image-scanner-with-trivy 0.0.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.gitattributes +26 -0
- package/.jsii +3950 -0
- package/.prettierignore +1 -0
- package/.prettierrc.json +8 -0
- package/.projenrc.ts +80 -0
- package/API.md +521 -0
- package/LICENSE +202 -0
- package/README.md +49 -0
- package/assets/lambda/Dockerfile +32 -0
- package/assets/lambda/dist/index.js +7 -0
- package/assets/lambda/index.ts +73 -0
- package/lib/index.d.ts +186 -0
- package/lib/index.js +92 -0
- package/lib/integ.d.ts +1 -0
- package/lib/integ.js +25 -0
- package/package.json +103 -0
package/.prettierignore
ADDED
|
@@ -0,0 +1 @@
|
|
|
1
|
+
# ~~ Generated by projen. To modify, edit .projenrc.ts and run "npx projen".
|
package/.prettierrc.json
ADDED
package/.projenrc.ts
ADDED
|
@@ -0,0 +1,80 @@
|
|
|
1
|
+
import { awscdk } from 'projen';
|
|
2
|
+
import { TrailingComma, Transform } from 'projen/lib/javascript';
|
|
3
|
+
const project = new awscdk.AwsCdkConstructLibrary({
|
|
4
|
+
author: 'go-to-k',
|
|
5
|
+
authorAddress: '24818752+go-to-k@users.noreply.github.com',
|
|
6
|
+
// TODO: major version
|
|
7
|
+
// majorVersion: 1,
|
|
8
|
+
minNodeVersion: '18.0.0',
|
|
9
|
+
cdkVersion: '2.95.1',
|
|
10
|
+
defaultReleaseBranch: 'main',
|
|
11
|
+
jsiiVersion: '~5.0.0',
|
|
12
|
+
name: 'image-scanner-with-trivy',
|
|
13
|
+
projenrcTs: true,
|
|
14
|
+
repositoryUrl: 'https://github.com/go-to-k/image-scanner-with-trivy',
|
|
15
|
+
prettier: true,
|
|
16
|
+
prettierOptions: {
|
|
17
|
+
settings: {
|
|
18
|
+
singleQuote: true,
|
|
19
|
+
jsxSingleQuote: true,
|
|
20
|
+
trailingComma: TrailingComma.ALL,
|
|
21
|
+
semi: true,
|
|
22
|
+
printWidth: 100,
|
|
23
|
+
},
|
|
24
|
+
},
|
|
25
|
+
eslintOptions: {
|
|
26
|
+
dirs: ['src'],
|
|
27
|
+
prettier: true,
|
|
28
|
+
ignorePatterns: [
|
|
29
|
+
'example/**/*',
|
|
30
|
+
'lambda/**/*',
|
|
31
|
+
'test/assets/**/*',
|
|
32
|
+
'test/*.snapshot/**/*',
|
|
33
|
+
'*.d.ts',
|
|
34
|
+
],
|
|
35
|
+
},
|
|
36
|
+
jestOptions: {
|
|
37
|
+
configFilePath: 'jest.config.json',
|
|
38
|
+
jestConfig: {
|
|
39
|
+
testEnvironment: 'node',
|
|
40
|
+
roots: ['<rootDir>/test'],
|
|
41
|
+
testMatch: ['**/*.test.ts'],
|
|
42
|
+
transform: {
|
|
43
|
+
'^.+\\.tsx?$': new Transform('ts-jest'),
|
|
44
|
+
},
|
|
45
|
+
snapshotSerializers: ['<rootDir>/test/snapshot-plugin.ts'],
|
|
46
|
+
},
|
|
47
|
+
},
|
|
48
|
+
license: 'Apache-2.0',
|
|
49
|
+
keywords: [
|
|
50
|
+
'aws',
|
|
51
|
+
'cdk',
|
|
52
|
+
'aws-cdk',
|
|
53
|
+
'docker',
|
|
54
|
+
'trivy',
|
|
55
|
+
'ecs',
|
|
56
|
+
'ecr',
|
|
57
|
+
'fargate',
|
|
58
|
+
'container',
|
|
59
|
+
'security',
|
|
60
|
+
],
|
|
61
|
+
gitignore: ['*.js', '*.d.ts', 'cdk.out/'],
|
|
62
|
+
bin: {
|
|
63
|
+
0: './assets',
|
|
64
|
+
},
|
|
65
|
+
// deps: [], /* Runtime dependencies of this module. */
|
|
66
|
+
// description: undefined, /* The description is just a string that helps people understand the purpose of the package. */
|
|
67
|
+
// devDeps: [], /* Build dependencies for this module. */
|
|
68
|
+
// packageName: undefined, /* The "name" in package.json. */
|
|
69
|
+
});
|
|
70
|
+
project.tsconfigDev.addInclude('assets/lambda/**/*.ts');
|
|
71
|
+
project.setScript('cdk', 'cdk');
|
|
72
|
+
project.setScript('integ:deploy', "cdk deploy --app='./lib/integ.js'");
|
|
73
|
+
project.setScript('integ:destroy', "cdk destroy --app='./lib/integ.js'");
|
|
74
|
+
project.projectBuild.compileTask.prependExec(
|
|
75
|
+
'yarn install --non-interactive --frozen-lockfile && yarn build',
|
|
76
|
+
{
|
|
77
|
+
cwd: 'assets/lambda',
|
|
78
|
+
},
|
|
79
|
+
);
|
|
80
|
+
project.synth();
|
package/API.md
ADDED
|
@@ -0,0 +1,521 @@
|
|
|
1
|
+
# image-scanner-with-trivy
|
|
2
|
+
|
|
3
|
+
## What is
|
|
4
|
+
|
|
5
|
+
This is an AWS CDK Construct that allows you to **scan a container image in CDK deployment layer with trivy**.
|
|
6
|
+
|
|
7
|
+
If it detects vulnerabilities, it can **prevent the image from being pushed to the ECR for the application**.
|
|
8
|
+
|
|
9
|
+
Since it takes an `imageUri` for ECR as an argument, it can also be used to **simply scan an existing image in the repository**.
|
|
10
|
+
|
|
11
|
+
## Trivy
|
|
12
|
+
|
|
13
|
+
[Trivy](https://github.com/aquasecurity/trivy) is a comprehensive and versatile security scanner.
|
|
14
|
+
|
|
15
|
+
## Usage
|
|
16
|
+
|
|
17
|
+
- Install
|
|
18
|
+
|
|
19
|
+
```sh
|
|
20
|
+
npm install image-scanner-with-trivy
|
|
21
|
+
```
|
|
22
|
+
|
|
23
|
+
- CDK Code
|
|
24
|
+
|
|
25
|
+
```ts
|
|
26
|
+
import { ImageScannerWithTrivy } from 'image-scanner-with-trivy';
|
|
27
|
+
|
|
28
|
+
const repository = new Repository(this, 'ImageRepository', {
|
|
29
|
+
removalPolicy: RemovalPolicy.DESTROY,
|
|
30
|
+
autoDeleteImages: true,
|
|
31
|
+
});
|
|
32
|
+
|
|
33
|
+
const image = new DockerImageAsset(this, 'DockerImage', {
|
|
34
|
+
directory: resolve(__dirname, './'),
|
|
35
|
+
});
|
|
36
|
+
|
|
37
|
+
// Please grant the necessary options on a case-by-case basis.
|
|
38
|
+
const imageScanner = new ImageScannerWithTrivy(this, 'ImageScannerWithTrivy', {
|
|
39
|
+
imageUri: image.imageUri,
|
|
40
|
+
repository: image.repository,
|
|
41
|
+
});
|
|
42
|
+
|
|
43
|
+
// By adding `addDependency`, if the vulnerabilities are detected by `ImageScannerWithTrivy`, the following `ECRDeployment` will not be executed, deployment will fail.
|
|
44
|
+
const ecrDeployment = new ECRDeployment(this, 'DeployImage', {
|
|
45
|
+
src: new DockerImageName(image.imageUri),
|
|
46
|
+
dest: new DockerImageName(`${repository.repositoryUri}:latest`),
|
|
47
|
+
});
|
|
48
|
+
ecrDeployment.node.addDependency(imageScanner);
|
|
49
|
+
```
|
|
50
|
+
|
|
51
|
+
# API Reference <a name="API Reference" id="api-reference"></a>
|
|
52
|
+
|
|
53
|
+
## Constructs <a name="Constructs" id="Constructs"></a>
|
|
54
|
+
|
|
55
|
+
### ImageScannerWithTrivy <a name="ImageScannerWithTrivy" id="image-scanner-with-trivy.ImageScannerWithTrivy"></a>
|
|
56
|
+
|
|
57
|
+
#### Initializers <a name="Initializers" id="image-scanner-with-trivy.ImageScannerWithTrivy.Initializer"></a>
|
|
58
|
+
|
|
59
|
+
```typescript
|
|
60
|
+
import { ImageScannerWithTrivy } from 'image-scanner-with-trivy'
|
|
61
|
+
|
|
62
|
+
new ImageScannerWithTrivy(scope: Construct, id: string, props: ImageScannerWithTrivyProps)
|
|
63
|
+
```
|
|
64
|
+
|
|
65
|
+
| **Name** | **Type** | **Description** |
|
|
66
|
+
| --- | --- | --- |
|
|
67
|
+
| <code><a href="#image-scanner-with-trivy.ImageScannerWithTrivy.Initializer.parameter.scope">scope</a></code> | <code>constructs.Construct</code> | *No description.* |
|
|
68
|
+
| <code><a href="#image-scanner-with-trivy.ImageScannerWithTrivy.Initializer.parameter.id">id</a></code> | <code>string</code> | *No description.* |
|
|
69
|
+
| <code><a href="#image-scanner-with-trivy.ImageScannerWithTrivy.Initializer.parameter.props">props</a></code> | <code><a href="#image-scanner-with-trivy.ImageScannerWithTrivyProps">ImageScannerWithTrivyProps</a></code> | *No description.* |
|
|
70
|
+
|
|
71
|
+
---
|
|
72
|
+
|
|
73
|
+
##### `scope`<sup>Required</sup> <a name="scope" id="image-scanner-with-trivy.ImageScannerWithTrivy.Initializer.parameter.scope"></a>
|
|
74
|
+
|
|
75
|
+
- *Type:* constructs.Construct
|
|
76
|
+
|
|
77
|
+
---
|
|
78
|
+
|
|
79
|
+
##### `id`<sup>Required</sup> <a name="id" id="image-scanner-with-trivy.ImageScannerWithTrivy.Initializer.parameter.id"></a>
|
|
80
|
+
|
|
81
|
+
- *Type:* string
|
|
82
|
+
|
|
83
|
+
---
|
|
84
|
+
|
|
85
|
+
##### `props`<sup>Required</sup> <a name="props" id="image-scanner-with-trivy.ImageScannerWithTrivy.Initializer.parameter.props"></a>
|
|
86
|
+
|
|
87
|
+
- *Type:* <a href="#image-scanner-with-trivy.ImageScannerWithTrivyProps">ImageScannerWithTrivyProps</a>
|
|
88
|
+
|
|
89
|
+
---
|
|
90
|
+
|
|
91
|
+
#### Methods <a name="Methods" id="Methods"></a>
|
|
92
|
+
|
|
93
|
+
| **Name** | **Description** |
|
|
94
|
+
| --- | --- |
|
|
95
|
+
| <code><a href="#image-scanner-with-trivy.ImageScannerWithTrivy.toString">toString</a></code> | Returns a string representation of this construct. |
|
|
96
|
+
|
|
97
|
+
---
|
|
98
|
+
|
|
99
|
+
##### `toString` <a name="toString" id="image-scanner-with-trivy.ImageScannerWithTrivy.toString"></a>
|
|
100
|
+
|
|
101
|
+
```typescript
|
|
102
|
+
public toString(): string
|
|
103
|
+
```
|
|
104
|
+
|
|
105
|
+
Returns a string representation of this construct.
|
|
106
|
+
|
|
107
|
+
#### Static Functions <a name="Static Functions" id="Static Functions"></a>
|
|
108
|
+
|
|
109
|
+
| **Name** | **Description** |
|
|
110
|
+
| --- | --- |
|
|
111
|
+
| <code><a href="#image-scanner-with-trivy.ImageScannerWithTrivy.isConstruct">isConstruct</a></code> | Checks if `x` is a construct. |
|
|
112
|
+
|
|
113
|
+
---
|
|
114
|
+
|
|
115
|
+
##### ~~`isConstruct`~~ <a name="isConstruct" id="image-scanner-with-trivy.ImageScannerWithTrivy.isConstruct"></a>
|
|
116
|
+
|
|
117
|
+
```typescript
|
|
118
|
+
import { ImageScannerWithTrivy } from 'image-scanner-with-trivy'
|
|
119
|
+
|
|
120
|
+
ImageScannerWithTrivy.isConstruct(x: any)
|
|
121
|
+
```
|
|
122
|
+
|
|
123
|
+
Checks if `x` is a construct.
|
|
124
|
+
|
|
125
|
+
###### `x`<sup>Required</sup> <a name="x" id="image-scanner-with-trivy.ImageScannerWithTrivy.isConstruct.parameter.x"></a>
|
|
126
|
+
|
|
127
|
+
- *Type:* any
|
|
128
|
+
|
|
129
|
+
Any object.
|
|
130
|
+
|
|
131
|
+
---
|
|
132
|
+
|
|
133
|
+
#### Properties <a name="Properties" id="Properties"></a>
|
|
134
|
+
|
|
135
|
+
| **Name** | **Type** | **Description** |
|
|
136
|
+
| --- | --- | --- |
|
|
137
|
+
| <code><a href="#image-scanner-with-trivy.ImageScannerWithTrivy.property.node">node</a></code> | <code>constructs.Node</code> | The tree node. |
|
|
138
|
+
|
|
139
|
+
---
|
|
140
|
+
|
|
141
|
+
##### `node`<sup>Required</sup> <a name="node" id="image-scanner-with-trivy.ImageScannerWithTrivy.property.node"></a>
|
|
142
|
+
|
|
143
|
+
```typescript
|
|
144
|
+
public readonly node: Node;
|
|
145
|
+
```
|
|
146
|
+
|
|
147
|
+
- *Type:* constructs.Node
|
|
148
|
+
|
|
149
|
+
The tree node.
|
|
150
|
+
|
|
151
|
+
---
|
|
152
|
+
|
|
153
|
+
|
|
154
|
+
## Structs <a name="Structs" id="Structs"></a>
|
|
155
|
+
|
|
156
|
+
### ImageScannerWithTrivyProps <a name="ImageScannerWithTrivyProps" id="image-scanner-with-trivy.ImageScannerWithTrivyProps"></a>
|
|
157
|
+
|
|
158
|
+
#### Initializer <a name="Initializer" id="image-scanner-with-trivy.ImageScannerWithTrivyProps.Initializer"></a>
|
|
159
|
+
|
|
160
|
+
```typescript
|
|
161
|
+
import { ImageScannerWithTrivyProps } from 'image-scanner-with-trivy'
|
|
162
|
+
|
|
163
|
+
const imageScannerWithTrivyProps: ImageScannerWithTrivyProps = { ... }
|
|
164
|
+
```
|
|
165
|
+
|
|
166
|
+
#### Properties <a name="Properties" id="Properties"></a>
|
|
167
|
+
|
|
168
|
+
| **Name** | **Type** | **Description** |
|
|
169
|
+
| --- | --- | --- |
|
|
170
|
+
| <code><a href="#image-scanner-with-trivy.ImageScannerWithTrivyProps.property.imageUri">imageUri</a></code> | <code>string</code> | Image URI for scan target. |
|
|
171
|
+
| <code><a href="#image-scanner-with-trivy.ImageScannerWithTrivyProps.property.repository">repository</a></code> | <code>aws-cdk-lib.aws_ecr.IRepository</code> | Repository including the image URI for scan target. |
|
|
172
|
+
| <code><a href="#image-scanner-with-trivy.ImageScannerWithTrivyProps.property.exitCode">exitCode</a></code> | <code>number</code> | Exit Code. |
|
|
173
|
+
| <code><a href="#image-scanner-with-trivy.ImageScannerWithTrivyProps.property.exitOnEol">exitOnEol</a></code> | <code>number</code> | Exit on EOL. |
|
|
174
|
+
| <code><a href="#image-scanner-with-trivy.ImageScannerWithTrivyProps.property.ignoreUnfixed">ignoreUnfixed</a></code> | <code>boolean</code> | The unfixed/unfixable vulnerabilities mean that the patch has not yet been provided on their distribution. |
|
|
175
|
+
| <code><a href="#image-scanner-with-trivy.ImageScannerWithTrivyProps.property.imageConfigScanners">imageConfigScanners</a></code> | <code><a href="#image-scanner-with-trivy.ImageConfigScanners">ImageConfigScanners</a>[]</code> | Enum for ImageConfigScanners. |
|
|
176
|
+
| <code><a href="#image-scanner-with-trivy.ImageScannerWithTrivyProps.property.memorySize">memorySize</a></code> | <code>number</code> | Custom Resource Memory Size (MB). |
|
|
177
|
+
| <code><a href="#image-scanner-with-trivy.ImageScannerWithTrivyProps.property.platform">platform</a></code> | <code>string</code> | Scan Image on a specific Architecture and OS. |
|
|
178
|
+
| <code><a href="#image-scanner-with-trivy.ImageScannerWithTrivyProps.property.scanners">scanners</a></code> | <code><a href="#image-scanner-with-trivy.Scanners">Scanners</a>[]</code> | Enable/Disable Scanners. |
|
|
179
|
+
| <code><a href="#image-scanner-with-trivy.ImageScannerWithTrivyProps.property.severity">severity</a></code> | <code><a href="#image-scanner-with-trivy.Severity">Severity</a>[]</code> | Severity Selection. |
|
|
180
|
+
| <code><a href="#image-scanner-with-trivy.ImageScannerWithTrivyProps.property.trivyIgnore">trivyIgnore</a></code> | <code>string[]</code> | By Finding IDs. |
|
|
181
|
+
|
|
182
|
+
---
|
|
183
|
+
|
|
184
|
+
##### `imageUri`<sup>Required</sup> <a name="imageUri" id="image-scanner-with-trivy.ImageScannerWithTrivyProps.property.imageUri"></a>
|
|
185
|
+
|
|
186
|
+
```typescript
|
|
187
|
+
public readonly imageUri: string;
|
|
188
|
+
```
|
|
189
|
+
|
|
190
|
+
- *Type:* string
|
|
191
|
+
|
|
192
|
+
Image URI for scan target.
|
|
193
|
+
|
|
194
|
+
---
|
|
195
|
+
|
|
196
|
+
##### `repository`<sup>Required</sup> <a name="repository" id="image-scanner-with-trivy.ImageScannerWithTrivyProps.property.repository"></a>
|
|
197
|
+
|
|
198
|
+
```typescript
|
|
199
|
+
public readonly repository: IRepository;
|
|
200
|
+
```
|
|
201
|
+
|
|
202
|
+
- *Type:* aws-cdk-lib.aws_ecr.IRepository
|
|
203
|
+
|
|
204
|
+
Repository including the image URI for scan target.
|
|
205
|
+
|
|
206
|
+
Because of grantPull to CustomResourceLambda.
|
|
207
|
+
|
|
208
|
+
---
|
|
209
|
+
|
|
210
|
+
##### `exitCode`<sup>Optional</sup> <a name="exitCode" id="image-scanner-with-trivy.ImageScannerWithTrivyProps.property.exitCode"></a>
|
|
211
|
+
|
|
212
|
+
```typescript
|
|
213
|
+
public readonly exitCode: number;
|
|
214
|
+
```
|
|
215
|
+
|
|
216
|
+
- *Type:* number
|
|
217
|
+
- *Default:* 1
|
|
218
|
+
|
|
219
|
+
Exit Code.
|
|
220
|
+
|
|
221
|
+
Use the `exitCode` option if you want to exit with a non-zero exit code.
|
|
222
|
+
|
|
223
|
+
You can specify 0 if you do not want to exit even when vulnerabilities are detected.
|
|
224
|
+
|
|
225
|
+
It defaults to 1 IN THIS CONSTRUCT for safety in CI/CD. In the original trivy, it is 0.
|
|
226
|
+
|
|
227
|
+
> [https://aquasecurity.github.io/trivy/latest/docs/configuration/others/#exit-code](https://aquasecurity.github.io/trivy/latest/docs/configuration/others/#exit-code)
|
|
228
|
+
|
|
229
|
+
---
|
|
230
|
+
|
|
231
|
+
##### `exitOnEol`<sup>Optional</sup> <a name="exitOnEol" id="image-scanner-with-trivy.ImageScannerWithTrivyProps.property.exitOnEol"></a>
|
|
232
|
+
|
|
233
|
+
```typescript
|
|
234
|
+
public readonly exitOnEol: number;
|
|
235
|
+
```
|
|
236
|
+
|
|
237
|
+
- *Type:* number
|
|
238
|
+
- *Default:* 1
|
|
239
|
+
|
|
240
|
+
Exit on EOL.
|
|
241
|
+
|
|
242
|
+
Sometimes you may surprisingly get 0 vulnerabilities in an old image:
|
|
243
|
+
- Enabling --ignore-unfixed option while all packages have no fixed versions.
|
|
244
|
+
- Scanning a rather outdated OS (e.g. Ubuntu 10.04).
|
|
245
|
+
|
|
246
|
+
An OS at the end of service/life (EOL) usually gets into this situation, which is definitely full of vulnerabilities.
|
|
247
|
+
`exitOnEol` can fail scanning on EOL OS with a non-zero code.
|
|
248
|
+
|
|
249
|
+
It defaults to 1 IN THIS CONSTRUCT for safety in CI/CD. In the original trivy, it is 0.
|
|
250
|
+
|
|
251
|
+
> [https://aquasecurity.github.io/trivy/latest/docs/configuration/others/#exit-on-eol](https://aquasecurity.github.io/trivy/latest/docs/configuration/others/#exit-on-eol)
|
|
252
|
+
|
|
253
|
+
---
|
|
254
|
+
|
|
255
|
+
##### `ignoreUnfixed`<sup>Optional</sup> <a name="ignoreUnfixed" id="image-scanner-with-trivy.ImageScannerWithTrivyProps.property.ignoreUnfixed"></a>
|
|
256
|
+
|
|
257
|
+
```typescript
|
|
258
|
+
public readonly ignoreUnfixed: boolean;
|
|
259
|
+
```
|
|
260
|
+
|
|
261
|
+
- *Type:* boolean
|
|
262
|
+
- *Default:* false
|
|
263
|
+
|
|
264
|
+
The unfixed/unfixable vulnerabilities mean that the patch has not yet been provided on their distribution.
|
|
265
|
+
|
|
266
|
+
To hide unfixed/unfixable vulnerabilities, you can use the `--ignore-unfixed` flag.
|
|
267
|
+
|
|
268
|
+
> [https://aquasecurity.github.io/trivy/latest/docs/scanner/vulnerability/#unfixed-vulnerabilities](https://aquasecurity.github.io/trivy/latest/docs/scanner/vulnerability/#unfixed-vulnerabilities)
|
|
269
|
+
|
|
270
|
+
---
|
|
271
|
+
|
|
272
|
+
##### `imageConfigScanners`<sup>Optional</sup> <a name="imageConfigScanners" id="image-scanner-with-trivy.ImageScannerWithTrivyProps.property.imageConfigScanners"></a>
|
|
273
|
+
|
|
274
|
+
```typescript
|
|
275
|
+
public readonly imageConfigScanners: ImageConfigScanners[];
|
|
276
|
+
```
|
|
277
|
+
|
|
278
|
+
- *Type:* <a href="#image-scanner-with-trivy.ImageConfigScanners">ImageConfigScanners</a>[]
|
|
279
|
+
- *Default:* []
|
|
280
|
+
|
|
281
|
+
Enum for ImageConfigScanners.
|
|
282
|
+
|
|
283
|
+
Container images have configuration. docker inspect and `docker history` show the information according to the configuration.
|
|
284
|
+
Trivy scans the configuration of container images for
|
|
285
|
+
|
|
286
|
+
- Misconfigurations
|
|
287
|
+
- Secrets
|
|
288
|
+
|
|
289
|
+
They are disabled by default. You can enable them with `imageConfigScanners`.
|
|
290
|
+
|
|
291
|
+
> [https://aquasecurity.github.io/trivy/latest/docs/target/container_image/#container-image-metadata](https://aquasecurity.github.io/trivy/latest/docs/target/container_image/#container-image-metadata)
|
|
292
|
+
|
|
293
|
+
---
|
|
294
|
+
|
|
295
|
+
##### `memorySize`<sup>Optional</sup> <a name="memorySize" id="image-scanner-with-trivy.ImageScannerWithTrivyProps.property.memorySize"></a>
|
|
296
|
+
|
|
297
|
+
```typescript
|
|
298
|
+
public readonly memorySize: number;
|
|
299
|
+
```
|
|
300
|
+
|
|
301
|
+
- *Type:* number
|
|
302
|
+
- *Default:* 3008
|
|
303
|
+
|
|
304
|
+
Custom Resource Memory Size (MB).
|
|
305
|
+
|
|
306
|
+
You can specify between `3008` and `10240`.
|
|
307
|
+
|
|
308
|
+
If this Construct execution terminates abnormally due to SIGKILL, try a larger size.
|
|
309
|
+
|
|
310
|
+
Default value (`3008` MB) is Maximum memory size for default AWS account without quota limit increase.
|
|
311
|
+
|
|
312
|
+
---
|
|
313
|
+
|
|
314
|
+
##### `platform`<sup>Optional</sup> <a name="platform" id="image-scanner-with-trivy.ImageScannerWithTrivyProps.property.platform"></a>
|
|
315
|
+
|
|
316
|
+
```typescript
|
|
317
|
+
public readonly platform: string;
|
|
318
|
+
```
|
|
319
|
+
|
|
320
|
+
- *Type:* string
|
|
321
|
+
- *Default:*
|
|
322
|
+
|
|
323
|
+
Scan Image on a specific Architecture and OS.
|
|
324
|
+
|
|
325
|
+
By default, Trivy loads an image on a `linux/amd64` machine.
|
|
326
|
+
|
|
327
|
+
To customize this, pass a `platform` argument in the format OS/Architecture for the image, such as `linux/arm64`
|
|
328
|
+
|
|
329
|
+
---
|
|
330
|
+
|
|
331
|
+
##### `scanners`<sup>Optional</sup> <a name="scanners" id="image-scanner-with-trivy.ImageScannerWithTrivyProps.property.scanners"></a>
|
|
332
|
+
|
|
333
|
+
```typescript
|
|
334
|
+
public readonly scanners: Scanners[];
|
|
335
|
+
```
|
|
336
|
+
|
|
337
|
+
- *Type:* <a href="#image-scanner-with-trivy.Scanners">Scanners</a>[]
|
|
338
|
+
- *Default:* [Security.VULN,Scanners.SECRET]
|
|
339
|
+
|
|
340
|
+
Enable/Disable Scanners.
|
|
341
|
+
|
|
342
|
+
You can enable/disable scanners with the `scanners`.
|
|
343
|
+
|
|
344
|
+
For example, container image scanning enables vulnerability (VULN) and secret scanners (SECRET) by default.
|
|
345
|
+
If you don't need secret scanning, it can be disabled by specifying Scanners.VULN only.
|
|
346
|
+
|
|
347
|
+
> [https://aquasecurity.github.io/trivy/latest/docs/configuration/others/#enabledisable-scanners](https://aquasecurity.github.io/trivy/latest/docs/configuration/others/#enabledisable-scanners)
|
|
348
|
+
|
|
349
|
+
---
|
|
350
|
+
|
|
351
|
+
##### `severity`<sup>Optional</sup> <a name="severity" id="image-scanner-with-trivy.ImageScannerWithTrivyProps.property.severity"></a>
|
|
352
|
+
|
|
353
|
+
```typescript
|
|
354
|
+
public readonly severity: Severity[];
|
|
355
|
+
```
|
|
356
|
+
|
|
357
|
+
- *Type:* <a href="#image-scanner-with-trivy.Severity">Severity</a>[]
|
|
358
|
+
- *Default:* [Severity.CRITICAL]
|
|
359
|
+
|
|
360
|
+
Severity Selection.
|
|
361
|
+
|
|
362
|
+
The severity is taken from the selected data source since the severity from vendors is more accurate.
|
|
363
|
+
Using CVE-2023-0464 as an example, while it is rated as "HIGH" in NVD, Red Hat has marked its 'Impact' as "Low". As a result, Trivy will display it as "Low".
|
|
364
|
+
|
|
365
|
+
The severity depends on the compile option, the default configuration, etc. NVD doesn't know how the vendor distributes the software.
|
|
366
|
+
Red Hat evaluates the severity more accurately. That's why Trivy prefers vendor scores over NVD.
|
|
367
|
+
|
|
368
|
+
It defaults to `CRITICAL` IN THIS CONSTRUCT for safety in CI/CD, but the default configuration of Trivy is "CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN".
|
|
369
|
+
|
|
370
|
+
> [https://aquasecurity.github.io/trivy/latest/docs/scanner/vulnerability/#severity-selection](https://aquasecurity.github.io/trivy/latest/docs/scanner/vulnerability/#severity-selection)
|
|
371
|
+
|
|
372
|
+
---
|
|
373
|
+
|
|
374
|
+
##### `trivyIgnore`<sup>Optional</sup> <a name="trivyIgnore" id="image-scanner-with-trivy.ImageScannerWithTrivyProps.property.trivyIgnore"></a>
|
|
375
|
+
|
|
376
|
+
```typescript
|
|
377
|
+
public readonly trivyIgnore: string[];
|
|
378
|
+
```
|
|
379
|
+
|
|
380
|
+
- *Type:* string[]
|
|
381
|
+
- *Default:* []
|
|
382
|
+
|
|
383
|
+
By Finding IDs.
|
|
384
|
+
|
|
385
|
+
The ignore rules written to the .trivyignore in trivy.
|
|
386
|
+
Put each line you write in the file into one element of the array.
|
|
387
|
+
|
|
388
|
+
> [https://aquasecurity.github.io/trivy/latest/docs/configuration/filtering/#trivyignore](https://aquasecurity.github.io/trivy/latest/docs/configuration/filtering/#trivyignore)
|
|
389
|
+
|
|
390
|
+
---
|
|
391
|
+
|
|
392
|
+
*Example*
|
|
393
|
+
|
|
394
|
+
```typescript
|
|
395
|
+
$ cat .trivyignore
|
|
396
|
+
# Accept the risk
|
|
397
|
+
CVE-2018-14618
|
|
398
|
+
|
|
399
|
+
# Accept the risk until 2023-01-01
|
|
400
|
+
CVE-2019-14697 exp:2023-01-01
|
|
401
|
+
|
|
402
|
+
# No impact in our settings
|
|
403
|
+
CVE-2019-1543
|
|
404
|
+
|
|
405
|
+
# Ignore misconfigurations
|
|
406
|
+
AVD-DS-0002
|
|
407
|
+
|
|
408
|
+
# Ignore secrets
|
|
409
|
+
generic-unwanted-rule
|
|
410
|
+
aws-account-id
|
|
411
|
+
```
|
|
412
|
+
|
|
413
|
+
|
|
414
|
+
|
|
415
|
+
|
|
416
|
+
## Enums <a name="Enums" id="Enums"></a>
|
|
417
|
+
|
|
418
|
+
### ImageConfigScanners <a name="ImageConfigScanners" id="image-scanner-with-trivy.ImageConfigScanners"></a>
|
|
419
|
+
|
|
420
|
+
Enum for ImageConfigScanners.
|
|
421
|
+
|
|
422
|
+
> [https://aquasecurity.github.io/trivy/latest/docs/target/container_image/#container-image-metadata](https://aquasecurity.github.io/trivy/latest/docs/target/container_image/#container-image-metadata)
|
|
423
|
+
|
|
424
|
+
#### Members <a name="Members" id="Members"></a>
|
|
425
|
+
|
|
426
|
+
| **Name** | **Description** |
|
|
427
|
+
| --- | --- |
|
|
428
|
+
| <code><a href="#image-scanner-with-trivy.ImageConfigScanners.CONFIG">CONFIG</a></code> | *No description.* |
|
|
429
|
+
| <code><a href="#image-scanner-with-trivy.ImageConfigScanners.SECRET">SECRET</a></code> | *No description.* |
|
|
430
|
+
|
|
431
|
+
---
|
|
432
|
+
|
|
433
|
+
##### `CONFIG` <a name="CONFIG" id="image-scanner-with-trivy.ImageConfigScanners.CONFIG"></a>
|
|
434
|
+
|
|
435
|
+
---
|
|
436
|
+
|
|
437
|
+
|
|
438
|
+
##### `SECRET` <a name="SECRET" id="image-scanner-with-trivy.ImageConfigScanners.SECRET"></a>
|
|
439
|
+
|
|
440
|
+
---
|
|
441
|
+
|
|
442
|
+
|
|
443
|
+
### Scanners <a name="Scanners" id="image-scanner-with-trivy.Scanners"></a>
|
|
444
|
+
|
|
445
|
+
Enum for Scanners.
|
|
446
|
+
|
|
447
|
+
> [https://aquasecurity.github.io/trivy/latest/docs/configuration/others/#enabledisable-scanners](https://aquasecurity.github.io/trivy/latest/docs/configuration/others/#enabledisable-scanners)
|
|
448
|
+
|
|
449
|
+
#### Members <a name="Members" id="Members"></a>
|
|
450
|
+
|
|
451
|
+
| **Name** | **Description** |
|
|
452
|
+
| --- | --- |
|
|
453
|
+
| <code><a href="#image-scanner-with-trivy.Scanners.VULN">VULN</a></code> | *No description.* |
|
|
454
|
+
| <code><a href="#image-scanner-with-trivy.Scanners.CONFIG">CONFIG</a></code> | *No description.* |
|
|
455
|
+
| <code><a href="#image-scanner-with-trivy.Scanners.SECRET">SECRET</a></code> | *No description.* |
|
|
456
|
+
| <code><a href="#image-scanner-with-trivy.Scanners.LICENSE">LICENSE</a></code> | *No description.* |
|
|
457
|
+
|
|
458
|
+
---
|
|
459
|
+
|
|
460
|
+
##### `VULN` <a name="VULN" id="image-scanner-with-trivy.Scanners.VULN"></a>
|
|
461
|
+
|
|
462
|
+
---
|
|
463
|
+
|
|
464
|
+
|
|
465
|
+
##### `CONFIG` <a name="CONFIG" id="image-scanner-with-trivy.Scanners.CONFIG"></a>
|
|
466
|
+
|
|
467
|
+
---
|
|
468
|
+
|
|
469
|
+
|
|
470
|
+
##### `SECRET` <a name="SECRET" id="image-scanner-with-trivy.Scanners.SECRET"></a>
|
|
471
|
+
|
|
472
|
+
---
|
|
473
|
+
|
|
474
|
+
|
|
475
|
+
##### `LICENSE` <a name="LICENSE" id="image-scanner-with-trivy.Scanners.LICENSE"></a>
|
|
476
|
+
|
|
477
|
+
---
|
|
478
|
+
|
|
479
|
+
|
|
480
|
+
### Severity <a name="Severity" id="image-scanner-with-trivy.Severity"></a>
|
|
481
|
+
|
|
482
|
+
Enum for Severity Selection.
|
|
483
|
+
|
|
484
|
+
> [https://aquasecurity.github.io/trivy/latest/docs/scanner/vulnerability/#severity-selection](https://aquasecurity.github.io/trivy/latest/docs/scanner/vulnerability/#severity-selection)
|
|
485
|
+
|
|
486
|
+
#### Members <a name="Members" id="Members"></a>
|
|
487
|
+
|
|
488
|
+
| **Name** | **Description** |
|
|
489
|
+
| --- | --- |
|
|
490
|
+
| <code><a href="#image-scanner-with-trivy.Severity.UNKNOWN">UNKNOWN</a></code> | *No description.* |
|
|
491
|
+
| <code><a href="#image-scanner-with-trivy.Severity.LOW">LOW</a></code> | *No description.* |
|
|
492
|
+
| <code><a href="#image-scanner-with-trivy.Severity.MEDIUM">MEDIUM</a></code> | *No description.* |
|
|
493
|
+
| <code><a href="#image-scanner-with-trivy.Severity.HIGH">HIGH</a></code> | *No description.* |
|
|
494
|
+
| <code><a href="#image-scanner-with-trivy.Severity.CRITICAL">CRITICAL</a></code> | *No description.* |
|
|
495
|
+
|
|
496
|
+
---
|
|
497
|
+
|
|
498
|
+
##### `UNKNOWN` <a name="UNKNOWN" id="image-scanner-with-trivy.Severity.UNKNOWN"></a>
|
|
499
|
+
|
|
500
|
+
---
|
|
501
|
+
|
|
502
|
+
|
|
503
|
+
##### `LOW` <a name="LOW" id="image-scanner-with-trivy.Severity.LOW"></a>
|
|
504
|
+
|
|
505
|
+
---
|
|
506
|
+
|
|
507
|
+
|
|
508
|
+
##### `MEDIUM` <a name="MEDIUM" id="image-scanner-with-trivy.Severity.MEDIUM"></a>
|
|
509
|
+
|
|
510
|
+
---
|
|
511
|
+
|
|
512
|
+
|
|
513
|
+
##### `HIGH` <a name="HIGH" id="image-scanner-with-trivy.Severity.HIGH"></a>
|
|
514
|
+
|
|
515
|
+
---
|
|
516
|
+
|
|
517
|
+
|
|
518
|
+
##### `CRITICAL` <a name="CRITICAL" id="image-scanner-with-trivy.Severity.CRITICAL"></a>
|
|
519
|
+
|
|
520
|
+
---
|
|
521
|
+
|