
Policy

Pass custom policies

You can pass directories containing your custom policies with the --policy option. Repeat the option to specify multiple directories.

cd examples/misconf/
trivy conf --policy custom-policy/policy --policy combine/policy --namespaces user mixed

For more details, see Custom Policies.

Tip

You also need to specify the --namespaces option: custom policies are declared in packages outside the default appshield.* namespace, and Trivy evaluates only the namespaces it is told about (see Pass namespaces below).

Pass custom data

You can pass directories containing your custom data with the --data option. Repeat the option to specify multiple directories.

cd examples/misconf/custom-data
trivy conf --policy ./policy --data ./data --namespaces user ./configs

For more details, see Custom Data.

Pass namespaces

By default, Trivy evaluates only policies defined in packages under appshield.*. To evaluate custom policies in other packages, specify their package prefixes with the --namespaces option. Repeat the option to specify multiple packages.

trivy conf --policy ./policy --namespaces main --namespaces user ./configs
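The following custom policy, added here as an illustration and not taken from the Trivy documentation or repository, ties the three options above together: it lives in a directory passed with --policy, reads an allow list of container registries from a directory passed with --data, and is declared in a package under user, so it is evaluated only when --namespaces user is given. The policy ID ID100, the file names, the data key allowed_registries and the registry hostnames are all assumptions made for this example; the __rego_metadata__ and __rego_input__ structure follows the format described on the Custom Policies page.

```rego
# Added example, not part of the Trivy docs or code base. Assumed layout,
# constructed for this example:
#
#   policy/registry.rego     <- this file, passed with --policy ./policy
#   data/registries.yaml     <- passed with --data ./data; contents:
#       allowed_registries:
#         - registry.example.com
#         - ghcr.io/example-org
#   configs/deploy.yaml      <- a Kubernetes Deployment to scan, e.g. with
#       image: registry.example.com/web:1.4.2   (passes)
#       image: nginx:1.21                        (denied: implicit Docker Hub)
#
# Run:  trivy conf --policy ./policy --data ./data --namespaces user ./configs
#
# The package is under user.*, so --namespaces user is required; without it
# only appshield.* is evaluated and this check is silently skipped.
package user.kubernetes.ID100

# OPA's loader maps data files by directory, not by file name, so a file in
# the root of the --data directory is merged directly under data.*. The key
# allowed_registries is assumed here to match the YAML above.
import data.allowed_registries

__rego_metadata__ := {
	"id": "ID100",
	"title": "Container image from an unapproved registry",
	"severity": "HIGH",
	"type": "Custom Kubernetes Check",
	"description": "Images must come from an allow-listed registry so that only images that went through the organisation's scanning and signing pipeline reach the cluster.",
}

__rego_input__ := {
	"combine": false,
	"selector": [{"type": "kubernetes"}],
}

# Deployments keep containers at spec.template.spec.containers, Pods at
# spec.containers. Collect both so one deny rule covers either kind.
containers[c] {
	input.kind == "Deployment"
	c := input.spec.template.spec.containers[_]
}

containers[c] {
	input.kind == "Pod"
	c := input.spec.containers[_]
}

# True when the image reference starts with an allow-listed prefix followed
# by "/". The separator matters: without it "registry.example.com.evil.io/app"
# would also match "registry.example.com".
from_allowed_registry(image) {
	prefix := allowed_registries[_]
	startswith(image, concat("", [prefix, "/"]))
}

deny[msg] {
	c := containers[_]
	not from_allowed_registry(c.image)
	msg := sprintf("Container '%s' uses image '%s', which is not from an allowed registry", [c.name, c.image])
}
```

Because the allow list lives in the data directory rather than in the policy, the same .rego file can be reused across teams or environments by swapping only the --data directory. Bare image references such as nginx:1.21 resolve to Docker Hub implicitly and never carry an explicit registry prefix, so they are always denied by this rule, which is the intended behaviour for a registry allow list.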

Skip update of built-in policies

Trivy downloads the built-in policies when it starts and then checks for updates every 24 hours. Use the --skip-policy-update option to skip this. If you skip the download on the very first run, no built-in policies have been cached yet, so none will be loaded.

Note

Even if you specify this option on the first run, the Terraform checks are still loaded, because they are implemented in Go (the tfsec checks shown in the output below) rather than fetched as Rego policies.

trivy conf --skip-policy-update examples/misconf/mixed
Result
2021-07-10T18:04:19.083+0300    INFO    No builtin policies were loaded
2021-07-10T18:04:19.174+0300    INFO    Detected config files: 2

configs/main.tf (terraform)
===========================
Tests: 19 (SUCCESSES: 11, FAILURES: 8, EXCEPTIONS: 0)
Failures: 8 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 1)

+------------------------------------------+------------+------------------------------------------+----------+------------------------------------------+
|                   TYPE                   | MISCONF ID |                  CHECK                   | SEVERITY |                 MESSAGE                  |
+------------------------------------------+------------+------------------------------------------+----------+------------------------------------------+
|   Terraform Security Check powered by    |   AWS004   | Use of plain HTTP.                       | CRITICAL | Resource                                 |
|                  tfsec                   |            |                                          |          | 'aws_alb_listener.my-alb-listener'       |
|                                          |            |                                          |          | uses plain HTTP instead of HTTPS.        |
|                                          |            |                                          |          | -->tfsec.dev/docs/aws/AWS004/            |
+                                          +------------+------------------------------------------+----------+------------------------------------------+
|                                          |   AWS006   | An ingress security group rule allows    |  MEDIUM  | Resource                                 |
|                                          |            | traffic from /0.                         |          | 'aws_security_group_rule.my-rule'        |
|                                          |            |                                          |          | defines a fully open                     |
|                                          |            |                                          |          | ingress security group rule.             |
|                                          |            |                                          |          | -->tfsec.dev/docs/aws/AWS006/            |
+                                          +------------+------------------------------------------+----------+------------------------------------------+
|                                          |   AZU003   | Unencrypted managed disk.                |   HIGH   | Resource 'azurerm_managed_disk.source'   |
|                                          |            |                                          |          | defines an unencrypted managed disk.     |
|                                          |            |                                          |          | -->tfsec.dev/docs/azure/AZU003/          |
+------------------------------------------+------------+------------------------------------------+----------+------------------------------------------+

configs/variables.tf (terraform)
================================
Tests: 1 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 0)
Failures: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)