
Built-in Policies

Policy Sources

Built-in policies are written mainly in Rego, with some in Go. They are maintained in the defsec repository.

| Config type | Source |
|---|---|
| Kubernetes | defsec |
| Dockerfile, Containerfile | defsec |
| Terraform | defsec |
| CloudFormation | defsec |
| Azure ARM Template | defsec |
| Helm Chart | defsec |

For suggestions or issues regarding policy content, please open an issue under the defsec repository.

Helm Chart scanning renders the chart into Kubernetes manifests and then runs the Kubernetes checks against the rendered manifests, so there is no separate set of Helm-specific policies.

Policy Distribution

defsec policies are distributed as an OPA bundle on GitHub Container Registry (GHCR). When misconfiguration detection is enabled, Trivy pulls the OPA bundle from GHCR as an OCI artifact and stores it in the cache. The policies are then loaded into Trivy's OPA engine and used to detect misconfigurations. If Trivy is unable to pull newer policies, it falls back to the set of policies embedded in the binary. The same fallback applies in air-gapped environments, where `--skip-policy-update` is typically passed to suppress the download attempt. Note that the embedded set is only as current as the Trivy release you are running, so an offline scan can miss checks that were added to the GHCR bundle later.
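The following shell script is an added example for the air-gapped workflow described above; it is not part of the Trivy docs or the defsec project. It assumes `trivy` is on `PATH`, uses the `--cache-dir` global flag and the `--skip-policy-update` flag, and assumes (the docs only say "the cache") that the pulled bundle lives under a `policy` subdirectory of the cache directory. On a connected host, any misconfiguration scan populates the policy cache; the cache directory is then copied to the offline host, where the scan is run with updates disabled. The helper refuses to run an "offline" scan when no cached bundle is present, so you know when a scan would silently fall back to the embedded policies.

```shell
#!/bin/sh
# Added example; not Trivy or defsec code.
# Assumption: the OPA bundle is cached under "<cache-dir>/policy".
# Adjust POLICY_SUBDIR if your Trivy version uses a different layout.
set -u

POLICY_SUBDIR="policy"

# Return 0 if cache_dir holds at least one file under the policy
# subdirectory, 1 otherwise (an empty directory counts as absent).
policy_cache_present() {
    cache_dir="$1"
    dir="$cache_dir/$POLICY_SUBDIR"
    [ -d "$dir" ] || return 1
    [ -n "$(find "$dir" -type f 2>/dev/null | head -n 1)" ]
}

# Step 1 (connected host): run a misconfiguration scan against an empty
# directory purely to make Trivy pull the bundle into cache_dir. Afterwards
# copy cache_dir (for example with tar) to the air-gapped host.
seed_policy_cache() {
    cache_dir="$1"
    seed_dir="$(mktemp -d)"
    trivy config --cache-dir "$cache_dir" "$seed_dir" >/dev/null 2>&1
    rmdir "$seed_dir"
    policy_cache_present "$cache_dir"
}

# Step 2 (air-gapped host): reuse the transferred cache and skip the GHCR
# update check. Returns 2 without scanning if no bundle is cached, because
# Trivy would otherwise proceed with the embedded (possibly stale) policies.
scan_offline() {
    cache_dir="$1"
    target="$2"
    if ! policy_cache_present "$cache_dir"; then
        echo "no cached policy bundle in $cache_dir; refusing offline scan" >&2
        return 2
    fi
    trivy config --cache-dir "$cache_dir" --skip-policy-update "$target"
}

# Usage (connected host):   seed_policy_cache /tmp/trivy-cache
# Usage (air-gapped host):  scan_offline /tmp/trivy-cache ./deploy
```

Because Trivy only re-checks GHCR periodically, the transferred cache should be refreshed on the same cadence you would expect online hosts to pick up new checks; otherwise the offline host keeps scanning with whatever bundle was last copied over.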

Update Interval

Trivy checks GHCR for a newer OPA bundle every 24 hours and pulls it when one is available. Passing `--skip-policy-update` suppresses this check entirely, so a host that always runs with that flag stays on whatever bundle is cached or embedded.