aquasecurity · knqyf263 · Aug 9, 2024 · Jul 14, 2024 · Jul 15, 2024 · Jul 16, 2024
@@ -119,10 +119,13 @@ cp /path/to/trivy.db /path/to/metadata.json ${TRIVY_CACHE_DIR}/db/
 ### Java DB
 
 For Java DB the process is the same, except for the following:
+
 1. Image location is `ghcr.io/aquasecurity/trivy-java-db:1`
 2. Archive file name is `javadb.tar.gz`
 3. DB file name is `trivy-java.db`
 
 ## Misconfigurations scanning
 
 Note that the misconfigurations database is also embedded in the Trivy binary (at build time), and will be used as a fallback if the external database is not available. This means that you can still scan for misconfigurations in an air-gapped environment using the Checks from the time of the Trivy release you are using.
+
+The misconfiguration can be configured to load checks from a local directory, using the `--config-check` flag. In an air-gapped scenario you can copy the checks library from [Trivy checks repository](https://github.com/aquasecurity/trivy-checks) into a local directory, and load it with this flag. See more in the [Misconfiguration scanner documentation](../scanner/misconfiguration/index.md).
@@ -35,7 +35,7 @@ Additional information is provided below.
 
 #### 1. Referencing a check that is already part of Trivy
 
-Trivy has a comprehensive list of checks as part of its misconfiguration scanning. These can be found in the `trivy-policies/checks` directory ([Link](https://github.com/aquasecurity/trivy-checks/tree/main/checks)). If the check is present, the `AVD_ID` and other information from the check has to be used.
+Trivy has a comprehensive list of checks as part of its misconfiguration scanning. These can be found in the `trivy-checks/checks` directory ([Link](https://github.com/aquasecurity/trivy-checks/tree/main/checks)). If the check is present, the `AVD_ID` and other information from the check has to be used.
 
 Note: Take a look at the more generic compliance specs that are already available in Trivy. If you are adding new compliance spec to Kubernetes e.g. AWS EKS CIS Benchmarks, chances are high that the check you would like to add to the new spec has already been defined in the general `k8s-ci-v.000.yaml` compliance spec. The same applies for creating specific Cloud Provider Compliance Specs and the [generic compliance specs](https://github.com/aquasecurity/trivy-checks/tree/main/specs/compliance) available. 
 

@@ -6,7 +6,7 @@ Trivy checks are mainly written in [Rego][rego], while some checks are written i
 See [here](../../../coverage/iac/index.md) for the list of supported config types.
 
 ## Checks Bundle
-When performing a misconfiguration scan, Trivy will automatically downloads the relevant Checks bundle. The bundle is cached locally and Trivy will reuse it for subsequent scans on the same machine. Trivy takes care of updating the cache automatically so normally can be oblivious to it.
+When performing a misconfiguration scan, Trivy will automatically download the relevant Checks bundle. The bundle is cached locally and Trivy will reuse it for subsequent scans on the same machine. Trivy takes care of updating the cache automatically, so normally users can be oblivious to it.
 
 For CLI flags related to the database, please refer to [this page](../configuration/db.md).
 

@@ -31,5 +31,5 @@ Then, you need to pass data paths through `--data` option.
 Trivy recursively searches the specified paths for JSON (`*.json`) and YAML (`*.yaml`) files.
 
 ```bash
-$ trivy conf --policy ./policy --data data --namespaces user ./configs
+$ trivy conf --config-check ./checks --data ./data --namespaces user ./configs
 ```
@@ -2,10 +2,10 @@
 
 ## Overview
 You can write custom checks in [Rego][rego].
-Once you finish writing custom checks, you can pass the policy files or the directory where those policies are stored with `--policy` option.
+Once you finish writing custom checks, you can pass the policy files or the directory where those checks are stored with --config-check` option.
 
 ``` bash
-trivy conf --policy /path/to/policy.rego --policy /path/to/custom_policies --namespaces user /path/to/config_dir
+trivy conf --config-check /path/to/policy.rego --config-check /path/to/custom_checks --namespaces user /path/to/config_dir
 ```
 
 As for `--namespaces` option, the detail is described as below.
@@ -93,7 +93,7 @@ By default, only `builtin.*` packages will be evaluated.
 If you define custom packages, you have to specify the package prefix via `--namespaces` option. By default, Trivy only runs in its own namespace, unless specified by the user. Note that the custom namespace does not have to be `user` as in this example. It could be anything user-defined.
 
 ``` bash
-trivy conf --policy /path/to/custom_policies --namespaces user /path/to/config_dir
+trivy conf --config-check /path/to/custom_checks --namespaces user /path/to/config_dir
 ```
 
 In this case, `user.*` will be evaluated.
@@ -135,7 +135,7 @@ correct and do not reference incorrect properties/values.
 
 #### custom.avd_id and custom.id
 
-The AVD_ID can be used to link the check to the Aqua Vulnerability Database (AVD) entry. For example, the `avd_id` `AVD-AWS-0176` is the ID of the check in the [AWS Vulnerability Database](https://avd.aquasec.com/). If you are [contributing your check to trivy-policies](../../../../community/contribute/checks/overview.md), you need to generate an ID using `make id` in the [trivy-checks](https://github.com/aquasecurity/trivy-checks) repository. The output of the command will provide you the next free IDs for the different providers in Trivy.
+The AVD_ID can be used to link the check to the Aqua Vulnerability Database (AVD) entry. For example, the `avd_id` `AVD-AWS-0176` is the ID of the check in the [AWS Vulnerability Database](https://avd.aquasec.com/). If you are [contributing your check to trivy-checks](../../../../community/contribute/checks/overview.md), you need to generate an ID using `make id` in the [trivy-checks](https://github.com/aquasecurity/trivy-checks) repository. The output of the command will provide you the next free IDs for the different providers in Trivy.
 
 The ID is based on the AVD_ID. For instance if the `avd_id` is `AVD-AWS-0176`, the ID is `ID0176`.
 

@@ -1,7 +1,7 @@
 # Input Schema
 
 ## Overview
-Policies can be defined with custom schemas that allow inputs to be verified against them. Adding a policy schema
+Checks can be defined with custom schemas that allow inputs to be verified against them. Adding a policy schema
 enables Trivy to show more detailed error messages when an invalid input is encountered.
 
 In Trivy we have been able to define a schema for a [Dockerfile](https://github.com/aquasecurity/trivy/tree/main/pkg/iac/rego/schemas)

@@ -326,13 +326,13 @@ trivy config --misconfig-scanners=terraform,dockerfile .
 
 Will only scan for misconfigurations that pertain to Terraform and Dockerfiles.
 
-### Passing custom checks
-You can pass policy files or directories including your custom checks through `--policy` option.
+### Loading custom checks
+You can load policy files or directories including your custom checks through `--config-check` flag.
 This can be repeated for specifying multiple files or directories.
 
 ```bash
 cd examplex/misconf/
-trivy conf --policy custom-policy/policy --policy combine/policy --policy policy.rego --namespaces user misconf/mixed
+trivy conf --config-check custom-policy/policy --config-check combine/policy --config-check policy.rego --namespaces user misconf/mixed
 ```
 
 For more details, see [Custom Checks](./custom/index.md).
@@ -346,7 +346,7 @@ This can be repeated for specifying multiple directories.
 
 ```bash
 cd examples/misconf/custom-data
-trivy conf --policy ./policy --data ./data --namespaces user ./configs
+trivy conf --config-check ./policy --data ./data --namespaces user ./configs
 ```
 
 For more details, see [Custom Data](./custom/data.md).
@@ -357,7 +357,7 @@ If you want to evaluate custom checks in other packages, you have to specify pac
 This can be repeated for specifying multiple packages.
 
 ``` bash
-trivy conf --policy ./policy --namespaces main --namespaces user ./configs
+trivy conf --config-check ./policy --namespaces main --namespaces user ./configs
 ```
 
 ### Private terraform registries

@@ -160,7 +160,7 @@ Trivy can detect vulnerabilities in Kubernetes clusters and components by scanni
 
 ## Databases
 Trivy utilizes several databases containing information relevant for vulnerability scanning.  
-When performing a vulnerability scan, Trivy will automatically downloads the relevant databases. The databases are cached locally and Trivy will reuse them for subsequent scans on the same machine. Trivy takes care of updating the databases cache automatically so normally can be oblivious to it.
+When performing a vulnerability scan, Trivy will automatically downloads the relevant databases. The databases are cached locally and Trivy will reuse them for subsequent scans on the same machine. Trivy takes care of updating the databases cache automatically, so normally users can be oblivious to it.
 
 For CLI flags related to the database, please refer to [this page](../configuration/db.md).
 

@@ -93,7 +93,7 @@ Note that Rego
 Ensure that you have Trivy installed and run the following command:
 
 ```bash
-trivy fs --scanners misconf --policy ./docker-check.rego --namespaces custom ./Dockerfile
+trivy fs --scanners misconf --config-check ./docker-check.rego --namespaces custom ./Dockerfile
 ```
 
 Please replace: