
       --max-cache-age duration            The maximum age of the cloud cache. Cached data will be requeried from the cloud provider if it is older than this. (default 24h0m0s)
   -o, --output string                     output file name
-      --policy-bundle-repository string   OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/defsec:0")
+      --policy-bundle-repository string   OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/trivy-policies:0")
       --policy-namespaces strings         Rego namespaces
       --region string                     AWS Region to scan
       --report string                     specify a report format for the output (all,summary) (default "all")

diff --git a/docs/docs/references/configuration/cli/trivy_config.md b/docs/docs/references/configuration/cli/trivy_config.md
@@ -31,7 +31,7 @@ trivy config [flags] DIR
       --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
   -o, --output string                     output file name
       --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
-      --policy-bundle-repository string   OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/defsec:0")
+      --policy-bundle-repository string   OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/trivy-policies:0")
       --policy-namespaces strings         Rego namespaces
       --redis-ca string                   redis ca file location, if using redis as cache backend
       --redis-cert string                 redis certificate file location, if using redis as cache backend

diff --git a/docs/docs/references/configuration/cli/trivy_filesystem.md b/docs/docs/references/configuration/cli/trivy_filesystem.md
@@ -55,7 +55,7 @@ trivy filesystem [flags] PATH
       --offline-scan                      do not issue API requests to identify dependencies
   -o, --output string                     output file name
       --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
-      --policy-bundle-repository string   OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/defsec:0")
+      --policy-bundle-repository string   OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/trivy-policies:0")
       --policy-namespaces strings         Rego namespaces
       --redis-ca string                   redis ca file location, if using redis as cache backend
       --redis-cert string                 redis certificate file location, if using redis as cache backend

diff --git a/docs/docs/references/configuration/cli/trivy_image.md b/docs/docs/references/configuration/cli/trivy_image.md
@@ -75,7 +75,7 @@ trivy image [flags] IMAGE_NAME
   -o, --output string                     output file name
       --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
       --platform string                   set platform in the form os/arch if image is multi-platform capable
-      --policy-bundle-repository string   OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/defsec:0")
+      --policy-bundle-repository string   OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/trivy-policies:0")
       --policy-namespaces strings         Rego namespaces
       --redis-ca string                   redis ca file location, if using redis as cache backend
       --redis-cert string                 redis certificate file location, if using redis as cache backend

diff --git a/docs/docs/references/configuration/cli/trivy_kubernetes.md b/docs/docs/references/configuration/cli/trivy_kubernetes.md
@@ -67,7 +67,7 @@ trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg:
   -o, --output string                     output file name
       --parallel int                      number (between 1-20) of goroutines enabled for parallel scanning (default 5)
       --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
-      --policy-bundle-repository string   OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/defsec:0")
+      --policy-bundle-repository string   OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/trivy-policies:0")
       --policy-namespaces strings         Rego namespaces
       --redis-ca string                   redis ca file location, if using redis as cache backend
       --redis-cert string                 redis certificate file location, if using redis as cache backend

diff --git a/docs/docs/references/configuration/cli/trivy_repository.md b/docs/docs/references/configuration/cli/trivy_repository.md
@@ -55,7 +55,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
       --offline-scan                      do not issue API requests to identify dependencies
   -o, --output string                     output file name
       --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
-      --policy-bundle-repository string   OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/defsec:0")
+      --policy-bundle-repository string   OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/trivy-policies:0")
       --policy-namespaces strings         Rego namespaces
       --redis-ca string                   redis ca file location, if using redis as cache backend
       --redis-cert string                 redis certificate file location, if using redis as cache backend

diff --git a/docs/docs/references/configuration/cli/trivy_rootfs.md b/docs/docs/references/configuration/cli/trivy_rootfs.md
@@ -57,7 +57,7 @@ trivy rootfs [flags] ROOTDIR
       --offline-scan                      do not issue API requests to identify dependencies
   -o, --output string                     output file name
       --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
-      --policy-bundle-repository string   OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/defsec:0")
+      --policy-bundle-repository string   OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/trivy-policies:0")
       --policy-namespaces strings         Rego namespaces
       --redis-ca string                   redis ca file location, if using redis as cache backend
       --redis-cert string                 redis certificate file location, if using redis as cache backend

diff --git a/docs/docs/references/configuration/cli/trivy_vm.md b/docs/docs/references/configuration/cli/trivy_vm.md
@@ -51,7 +51,7 @@ trivy vm [flags] VM_IMAGE
       --no-progress                       suppress progress bar
       --offline-scan                      do not issue API requests to identify dependencies
   -o, --output string                     output file name
-      --policy-bundle-repository string   OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/defsec:0")
+      --policy-bundle-repository string   OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/trivy-policies:0")
       --redis-ca string                   redis ca file location, if using redis as cache backend
       --redis-cert string                 redis certificate file location, if using redis as cache backend
       --redis-key string                  redis key file location, if using redis as cache backend

diff --git a/docs/docs/scanner/misconfiguration/custom/index.md b/docs/docs/scanner/misconfiguration/custom/index.md
@@ -14,7 +14,7 @@ As for `--namespaces` option, the detail is described as below.
 If a file name matches the following file patterns, Trivy will parse the file and pass it as input to your Rego policy.
 
 | File format   | File pattern                                              |
-| ------------- | --------------------------------------------------------- |
+|---------------|-----------------------------------------------------------|
 | JSON          | `*.json`                                                  |
 | YAML          | `*.yaml` and `*.yml`                                      |
 | Dockerfile    | `Dockerfile`, `Dockerfile.*`, and `*.Dockerfile`          |
@@ -125,7 +125,7 @@ schema that will be used is based on the input document type. It is recommended
 correct and do not reference incorrect properties/values.
 
 | Field name                 | Allowed values                                                    |        Default value         |     In table     |     In JSON      |
-| -------------------------- | ----------------------------------------------------------------- | :--------------------------: | :--------------: | :--------------: |
+|----------------------------|-------------------------------------------------------------------|:----------------------------:|:----------------:|:----------------:|
 | title                      | Any characters                                                    |             N/A              | :material-check: | :material-check: |
 | description                | Any characters                                                    |                              | :material-close: | :material-check: |
 | schemas.input              | `schema["kubernetes"]`, `schema["dockerfile"]`, `schema["cloud"]` | (applied to all input types) | :material-close: | :material-close: |

diff --git a/docs/docs/scanner/misconfiguration/custom/schema.md b/docs/docs/scanner/misconfiguration/custom/schema.md
@@ -4,7 +4,7 @@
 Policies can be defined with custom schemas that allow inputs to be verified against them. Adding a policy schema
 enables Trivy to show more detailed error messages when an invalid input is encountered.
 
-In Trivy we have been able to define a schema for a [Dockerfile](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/dockerfile.json).
+In Trivy we have been able to define a schema for a [Dockerfile](https://github.com/aquasecurity/trivy-iac/blob/main/pkg/rego/schemas/dockerfile.json)
 Without input schemas, a policy would be as follows:
 
 !!! example
@@ -50,9 +50,9 @@ Now if this policy is evaluated against, a more descriptive error will be availa
 
 Currently, out of the box the following schemas are supported natively:
 
-1. [Docker](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/dockerfile.json)
-2. [Kubernetes](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/kubernetes.json)
-3. [Cloud](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/cloud.json)
+1. [Docker](https://github.com/aquasecurity/trivy-iac/blob/main/pkg/rego/schemas/dockerfile.json)
+2. [Kubernetes](https://github.com/aquasecurity/trivy-iac/blob/main/pkg/rego/schemas/kubernetes.json)
+3. [Cloud](https://github.com/aquasecurity/trivy-iac/blob/main/pkg/rego/schemas/cloud.json)
 
 
 ## Custom Policies with Custom Schemas

diff --git a/docs/docs/scanner/misconfiguration/custom/testing.md b/docs/docs/scanner/misconfiguration/custom/testing.md
@@ -22,7 +22,7 @@ For more details, see [Policy Testing][opa-testing].
     }
     ```
 
-To write tests for custom policies, you can refer to existing tests under [defsec][defsec].
+To write tests for custom policies, you can refer to existing tests under [trivy-policies][trivy-policies].
 
 ## Go testing
 [Fanal][fanal] which is a core library of Trivy can be imported as a Go library.
@@ -85,6 +85,6 @@ The following example stores allowed and denied configuration files in a directo
 `Dockerfile.allowed` has one successful result in `Successes`, while `Dockerfile.denied` has one failure result in `Failures`.
 
 [opa-testing]: https://www.openpolicyagent.org/docs/latest/policy-testing/
-[defsec]: https://github.com/aquasecurity/defsec
+[defsec]: https://github.com/aquasecurity/trivy-policies/tree/main
 [table]: https://github.com/golang/go/wiki/TableDrivenTests
 [fanal]: https://github.com/aquasecurity/fanal
diff --git a/docs/docs/scanner/misconfiguration/policy/builtin.md b/docs/docs/scanner/misconfiguration/policy/builtin.md
@@ -2,13 +2,13 @@
 
 ## Policy Sources
 Built-in policies are mainly written in [Rego][rego] and Go.
-Those policies are managed under [defsec repository][defsec].
+Those policies are managed under [trivy-policies repository][trivy-policies].
 See [here](../../../coverage/iac/index.md) for the list of supported config types.
 
-For suggestions or issues regarding policy content, please open an issue under the [defsec][defsec] repository.
+For suggestions or issues regarding policy content, please open an issue under the [trivy-policies][trivy-policies] repository.
 
 ## Policy Distribution
-defsec policies are distributed as an OPA bundle on [GitHub Container Registry][ghcr] (GHCR).
+Trivy policies are distributed as an OPA bundle on [GitHub Container Registry][ghcr] (GHCR).
 When misconfiguration detection is enabled, Trivy pulls the OPA bundle from GHCR as an OCI artifact and stores it in the cache.
 Those policies are then loaded into Trivy OPA engine and used for detecting misconfigurations.
 If Trivy is unable to pull down newer policies, it will use the embedded set of policies as a fallback. This is also the case in air-gap environments where `--skip-policy-update` might be passed.
@@ -18,7 +18,7 @@ Trivy checks for updates to OPA bundle on GHCR every 24 hours and pulls it if th
 
 [rego]: https://www.openpolicyagent.org/docs/latest/policy-language/
 
-[kubernetes-policies]: https://github.com/aquasecurity/defsec/tree/master/rules/kubernetes/policies
-[docker-policies]: https://github.com/aquasecurity/defsec/tree/master/rules/docker/policies
-[defsec]: https://github.com/aquasecurity/defsec
-[ghcr]: https://github.com/aquasecurity/defsec/pkgs/container/defsec
+[kubernetes-policies]: https://github.com/aquasecurity/trivy-policies/tree/main/rules/kubernetes/policies
+[docker-policies]: https://github.com/aquasecurity/trivy-policies/tree/main/rules/docker/policies
+[trivy-policies]: https://github.com/aquasecurity/trivy-policies
+[ghcr]: https://github.com/aquasecurity/trivy-policies/pkgs/container/trivy-policies
diff --git a/docs/docs/scanner/misconfiguration/policy/exceptions.md b/docs/docs/scanner/misconfiguration/policy/exceptions.md
@@ -87,12 +87,12 @@ If you want to apply rule-based exceptions to built-in policies, you have to def
     }
     ```
 
-This exception is applied to [KSV012][ksv012] in defsec.
-You can get the package names in the [defsec repository][defsec] or the JSON output from Trivy.
+This exception is applied to [KSV012][ksv012] in trivy-policies.
+You can get the package names in the [trivy-policies repository][trivy-policies] or the JSON output from Trivy.
 
 For more details, see [an example][rule-example].
 
 [ns-example]: https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/namespace-exception
 [rule-example]: https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/rule-exception
-[ksv012]: https://github.com/aquasecurity/defsec/blob/master/internal/rules/kubernetes/policies/pss/restricted/3_runs_as_root.rego
-[defsec]: https://github.com/aquasecurity/defsec/
+[ksv012]: https://github.com/aquasecurity/trivy-policies/blob/main/rules/kubernetes/policies/pss/restricted/3_runs_as_root.rego 
+[trivy-policies]: https://github.com/aquasecurity/trivy-policies/