Documentation
¶
Index ¶
- Constants
- Variables
- func GetDockerOption(insecureTlsSkip bool, Platform string) (types.DockerOption, error)
- type BySeverity
- type Compliance
- type DetectedLicense
- type DetectedMisconfiguration
- type DetectedVulnerability
- type DockerConfig
- type Library
- type Metadata
- type MisconfStatus
- type MisconfSummary
- type Report
- type Result
- type ResultClass
- type Results
- type SBOM
- type SBOMSource
- type ScanOptions
- type Scanner
- type Scanners
- type VulnType
Constants ¶
View Source
const ( ClassOSPkg = "os-pkgs" // For detected packages and vulnerabilities in OS packages ClassLangPkg = "lang-pkgs" // For detected packages and vulnerabilities in language-specific packages ClassConfig = "config" // For detected misconfigurations ClassSecret = "secret" // For detected secrets ClassLicense = "license" // For detected package licenses ClassLicenseFile = "license-file" // For detected licenses in files ClassCustom = "custom" // ComplianceNsa is the compliance checks for nsa ComplianceK8sNsa = Compliance("k8s-nsa") ComplianceK8sCIS = Compliance("k8s-cis") ComplianceAWSCIS12 = Compliance("aws-cis-1.2") ComplianceAWSCIS14 = Compliance("aws-cis-1.4") ComplianceDockerCIS = Compliance("docker-cis") )
View Source
const ( // VulnTypeUnknown is a vulnerability type of unknown VulnTypeUnknown = VulnType("unknown") // VulnTypeOS is a vulnerability type of OS packages VulnTypeOS = VulnType("os") // VulnTypeLibrary is a vulnerability type of programming language dependencies VulnTypeLibrary = VulnType("library") // UnknownScanner is the scanner of unknown UnknownScanner = Scanner("unknown") // NoneScanner is the scanner of none NoneScanner = Scanner("none") // VulnerabilityScanner is the scanner of vulnerabilities VulnerabilityScanner = Scanner("vuln") // MisconfigScanner is the scanner of misconfigurations MisconfigScanner = Scanner("config") // SecretScanner is the scanner of secrets SecretScanner = Scanner("secret") // RBACScanner is the scanner of rbac assessment RBACScanner = Scanner("rbac") // LicenseScanner is the scanner of licenses LicenseScanner = Scanner("license") )
View Source
const (
SBOMSourceRekor = SBOMSource("rekor")
)
Variables ¶
View Source
var ( VulnTypes = []string{ VulnTypeOS, VulnTypeLibrary, } AllScanners = Scanners{ VulnerabilityScanner, MisconfigScanner, RBACScanner, SecretScanner, LicenseScanner, NoneScanner, } // AllImageConfigScanners has a list of available scanners on container image config. // The container image in container registries consists of manifest, config and layers. // cvescan is also able to detect security issues on the image config. AllImageConfigScanners = Scanners{ MisconfigScanner, SecretScanner, NoneScanner, } )
View Source
var Compliances = []string{ ComplianceK8sNsa, ComplianceK8sCIS, ComplianceAWSCIS12, ComplianceAWSCIS14, ComplianceDockerCIS, }
View Source
var ( SBOMSources = []string{ SBOMSourceRekor, } )
Functions ¶
func GetDockerOption ¶
func GetDockerOption(insecureTlsSkip bool, Platform string) (types.DockerOption, error)
GetDockerOption returns the Docker scanning options using DockerConfig
Types ¶
type BySeverity ¶
type BySeverity []DetectedVulnerability
BySeverity implements sort.Interface based on the Severity field.
func (BySeverity) Len ¶
func (v BySeverity) Len() int
Len returns the length of DetectedVulnerabilities
func (BySeverity) Less ¶
func (v BySeverity) Less(i, j int) bool
Less compares 2 DetectedVulnerabilities based on package name, severity, vulnerabilityID and package path
type Compliance ¶
type Compliance = string
type DetectedLicense ¶
type DetectedLicense struct {
// Severity is the consistent parameter indicating how severe the issue is
Severity string
// Category holds the license category such as "forbidden"
Category types.LicenseCategory
// PkgName holds a package name of the license.
// It will be empty if FilePath is filled.
PkgName string
// PkgName holds a file path of the license.
// It will be empty if PkgName is filled.
FilePath string // for file license
// Name holds a detected license name
Name string
// Confidence is level of the match. The confidence level is between 0.0 and 1.0, with 1.0 indicating an
// exact match and 0.0 indicating a complete mismatch
Confidence float64
// Link is a SPDX link of the license
Link string
}
type DetectedMisconfiguration ¶
type DetectedMisconfiguration struct {
Type string `json:",omitempty"`
ID string `json:",omitempty"`
AVDID string `json:",omitempty"`
Title string `json:",omitempty"`
Description string `json:",omitempty"`
Message string `json:",omitempty"`
Namespace string `json:",omitempty"`
Query string `json:",omitempty"`
Resolution string `json:",omitempty"`
Severity string `json:",omitempty"`
PrimaryURL string `json:",omitempty"`
References []string `json:",omitempty"`
Status MisconfStatus `json:",omitempty"`
Layer ftypes.Layer `json:",omitempty"`
CauseMetadata ftypes.CauseMetadata `json:",omitempty"`
// For debugging
Traces []string `json:",omitempty"`
}
DetectedMisconfiguration holds detected misconfigurations
func (*DetectedMisconfiguration) GetID ¶
func (mc *DetectedMisconfiguration) GetID() string
GetID retrun misconfig ID
type DetectedVulnerability ¶
type DetectedVulnerability struct {
VulnerabilityID string `json:",omitempty"`
VendorIDs []string `json:",omitempty"`
PkgID string `json:",omitempty"` // It is used to construct dependency graph.
PkgName string `json:",omitempty"`
PkgPath string `json:",omitempty"` // It will be filled in the case of language-specific packages such as egg/wheel and gemspec
InstalledVersion string `json:",omitempty"`
FixedVersion string `json:",omitempty"`
Layer ftypes.Layer `json:",omitempty"`
SeveritySource types.SourceID `json:",omitempty"`
PrimaryURL string `json:",omitempty"`
Ref string `json:",omitempty"`
// DataSource holds where the advisory comes from
DataSource *types.DataSource `json:",omitempty"`
// Custom is for extensibility and not supposed to be used in OSS
Custom interface{} `json:",omitempty"`
// Embed vulnerability details
types.Vulnerability
}
DetectedVulnerability holds the information of detected vulnerabilities
func (*DetectedVulnerability) GetID ¶
func (vuln *DetectedVulnerability) GetID() string
GetID retrun Vulnerability ID
type DockerConfig ¶
type DockerConfig struct {
UserName string `env:"TRIVY_USERNAME"`
Password string `env:"TRIVY_PASSWORD"`
RegistryToken string `env:"TRIVY_REGISTRY_TOKEN"`
NonSSL bool `env:"TRIVY_NON_SSL" envDefault:"false"`
}
DockerConfig holds the config of Docker
type Metadata ¶
type Metadata struct {
Size int64 `json:",omitempty"`
OS *ftypes.OS `json:",omitempty"`
// Container image
ImageID string `json:",omitempty"`
DiffIDs []string `json:",omitempty"`
RepoTags []string `json:",omitempty"`
RepoDigests []string `json:",omitempty"`
ImageConfig v1.ConfigFile `json:",omitempty"`
}
Metadata represents a metadata of artifact
type MisconfStatus ¶
type MisconfStatus string
MisconfStatus represents a status of misconfiguration
const ( // StatusPassed represents successful status StatusPassed MisconfStatus = "PASS" // StatusFailure represents failure status StatusFailure MisconfStatus = "FAIL" // StatusException Passed represents the status of exception StatusException MisconfStatus = "EXCEPTION" )
type MisconfSummary ¶
func (MisconfSummary) Empty ¶
func (s MisconfSummary) Empty() bool
type Report ¶
type Report struct {
SchemaVersion int `json:",omitempty"`
ArtifactName string `json:",omitempty"`
ArtifactType ftypes.ArtifactType `json:",omitempty"`
Metadata Metadata `json:",omitempty"`
Results Results `json:",omitempty"`
// SBOM
CycloneDX *ftypes.CycloneDX `json:"-"` // Just for internal usage, not exported in JSON
}
Report represents a scan result
type Result ¶
type Result struct {
Target string `json:"Target"`
Class ResultClass `json:"Class,omitempty"`
Type string `json:"Type,omitempty"`
Packages []ftypes.Package `json:"Packages,omitempty"`
Vulnerabilities []DetectedVulnerability `json:"Vulnerabilities,omitempty"`
MisconfSummary *MisconfSummary `json:"MisconfSummary,omitempty"`
Misconfigurations []DetectedMisconfiguration `json:"Misconfigurations,omitempty"`
Secrets []ftypes.SecretFinding `json:"Secrets,omitempty"`
Licenses []DetectedLicense `json:"Licenses,omitempty"`
CustomResources []ftypes.CustomResource `json:"CustomResources,omitempty"`
}
Result holds a target and detected vulnerabilities
func (*Result) MarshalJSON ¶
type ResultClass ¶
type ResultClass string
type SBOM ¶
type SBOM struct {
OS types.OS
Packages []types.PackageInfo
Applications []types.Application
CycloneDX *types.CycloneDX
SPDX *stypes.Document2_2
}
type SBOMSource ¶
type SBOMSource = string
type ScanOptions ¶
type ScanOptions struct {
VulnType []string
Scanners Scanners
ImageConfigScanners Scanners // Scanners for container image configuration
ScanRemovedPackages bool
Platform string
ListAllPackages bool
LicenseCategories map[types.LicenseCategory][]string
FilePatterns []string
}
ScanOptions holds the attributes for scanning vulnerabilities
type Scanners ¶
type Scanners []Scanner
Scanners is a slice of scanners
func (Scanners) AnyEnabled ¶
AnyEnabled returns true if any of the passed scanners is included.
func (Scanners) StringSlice ¶
Source Files
Click to show internal directories.
Click to hide internal directories.