add docs

Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
aquasecurity · Aug 9, 2024 · aaef1b3 · aaef1b3
1 parent 3e3e1bd
commit aaef1b3
Show file tree

Hide file tree

Showing 3 changed files with 60 additions and 1 deletion.
diff --git a/docs/docs/coverage/iac/index.md b/docs/docs/coverage/iac/index.md
@@ -17,6 +17,9 @@ Trivy scans Infrastructure as Code (IaC) files for
 | [CloudFormation](cloudformation.md) | \*.yml, \*.yaml, \*.json                      |
 | [Azure ARM Template](azure-arm.md)  | \*.json                                       |
 | [Helm](helm.md)                     | \*.yaml, \*.tpl, \*.tar.gz, etc.              |
+| [YAML][json-and-yaml]               | \*.yaml, \*.yml                               |
+| [JSON][json-and-yaml]               | \*.json                                       |
 
 [misconf]: ../../scanner/misconfiguration/index.md
 [secret]: ../../scanner/secret.md
+[json-and-yaml]: ../../scanner/misconfiguration/index.md#scan-arbitrary-json-and-yaml-configurations
diff --git a/docs/docs/references/configuration/config-file.md b/docs/docs/references/configuration/config-file.md
@@ -386,6 +386,9 @@ misconfiguration:
     # Same as '--cf-params'
     params: []
 
+  # Same as '--config-file-schemas'
+  config-file-schemas: []
+
   helm:
     # Same as '--helm-api-versions'
     api-versions: []

diff --git a/docs/docs/scanner/misconfiguration/index.md b/docs/docs/scanner/misconfiguration/index.md
@@ -107,7 +107,7 @@ $ trivy conf --severity HIGH,CRITICAL ./iac
 <details>
 <summary>Result</summary>
 
-```
+```bash
 2022-06-06T11:01:21.142+0100	INFO	Detected config files: 8
 
 Dockerfile (dockerfile)
@@ -340,6 +340,59 @@ For more details, see [Custom Checks](./custom/index.md).
 !!! tip
 You also need to specify `--namespaces` option.
 
+
+### Scan arbitrary JSON and YAML configurations
+By default, scanning JSON and YAML configurations is disabled, since Trivy does not contain built-in checks for these configurations. To enable it, pass the `json` or `yaml` to `--misconfig-scanners`. See [Enabling a subset of misconfiguration scanners](#enabling-a-subset-of-misconfiguration-scanners) for more information. Trivy will pass each file as is to the checks input.
+
+
+!!! example
+```bash
+$ cat iac/serverless.yaml
+service: serverless-rest-api-with-pynamodb
+
+frameworkVersion: ">=2.24.0"
+
+plugins:
+  - serverless-python-requirements
+...
+
+$ cat serverless.rego
+# METADATA
+# title: Serverless Framework service name not starting with "aws-"
+# description: Ensure that Serverless Framework service names start with "aws-"
+# schemas:
+#   - input: schema["serverless-schema"]
+# custom:
+#   id: SF001
+#   severity: LOW
+package user.serverless001
+
+deny[res] {
+    not startswith(input.service, "aws-")
+    res := result.new(
+        sprintf("Service name %q is not allowed", [input.service]),
+        input.service
+    )
+}
+
+$ trivy config --misconfig-scanners=json,yaml --config-check ./serverless.rego --check-namespaces user ./iac
+serverless.yaml (yaml)
+
+Tests: 4 (SUCCESSES: 3, FAILURES: 1, EXCEPTIONS: 0)
+Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
+
+LOW: Service name "serverless-rest-api-with-pynamodb" is not allowed
+═════════════════════════════════════════════════════════════════════════════════════════════════════════
+Ensure that Serverless Framework service names start with "aws-"
+```
+
+You can also pass schemas using the `config-file-schemas` flag. Trivy will use these schemas for file filtering and type checking in Rego checks. If the file does not match any of the passed schemas, it will be ignored.
+
+!!! example
+```bash
+$ trivy config --misconfig-scanners=json,yaml --config-check ./serverless.rego --check-namespaces user --config-file-schemas ./serverless-schema.json ./iac
+```
+
 ### Passing custom data
 You can pass directories including your custom data through `--data` option.
 This can be repeated for specifying multiple directories.