💔 Breaking Changes 💔
🗑️ Removal of deprecated SBOM flags 🛠️
In this release, we've removed the deprecated --sbom-format and --artifact-type flags from the sbom subcommand. These flags were deprecated two years ago, and their removal is part of our ongoing effort to streamline the CLI and remove outdated options. For more details, please refer to the announcement here.
🚀 What's new? 🚀
🎛️ Customize detection sensitivity 🕵️
This update introduces the --detection-priority flag to the vulnerability scanner, giving users control over the trade-off between the scanner's accuracy and its coverage. The flag lets you select between precise mode, which focuses on reducing false positives, and comprehensive mode, which increases detection coverage at the risk of including some false positives. This is particularly useful in environments where either accuracy or comprehensive detection is critical. See here for more details.
The following language-specific scenarios support the new flag:
go.mod: use the specified Go version for stdlib vulnerability detection. See here for more details.
requirements.txt: support >=, ~= and trailing .* matching. See here for more details.
pubspec.lock: use minimum versions from sdks for SDK dependencies. See here for more details.
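As an added illustration (not Trivy's code), the following Go model shows how a requirements.txt line maps to the version that gets scanned under each priority: exact pins are scanned in both modes, while the >=, ~= and trailing .* forms are skipped by precise mode and resolved to their lower bound by comprehensive mode. Resolving a range to its lower bound is this example's assumption about the flag's behaviour, and the requirement lines are constructed sample input.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Priority mirrors the two values of --detection-priority.
type Priority int

const (
	Precise Priority = iota
	Comprehensive
)

// One requirement per line: name, operator, version, optional trailing ".*".
var specRe = regexp.MustCompile(`^([A-Za-z0-9_.-]+)\s*(==|>=|~=)\s*([0-9][0-9A-Za-z.]*?)(\.\*)?\s*$`)

// ScanVersion returns the version a requirements.txt line would be scanned as under p;
// ok is false when the line is skipped. Resolving ranges to their lower bound is this
// example's assumption, not a statement about Trivy internals.
func ScanVersion(line string, p Priority) (name, version string, ok bool) {
	line = strings.TrimSpace(strings.SplitN(line, "#", 2)[0]) // drop comments
	m := specRe.FindStringSubmatch(line)
	if m == nil {
		return "", "", false // unpinned or unsupported operator: nothing to scan
	}
	name, op, ver, wildcard := m[1], m[2], m[3], m[4] != ""
	switch {
	case op == "==" && !wildcard:
		return name, ver, true // exact pin: scanned in both modes
	case p == Precise:
		return name, "", false // ranges are ambiguous, so precise mode skips them
	case wildcard:
		return name, ver + ".0", true // ==1.4.* : the lowest member is 1.4.0
	default:
		return name, ver, true // >= and ~= : the written version is the lower bound
	}
}

func main() {
	// Constructed sample requirements.txt lines.
	lines := []string{"requests==2.31.0", "django>=4.2", "urllib3~=1.26.5", "flask==2.3.*"}
	for _, p := range []Priority{Precise, Comprehensive} {
		for _, l := range lines {
			n, v, ok := ScanVersion(l, p)
			fmt.Printf("priority=%d %-18s scanned=%-5v name=%s version=%s\n", p, l, ok, n, v)
		}
	}
}
```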
📝 Support test scope for pom.xml files 🧪
Trivy currently supports dependencies with test scope. To include these dependencies in the results, use the --include-dev-deps flag.
🥣 Scanning generic YAML and JSON files 🛼
Trivy now supports scanning any YAML or JSON files for misconfigurations. Note that Trivy doesn't ship with checks for files it doesn't recognize, but you can still author custom checks that will evaluate your generic YAML or JSON files.
For example:
```shell
$ cat iac/serverless.yaml
service: serverless-rest-api-with-pynamodb
frameworkVersion: ">=2.24.0"
plugins:
  - serverless-python-requirements
...
```
```shell
$ cat serverless.rego
# METADATA
# title: Serverless Framework service name not starting with "aws-"
# description: Ensure that Serverless Framework service names start with "aws-"
# schemas:
#   - input: schema["serverless-schema"]
# custom:
#   id: SF001
#   severity: LOW
package user.serverless001

deny[res] {
	not startswith(input.service, "aws-")
	res := result.new(
		sprintf("Service name %q is not allowed", [input.service]),
		input.service
	)
}
```
```shell
$ trivy config --misconfig-scanners=json,yaml --config-check ./serverless.rego --check-namespaces user ./iac

serverless.yaml (yaml)

Tests: 4 (SUCCESSES: 3, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

LOW: Service name "serverless-rest-api-with-pynamodb" is not allowed
═════════════════════════════════════════════════════════════════════════════════════════════════════════
Ensure that Serverless Framework service names start with "aws-"
```
You can also use the --config-file-schemas flag to provide schemas for generic JSON and YAML files. Trivy will use these schemas for file filtering and type checking in Rego checks. Find more details on this feature here.
🌰 Terraform scanning now supports iterator argument for dynamic blocks 🥂
Trivy now supports the iterator argument for dynamic blocks. Previously this led to false positives while scanning Terraform code:
🎣 Terraform plan scanning now supports input variables 🏭
Trivy now supports scanning Terraform plans that contain variables. As before, the variables can be passed in like this:
```shell
$ trivy config --tf-vars vars.tfvars --misconfig-scanners "terraformplan-snapshot" tfplan
```
🧳 Misconfiguration scanning now ignores duplicate checks 🍼
Trivy now ignores any duplicated checks in the output by skipping them if they've already been evaluated. This helps prevent cases where a duplicated custom check might be accidentally supplied by the user.
🪨 Compliance specs are now included in the Trivy Checks bundle 🗿
The Trivy Checks bundle now includes compliance specs. Previously, compliance specs were embedded in the Trivy binary and were therefore tied to its release cycle. This means new or updated compliance specs will be available to Trivy users immediately, without having to upgrade or wait for a new Trivy version.
🏃🏻‍♀️ Terraform now supports ignores on nested attributes 🪺
Previously it was not possible to ignore on the special variables such as each and count that Terraform offers, especially when working within dynamic blocks.
The following example shows how to ignore each.value with the name of vm-2:
More info on this feature here.
💽 Virtual Machine scanning enhancements 🧩
Virtual Machine scanning now supports scanning filesystems directly, even when there's no Master Boot Record (MBR) present.
Thanks to @yusuke-koyoshi.
In addition it now supports Ext2 and Ext3 filesystems.
Thanks to @aruneko.
👷♂️ Notable Fixes 🛠️
Message field not escaped in asff.tpl #7400
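Added here to illustrate the bug class behind that fix (this is not Trivy's template or its patch): a Go text/template that writes a finding's message straight into a JSON report, beside one that routes every interpolated field through a JSON-escaping helper. Finding, RawTpl, SafeTpl and the sample messages are constructed for the example; the second message shows why escaping matters beyond producing valid output, since a quote in an unescaped message can smuggle a Severity field into the report while the result still parses as JSON.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"text/template"
)

// Finding is a constructed stand-in for the data a report template receives.
type Finding struct{ Title, Message string }

// RawTpl interpolates the message straight into a JSON string, the pattern
// behind the asff.tpl bug: a quote or control character in the message then
// changes the document's structure instead of its content.
const RawTpl = `{"Title": "{{ .Title }}", "Description": "{{ .Message }}"}`

// SafeTpl routes every interpolated field through a JSON-escaping helper.
const SafeTpl = `{"Title": {{ .Title | jsonStr }}, "Description": {{ .Message | jsonStr }}}`

// jsonStr renders s as a JSON string literal, quotes included.
func jsonStr(s string) (string, error) {
	b, err := json.Marshal(s)
	return string(b), err
}

// Render executes tpl over f and reports whether the output is valid JSON.
func Render(tpl string, f Finding) (out string, valid bool) {
	t := template.Must(template.New("r").Funcs(template.FuncMap{"jsonStr": jsonStr}).Parse(tpl))
	var buf bytes.Buffer
	if err := t.Execute(&buf, f); err != nil {
		return "", false
	}
	return buf.String(), json.Valid(buf.Bytes())
}

func main() {
	// Constructed messages: the first breaks the JSON, the second stays valid
	// but smuggles in a Severity field the scanner never emitted.
	for _, msg := range []string{"line one\nline two", `found", "Severity": "LOW`} {
		for _, tpl := range []string{RawTpl, SafeTpl} {
			out, valid := Render(tpl, Finding{Title: "Hardcoded secret", Message: msg})
			fmt.Printf("valid=%-5v %s\n", valid, out)
		}
	}
}
```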