Documentation
¶
Index ¶
- Constants
- Variables
- type BySeverity
- type Compliance
- type DetectedLicense
- type DetectedMisconfiguration
- type DetectedVulnerability
- type Format
- type Library
- type Metadata
- type MisconfStatus
- type MisconfSummary
- type Report
- type Result
- type ResultClass
- type Results
- type SBOM
- type SBOMSource
- type ScanOptions
- type ScanTarget
- type Scanner
- type Scanners
- type VulnType
Constants ¶
View Source
const ( ClassUnknown ResultClass = "unknown" ClassOSPkg ResultClass = "os-pkgs" // For detected packages and vulnerabilities in OS packages ClassLangPkg ResultClass = "lang-pkgs" // For detected packages and vulnerabilities in language-specific packages ClassConfig ResultClass = "config" // For detected misconfigurations ClassSecret ResultClass = "secret" // For detected secrets ClassLicense ResultClass = "license" // For detected package licenses ClassLicenseFile ResultClass = "license-file" // For detected licenses in files ClassCustom ResultClass = "custom" ComplianceK8sNsa = Compliance("k8s-nsa") ComplianceK8sCIS = Compliance("k8s-cis") ComplianceK8sPSSBaseline = Compliance("k8s-pss-baseline") ComplianceK8sPSSRestricted = Compliance("k8s-pss-restricted") ComplianceAWSCIS12 = Compliance("aws-cis-1.2") ComplianceAWSCIS14 = Compliance("aws-cis-1.4") ComplianceDockerCIS = Compliance("docker-cis") FormatTable Format = "table" FormatJSON Format = "json" FormatTemplate Format = "template" FormatSarif Format = "sarif" FormatCycloneDX Format = "cyclonedx" FormatSPDX Format = "spdx" FormatSPDXJSON Format = "spdx-json" FormatGitHub Format = "github" FormatCosignVuln Format = "cosign-vuln" )
View Source
const ( SBOMSourceOCI = SBOMSource("oci") SBOMSourceRekor = SBOMSource("rekor") )
View Source
const ( // VulnTypeUnknown is a vulnerability type of unknown VulnTypeUnknown = VulnType("unknown") // VulnTypeOS is a vulnerability type of OS packages VulnTypeOS = VulnType("os") // VulnTypeLibrary is a vulnerability type of programming language dependencies VulnTypeLibrary = VulnType("library") // UnknownScanner is the scanner of unknown UnknownScanner = Scanner("unknown") // NoneScanner is the scanner of none NoneScanner = Scanner("none") // VulnerabilityScanner is the scanner of vulnerabilities VulnerabilityScanner = Scanner("vuln") // MisconfigScanner is the scanner of misconfigurations MisconfigScanner = Scanner("misconfig") // SecretScanner is the scanner of secrets SecretScanner = Scanner("secret") // RBACScanner is the scanner of rbac assessment RBACScanner = Scanner("rbac") // LicenseScanner is the scanner of licenses LicenseScanner = Scanner("license") )
Variables ¶
View Source
var ( SupportedFormats = []Format{ FormatTable, FormatJSON, FormatTemplate, FormatSarif, FormatCycloneDX, FormatSPDX, FormatSPDXJSON, FormatGitHub, FormatCosignVuln, } SupportedSBOMFormats = []Format{ FormatCycloneDX, FormatSPDX, FormatSPDXJSON, FormatGitHub, } SupportedCompliances = []string{ ComplianceK8sNsa, ComplianceK8sCIS, ComplianceK8sPSSBaseline, ComplianceK8sPSSRestricted, ComplianceAWSCIS12, ComplianceAWSCIS14, ComplianceDockerCIS, } )
View Source
var ( VulnTypes = []string{ VulnTypeOS, VulnTypeLibrary, } AllScanners = Scanners{ VulnerabilityScanner, MisconfigScanner, RBACScanner, SecretScanner, LicenseScanner, NoneScanner, } // AllImageConfigScanners has a list of available scanners on container image config. // The container image in container registries consists of manifest, config and layers. // Trivy is also able to detect security issues on the image config. AllImageConfigScanners = Scanners{ MisconfigScanner, SecretScanner, NoneScanner, } )
View Source
var ( SBOMSources = []string{ SBOMSourceOCI, SBOMSourceRekor, } )
Functions ¶
This section is empty.
Types ¶
type BySeverity ¶ added in v0.13.0
type BySeverity []DetectedVulnerability
BySeverity implements sort.Interface based on the Severity field.
func (BySeverity) Len ¶ added in v0.13.0
func (v BySeverity) Len() int
Len returns the length of DetectedVulnerabilities
func (BySeverity) Less ¶ added in v0.13.0
func (v BySeverity) Less(i, j int) bool
Less compares 2 DetectedVulnerabilities based on package name, severity, vulnerabilityID and package path
func (BySeverity) Swap ¶ added in v0.13.0
func (v BySeverity) Swap(i, j int)
Swap swaps 2 vulnerability
type Compliance ¶ added in v0.33.0
type Compliance = string
type DetectedLicense ¶ added in v0.30.0
type DetectedLicense struct {
// Severity is the consistent parameter indicating how severe the issue is
Severity string
// Category holds the license category such as "forbidden"
Category types.LicenseCategory
// PkgName holds a package name of the license.
// It will be empty if FilePath is filled.
PkgName string
// PkgName holds a file path of the license.
// It will be empty if PkgName is filled.
FilePath string // for file license
// Name holds a detected license name
Name string
// Confidence is level of the match. The confidence level is between 0.0 and 1.0, with 1.0 indicating an
// exact match and 0.0 indicating a complete mismatch
Confidence float64
// Link is a SPDX link of the license
Link string
}
type DetectedMisconfiguration ¶ added in v0.19.0
type DetectedMisconfiguration struct {
Type string `json:",omitempty"`
ID string `json:",omitempty"`
AVDID string `json:",omitempty"`
Title string `json:",omitempty"`
Description string `json:",omitempty"`
Message string `json:",omitempty"`
Namespace string `json:",omitempty"`
Query string `json:",omitempty"`
Resolution string `json:",omitempty"`
Severity string `json:",omitempty"`
PrimaryURL string `json:",omitempty"`
References []string `json:",omitempty"`
Status MisconfStatus `json:",omitempty"`
Layer ftypes.Layer `json:",omitempty"`
CauseMetadata ftypes.CauseMetadata `json:",omitempty"`
// For debugging
Traces []string `json:",omitempty"`
}
DetectedMisconfiguration holds detected misconfigurations
func (*DetectedMisconfiguration) GetID ¶ added in v0.33.0
func (mc *DetectedMisconfiguration) GetID() string
GetID retrun misconfig ID
type DetectedVulnerability ¶ added in v0.2.0
type DetectedVulnerability struct {
VulnerabilityID string `json:",omitempty"`
VendorIDs []string `json:",omitempty"`
PkgID string `json:",omitempty"` // It is used to construct dependency graph.
PkgName string `json:",omitempty"`
PkgPath string `json:",omitempty"` // This field is populated in the case of language-specific packages such as egg/wheel and gemspec
InstalledVersion string `json:",omitempty"`
FixedVersion string `json:",omitempty"`
Status types.Status `json:",omitempty"`
Layer ftypes.Layer `json:",omitempty"`
SeveritySource types.SourceID `json:",omitempty"`
PrimaryURL string `json:",omitempty"`
// PkgRef is populated only when scanning SBOM and contains the reference ID used in the SBOM.
// It could be PURL, UUID, etc.
// e.g.
// - pkg:npm/acme/component@1.0.0
// - b2a46a4b-8367-4bae-9820-95557cfe03a8
PkgRef string `json:",omitempty"`
// DataSource holds where the advisory comes from
DataSource *types.DataSource `json:",omitempty"`
// Custom is for extensibility and not supposed to be used in OSS
Custom interface{} `json:",omitempty"`
// Embed vulnerability details
types.Vulnerability
}
DetectedVulnerability holds the information of detected vulnerabilities
func (*DetectedVulnerability) GetID ¶ added in v0.33.0
func (vuln *DetectedVulnerability) GetID() string
GetID retrun Vulnerability ID
type Metadata ¶ added in v0.24.0
type Metadata struct {
Size int64 `json:",omitempty"`
OS *ftypes.OS `json:",omitempty"`
// Container image
ImageID string `json:",omitempty"`
DiffIDs []string `json:",omitempty"`
RepoTags []string `json:",omitempty"`
RepoDigests []string `json:",omitempty"`
ImageConfig v1.ConfigFile `json:",omitempty"`
}
Metadata represents a metadata of artifact
type MisconfStatus ¶ added in v0.19.0
type MisconfStatus string
MisconfStatus represents a status of misconfiguration
const ( // StatusPassed represents successful status StatusPassed MisconfStatus = "PASS" // StatusFailure represents failure status StatusFailure MisconfStatus = "FAIL" // StatusException Passed represents the status of exception StatusException MisconfStatus = "EXCEPTION" )
type MisconfSummary ¶ added in v0.24.0
func (MisconfSummary) Empty ¶ added in v0.24.0
func (s MisconfSummary) Empty() bool
type Report ¶ added in v0.24.0
type Report struct {
SchemaVersion int `json:",omitempty"`
CreatedAt time.Time `json:",omitempty"`
ArtifactName string `json:",omitempty"`
ArtifactType ftypes.ArtifactType `json:",omitempty"`
Metadata Metadata `json:",omitempty"`
Results Results `json:",omitempty"`
// SBOM
CycloneDX *ftypes.CycloneDX `json:"-"` // Just for internal usage, not exported in JSON
}
Report represents a scan result
type Result ¶ added in v0.24.0
type Result struct {
Target string `json:"Target"`
Class ResultClass `json:"Class,omitempty"`
Type ftypes.TargetType `json:"Type,omitempty"`
Packages []ftypes.Package `json:"Packages,omitempty"`
Vulnerabilities []DetectedVulnerability `json:"Vulnerabilities,omitempty"`
MisconfSummary *MisconfSummary `json:"MisconfSummary,omitempty"`
Misconfigurations []DetectedMisconfiguration `json:"Misconfigurations,omitempty"`
Secrets []ftypes.SecretFinding `json:"Secrets,omitempty"`
Licenses []DetectedLicense `json:"Licenses,omitempty"`
CustomResources []ftypes.CustomResource `json:"CustomResources,omitempty"`
}
Result holds a target and detected vulnerabilities
type ResultClass ¶ added in v0.24.0
type ResultClass string
type SBOM ¶ added in v0.33.0
type SBOM struct {
OS types.OS
Packages []types.PackageInfo
Applications []types.Application
CycloneDX *types.CycloneDX
SPDX *stypes.Document
}
type SBOMSource ¶ added in v0.32.0
type SBOMSource = string
type ScanOptions ¶
type ScanOptions struct {
VulnType []string
Scanners Scanners
ImageConfigScanners Scanners // Scanners for container image configuration
ScanRemovedPackages bool
ListAllPackages bool
LicenseCategories map[types.LicenseCategory][]string
FilePatterns []string
IncludeDevDeps bool
}
ScanOptions holds the attributes for scanning vulnerabilities
type ScanTarget ¶ added in v0.47.0
type ScanTarget struct {
Name string // container image name, file path, etc
OS types.OS
Repository *types.Repository
Packages types.Packages
Applications []types.Application
Misconfigurations []types.Misconfiguration
Secrets []types.Secret
Licenses []types.LicenseFile
// CustomResources hold analysis results from custom analyzers.
// It is for extensibility and not used in OSS.
CustomResources []types.CustomResource
}
ScanTarget holds the attributes for scanning.
type Scanner ¶ added in v0.37.0
type Scanner string
Scanner represents the type of security scanning
type Scanners ¶ added in v0.37.0
type Scanners []Scanner
Scanners is a slice of scanners
func (Scanners) AnyEnabled ¶ added in v0.37.0
AnyEnabled returns true if any of the passed scanners is included.
Source Files
Click to show internal directories.
Click to hide internal directories.