v0.31.0

[aqua-bot]

🚀 What's new? 🚀

☁️ AWS cloud scanning 🩻

You can now scan live AWS accounts for misconfigurations with the trivy aws command.

trivy aws --region us-east-1

All the misconfiguration rules built into Trivy for IaC scanning are the same rules being used to scan AWS. This means the rules are consistent across, as a bonus, can be used to find the causes of AWS issues when infrastructure is defined with Terraform or CloudFormation. In addition to the existing rules we've added support for CIS AWS 1.2, and 1.4 is coming up next.

Authentication is done using all of the same mechanisms supported by the aws-cli, so you can likely get up and running simply by running the new trivy aws command.

See here for more detail.

⚠️ EXPERIMENTAL: This feature might change without preserving backwards compatibility.

🚢 SBOM generation without vulnerability scanning ⛓️

--format cyclonedx, --format spdx and --format json disables security checks by default so that you can just generate SBOM.

$ trivy image --format cyclonedx alpine:3.15
2022-08-15T11:45:30.527+0300    INFO    "--format cyclonedx" disables security checks. Specify "--security-checks vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.

📝 Support for vulnerability attestations

You can create a cosign vulnerability scan record attestation with --format cosign-vuln.

$ trivy image --format cosign-vuln -o vuln.json <IMAGE>
$ COSIGN_EXPERIMENTAL=1 cosign attest --type vuln --predicate vuln.json <IMAGE>

See here for more details.

🌀 Scan SBOM attestation for vulnerabilities 🧛

To create an SBOM attestation using cosign:

# The cyclonedx type is supported in Cosign v1.10.0 or later.
$ trivy image --format cyclonedx -o sbom.cdx.json <IMAGE>
$ COSIGN_EXPERIMENTAL=1 cosign attest --type cyclonedx --predicate sbom.cdx.json <IMAGE>

Now you can scan this SBOM attestation for vulnerabilities.

$ cosign verify-attestation --key /path/to/cosign.pub --type cyclonedx <IMAGE> > sbom.cdx.intoto.jsonl
$ trivy sbom ./sbom.cdx.intoto.jsonl

Compared to the previously supported SBOM scanning feature, this way helps you verify the authenticity and integrity of the SBOM that you are about to scan.

See here for more details.

🔐 Detect removed secrets in the intermediate layer 🙈

Previously Trivy could scan a container image for exposed secrets only in the resulting "merged" filesystem of the container. If a secret was added to a container and then removed in an upper layer, this would be missed in the merged filesystem. Now Trivy can find those exposed secrets in all intermediary layers.

💉 Provide external values to templated configuratoins 📜

When scanning Helm charts or Terraform plans, it's common to parameterize some values and provide them only at deployment time. This means scanning an incomplete configuration which might miss some issues. Now you can provide this missing information to Terraform and Helm scanning.

$ trivy config --tf-vars dev.terraform.tfvars <terraformCodeDir>

$ trivy conf --helm-values overrides.yaml ./charts/mySql

See here for more details.

🦀 Scan Rust binaries 🦀

If a binary is built by cargo-auditable, Trivy will extract dependencies of the binary and scan it for vulnerabilities.

# Install the tooling
$ cargo install cargo-auditable rust-audit-info
# Open your Rust project
$ cd your_project
# Build your project with dependency lists embedded in the binaries
$ cargo auditable build --release
# Build your container image with the binary
$ docker build -t test-rust -f - . <<EOF
FROM scratch
COPY target/release/your_binary .
EOF
# Scan the image
$ trivy image --security-checks vuln test-rust
2022-08-15T11:32:03.923+0300    INFO    Vulnerability scanning is enabled
2022-08-15T11:32:05.031+0300    INFO    Number of language-specific files: 1
2022-08-15T11:32:05.032+0300    INFO    Detecting rust-binary vulnerabilities...

your_binary (rust-binary)
=========================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌─────────────────┬─────────────────────┬──────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────┐
│     Library     │    Vulnerability    │ Severity │ Installed Version │ Fixed Version │                       Title                       │
├─────────────────┼─────────────────────┼──────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────┤
│    websocket    │    CVE-2022-35922   │ HIGH     │ 0.26.4            │ 0.26.5        │ Untrusted websocket connections can cause an      | 
│                 │                     │          │                   │               │ out-of-memory (OOM) process abort in a client     │
│                 │                     │          │                   │               │ or a server.                                      │
└─────────────────┴─────────────────────┴──────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────┘

Thanks to @tofay

🏷️ Support git branch, commit and tag in repository scanning 🌮

• Pass a --branch argument with a valid branch name on the remote repository provided:

$ trivy repo --branch <branch-name> <repo-name>

• Pass a --commit argument with a valid commit hash on the remote repository provided:

$ trivy repo --commit <commit-hash> <repo-name>

• Pass a --tag argument with a valid tag on the remote repository provided:

$ trivy repo --tag <tag-name> <repo-name>

Thanks to @ShubhamPalriwala

Provide a kubeconfig file to Kubernetes scanning

You can now override the default kubeconfig file when scanning Kubernetes cluster

$ trivy k8s --kubeconfig /path/to/kubeconfig

Thanks to @mgsh

Changelog

• 917f388 fix(flag): add error when there are no supported security checks (feat(flag): add error when there are no supported security checks #2713)
• aef02aa fix(vuln): continue scanning when no vuln found in the first application (fix(vuln): continue scanning when no vuln found in the first application #2712)
• ed1fa89 revert: add new classes for vulnerabilities (revert: add new classes for vulnerabilities #2701)
• a5d4f7f feat(secret): detect secrets removed or overwritten in upper layer (feat(secret): detect secrets removed or overwritten in upper layer #2611)
• ddffb1b fix(cli): secret scanning perf link fix (fix(cli): secret scanning perf link fix #2607)
• bc85441 chore(deps): bump github.com/spf13/viper from 1.8.1 to 1.12.0 (chore(deps): bump github.com/spf13/viper from 1.8.1 to 1.12.0 #2650)
• b259b25 feat: Add AWS Cloud scanning (feat: Add AWS Cloud scanning #2493)
• f8edda8 docs: specify the type when verifying an attestation (docs: specify the type when verifying an attestation #2697)
• 6879413 docs(sbom): improve SBOM docs by adding a description for scanning SBOM attestation (docs(sbom): improve SBOM docs by adding a description for scanning SBOM attestation #2690)
• babfb17 fix(rpc): scanResponse rpc conversion for custom resources (fix(server): scanResponse rpc conversion for custom resources #2692)
• 517d2e0 feat(rust): Add support for cargo-auditable (feat(rust): Add support for cargo-auditable #2675)
• 0112385 feat: Support passing value overrides for configuration checks (feat: Support passing value overrides for configuration checks #2679)
• 317a026 feat(sbom): add support for scanning a sbom attestation (feat(sbom): add support for scanning a sbom attestation #2652)
• 390c256 chore(image): skip symlinks and hardlinks from tar scan (chore(image): skip symlinks and hardlinks from tar scan #2634)
• 63c33bf fix(report): Update junit.tpl (fix(report): Update junit.tpl #2677)
• de365c8 fix(cyclonedx): add nil check to metadata.component (fix(cyclonedx): add nil check to metadata.component #2673)
• 50db7da docs(secret): fix missing and broken links (docs(secret): fix missing and broken links #2674)
• e848e6d refactor(cyclonedx): implement json.Unmarshaler (refactor(cyclonedx): implement json.Unmarshaler #2662)
• df0b5e4 chore(deps): bump github.com/aquasecurity/table from 1.6.0 to 1.7.2 (chore(deps): bump github.com/aquasecurity/table from 1.6.0 to 1.7.2 #2643)
• 006b8a5 chore(deps): bump github.com/Azure/go-autorest/autorest (chore(deps): bump github.com/Azure/go-autorest/autorest from 0.11.27 to 0.11.28 #2642)
• 8d10de8 feat(kubernetes): add option to specify kubeconfig file path (feat(kubernetes): add option to specify kubeconfig file path #2576)
• 169c55c docs: follow Debian's "instructions to connect to a third-party repository" (docs: follow Debian's "instructions to connect to a third-party repository" #2511)
• 9b21831 chore(deps): bump github.com/google/licenseclassifier/v2 (chore(deps): bump github.com/google/licenseclassifier/v2 from 2.0.0-pre5 to 2.0.0-pre6 #2644)
• 94db37e chore(deps): bump github.com/samber/lo from 1.24.0 to 1.27.0 (chore(deps): bump github.com/samber/lo from 1.24.0 to 1.27.0 #2645)
• d983805 chore(deps): bump github.com/Azure/go-autorest/autorest/adal (chore(deps): bump github.com/Azure/go-autorest/autorest/adal from 0.9.20 to 0.9.21 #2647)
• d8a9572 chore(deps): bump github.com/cheggaaa/pb/v3 from 3.0.8 to 3.1.0 (chore(deps): bump github.com/cheggaaa/pb/v3 from 3.0.8 to 3.1.0 #2646)
• 3ab3050 chore(deps): bump sigstore/cosign-installer from 2.4.1 to 2.5.0 (chore(deps): bump sigstore/cosign-installer from 2.4.1 to 2.5.0 #2641)
• 75984f3 chore(deps): bump actions/cache from 3.0.4 to 3.0.5 (chore(deps): bump actions/cache from 3.0.4 to 3.0.5 #2640)
• 525c253 chore(deps): bump alpine from 3.16.0 to 3.16.1 (chore(deps): bump alpine from 3.16.0 to 3.16.1 #2639)
• 5e327e4 chore(deps): bump golang from 1.18.3 to 1.18.4 (chore(deps): bump golang from 1.18.3 to 1.18.4 #2638)
• 469d771 chore(deps): bump github.com/aws/aws-sdk-go from 1.44.48 to 1.44.66 (chore(deps): bump github.com/aws/aws-sdk-go from 1.44.48 to 1.44.66 #2648)
• 6bc8c87 chore(deps): bump github.com/open-policy-agent/opa from 0.42.0 to 0.43.0 (chore(deps): bump github.com/open-policy-agent/opa from 0.42.0 to 0.43.0 #2649)
• 6ab832d chore(deps): bump google.golang.org/protobuf from 1.28.0 to 1.28.1 (chore(deps): bump google.golang.org/protobuf from 1.28.0 to 1.28.1 #2651)
• 3a10497 feat(alma): set AlmaLinux 9 EOL (feat(alma): set AlmaLinux 9 EOL #2653)
• 55825d7 fix(misconf): Allow quotes in Dockerfile WORKDIR when detecting relative dirs (fix(misconf): Allow quotes in Dockerfile WORKDIR when detecting relative dirs #2636)
• 6bb0e4b test(misconf): add tests for misconf handler for dockerfiles (test(misconf): add tests for misconf handler for dockerfiles #2621)
• 44d53be feat(oracle): set Oracle Linux 9 EOL (feat(oracle): set Oracle Linux 9 EOL #2635)
• f396c67 BREAKING: add new classes for vulnerabilities (BREAKING: add new classes for vulnerabilities #2541)
• 3cd88ab fix(secret): add newline escaping for asymmetric private key (fix(secret): add newline escaping for asymmetric private key #2532)
• ea91fb9 docs: improve formatting (docs: improve formatting #2572)
• d0ca610 feat(helm): allows users to define an existing secret for tokens (feat(helm): allows users to define an existing secret for tokens #2587)
• d0ba59a docs(mariner): use tdnf in fs usage example (docs(mariner): use tdnf in fs usage example #2616)
• d7742b6 docs: remove unnecessary double quotation marks (docs: remove unnecessary double quotation marks #2609)
• 27027cf fix: Fix --file-patterns flag (fix: Fix --file-patterns flag #2625)
• c2a7ad5 feat(report): add support for Cosign vulnerability attestation (feat(report): add support for Cosign vulnerability attestation #2567)
• dfb86f4 docs(mariner): use v2.0 in examples (docs(mariner): use v2.0 in examples #2602)
• 946ce16 feat(report): add secrets template for codequality report (feat(report): add secrets template for codequality report #2461)

---

This discussion was created from the release v0.31.0.