Adding whitelist for policy #7814
Answered by nikpivkin

DanielCastronovo asked this question in Q&A

Description: Hello, I would like to use a whitelist instead of an ignore file.

Target: Filesystem
Scanner: Misconfiguration
Answered by
nikpivkin
Oct 29, 2024
Replies: 1 comment
Hi @DanielCastronovo! You can use Rego to create a whitelist of checks. The rule below ignores all checks that are not allowed.

```rego
package trivy

import rego.v1

allowed_checks = {
    "AVD-AWS-0089"
}

default ignore = false

ignore if not is_check_allowed

is_check_allowed if input.AVDID in allowed_checks
```

Output:

```
trivy conf main.tf --ignore-policy whitelist.rego
2024-10-29T21:03:35+06:00 INFO [misconfig] Misconfiguration scanning is enabled
2024-10-29T21:03:36+06:00 INFO [terraform scanner] Scanning root module file_path="."
2024-10-29T21:03:36+06:00 INFO Detected config files num=2

main.tf (terraform)

Tests: 9 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 8)
Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

LOW: Bucket has logging disabled
════════════════════════════════════════════════════════════════════════════════
Ensures S3 bucket logging is enabled for S3 buckets

See https://avd.aquasec.com/misconfig/s3-bucket-logging
────────────────────────────────────────────────────────────────────────────────
 main.tf:1-3
────────────────────────────────────────────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "this" {
   2 │   bucket = "test"
   3 └ }
────────────────────────────────────────────────────────────────────────────────
```
0 replies
Answer selected by
simar7
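Building on the pattern in the accepted answer, the following is an added example (not from this thread or from the Trivy project) that keeps the check allowlist but never suppresses HIGH or CRITICAL findings, so a whitelist that is too narrow cannot silently hide the most serious misconfigurations. It assumes the ignore-policy input exposes the finding's severity as `input.Severity` (the Severity field of Trivy's misconfiguration results); `AVD-AWS-0089` is the S3 logging check from the thread and the second entry is a placeholder.

```rego
package trivy

import rego.v1

# Checks that may be evaluated. Everything else is ignored unless the
# severity floor below keeps it. The second ID is a placeholder only.
allowed_checks := {
    "AVD-AWS-0089",
    "AVD-XXX-0000"
}

# Findings at these severities are always reported, allowlisted or not.
# Assumes input.Severity carries the finding's severity string.
protected_severities := {"HIGH", "CRITICAL"}

default ignore := false

# Ignore only when the check is neither allowlisted nor protected.
ignore if {
    not is_check_allowed
    not is_severity_protected
}

is_check_allowed if input.AVDID in allowed_checks

is_severity_protected if input.Severity in protected_severities
```

Run it exactly as in the answer (`trivy conf main.tf --ignore-policy whitelist.rego`); ignored checks still show up in the EXCEPTIONS count of the summary line, which is a quick way to confirm the policy is suppressing what you expect and nothing more.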