diff --git a/docs/community/credit.md b/docs/community/credit.md deleted file mode 100644 index be8b6688eea..00000000000 --- a/docs/community/credit.md +++ /dev/null @@ -1,10 +0,0 @@ -# Author - -[Teppei Fukuda][knqyf263] (knqyf263) - -# Contributors - -Thanks to all [contributors][contributors] - -[knqyf263]: https://github.com/knqyf263 -[contributors]: https://github.com/aquasecurity/trivy/graphs/contributors \ No newline at end of file diff --git a/docs/community/references.md b/docs/community/references.md deleted file mode 100644 index cde0b7bf730..00000000000 --- a/docs/community/references.md +++ /dev/null 
@@ -1,48 +0,0 @@ -# Additional References -There are external blogs and evaluations. - -## Blogs -- [Trivy Vulnerability Scanner Joins the Aqua Open-source Family][join] -- [Trivy Image Vulnerability Scanner Now Under Apache 2.0 License][license] -- [DevSecOps with Trivy and GitHub Actions][actions] -- [Find Image Vulnerabilities Using GitHub and Aqua Security Trivy Action][actions2] -- [Using Trivy to Discover Vulnerabilities in VS Code Projects][vscode] -- [the vulnerability remediation lifecycle of Alpine containers][alpine] -- [Continuous Container Vulnerability Testing with Trivy][semaphore] -- [Open Source CVE Scanner Round-Up: Clair vs Anchore vs Trivy][round-up] -- [Docker Image Security: Static Analysis Tool Comparison – Anchore Engine vs Clair vs Trivy][tool-comparison] - -## Links -- [Research Spike: evaluate Trivy for scanning running containers][gitlab] -- [Istio evaluates scanners][istio] - -## Presentations -- Aqua Security YouTube Channel - - [Trivy - container image scanning][intro] - - [Using Trivy in client server mode][server] - - [Tweaking Trivy output to fit your workflow][tweaking] - - [How does a vulnerability scanner identify packages?][identify] -- CNCF Webinar 2020 - - [Trivy Open Source Scanner for Container Images – Just Download and Run!][cncf] -- KubeCon + CloudNativeCon Europe 2020 Virtual - - [Handling Container Vulnerabilities with Open Policy Agent - Teppei Fukuda, Aqua Security][kubecon] - -[alpine]: https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/ -[semaphore]: https://semaphoreci.com/blog/continuous-container-vulnerability-testing-with-trivy -[round-up]: https://boxboat.com/2020/04/24/image-scanning-tech-compared/ -[tool-comparison]: https://www.a10o.net/devsecops/docker-image-security-static-analysis-tool-comparison-anchore-engine-vs-clair-vs-trivy/ -[gitlab]: https://gitlab.com/gitlab-org/gitlab/-/issues/270888 -[istio]: 
https://github.com/istio/release-builder/pull/687#issuecomment-874938417 - -[intro]: https://www.youtube.com/watch?v=AzOBGm7XxOA -[cncf]: https://www.youtube.com/watch?v=XnYxX9uueoQ -[server]: https://www.youtube.com/watch?v=tNQ-VlahtYM -[kubecon]: https://www.youtube.com/watch?v=WKE2XNZ2zr4 -[identify]: https://www.youtube.com/watch?v=PaMnzeHBa8M -[tweaking]: https://www.youtube.com/watch?v=wFIGUjcRLnU - -[join]: https://blog.aquasec.com/trivy-vulnerability-scanner-joins-aqua-family -[license]: https://blog.aquasec.com/trivy-open-source-vulnerability-scanner-apache2.0-license -[actions]: https://blog.aquasec.com/devsecops-with-trivy-github-actions -[actions2]: https://blog.aquasec.com/github-vulnerability-scanner-trivy -[vscode]: https://blog.aquasec.com/trivy-open-source-vulnerability-scanner-vs-code \ No newline at end of file diff --git a/docs/community/tools.md b/docs/community/tools.md deleted file mode 100644 index 18b720ffa47..00000000000 --- a/docs/community/tools.md +++ /dev/null 
@@ -1,37 +0,0 @@ -# Community Tools -The open source community has been hard at work developing new tools for Trivy. You can check out some of them here. - -Have you created a tool that’s not listed? Add the name and description of your integration and open a pull request in the GitHub repository to get your change merged. - -## GitHub Actions - -| Actions | Description | -| ------------------------------------------ | -------------------------------------------------------------------------------- | -| [gitrivy][gitrivy] | GitHub Issue + Trivy | -| [trivy-github-issues][trivy-github-issues] | GitHub Actions for creating GitHub Issues according to the Trivy scanning result | - -## Semaphore - -| Name | Description | -| -------------------------------------------------------| ----------------------------------------- | -| [Continuous Vulnerability Testing with Trivy][semaphore-tutorial] | Tutorial on scanning code, containers, infrastructure, and Kubernetes with Semaphore CI/CD. | - - -## CircleCI - -| Orb | Description | -| -----------------------------------------| ----------------------------------------- | -| [fifteen5/trivy-orb][fifteen5/trivy-orb] | Orb for running Trivy, a security scanner | - -## Others - -| Name | Description | -| -----------------------------------------| ----------------------------------------- | -| [Trivy Vulnerability Explorer][explorer] | Explore trivy vulnerability reports in your browser and create .trivyignore files interactively. Can be integrated in your CI/CD tooling with deep links. | - - -[trivy-github-issues]: https://github.com/marketplace/actions/trivy-github-issues -[fifteen5/trivy-orb]: https://circleci.com/developer/orbs/orb/fifteen5/trivy-orb -[gitrivy]: https://github.com/marketplace/actions/trivy-action -[explorer]: https://dbsystel.github.io/trivy-vulnerability-explorer/ -[semaphore-tutorial]: https://semaphoreci.com/blog/continuous-container-vulnerability-testing-with-trivy 
diff --git a/docs/docs/index.md b/docs/docs/index.md index 10348975f85..48b46113c1a 100644 --- a/docs/docs/index.md +++ b/docs/docs/index.md @@ -1,28 +1,6 @@ # Docs -Trivy detects two types of security issues: - -- [Vulnerabilities][vuln] -- [Misconfigurations][misconf] - -Trivy can scan four different artifacts: - -- [Container Images][container] -- [Filesystem][filesystem] and [Rootfs][rootfs] -- [Git Repositories][repo] -- [Kubernetes][kubernetes] - -Trivy can be run in two different modes: - -- [Standalone][standalone] -- [Client/Server][client-server] - -Trivy can be run as a Kubernetes Operator: - -- [Kubernetes Operator][kubernetesoperator] - -It is designed to be used in CI. Before pushing to a container registry or deploying your application, you can scan your local container image and other artifacts easily. -See [Integrations][integrations] for details. +This documentation details how to use Trivy to access the features listed below. ## Features @@ -67,7 +45,7 @@ See [Integrations][integrations] for details. Please see [LICENSE][license] for Trivy licensing information. -[installation]: ../getting-started/installation.md +[installation]: ../index.md [vuln]: ../docs/vulnerability/scanning/index.md [misconf]: ../docs/misconfiguration/scanning.md [kubernetesoperator]: ../docs/kubernetes/operator/index.md @@ -79,7 +57,7 @@ Please see [LICENSE][license] for Trivy licensing information. [standalone]: ../docs/references/modes/standalone.md [client-server]: ../docs/references/modes/client-server.md -[integrations]: ../docs/integrations/index.md +[integrations]: ../tutorials/integrations/index.md [os]: ../docs/vulnerability/detection/os.md [lang]: ../docs/vulnerability/detection/language.md 
@@ -91,4 +69,4 @@ Please see [LICENSE][license] for Trivy licensing information. [sbom]: ../docs/sbom/index.md [oci]: https://github.com/opencontainers/image-spec -[license]: https://github.com/aquasecurity/trivy/blob/main/LICENSE +[license]: https://github.com/aquasecurity/trivy/blob/main/LICENSE \ No newline at end of file diff --git a/docs/docs/kubernetes/cli/scanning.md b/docs/docs/kubernetes/cli/scanning.md index 0eefb5d35d8..fb3e5a111c0 100644 --- a/docs/docs/kubernetes/cli/scanning.md +++ b/docs/docs/kubernetes/cli/scanning.md @@ -5,7 +5,7 @@ The Trivy K8s CLI allows you to scan your Kubernetes cluster for Vulnerabilities, Secrets and Misconfigurations. You can either run the CLI locally or integrate it into your CI/CD pipeline. The difference to the Trivy CLI is that the Trivy K8s CLI allows you to scan running workloads directly within your cluster. -If you are looking for continuous cluster audit scanning, have a look at the [Trivy K8s operator.](../operator/getting-started.md) +If you are looking for continuous cluster audit scanning, have a look at the [Trivy K8s operator.](../operator/index.md) Trivy uses your local kubectl configuration to access the API server to list artifacts. diff --git a/docs/docs/vulnerability/examples/others.md b/docs/docs/vulnerability/examples/others.md index 67e98fa7922..d63bced8b0f 100644 --- a/docs/docs/vulnerability/examples/others.md +++ b/docs/docs/vulnerability/examples/others.md 
@@ -18,7 +18,7 @@ $ trivy image --skip-dirs /var/lib/gems/2.5.0/gems/fluent-plugin-detect-exceptio ## File patterns When a directory is given as an input, Trivy will recursively look for and test all files based on file patterns. -The default file patterns are [here](../custom/index.md). +The default file patterns are [here](../../misconfiguration/custom/index.md). In addition to the default file patterns, the `--file-patterns` option takes regexp patterns to look for your files. For example, it may be useful when your file name of Dockerfile doesn't match the default patterns. diff --git a/docs/ecosystem/tools.md b/docs/ecosystem/tools.md new file mode 100644 index 00000000000..688495d63ec --- /dev/null +++ b/docs/ecosystem/tools.md 
@@ -0,0 +1,93 @@ +# Tools +This section includes several tools either added by the core maintainers from Aqua Security or the open source community. + +## Official Trivy Tools + +### GitHub Actions + +| Actions | Description | +| ---------------------------- | -------------------------------------------------------------- | +| [trivy-action][trivy-action] | GitHub Actions for integrating Trivy into your GitHub pipeline | + +### VSCode Extension + +| Orb | Description | +| ------------------ | --------------------------- | +| [vs-code][vs-code] | VS Code extension for trivy | + + +### Vim Plugin + +| Orb | Description | +| ---------------------- | -------------------- | +| [vim-trivy][vim-trivy] | Vim plugin for trivy | + + +### Docker Desktop Extension + +| Orb | Description | +| ---------------------------------| ----------------------------------------------------------------------------------------------------- | +| [docker-desktop][docker-desktop] | Trivy Docker Desktop extension for scanning container images for vulnerabilities and generating SBOMs | + + +### Azure DevOps Pipelines Task + +| Orb | Description | +| ---------------------------- | --------------------------------------------------------------- | +| [azure-devops][azure-devops] | An Azure DevOps Pipelines Task for Trivy, with an integrated UI | + + +### Trivy Kubernetes Operator + +| Orb | Description | +| ---------------------------------| ---------------------------------------- | +| [trivy-operator][trivy-operator] | Kubernetes Operator for installing Trivy | + + +### Kubernetes Lens Extension + +| Orb | Description | +| ---------------------------- | ----------------------------------- | +| [lens-extension][trivy-lens] | Trivy Extension for Kubernetes Lens | + +## Community Tools + +### GitHub Actions + +| Actions | Description | +| ------------------------------------------ | -------------------------------------------------------------------------------- | +| [gitrivy][gitrivy] | GitHub 
Issue + Trivy | +| [trivy-github-issues][trivy-github-issues] | GitHub Actions for creating GitHub Issues according to the Trivy scanning result | + +### Semaphore + +| Name | Description | +| -------------------------------------------------------| ----------------------------------------- | +| [Continuous Vulnerability Testing with Trivy][semaphore-tutorial] | Tutorial on scanning code, containers, infrastructure, and Kubernetes with Semaphore CI/CD. | + + +### CircleCI + +| Orb | Description | +| -----------------------------------------| ----------------------------------------- | +| [fifteen5/trivy-orb][fifteen5/trivy-orb] | Orb for running Trivy, a security scanner | + + +### Others + +| Name | Description | +| -----------------------------------------| ----------------------------------------- | +| [Trivy Vulnerability Explorer][explorer] | Explore trivy vulnerability reports in your browser and create .trivyignore files interactively. Can be integrated in your CI/CD tooling with deep links. | + +[trivy-github-issues]: https://github.com/marketplace/actions/trivy-github-issues +[fifteen5/trivy-orb]: https://circleci.com/developer/orbs/orb/fifteen5/trivy-orb +[gitrivy]: https://github.com/marketplace/actions/trivy-action +[explorer]: https://dbsystel.github.io/trivy-vulnerability-explorer/ +[semaphore-tutorial]: https://semaphoreci.com/blog/continuous-container-vulnerability-testing-with-trivy +[trivy-action]: https://github.com/aquasecurity/trivy-action +[vs-code]: https://github.com/aquasecurity/trivy-vscode-extension +[vim-trivy]: https://github.com/aquasecurity/vim-trivy +[docker-desktop]: https://github.com/aquasecurity/trivy-docker-extension +[azure-devops]: https://github.com/aquasecurity/trivy-azure-pipelines-task +[trivy-operator]: https://github.com/aquasecurity/trivy-operator +[trivy-lens]: https://github.com/aquasecurity/trivy-operator-lens-extension 
diff --git a/docs/getting-started/further.md b/docs/getting-started/further.md deleted file mode 100644 index fc75f3b5300..00000000000 --- a/docs/getting-started/further.md +++ /dev/null @@ -1,32 +0,0 @@ -# Further Reading - -## Presentations -- Aqua Security YouTube Channel - - [Trivy - container image scanning][intro] - - [Using Trivy in client server mode][server] - - [Tweaking Trivy output to fit your workflow][tweaking] - - [How does a vulnerability scanner identify packages?][identify] -- CNCF Webinar 2020 - - [Trivy Open Source Scanner for Container Images – Just Download and Run!][cncf] -- KubeCon + CloudNativeCon Europe 2020 Virtual - - [Handling Container Vulnerabilities with Open Policy Agent - Teppei Fukuda, Aqua Security][kubecon] - -## Blogs -- [Trivy Vulnerability Scanner Joins the Aqua Open-source Family][join] -- [Trivy Image Vulnerability Scanner Now Under Apache 2.0 License][license] -- [DevSecOps with Trivy and GitHub Actions][actions] -- [Find Image Vulnerabilities Using GitHub and Aqua Security Trivy Action][actions2] -- [Using Trivy to Discover Vulnerabilities in VS Code Projects][vscode] - -[intro]: https://www.youtube.com/watch?v=AzOBGm7XxOA -[cncf]: https://www.youtube.com/watch?v=XnYxX9uueoQ -[server]: https://www.youtube.com/watch?v=tNQ-VlahtYM -[kubecon]: https://www.youtube.com/watch?v=WKE2XNZ2zr4 -[identify]: https://www.youtube.com/watch?v=PaMnzeHBa8M -[tweaking]: https://www.youtube.com/watch?v=wFIGUjcRLnU - -[join]: https://blog.aquasec.com/trivy-vulnerability-scanner-joins-aqua-family -[license]: https://blog.aquasec.com/trivy-open-source-vulnerability-scanner-apache2.0-license -[actions]: https://blog.aquasec.com/devsecops-with-trivy-github-actions -[actions2]: https://blog.aquasec.com/github-vulnerability-scanner-trivy -[vscode]: https://blog.aquasec.com/trivy-open-source-vulnerability-scanner-vs-code diff --git a/docs/getting-started/installation.md b/docs/getting-started/installation.md index 7965ee793d7..bc04bd7af1e 100644 
--- a/docs/getting-started/installation.md +++ b/docs/getting-started/installation.md @@ -1,4 +1,4 @@ -# Installation +# CLI Installation ## RHEL/CentOS @@ -195,28 +195,6 @@ The same image is hosted on [Amazon ECR Public][ecr] as well. docker pull public.ecr.aws/aquasecurity/trivy:{{ git.tag[1:] }} ``` -## Helm - -### Installing from the Aqua Chart Repository - -``` -helm repo add aquasecurity https://aquasecurity.github.io/helm-charts/ -helm repo update -helm search repo trivy -helm install my-trivy aquasecurity/trivy -``` - -### Installing the Chart - -To install the chart with the release name `my-release`: - -``` -helm install my-release . -``` - -The command deploys Trivy on the Kubernetes cluster in the default configuration. The [Parameters][helm] -section lists the parameters that can be configured during installation. - ### AWS private registry permissions You may need to grant permissions to allow trivy to pull images from private registry (AWS ECR). 
@@ -250,6 +228,37 @@ podAnnotations: {} > **Tip**: List all releases using `helm list`. +## Other Tools to use and deploy Trivy + +For additional tools and ways to install and use Trivy in different envrionments such as in Docker Desktop and Kubernetes clusters, see the links in the [Ecosystem section](../ecosystem/tools.md). + + [ecr]: https://gallery.ecr.aws/aquasecurity/trivy [registry]: https://github.com/orgs/aquasecurity/packages/container/package/trivy [helm]: https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/helm/trivy +[slack]: https://slack.aquasec.com +[operator-docs]: https://aquasecurity.github.io/trivy-operator/latest/ + +[vuln]: ./docs/vulnerability/scanning/index.md +[misconf]: ./docs/misconfiguration/scanning.md +[kubernetesoperator]: ./docs/kubernetes/operator/index.md +[container]: ./docs/vulnerability/scanning/image.md +[rootfs]: ./docs/vulnerability/scanning/rootfs.md +[filesystem]: ./docs/vulnerability/scanning/filesystem.md +[repo]: ./docs/vulnerability/scanning/git-repository.md +[kubernetes]: ./docs/kubernetes/cli/scanning.md + +[standalone]: ./docs/references/modes/standalone.md +[client-server]: ./docs/references/modes/client-server.md +[integrations]: ./tutorials/integrations/index.md + +[os]: ./docs/vulnerability/detection/os.md +[lang]: ./docs/vulnerability/detection/language.md +[builtin]: ./docs/misconfiguration/policy/builtin.md +[quickstart]: ./getting-started/quickstart.md +[podman]: ./docs/advanced/container/podman.md + +[sbom]: ./docs/sbom/index.md + +[oci]: https://github.com/opencontainers/image-spec +[license]: https://github.com/aquasecurity/trivy/blob/main/LICENSE diff --git a/docs/getting-started/overview.md b/docs/getting-started/overview.md deleted file mode 100644 index e73a3937016..00000000000 --- a/docs/getting-started/overview.md +++ /dev/null 
@@ -1,44 +0,0 @@ -# Overview - -Trivy detects three types of security issues: - -- [Vulnerabilities][vuln] - - [OS packages][os] (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, CBL-Mariner, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless) - - [Language-specific packages][lang] (Bundler, Composer, Pipenv, Poetry, npm, yarn, pnpm, Cargo, NuGet, Maven, and Go) -- [Misconfigurations][misconf] - - Kubernetes - - Docker - - Terraform - - CloudFormation - - more coming soon -- [Secrets][secret] - - AWS access key - - GCP service account - - GitHub personal access token - - etc. - -Trivy can scan three different artifacts: - -- [Container Images][container] -- [Filesystem][filesystem] -- [Git Repositories][repo] - -It is designed to be used in CI. Before pushing to a container registry or deploying your application, you can scan your local container image and other artifacts easily. -See [Integrations][integrations] for details. - -[vuln]: ../docs/vulnerability/scanning/index.md -[os]: ../docs/vulnerability/detection/os.md -[lang]: ../docs/vulnerability/detection/language.md - -[misconf]: ../docs/misconfiguration/scanning.md - -[secret]: ../docs/secret/scanning.md - -[container]: ../docs/vulnerability/scanning/image.md -[rootfs]: ../docs/vulnerability/scanning/rootfs.md -[filesystem]: ../docs/vulnerability/scanning/filesystem.md -[repo]: ../docs/vulnerability/scanning/git-repository.md - -[integrations]: ../docs/integrations/index.md - -[license]: https://github.com/aquasecurity/trivy/blob/main/LICENSE diff --git a/docs/getting-started/quickstart.md b/docs/getting-started/quickstart.md index e5d3f14fc1c..e4055bdaf7d 100644 --- a/docs/getting-started/quickstart.md +++ b/docs/getting-started/quickstart.md 
@@ -1,5 +1,9 @@ # Quick Start +## Prerequisites + +- Make sure to have the Trivy [CLI installed][installation] + ## Scan image for vulnerabilities and secrets Simply specify an image name (and a tag). @@ -80,6 +84,7 @@ See https://avd.aquasec.com/misconfig/ds001 For more details, see [here][misconf]. +[installation]: ./installation.md [vulnerability]: ../docs/vulnerability/scanning/index.md [misconf]: ../docs/misconfiguration/scanning.md [secret]: ../docs/secret/scanning.md diff --git a/docs/imgs/argocd-ui.png b/docs/imgs/argocd-ui.png new file mode 100644 index 00000000000..f9e31a958ab Binary files /dev/null and b/docs/imgs/argocd-ui.png differ diff --git a/docs/imgs/docker-desktop.png b/docs/imgs/docker-desktop.png new file mode 100644 index 00000000000..3eafeb8e894 Binary files /dev/null and b/docs/imgs/docker-desktop.png differ diff --git a/docs/index.md b/docs/index.md index c39c375ad08..496ff71e6bd 100644 --- a/docs/index.md +++ b/docs/index.md 
@@ -1,26 +1,34 @@ --- hide: -- navigation - toc --- -![logo](imgs/logo.png){ align=left } +![logo](imgs/logo.png){ align=right } -`Trivy` (`tri` pronounced like **tri**gger, `vy` pronounced like en**vy**) is a simple and comprehensive [vulnerability][vulnerability]/[misconfiguration][misconf]/[secret][secret] scanner for containers and other artifacts. -`Trivy` detects vulnerabilities of [OS packages][os] (Alpine, RHEL, CentOS, etc.) and [language-specific packages][lang] (Bundler, Composer, npm, yarn, etc.). -In addition, `Trivy` scans [Infrastructure as Code (IaC) files][misconf] such as Terraform and Kubernetes, to detect potential configuration issues that expose your deployments to the risk of attack. -`Trivy` also scans [hardcoded secrets][secret] like passwords, API keys and tokens. -`Trivy` is easy to use. Just install the binary and you're ready to scan. -All you need to do for scanning is to specify a target such as an image name of the container. +Trivy (tri pronounced like trigger, vy pronounced like envy) is a comprehensive security scanner. It is reliable, fast, extremely easy to use, and it works wherever you need it. -
- -
+Trivy has different scanners that look for different security issues, and different targets where it can find those issues. +Targets: -
-

Demo

-
+- Container Image +- Filesystem +- Git repository (remote) +- Kubernetes cluster or resource + +Scanners: + +- OS packages and software dependencies in use (SBOM) +- Known vulnerabilities (CVEs) +- IaC misconfigurations +- Sensitive information and secrets + +It is designed to be used in CI. Before pushing to a container registry or deploying your application, you can scan your local container image and other artifacts easily. +See [Integrations][integrations] for details. + +Much more scanners and targets are coming up. [Join the Slack][slack] channel to stay up to date, ask questions, and let us know what features you would like to see. + +Please see [LICENSE][license] for Trivy licensing information.
---- - -Trivy is an [Aqua Security][aquasec] open source project. -Learn about our open source work and portfolio [here][oss]. -Contact us about any matter by opening a GitHub Discussion [here][discussions] - -[vulnerability]: docs/vulnerability/scanning/index.md -[misconf]: docs/misconfiguration/scanning.md -[secret]: docs/secret/scanning.md -[os]: docs/vulnerability/detection/os.md -[lang]: docs/vulnerability/detection/language.md - -[aquasec]: https://aquasec.com -[oss]: https://www.aquasec.com/products/open-source-projects/ -[discussions]: https://github.com/aquasecurity/trivy/discussions +[integrations]: ./tutorials/integrations/index.md +[slack]: https://slack.aquasec.com +[license]: https://github.com/aquasecurity/trivy/blob/main/LICENSE \ No newline at end of file diff --git a/docs/community/cks.md b/docs/tutorials/additional-resources/cks.md similarity index 55% rename from docs/community/cks.md rename to docs/tutorials/additional-resources/cks.md index a46c1bb76f0..859315bf1a1 100644 --- a/docs/community/cks.md +++ b/docs/tutorials/additional-resources/cks.md 
@@ -1,21 +1,26 @@ # CKS preparation resources -Community Resources +The [Certified Kubernetes Security Specialist (CKS) Exam](https://training.linuxfoundation.org/certification/certified-kubernetes-security-specialist/) is offered by The Linux Foundation. It provides assurance that a CKS has the skills, knowledge, and competence on a broad range of best practices for securing container-based applications and Kubernetes platforms during build, deployment and runtime. CKA certification is required to sit for this exam. + +### Community Resources - [Trivy Video overview (short)][overview] - [Example questions from the exam][exam] - [More example questions][questions] +- [CKS exam study guide](study-guide) +- [Docker Image Vulnerabilities & Trivy Image Scanning Demo | K21Academy](https://youtu.be/gHz10UsEdys) -Aqua Security Blog posts +### Aqua Security Blog posts to learn more - Supply chain security best [practices][supply-chain-best-practices] - Supply chain [attacks][supply-chain-attacks] -- + If you know of interesting resources, please start a PR to add those to the list. [overview]: https://youtu.be/2cjH6Zkieys [exam]: https://jonathan18186.medium.com/certified-kubernetes-security-specialist-cks-preparation-part-7-supply-chain-security-9cf62c34cf6a [questions]: https://github.com/kodekloudhub/certified-kubernetes-security-specialist-cks-course/blob/main/docs/06-Supply-Chain-Security/09-Scan-images-for-known-vulnerabilities-(Trivy).md +[study-guide]: https://devopscube.com/cks-exam-guide-tips/ [supply-chain-best-practices]: https://blog.aquasec.com/supply-chain-security-best-practices [supply-chain-attacks]: https://blog.aquasec.com/supply-chain-threats-using-container-images diff --git a/docs/tutorials/additional-resources/community.md b/docs/tutorials/additional-resources/community.md new file mode 100644 index 00000000000..9b24ae91c84 --- /dev/null +++ b/docs/tutorials/additional-resources/community.md 
@@ -0,0 +1,37 @@ +# Community References +Below is a list of additional resources from the community. + +## Vulnderability Scanning + +- [Detecting Spring4Shell with Trivy and Grype](https://youtu.be/mOfBcpJWwSs) + +## CI/CD Pipelines + +- [How to use Tekton to set up a CI pipeline with OpenShift Pipelines](https://www.redhat.com/architect/cicd-pipeline-openshift-tekton) +- [Continuous Container Vulnerability Testing with Trivy](https://semaphoreci.com/blog/continuous-container-vulnerability-testing-with-trivy) +- [Getting Started With Trivy and Jenkins](https://youtu.be/MWe01VdwuMA) +- [How to use Tekton to set up a CI pipeline with OpenShift Pipelines](https://www.redhat.com/architect/cicd-pipeline-openshift-tekton) + +## Misconfiguration Scanning + +- [Identifying Misconfigurations in your Terraform](https://youtu.be/cps1V5fOHtE) +- [How to write custom policies for Trivy](https://blog.ediri.io/how-to-write-custom-policies-for-trivy) + +## SBOM, Attestation & related + +- [Attesting Image Scans With Kyverno](https://neonmirrors.net/post/2022-07/attesting-image-scans-kyverno/) + +## Trivy Kubernetes + +- [Using Trivy Kubernetes in OVHCloud documentation.](https://docs.ovh.com/gb/en/kubernetes/installing-trivy/) + +## Comparisons + +- [the vulnerability remediation lifecycle of Alpine containers](https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/) +- [Open Source CVE Scanner Round-Up: Clair vs Anchore vs Trivy](https://boxboat.com/2020/04/24/image-scanning-tech-compared/) +- [Docker Image Security: Static Analysis Tool Comparison – Anchore Engine vs Clair vs Trivy](https://www.a10o.net/devsecops/docker-image-security-static-analysis-tool-comparison-anchore-engine-vs-clair-vs-trivy/) + +### Evaluations + +- [Istio evaluating to use Trivy](https://github.com/istio/release-builder/pull/687#issuecomment-874938417) +- [Research Spike: evaluate Trivy for scanning running 
containers](https://gitlab.com/gitlab-org/gitlab/-/issues/270888) \ No newline at end of file diff --git a/docs/tutorials/additional-resources/references.md b/docs/tutorials/additional-resources/references.md new file mode 100644 index 00000000000..d53f40b4e4e --- /dev/null +++ b/docs/tutorials/additional-resources/references.md 
@@ -0,0 +1,38 @@ +# Additional Resources and Tutorials +Below is a list of additional resources from Aqua Security. + +## Announcements + +- [Trivy Vulnerability Scanner Joins the Aqua Open-source Family](https://blog.aquasec.com/trivy-vulnerability-scanner-joins-aqua-family) +- [Trivy Image Vulnerability Scanner Now Under Apache 2.0 License](https://blog.aquasec.com/trivy-open-source-vulnerability-scanner-apache2.0-license) + +## Vulnderability Scanning + +- [Using Trivy to Discover Vulnerabilities in VS Code Projects](https://blog.aquasec.com/trivy-open-source-vulnerability-scanner-vs-code) +- [How does a vulnerability scanner identify packages?](https://youtu.be/PaMnzeHBa8M) +- [Handling Container Vulnerabilities with Open Policy Agent - Teppei Fukuda, Aqua Security](https://youtu.be/WKE2XNZ2zr4) + +## CI/CD Pipelines + +- [DevSecOps with Trivy and GitHub Actions](https://blog.aquasec.com/devsecops-with-trivy-github-actions) +- [Find Image Vulnerabilities Using GitHub and Aqua Security Trivy Action](https://blog.aquasec.com/github-vulnerability-scanner-trivy) + +## Misconfiguration Scanning + +- [Identifying Misconfigurations in your Terraform](https://youtu.be/cps1V5fOHtE) + +## Client/Server + +- [Using Trivy in client server mode](https://youtu.be/tNQ-VlahtYM) + +## Workshops + +- [Trivy Live Demo & Q&A](https://youtu.be/6Vw0QgJ-k5o) +- [First Steps to Full Lifecycle Security with Open Source Tools - Rory McCune & Anais Urlichs](https://youtu.be/nwJ0366rs6s) + + +## Older Resources + +- [Webinar: Trivy Open Source Scanner for Container Images – Just Download and Run!](https://youtu.be/XnYxX9uueoQ) +- [Kubernetes Security through GitOps Best Practices: ArgoCD and Starboard](https://youtu.be/YvMY8to9aHI) +- [Get started with Kubernetes Security and Starboard](https://youtu.be/QgctrpTpJec) 
diff --git a/docs/docs/integrations/aws-codepipeline.md b/docs/tutorials/integrations/aws-codepipeline.md similarity index 100% rename from docs/docs/integrations/aws-codepipeline.md rename to docs/tutorials/integrations/aws-codepipeline.md diff --git a/docs/docs/integrations/aws-security-hub.md b/docs/tutorials/integrations/aws-security-hub.md similarity index 98% rename from docs/docs/integrations/aws-security-hub.md rename to docs/tutorials/integrations/aws-security-hub.md index c6b161e4e86..ed26458fd59 100644 --- a/docs/docs/integrations/aws-security-hub.md +++ b/docs/tutorials/integrations/aws-security-hub.md @@ -12,9 +12,11 @@ ASFF template needs AWS_REGION and AWS_ACCOUNT_ID from environment variables. The Product [ARN](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) field follows the pattern below to match what AWS requires for the [product resource type](https://github.com/awsdocs/aws-security-hub-user-guide/blob/master/doc_source/securityhub-partner-providers.md#aqua-security--aqua-cloud-native-security-platform-sends-findings). +{% raw %} ``` "ProductArn": "arn:aws:securityhub:{{ env "AWS_REGION" }}::product/aquasecurity/aquasecurity", ``` +{% endraw %} In order to upload results you must first run [enable-import-findings-for-product](https://docs.aws.amazon.com/cli/latest/reference/securityhub/enable-import-findings-for-product.html) like: diff --git a/docs/docs/integrations/azure-devops.md b/docs/tutorials/integrations/azure-devops.md similarity index 100% rename from docs/docs/integrations/azure-devops.md rename to docs/tutorials/integrations/azure-devops.md diff --git a/docs/docs/integrations/bitbucket.md b/docs/tutorials/integrations/bitbucket.md similarity index 100% rename from docs/docs/integrations/bitbucket.md rename to docs/tutorials/integrations/bitbucket.md 
diff --git a/docs/docs/integrations/circleci.md b/docs/tutorials/integrations/circleci.md similarity index 100% rename from docs/docs/integrations/circleci.md rename to docs/tutorials/integrations/circleci.md diff --git a/docs/docs/integrations/github-actions.md b/docs/tutorials/integrations/github-actions.md similarity index 100% rename from docs/docs/integrations/github-actions.md rename to docs/tutorials/integrations/github-actions.md diff --git a/docs/docs/integrations/gitlab-ci.md b/docs/tutorials/integrations/gitlab-ci.md similarity index 100% rename from docs/docs/integrations/gitlab-ci.md rename to docs/tutorials/integrations/gitlab-ci.md diff --git a/docs/docs/integrations/index.md b/docs/tutorials/integrations/index.md similarity index 100% rename from docs/docs/integrations/index.md rename to docs/tutorials/integrations/index.md diff --git a/docs/docs/integrations/travis-ci.md b/docs/tutorials/integrations/travis-ci.md similarity index 100% rename from docs/docs/integrations/travis-ci.md rename to docs/tutorials/integrations/travis-ci.md diff --git a/docs/tutorials/kubernetes/cluster-scanning.md b/docs/tutorials/kubernetes/cluster-scanning.md new file mode 100644 index 00000000000..fc9f42db45f --- /dev/null +++ b/docs/tutorials/kubernetes/cluster-scanning.md 
@@ -0,0 +1,120 @@ +# Kubernetes Scanning Tutorial + +## Prerequisites + +To test the following commands yourself, make sure that you’re connected to a Kubernetes cluster. A simple kind, a Docker-Desktop or microk8s cluster will do. In our case, we’ll use a one-node kind cluster. + +Pro tip: The output of the commands will be even more interesting if you have some workloads running in your cluster. + +## Cluster Scanning + +Trivy K8s is great to get an overview of all the vulnerabilities and misconfiguration issues or to scan specific workloads that are running in your cluster. You would want to use the Trivy K8s command either on your own local cluster or in your CI/CD pipeline post deployments. + +The Trivy K8s command is part of the Trivy CLI: + + +With the following command, we can scan our entire Kubernetes cluster for vulnerabilities and get a summary of the scan: + +``` +trivy k8s --report=summary +``` + +To get detailed information for all your resources, just replace ‘summary’ with ‘all’: + +``` +trivy k8s --report=all +``` + +However, we recommend displaying all information only in case you scan a specific namespace or resource since you can get overwhelmed with additional details. + +Furthermore, we can specify the namespace that Trivy is supposed to scan to focus on specific resources in the scan result: + +``` +trivy k8s -n kube-system --report=summary +``` + +Again, if you’d like to receive additional details, use the ‘--report=all’ flag: + +``` +trivy k8s -n kube-system --report=all +``` + +Like with scanning for vulnerabilities, we can also filter in-cluster security issues by severity of the vulnerabilities: + +``` +trivy k8s --severity=CRITICAL --report=summary +``` + +Note that you can use any of the Trivy flags on the Trivy K8s command. 
+ +With the Trivy K8s command, you can also scan specific workloads that are running within your cluster, such as our deployment: + +``` +trivy k8s –n app --report=summary deployments/react-application +``` + +## Trivy Operator + +The Trivy K8s command is an imperative model to scan resources. We wouldn’t want to manually scan each resource across different environments. The larger the cluster and the more workloads are running in it, the more error-prone this process would become. With the Trivy Operator, we can automate the scanning process after the deployment. + +The Trivy Operator follows the Kubernetes Operator Model. Operators automate human actions, and the result of the task is saved as custom resource definitions (CRDs) within your cluster. + +This has several benefits: + +- Trivy Operator is installed CRDs in our cluster. As a result, all our resources, including our security scanner and its scan results, are Kubernetes resources. This makes it much easier to integrate the Trivy Operator directly into our existing processes, such as connecting Trivy with Prometheus, a monitoring system. + +- The Trivy Operator will automatically scan your resources every six hours. You can set up automatic alerting in case new critical security issues are discovered. + +- The CRDs can be both machine and human-readable depending on which applications consume the CRDs. This allows for more versatile applications of the Trivy operator. + + +There are several ways that you can install the Trivy Operator in your cluster. In this guide, we’re going to use the Helm installation based on the [following documentation.](../../docs/kubernetes/operator/index.md) + +Make sure that you have the [Helm CLI installed.](https://helm.sh/docs/intro/install/) +Next, run the following commands. 
+ +First, we are going to add the Aqua Security Helm repository to our Helm repository list: +``` +helm repo add aqua https://aquasecurity.github.io/helm-charts/ +``` + +Then, we will update all of our Helm repositories. Even if you have just added a new repository to your existing charts, this is generally good practice to have access to the latest changes: +``` +helm repo update +``` + +Lastly, we can install the Trivy operator Helm Chart to our cluster: +``` +helm install trivy-operator aqua/trivy-operator \ + --namespace trivy-system \ + --create-namespace \ + --set="trivy.ignoreUnfixed=true" \ + --version v0.0.3 +``` + +You can make sure that the operator is installed correctly via the following command: +``` +kubectl get deployment -n trivy-system +``` + +Trivy will automatically start scanning your Kubernetes resources. +For instance, you can view vulnerability reports with the following command: + +``` +kubectl get vulnerabilityreports --all-namespaces -o wide +``` + +And then you can access the details of a security scan: +``` +kubectl describe vulnerabilityreports +``` + +The same process can be applied to access Configauditreports: + +``` +kubectl get configauditreports --all-namespaces -o wide +``` + + + + diff --git a/docs/tutorials/kubernetes/gitops.md b/docs/tutorials/kubernetes/gitops.md new file mode 100644 index 00000000000..cfa38325c8a --- /dev/null +++ b/docs/tutorials/kubernetes/gitops.md 
@@ -0,0 +1,125 @@ +# Installing the Trivy-Operator through GitOps + +This tutorial shows you how to install the Trivy Operator through GitOps platforms, namely ArgoCD and FluxCD. + +## ArgoCD + +Make sure to have [ArgoCD installed](https://argo-cd.readthedocs.io/en/stable/getting_started/) and running in your Kubernetes cluster. + +You can either deploy the Trivy Operator through the argocd CLI or by applying a Kubernetes manifest. + +ArgoCD command: +``` +> kubectl create ns trivy-system +> argocd app create trivy-operator --repo https://github.com/aquasecurity/trivy-operator --path deploy/helm --dest-server https://kubernetes.default.svc --dest-namespace trivy-system +``` +Note that this installation is directly related to our official Helm Chart. If you want to change any of the value, we'd suggest you to create a separate values.yaml file. + +Kubernetes manifest `trivy-operator.yaml`: +``` +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: trivy-operator + namespace: argocd +spec: + project: default + source: + chart: trivy-operator + repoURL: https://aquasecurity.github.io/helm-charts/ + targetRevision: 0.0.3 + helm: + values: | + trivy: + ignoreUnfixed: true + destination: + server: https://kubernetes.default.svc + namespace: trivy-system + syncPolicy: + automated: + prune: true + selfHeal: true +``` + +The apply the Kubernetes manifest. If you have the manifest locally, you can use the following command through kubectl: +``` +> kubectl apply -f trivy-operator.yaml + +application.argoproj.io/trivy-operator created +``` + +If you have the manifest in a Git repository, you can apply it to your cluster through the following command: +``` +> kubectl apply -n argocd -f https://raw.githubusercontent.com/AnaisUrlichs/argocd-starboard/main/starboard/argocd-starboard.yaml +``` +The latter command would allow you to make changes to the YAML manifest that ArgoCD would register automatically. 
+ +Once deployed, you want to tell ArgoCD to sync the application from the actual state to the desired state: +``` +argocd app sync trivy-operator +``` + +Now you can see the deployment in the ArgoCD UI. Have a look at the ArgoCD documentation to know how to access the UI. + +![ArgoCD UI after deploying the Trivy Operator](../../imgs/argocd-ui.png) + +Note that ArgoCD is unable to show the Trivy CRDs as synced. + + +## FluxCD + +Make sure to have [FluxCD installed](https://fluxcd.io/docs/installation/#install-the-flux-cli) and running in your Kubernetes cluster. + +You can either deploy the Trivy Operator through the Flux CLI or by applying a Kubernetes manifest. + +Flux command: +``` +> kubectl create ns trivy-system +> flux create source helm trivy-operator --url https://aquasecurity.github.io/helm-charts --namespace trivy-system +> flux create helmrelease trivy-operator --chart trivy-operator + --source HelmRepository/trivy-operator + --chart-version 0.0.3 + --namespace trivy-system +``` + +Kubernetes manifest `trivy-operator.yaml`: +``` +apiVersion: source.toolkit.fluxcd.io/v1beta2 +kind: HelmRepository +metadata: + name: trivy-operator + namespace: flux-system +spec: + interval: 60m + url: https://aquasecurity.github.io/helm-charts/ + +--- +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: trivy-operator + namespace: trivy-system +spec: + chart: + spec: + chart: trivy-operator + sourceRef: + kind: HelmRepository + name: trivy-operator + namespace: flux-system + version: 0.0.5 + interval: 60m +``` + +You can then apply the file to your Kubernetes cluster: +``` +kubectl apply -f trivy-operator.yaml +``` + +## After the installation + +After the install, you want to check that the Trivy operator is running in the trivy-system namespace: +``` +kubectl get deployment -n trivy-system +``` + diff --git a/docs/tutorials/kubernetes/kyverno.md b/docs/tutorials/kubernetes/kyverno.md new file mode 100644 index 00000000000..5c4fe1f613e 
--- /dev/null +++ b/docs/tutorials/kubernetes/kyverno.md 
@@ -0,0 +1,114 @@ +# Attesting Image Scans With Kyverno + +This tutorial is based on the following blog post by Chip Zoller: [Attesting Image Scans With Kyverno](https://neonmirrors.net/post/2022-07/attesting-image-scans-kyverno/) + +This tutorial details + +- Verify the container image has an attestation with Kyverno + +### Prerequisites +1. [Attestation of the vulnerability scan uploaded][vuln-attestation] +3. A running Kubernetes cluster that kubectl is connected to + +### Kyverno Policy to check attestation + +The following policy ensures that the attestation is no older than 168h: + +vuln-attestation.yaml + +{% raw %} + +```bash +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-vulnerabilities +spec: + validationFailureAction: enforce + webhookTimeoutSeconds: 10 + failurePolicy: Fail + rules: + - name: not-older-than-one-week + match: + any: + - resources: + kinds: + - Pod + verifyImages: + - imageReferences: + - "CONTAINER-REGISTRY/*:*" + attestations: + - predicateType: cosign.sigstore.dev/attestation/vuln/v1 + conditions: + - all: + - key: "{{ time_since('','{{metadata.scanFinishedOn}}','') }}" + operator: LessThanOrEquals + value: "168h" +``` + +{% endraw %} + +### Apply the policy to your Kubernetes cluster + +Ensure that you have Kyverno already deployed and running on your cluster -- for instance throught he Kyverno Helm Chart. 
+ +Next, apply the above policy: +``` +kubectl apply -f vuln-attestation.yaml +``` + +To ensure that the policy worked, we can deploye an example deployment file with our container image: + +deployment.yaml +``` +apiVersion: apps/v1 +kind: Deployment +metadata: + name: cns-website + namespace: app +spec: + replicas: 2 + selector: + matchLabels: + run: cns-website + template: + metadata: + labels: + run: cns-website + spec: + containers: + - name: cns-website + image: docker.io/anaisurlichs/cns-website:0.0.6 + ports: + - containerPort: 80 + imagePullPolicy: Always + resources: + limits: + memory: 512Mi + cpu: 200m + securityContext: + allowPrivilegeEscalation: false +``` + +Once we apply the deployment, it should pass since our attestation is available: +``` +kubectl apply -f deployment.yaml -n app +deployment.apps/cns-website created +``` + +However, if we try to deploy any other container image, our deployment will fail. We can verify this by replacing the image referenced in the deployment with `docker.io/anaisurlichs/cns-website:0.0.5` and applying the deployment: +``` +kubectl apply -f deployment-two.yaml + +Resource: "apps/v1, Resource=deployments", GroupVersionKind: "apps/v1, Kind=Deployment" +Name: "cns-website", Namespace: "app" +for: "deployment-two.yaml": admission webhook "mutate.kyverno.svc-fail" denied the request: + +resource Deployment/app/cns-website was blocked due to the following policies + +check-image: + autogen-check-image: | + failed to verify signature for docker.io/anaisurlichs/cns-website:0.0.5: .attestors[0].entries[0].keys: no matching signatures: +``` + +[vuln-attestation]: ../signing/vuln-attestation.md \ No newline at end of file diff --git a/docs/tutorials/overview.md b/docs/tutorials/overview.md new file mode 100644 index 00000000000..457adc751db --- /dev/null +++ b/docs/tutorials/overview.md 
@@ -0,0 +1,27 @@ +# Tutorials + +Tutorials are a great way to learn about use cases and integrations. We highly encourage community members to share their Trivy use cases with us in the documentation. + +There are two ways to contributor to the tutorials section + +1. If you are creating any external content on Trivy, we would love to have it as part of our list of [external community resources][community-resources] +2. If you are creating an end-to-end tutorial on a specific Trivy use-case, we would love to feature it in our tutorial section. Read below how you can contribute tutorials to the docs. + +## Process for adding new tutorials + +Requirements +- The tutorial has to provide an end-to-end set of instructions +- Ideally, tutorials should focus on a specific use case +- If the tutorial is featuring other tools, those should be open source, too +- Make sure to describe the expected outcome after each instruction + +**Tip:** Make sure that your tutorial is concise about a specific use case or integration. + +How to add a tutorial + +1. Simply create a new `.md` file in the tutorials folder of the docs +2. Add your content +3. Create a new index in the mkdocs.yaml file which is in the [root directory](https://github.com/aquasecurity/trivy) of the repository +4. Create a PR + +[community-resources]: additional-resources/community.md \ No newline at end of file diff --git a/docs/tutorials/signing/vuln-attestation.md b/docs/tutorials/signing/vuln-attestation.md new file mode 100644 index 00000000000..d0e86397e8a --- /dev/null +++ b/docs/tutorials/signing/vuln-attestation.md 
@@ -0,0 +1,36 @@ +# Vulnerability Scan Record Attestation + +This tutorial details + +- Scan your container image for vulnerabilities +- Generate an attestation with Cosign + +#### Prerequisites + +1. Trivy CLI installed +2. Cosign installed + +#### Scan Container Image for vulnerabilities + +Scan your container image for vulnerabilities and save the scan result to a scan.json file: +``` +trivy image --ignore-unfixed --format json --output scan.json anaisurlichs/cns-website:0.0.6 +``` + +* --ignore-unfixed: Ensures that only the vulnerabilities are displayed that have a already a fix available +* --output scan.json: The scan output is scaved to a scan.json file instead of being displayed in the terminal. + +Note: Replace the container image with the container image that you would like to scan. + +#### Attestation of the vulnerability scan with Cosign + +The following command generates an attestation for the vulnerability scan and uploads it to our container image: +``` +cosign attest --replace --predicate scan.json --type vuln anaisurlichs/cns-website:0.0.6 +``` + +Note: Replace the container image with the container image that you would like to scan. + +See [here][vuln-attestation] for more details. + +[vuln-attestation]: ../../docs/attestation/vuln.md \ No newline at end of file diff --git a/mkdocs.yml b/mkdocs.yml index 1c5bf3d0146..744d037b256 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -7,13 +7,33 @@ repo_url: https://github.com/aquasecurity/trivy edit_uri: "" nav: - - HOME: index.md - - Getting started: - - Overview: getting-started/overview.md + - Getting Started: + - Overview: index.md - Installation: getting-started/installation.md - Quick Start: getting-started/quickstart.md - - Further Reading: getting-started/further.md - - Docs: + - Tutorials: + - Overview: tutorials/overview.md + - CI/CD: + - Overview: tutorials/integrations/index.md + - GitHub Actions: tutorials/integrations/github-actions.md + - CircleCI: tutorials/integrations/circleci.md + - Travis CI: tutorials/integrations/travis-ci.md + - GitLab CI: tutorials/integrations/gitlab-ci.md + - Bitbucket Pipelines: tutorials/integrations/bitbucket.md + - AWS CodePipeline: tutorials/integrations/aws-codepipeline.md + - AWS Security Hub: tutorials/integrations/aws-security-hub.md + - Azure: tutorials/integrations/azure-devops.md + - Signing: + - Vulnerability Scan Record Attestation: tutorials/signing/vuln-attestation.md + - Kubernetes: + - Cluster Scanning: tutorials/kubernetes/cluster-scanning.md + - Kyverno: tutorials/kubernetes/kyverno.md + - GitOps: tutorials/kubernetes/gitops.md + - Additional Resources: + - Additional Resources: tutorials/additional-resources/references.md + - Community References: tutorials/additional-resources/community.md + - CKS Reference: tutorials/additional-resources/cks.md + - CLI: - Overview: docs/index.md - Vulnerability: - Scanning: 
@@ -78,16 +98,6 @@ nav: - Attestation: - SBOM: docs/attestation/sbom.md - Cosign Vulnerability Scan Record: docs/attestation/vuln.md - - Integrations: - - Overview: docs/integrations/index.md - - GitHub Actions: docs/integrations/github-actions.md - - CircleCI: docs/integrations/circleci.md - - Travis CI: docs/integrations/travis-ci.md - - GitLab CI: docs/integrations/gitlab-ci.md - - Bitbucket Pipelines: docs/integrations/bitbucket.md - - AWS CodePipeline: docs/integrations/aws-codepipeline.md - - AWS Security Hub: docs/integrations/aws-security-hub.md - - Azure: docs/integrations/azure-devops.md - Advanced: - Modules: docs/advanced/modules.md - Plugins: docs/advanced/plugins.md @@ -120,15 +130,13 @@ nav: - Server: docs/references/cli/server.md - Plugin: docs/references/cli/plugin.md - SBOM: docs/references/cli/sbom.md + - Module: docs/references/cli/module.md - Modes: - Standalone: docs/references/modes/standalone.md - Client/Server: docs/references/modes/client-server.md - Troubleshooting: docs/references/troubleshooting.md - - Community: - - Tools: community/tools.md - - References: community/references.md - - CKS Reference: community/cks.md - - Credits: community/credit.md + - Ecosystem: ecosystem/tools.md + - Contributing: - How to contribute: - Issues: community/contribute/issue.md - Pull Requests: community/contribute/pr.md
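
Review bot: In docs/tutorials/kubernetes/cluster-scanning.md, the workload example `trivy k8s –n app --report=summary deployments/react-application` has an en dash before `n` instead of an ASCII hyphen, so the namespace flag will not be recognised when the command is copied; change it to `-n app`. In the same file, "The Trivy K8s command is part of the Trivy CLI:" ends in a colon with nothing after it, so either add the snippet that was meant to follow or drop the colon. The first benefit bullet ("Trivy Operator is installed CRDs in our cluster") has lost a word. The Helm install pins `--version v0.0.3` while the Flux manifest added in this same patch uses `version: 0.0.5`; pick one version across the tutorials, or tell readers how to look up the current chart version.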
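
Review bot: In docs/tutorials/kubernetes/gitops.md, the ArgoCD "manifest in a Git repository" example applies `https://raw.githubusercontent.com/AnaisUrlichs/argocd-starboard/main/starboard/argocd-starboard.yaml`, a Starboard manifest in a personal repository on the mutable `main` branch, not the `trivy-operator.yaml` Application shown just above it. Anyone copying the line applies whatever that branch contains at the time, so use a placeholder URL for the reader's own repository or a commit-pinned URL for the manifest this tutorial actually describes. In the FluxCD section the two install paths disagree: the CLI creates the HelmRepository with `--namespace trivy-system` and `--chart-version 0.0.3`, while the manifest places it in `flux-system` with `version: 0.0.5`. The multi-line `flux create helmrelease` command has no line-continuation characters, and the manifest path never creates the `trivy-system` namespace that its HelmRelease targets. Typo: "The apply the Kubernetes manifest".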
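
Review bot: In docs/tutorials/kubernetes/kyverno.md, the sample denial at the end does not come from the policy this tutorial installs: it names `check-image` / `autogen-check-image` and reports "failed to verify signature ... .attestors[0].entries[0].keys: no matching signatures", whereas the policy above is `check-vulnerabilities` with the single rule `not-older-than-one-week`. Replace it with output produced by this policy so readers can recognise a real attestation failure. The `verifyImages` rule as shown also names no key or signer for the attestation; state whether that is intentional, because readers will assume the policy checks who produced the scan record. The text says to change the image to `0.0.5` but then applies `deployment-two.yaml`, a file that is never introduced, and "any other container image" overstates the scope since the rule only matches `imageReferences`, currently the unexplained placeholder `"CONTAINER-REGISTRY/*:*"`. Smaller points: the policy YAML is fenced as `bash`, the prerequisites are numbered 1 and 3, and there are typos ("throught he", "deploye").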
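
Review bot: In docs/tutorials/overview.md, step 3 of "How to add a tutorial" refers to `mkdocs.yaml`, but the file this patch edits is `mkdocs.yml`; use the real file name, and say "nav entry" rather than "index" so contributors know which part of the file to change. "There are two ways to contributor to the tutorials section" should read "contribute" and end with a colon. "Requirements" and "How to add a tutorial" are bare lines; make them subheadings so they render as section labels under "Process for adding new tutorials".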
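
Review bot: In docs/tutorials/signing/vuln-attestation.md, the scan is written with `--format json`, but the Kyverno policy added in this same patch evaluates `metadata.scanFinishedOn` on a `cosign.sigstore.dev/attestation/vuln/v1` predicate. Please confirm that the file produced here carries that field, or switch to the output format described in docs/attestation/vuln.md, otherwise the two tutorials will not work end to end. The `cosign attest` line shows no `--key` and the text does not say which signing identity is used, which readers need to know in order to verify the attestation later. Both commands address the image by the tag `0.0.6`; recommending the image digest would bind the attestation to the exact content that was scanned. The flag list explains `--ignore-unfixed` and `--output` but not `--format json`, the second "Note" should say "attest" rather than "scan", and there are typos ("have a already a fix", "scaved").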
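
Review bot: In mkdocs.yml, the new "Additional Resources" section repeats its own name as its first child (`- Additional Resources: tutorials/additional-resources/references.md`); rename the child, for example to "References", so the nav does not show the same label twice. The "Contributing" section created in the last hunk still points at `community/contribute/issue.md` and `community/contribute/pr.md` while the rest of the Community section is removed, so either move those files as well or keep the directory name deliberately and say so. The added `- Module: docs/references/cli/module.md` entry is unrelated to the tutorials restructure and would be easier to review as its own change. Since every integrations page moves from `docs/integrations/` to `tutorials/integrations/`, check that inbound links to the old paths are updated or redirected.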