From 7654b2e27e8af2d71586374d3a8c254d46f2416a Mon Sep 17 00:00:00 2001 From: Nikita Pivkin Date: Thu, 31 Oct 2024 15:04:52 +0600 Subject: [PATCH] docs: add example of creating whitelist of checks (#7821) Signed-off-by: nikpivkin --- docs/docs/configuration/filtering.md | 4 ++-- .../ignore-policies}/advanced.rego | 0 .../ignore-policies}/basic.rego | 0 examples/ignore-policies/whitelist.rego | 13 +++++++++++++ 4 files changed, 15 insertions(+), 2 deletions(-) rename {contrib/example_policy => examples/ignore-policies}/advanced.rego (100%) rename {contrib/example_policy => examples/ignore-policies}/basic.rego (100%) create mode 100644 examples/ignore-policies/whitelist.rego diff --git a/docs/docs/configuration/filtering.md b/docs/docs/configuration/filtering.md index 22fbe2d7a24d..095e5c3bb559 100644 --- a/docs/docs/configuration/filtering.md +++ b/docs/docs/configuration/filtering.md @@ -477,13 +477,13 @@ ignore { ``` ```bash -trivy image --ignore-policy contrib/example_policy/basic.rego centos:7 +trivy image --ignore-policy examples/ignore-policies/basic.rego centos:7 ``` For more advanced use cases, there is a built-in Rego library with helper functions that you can import into your policy using: `import data.lib.trivy`. More info about the helper functions are in the library [here](https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/pkg/result/module.go). -You can find more example checks [here](https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/pkg/result/module.go) +You can create a whitelist of checks using Rego, see the detailed [example](https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/examples/ignore-policies/whitelist.rego). Additional examples are available [here](https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/examples/ignore-policies). ### By Vulnerability Exploitability Exchange (VEX) | Scanner | Supported | diff --git a/contrib/example_policy/advanced.rego b/examples/ignore-policies/advanced.rego similarity index 100% rename from contrib/example_policy/advanced.rego rename to examples/ignore-policies/advanced.rego diff --git a/contrib/example_policy/basic.rego b/examples/ignore-policies/basic.rego similarity index 100% rename from contrib/example_policy/basic.rego rename to examples/ignore-policies/basic.rego diff --git a/examples/ignore-policies/whitelist.rego b/examples/ignore-policies/whitelist.rego new file mode 100644 index 000000000000..51a75c37c72f --- /dev/null +++ b/examples/ignore-policies/whitelist.rego @@ -0,0 +1,13 @@ +package trivy + +import rego.v1 + +allowed_checks := { + "AVD-AWS-0089" +} + +default ignore := false + +ignore if not is_check_allowed + +is_check_allowed if input.AVDID in allowed_checks \ No newline at end of file