New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
docs: add info on adding compliance checks #6275
base: main
Are you sure you want to change the base?
docs: add info on adding compliance checks #6275
Conversation
Signed-off-by: AnaisUrlichs <urlichsanais@gmail.com>
Signed-off-by: AnaisUrlichs <urlichsanais@gmail.com>
Signed-off-by: AnaisUrlichs <urlichsanais@gmail.com>
|
||
The existing compliance specs in Trivy are located under the `trivy-policies/specs/compliance/` directory ([Link](https://github.com/aquasecurity/trivy-policies/tree/main/specs/compliance)). | ||
|
||
Create a new file under `trivy-policies/specs/compliance/` and name the file in the format of "provider-resource-spectype-version.yaml". For example, the file name for AWS CIS Benchmarks for EKS version 1.4 is: `aws-eks-cis-1.4.yaml`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it's a good idea to define a naming convention.
"provider-resource" not sure this is the best terminology, also very cloud specific (and the compliance feature is not). I think in this case the entire "aws-eks" is the subject and there's no need to specify it's components in the generic template. another example there will be CIS specs for specific k8s flavor (like open shift), which this needs to appear in the name but I don't think in the template.
so I would suggest to simplify the template as subject-spec.yaml
which means: specify the subject of the compliance (what are we evaluating?). if it's a cloud service or another example of a subcomponent, include the parent too, for example aws-eks
. if the spec is specific to a version, optionally include it after the subject, e.g k8s-1.21
. spec is a short name for the compliance framework that people can identify, e.g cis
. if the spec is versioned, include the version too cis-1.1
. wdyt?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What do you mean with this sentence:
which this needs to appear in the name but I don't think in the template.
"provider-resource-spectype-version.yaml" the reasoning here was is that we call it provider and resource/service in other parts of the source code and docs
if it's a cloud service or another example of a subcomponent, include the parent too, for example aws-eks
The spec type is specific to a benchmark version e.g. CIS, I don't think it makes much sense to include the K8s version as that won't tell people more about the compliance scan and in some cases CIS
specs correspond to different k8s versions @chen-keinan thoughts?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What do you mean with this sentence
For example, that opehshift needs to appear in the file name, but doesn't have to have a placeholder in the naming convention template. we can ignore this sentence :)
we call it provider and resource/service in other parts of the source code and docs
I think this is true only to cloud. for example, I wrote a k8s compliance (PSS) and didn't have to know about service/provider in trivy and didn't use it in the name
I don't think it makes much sense to include the K8s version
OK, makes sense. but just to clarify, this isn't what text you quoted says "include the parent too, for example aws-eks"
|
||
Create a new file under `trivy-policies/specs/compliance/` and name the file in the format of "provider-resource-spectype-version.yaml". For example, the file name for AWS CIS Benchmarks for EKS version 1.4 is: `aws-eks-cis-1.4.yaml`. | ||
|
||
### Minimum spec structure |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IMO there's too much duplication with the general compliance documentation, this should be about how to upstream a compliance, not the complete guide to write a compliance.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does this relate to line 19 or to the minimum spec structure?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have moved some to the normal compliance documentation but I am thinking about the following instead:
- divide the compliance docs into the following two separate sections in the table of content: built-in compliance and custom compliance. The custom compliance would then also detail how to contribute the custom compliance check to Trivy
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does this relate to line 19 or to the minimum spec structure?
Minimum spec structure (and what follows)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- `checks.id` -- Required; this is the AVD ID or AVD IDs referenced that perform the Rego check for this compliance check, more information is provided below. | ||
- `severity` -- Required; more information provided below. | ||
|
||
### Populating the `control` section |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
there's more to say about vulnerability checks and node checks
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@chen-keinan I need your help here
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@chen-keinan :) help
Signed-off-by: AnaisUrlichs <urlichsanais@gmail.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@AnaisUrlichs look good, I have added few comments
@@ -0,0 +1,101 @@ | |||
# Custom Compliance Checks |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Terminology could be confusing, could be Custom Compliance Specs
is more accurate ?
@@ -0,0 +1,101 @@ | |||
# Custom Compliance Checks | |||
|
|||
Trivy supports several different compliance checks. The details on compliance scanning with Trivy are provided in the [compliance documentation](../../docs/compliance/compliance.md). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Trivy supports several different compliance checks. The details on compliance scanning with Trivy are provided in the [compliance documentation](../../docs/compliance/compliance.md). | |
Trivy supports several different compliance specs. The details on compliance scanning with Trivy are provided in the [compliance documentation](../../docs/compliance/compliance.md). |
# Custom Compliance Checks | ||
|
||
Trivy supports several different compliance checks. The details on compliance scanning with Trivy are provided in the [compliance documentation](../../docs/compliance/compliance.md). | ||
All of the Compliance Checks currently available in Trivy can be found in the `trivy-policies/specs/compliance/` directory ([Link](https://github.com/aquasecurity/trivy-policies/tree/main/specs/compliance)). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
trivy-policies
repo on github name has been changed to trivy-checks
, change should apply to all references in doc
|
||
``` | ||
- id: 2.1.1 | ||
name: Enable audit Logs (Automated) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
in example I would put (Manual) as there is no check (nil)
Adding documentation to the contributing section on writing Compliance Checks