docs/docs/scanner/misconfiguration/custom/index.md
13 additions & 13 deletions
@@ -121,18 +121,18 @@ Trivy supports extra fields in the `custom` section as described below.
121
121
If you are creating checks for your Trivy misconfiguration scans, some fields are optional as referenced in the table below. The `schemas` field should be used to enable policy validation using a built-in schema. It is recommended to use this to ensure your checks are
122
122
correct and do not reference incorrect properties/values.
123
123
124
-
| Field name | Allowed values | Default value | In table | In JSON |
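Review bot: the hunk removes the table header `| Field name | Allowed values | Default value | In table | In JSON |` but no replacement header row is visible in this region; please confirm the rewritten header has the same number of columns as the rows that follow it, since a column-count mismatch stops the markdown table from rendering, and that the `In table` / `In JSON` information (which custom fields show up in table vs. JSON output) is still documented somewhere if those columns were dropped.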
IaC configurations from cloud providers such as Terraform, CloudFormation, and ARM are converted into a unified structure that is exported to Rego. Checks are developed only for the unified structure, not for each configuration type with its own structure. This avoids duplication and simplifies maintenance. Using the unified structure has a limitation: it is not possible to create checks for resources or attributes that are not exported.
316
+
317
+
The `--raw-config-scanners` flag allows scanning the raw configuration — that is, evaluated but not converted into the unified structure. Currently, only `terraform` is supported.
318
+
319
+
!!! note
320
+
The raw configuration scanner does not work on its own. To use `--raw-config-scanners`, you must also specify the corresponding `--misconfig-scanners`. The report will include results from both scanners.
321
+
322
+
For more information on custom checks and exported data schemas, see [here](../misconfiguration/custom/index.md).
323
+
324
+
Example check:
325
+
```rego
326
+
# METADATA
327
+
# title: AWS required resource tags
328
+
# description: Ensure required tags are set on AWS resources
329
+
# scope: package
330
+
# schemas:
331
+
# - input: schema["terraform-raw"]
332
+
# custom:
333
+
# id: USR-TFRAW-0001
334
+
# severity: CRITICAL
335
+
# short_code: required-aws-resource-tags
336
+
# recommended_actions: Add the required tags to AWS resources.
337
+
# input:
338
+
# selector:
339
+
# - type: terraform-raw
340
+
package user.terraform.required_aws_tags
341
+
342
+
import rego.v1
343
+
344
+
resource_types_to_check := {"aws_s3_bucket"}
345
+
346
+
resources_to_check := {block |
347
+
some module in input.modules
348
+
some block in module.blocks
349
+
block.kind == "resource"
350
+
block.type in resource_types_to_check
351
+
}
352
+
353
+
required_tags := {"Access", "Owner"}
354
+
355
+
deny contains res if {
356
+
some block in resources_to_check
357
+
not block.attributes.tags
358
+
res := result.new(
359
+
sprintf("The resource %q does not contain the following required tags: %v", [block.type, required_tags]),
360
+
block,
361
+
)
362
+
}
363
+
364
+
deny contains res if {
365
+
some block in resources_to_check
366
+
tags_attr := block.attributes.tags
367
+
tags := object.keys(tags_attr.value)
368
+
missing_tags := required_tags - tags
369
+
count(missing_tags) > 0
370
+
res := result.new(
371
+
sprintf("The resource %q does not contain the following required tags: %v", [block.type, missing_tags]),
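Review bot: the prose says the flag accepts only `terraform`, but the example check selects on `type: terraform-raw` and validates against `schema["terraform-raw"]`; add a sentence stating explicitly that `--raw-config-scanners terraform` is the CLI value while `terraform-raw` is the input selector type and schema name used in checks, otherwise readers will try `--raw-config-scanners terraform-raw` or `type: terraform`. Two smaller points: the `!!! note` admonition body needs its four-space indentation to render as an admonition in mkdocs (the indentation is not visible in this view, so please verify it is present), and the link text `see [here](...)` should be descriptive, e.g. `see the custom checks documentation`.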
Trivy needs to connect to the internet to download the checks bundle. If you are running Trivy in an air-gapped environment, or an tightly controlled network, please refer to the [Advanced Network Scenarios document](../../advanced/air-gap.md).
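Review bot: the context line reads `or an tightly controlled network`; since this file is being touched anyway, it is worth fixing the article to `a tightly controlled network`.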