Documentation ¶
Index ¶
- Constants
- Variables
- func GetDockerOption(insecureTlsSkip bool, Platform string) (types.DockerOption, error)
- type BySeverity
- type Compliance
- type DetectedLicense
- type DetectedMisconfiguration
- type DetectedVulnerability
- type DockerConfig
- type Library
- type Metadata
- type MisconfStatus
- type MisconfSummary
- type Report
- type Result
- type ResultClass
- type Results
- type SBOM
- type SBOMSource
- type ScanOptions
- type Scanner
- type Scanners
- type VulnType
Constants ¶
const ( ClassOSPkg = "os-pkgs" // For detected packages and vulnerabilities in OS packages ClassLangPkg = "lang-pkgs" // For detected packages and vulnerabilities in language-specific packages ClassConfig = "config" // For detected misconfigurations ClassSecret = "secret" // For detected secrets ClassLicense = "license" // For detected package licenses ClassLicenseFile = "license-file" // For detected licenses in files ClassCustom = "custom" // ComplianceNsa is the compliance checks for nsa ComplianceK8sNsa = Compliance("k8s-nsa") ComplianceK8sCIS = Compliance("k8s-cis") ComplianceAWSCIS12 = Compliance("aws-cis-1.2") ComplianceAWSCIS14 = Compliance("aws-cis-1.4") ComplianceDockerCIS = Compliance("docker-cis") )
const ( // VulnTypeUnknown is a vulnerability type of unknown VulnTypeUnknown = VulnType("unknown") // VulnTypeOS is a vulnerability type of OS packages VulnTypeOS = VulnType("os") // VulnTypeLibrary is a vulnerability type of programming language dependencies VulnTypeLibrary = VulnType("library") // UnknownScanner is the scanner of unknown UnknownScanner = Scanner("unknown") // NoneScanner is the scanner of none NoneScanner = Scanner("none") // VulnerabilityScanner is the scanner of vulnerabilities VulnerabilityScanner = Scanner("vuln") // MisconfigScanner is the scanner of misconfigurations MisconfigScanner = Scanner("config") // SecretScanner is the scanner of secrets SecretScanner = Scanner("secret") // RBACScanner is the scanner of rbac assessment RBACScanner = Scanner("rbac") // LicenseScanner is the scanner of licenses LicenseScanner = Scanner("license") )
const (
SBOMSourceRekor = SBOMSource("rekor")
)
Variables ¶
var ( VulnTypes = []string{ VulnTypeOS, VulnTypeLibrary, } AllScanners = Scanners{ VulnerabilityScanner, MisconfigScanner, RBACScanner, SecretScanner, LicenseScanner, NoneScanner, } // AllImageConfigScanners has a list of available scanners on container image config. // The container image in container registries consists of manifest, config and layers. // cvescan is also able to detect security issues on the image config. AllImageConfigScanners = Scanners{ MisconfigScanner, SecretScanner, NoneScanner, } )
var Compliances = []string{ ComplianceK8sNsa, ComplianceK8sCIS, ComplianceAWSCIS12, ComplianceAWSCIS14, ComplianceDockerCIS, }
var ( SBOMSources = []string{ SBOMSourceRekor, } )
Functions ¶
func GetDockerOption ¶
func GetDockerOption(insecureTlsSkip bool, Platform string) (types.DockerOption, error)
GetDockerOption returns the Docker scanning options using DockerConfig
Types ¶
type BySeverity ¶
type BySeverity []DetectedVulnerability
BySeverity implements sort.Interface based on the Severity field.
func (BySeverity) Len ¶
func (v BySeverity) Len() int
Len returns the length of DetectedVulnerabilities
func (BySeverity) Less ¶
func (v BySeverity) Less(i, j int) bool
Less compares 2 DetectedVulnerabilities based on package name, severity, vulnerabilityID and package path
type Compliance ¶
type Compliance = string
type DetectedLicense ¶
type DetectedLicense struct { // Severity is the consistent parameter indicating how severe the issue is Severity string // Category holds the license category such as "forbidden" Category types.LicenseCategory // PkgName holds a package name of the license. // It will be empty if FilePath is filled. PkgName string // PkgName holds a file path of the license. // It will be empty if PkgName is filled. FilePath string // for file license // Name holds a detected license name Name string // Confidence is level of the match. The confidence level is between 0.0 and 1.0, with 1.0 indicating an // exact match and 0.0 indicating a complete mismatch Confidence float64 // Link is a SPDX link of the license Link string }
type DetectedMisconfiguration ¶
type DetectedMisconfiguration struct { Type string `json:",omitempty"` ID string `json:",omitempty"` AVDID string `json:",omitempty"` Title string `json:",omitempty"` Description string `json:",omitempty"` Message string `json:",omitempty"` Namespace string `json:",omitempty"` Query string `json:",omitempty"` Resolution string `json:",omitempty"` Severity string `json:",omitempty"` PrimaryURL string `json:",omitempty"` References []string `json:",omitempty"` Status MisconfStatus `json:",omitempty"` Layer ftypes.Layer `json:",omitempty"` CauseMetadata ftypes.CauseMetadata `json:",omitempty"` // For debugging Traces []string `json:",omitempty"` }
DetectedMisconfiguration holds detected misconfigurations
func (*DetectedMisconfiguration) GetID ¶
func (mc *DetectedMisconfiguration) GetID() string
GetID retrun misconfig ID
type DetectedVulnerability ¶
type DetectedVulnerability struct { VulnerabilityID string `json:",omitempty"` VendorIDs []string `json:",omitempty"` PkgID string `json:",omitempty"` // It is used to construct dependency graph. PkgName string `json:",omitempty"` PkgPath string `json:",omitempty"` // It will be filled in the case of language-specific packages such as egg/wheel and gemspec InstalledVersion string `json:",omitempty"` FixedVersion string `json:",omitempty"` Layer ftypes.Layer `json:",omitempty"` SeveritySource types.SourceID `json:",omitempty"` PrimaryURL string `json:",omitempty"` Ref string `json:",omitempty"` // DataSource holds where the advisory comes from DataSource *types.DataSource `json:",omitempty"` // Custom is for extensibility and not supposed to be used in OSS Custom interface{} `json:",omitempty"` // Embed vulnerability details types.Vulnerability }
DetectedVulnerability holds the information of detected vulnerabilities
func (*DetectedVulnerability) GetID ¶
func (vuln *DetectedVulnerability) GetID() string
GetID retrun Vulnerability ID
type DockerConfig ¶
type DockerConfig struct { UserName string `env:"TRIVY_USERNAME"` Password string `env:"TRIVY_PASSWORD"` RegistryToken string `env:"TRIVY_REGISTRY_TOKEN"` NonSSL bool `env:"TRIVY_NON_SSL" envDefault:"false"` }
DockerConfig holds the config of Docker
type Metadata ¶
type Metadata struct { Size int64 `json:",omitempty"` OS *ftypes.OS `json:",omitempty"` // Container image ImageID string `json:",omitempty"` DiffIDs []string `json:",omitempty"` RepoTags []string `json:",omitempty"` RepoDigests []string `json:",omitempty"` ImageConfig v1.ConfigFile `json:",omitempty"` }
Metadata represents a metadata of artifact
type MisconfStatus ¶
type MisconfStatus string
MisconfStatus represents a status of misconfiguration
const ( // StatusPassed represents successful status StatusPassed MisconfStatus = "PASS" // StatusFailure represents failure status StatusFailure MisconfStatus = "FAIL" // StatusException Passed represents the status of exception StatusException MisconfStatus = "EXCEPTION" )
type MisconfSummary ¶
func (MisconfSummary) Empty ¶
func (s MisconfSummary) Empty() bool
type Report ¶
type Report struct { SchemaVersion int `json:",omitempty"` ArtifactName string `json:",omitempty"` ArtifactType ftypes.ArtifactType `json:",omitempty"` Metadata Metadata `json:",omitempty"` Results Results `json:",omitempty"` // SBOM CycloneDX *ftypes.CycloneDX `json:"-"` // Just for internal usage, not exported in JSON }
Report represents a scan result
type Result ¶
type Result struct { Target string `json:"Target"` Class ResultClass `json:"Class,omitempty"` Type string `json:"Type,omitempty"` Packages []ftypes.Package `json:"Packages,omitempty"` Vulnerabilities []DetectedVulnerability `json:"Vulnerabilities,omitempty"` MisconfSummary *MisconfSummary `json:"MisconfSummary,omitempty"` Misconfigurations []DetectedMisconfiguration `json:"Misconfigurations,omitempty"` Secrets []ftypes.SecretFinding `json:"Secrets,omitempty"` Licenses []DetectedLicense `json:"Licenses,omitempty"` CustomResources []ftypes.CustomResource `json:"CustomResources,omitempty"` }
Result holds a target and detected vulnerabilities
func (*Result) MarshalJSON ¶
type ResultClass ¶
type ResultClass string
type SBOM ¶
type SBOM struct { OS types.OS Packages []types.PackageInfo Applications []types.Application CycloneDX *types.CycloneDX SPDX *stypes.Document2_2 }
type SBOMSource ¶
type SBOMSource = string
type ScanOptions ¶
type ScanOptions struct { VulnType []string Scanners Scanners ImageConfigScanners Scanners // Scanners for container image configuration ScanRemovedPackages bool Platform string ListAllPackages bool LicenseCategories map[types.LicenseCategory][]string FilePatterns []string }
ScanOptions holds the attributes for scanning vulnerabilities
type Scanners ¶
type Scanners []Scanner
Scanners is a slice of scanners
func (Scanners) AnyEnabled ¶
AnyEnabled returns true if any of the passed scanners is included.