docs: add info on adding compliance checks #6275
Conversation
Signed-off-by: AnaisUrlichs <urlichsanais@gmail.com>
Signed-off-by: AnaisUrlichs <urlichsanais@gmail.com>
AnaisUrlichs
changed the title
Signed-off-by: AnaisUrlichs <urlichsanais@gmail.com>
|
|
||
| The existing compliance specs in Trivy are located under the `trivy-policies/specs/compliance/` directory ([Link](https://github.com/aquasecurity/trivy-policies/tree/main/specs/compliance)). | ||
|
|
||
| Create a new file under `trivy-policies/specs/compliance/` and name the file in the format of "provider-resource-spectype-version.yaml". For example, the file name for AWS CIS Benchmarks for EKS version 1.4 is: `aws-eks-cis-1.4.yaml`. |
There was a problem hiding this comment.
it's a good idea to define a naming convention.
"provider-resource" not sure this is the best terminology, also very cloud specific (and the compliance feature is not). I think in this case the entire "aws-eks" is the subject and there's no need to specify it's components in the generic template. another example there will be CIS specs for specific k8s flavor (like open shift), which this needs to appear in the name but I don't think in the template.
so I would suggest to simplify the template as subject-spec.yaml which means: specify the subject of the compliance (what are we evaluating?). if it's a cloud service or another example of a subcomponent, include the parent too, for example aws-eks. if the spec is specific to a version, optionally include it after the subject, e.g k8s-1.21. spec is a short name for the compliance framework that people can identify, e.g cis. if the spec is versioned, include the version too cis-1.1. wdyt?
There was a problem hiding this comment.
What do you mean with this sentence:
which this needs to appear in the name but I don't think in the template.
"provider-resource-spectype-version.yaml" the reasoning here was is that we call it provider and resource/service in other parts of the source code and docs
if it's a cloud service or another example of a subcomponent, include the parent too, for example aws-eks
The spec type is specific to a benchmark version e.g. CIS, I don't think it makes much sense to include the K8s version as that won't tell people more about the compliance scan and in some cases CIS
specs correspond to different k8s versions @chen-keinan thoughts?
recent CIS specs for reference
There was a problem hiding this comment.
What do you mean with this sentence
For example, that opehshift needs to appear in the file name, but doesn't have to have a placeholder in the naming convention template. we can ignore this sentence :)
we call it provider and resource/service in other parts of the source code and docs
I think this is true only to cloud. for example, I wrote a k8s compliance (PSS) and didn't have to know about service/provider in trivy and didn't use it in the name
I don't think it makes much sense to include the K8s version
OK, makes sense. but just to clarify, this isn't what text you quoted says "include the parent too, for example aws-eks"
|
|
||
| Create a new file under `trivy-policies/specs/compliance/` and name the file in the format of "provider-resource-spectype-version.yaml". For example, the file name for AWS CIS Benchmarks for EKS version 1.4 is: `aws-eks-cis-1.4.yaml`. | ||
|
|
||
| ### Minimum spec structure |
There was a problem hiding this comment.
IMO there's too much duplication with the general compliance documentation, this should be about how to upstream a compliance, not the complete guide to write a compliance.
There was a problem hiding this comment.
Does this relate to line 19 or to the minimum spec structure?
There was a problem hiding this comment.
I have moved some to the normal compliance documentation but I am thinking about the following instead:
- divide the compliance docs into the following two separate sections in the table of content: built-in compliance and custom compliance. The custom compliance would then also detail how to contribute the custom compliance check to Trivy
There was a problem hiding this comment.
Does this relate to line 19 or to the minimum spec structure?
Minimum spec structure (and what follows)
There was a problem hiding this comment.
table of content: built-in compliance and custom compliance
not sure I understand how your suggestion is different than existing?
| - `checks.id` -- Required; this is the AVD ID or AVD IDs referenced that perform the Rego check for this compliance check, more information is provided below. | ||
| - `severity` -- Required; more information provided below. | ||
|
|
||
| ### Populating the `control` section |
There was a problem hiding this comment.
there's more to say about vulnerability checks and node checks
There was a problem hiding this comment.
@chen-keinan I need your help here
There was a problem hiding this comment.
@chen-keinan :) help
Signed-off-by: AnaisUrlichs <urlichsanais@gmail.com>
| @@ -0,0 +1,101 @@ | |||
| # Custom Compliance Checks | |||
There was a problem hiding this comment.
Terminology could be confusing, could be Custom Compliance Specs is more accurate ?
| @@ -0,0 +1,101 @@ | |||
| # Custom Compliance Checks | |||
|
|
|||
| Trivy supports several different compliance checks. The details on compliance scanning with Trivy are provided in the [compliance documentation](../../docs/compliance/compliance.md). | |||
There was a problem hiding this comment.
| Trivy supports several different compliance checks. The details on compliance scanning with Trivy are provided in the [compliance documentation](../../docs/compliance/compliance.md). | |
| Trivy supports several different compliance specs. The details on compliance scanning with Trivy are provided in the [compliance documentation](../../docs/compliance/compliance.md). |
| # Custom Compliance Checks | ||
|
|
||
| Trivy supports several different compliance checks. The details on compliance scanning with Trivy are provided in the [compliance documentation](../../docs/compliance/compliance.md). | ||
| All of the Compliance Checks currently available in Trivy can be found in the `trivy-policies/specs/compliance/` directory ([Link](https://github.com/aquasecurity/trivy-policies/tree/main/specs/compliance)). |
There was a problem hiding this comment.
trivy-policies repo on github name has been changed to trivy-checks, change should apply to all references in doc
|
|
||
| ``` | ||
| - id: 2.1.1 | ||
| name: Enable audit Logs (Automated) |
There was a problem hiding this comment.
in example I would put (Manual) as there is no check (nil)
Adding documentation to the contributing section on writing Compliance Checks