fix: the use of embedded checks, fallback for air-gapped env. (#2074)

* fix: the use of embedded checks, fallback for air-gapped env.

Signed-off-by: chenk <hen.keinan@gmail.com>

* fix: the use of embedded checks, fallback for air-gapped env.

Signed-off-by: chenk <hen.keinan@gmail.com>

* fix: the use of embedded checks, fallback for air-gapped env.

Signed-off-by: chenk <hen.keinan@gmail.com>

* fix: the use of embedded checks, fallback for air-gapped env.

Signed-off-by: chenk <hen.keinan@gmail.com>

---------

Signed-off-by: chenk <hen.keinan@gmail.com>

deploy/helm/README.md

@@ -177,7 +177,8 @@ Keeps security report resources updated
 | trivy.storageSize | string | `"5Gi"` | storageSize is the size of the trivy server PVC |
 | trivy.supportedConfigAuditKinds | string | `"Workload,Service,Role,ClusterRole,NetworkPolicy,Ingress,LimitRange,ResourceQuota"` | The Flag is the list of supported kinds separated by comma delimiter to be scanned by the config audit scanner  |
 | trivy.timeout | string | `"5m0s"` | timeout is the duration to wait for scan completion. |
-| trivy.useBuiltinRegoPolicies | string | `"true"` | The Flag to enable the usage of builtin rego policies by default  |
+| trivy.useBuiltinRegoPolicies | string | `"true"` | The Flag to enable the usage of builtin rego policies by default, these policies are downloaded by default from ghcr.io/aquasecurity/trivy-checks  |
+| trivy.useEmbeddedRegoPolicies | string | `"false"` | To enable the usage of embedded rego policies, set the flag useEmbeddedRegoPolicies. This should serve as a fallback for air-gapped environments. When useEmbeddedRegoPolicies is set to true, useBuiltinRegoPolicies should be set to false. |
 | trivy.vulnType | string | `nil` | vulnType can be used to tell Trivy to filter vulnerabilities by a pkg-type (library, os) |
 | trivyOperator.additionalReportLabels | string | `""` | additionalReportLabels comma-separated representation of the labels which the user wants the scanner pods to be labeled with. Example: `foo=bar,env=stage` will labeled the reports with the labels `foo: bar` and `env: stage` |
 | trivyOperator.configAuditReportsPlugin | string | `"Trivy"` | configAuditReportsPlugin the name of the plugin that generates config audit reports. |

deploy/helm/templates/configmaps/trivy.yaml

@@ -67,6 +67,9 @@ data:
   {{- with .Values.trivy.useBuiltinRegoPolicies }}
   trivy.useBuiltinRegoPolicies: {{ . | quote }}
   {{- end }}
+  {{- with .Values.trivy.useEmbeddedRegoPolicies }}
+  trivy.useEmbeddedRegoPolicies: {{ . | quote }}
+  {{- end }}
   {{- with .Values.trivy.offlineScan }}
   trivy.offlineScan: {{ . | quote }}
   {{- end }}

deploy/helm/values.yaml

@@ -522,10 +522,14 @@ trivy:
   #
   dbRepositoryInsecure: "false"
 
-  # -- The Flag to enable the usage of builtin rego policies by default
+  # -- The Flag to enable the usage of builtin rego policies by default, these policies are downloaded by default from ghcr.io/aquasecurity/trivy-checks
   #
   useBuiltinRegoPolicies: "true"
 
+  # -- To enable the usage of embedded rego policies, set the flag useEmbeddedRegoPolicies. This should serve as a fallback for air-gapped environments.
+  # When useEmbeddedRegoPolicies is set to true, useBuiltinRegoPolicies should be set to false.
+  useEmbeddedRegoPolicies: "false"
+
   # -- The Flag is the list of supported kinds separated by comma delimiter to be scanned by the config audit scanner
   #
   supportedConfigAuditKinds: "Workload,Service,Role,ClusterRole,NetworkPolicy,Ingress,LimitRange,ResourceQuota"

deploy/static/trivy-operator.yaml

@@ -3040,6 +3040,7 @@ data:
   trivy.sbomSources: ""
   trivy.dbRepositoryInsecure: "false"
   trivy.useBuiltinRegoPolicies: "true"
+  trivy.useEmbeddedRegoPolicies: "false"
   trivy.supportedConfigAuditKinds: "Workload,Service,Role,ClusterRole,NetworkPolicy,Ingress,LimitRange,ResourceQuota"
   trivy.timeout: "5m0s"
   trivy.mode: "Standalone"

pkg/configauditreport/plugin.go

@@ -19,6 +19,8 @@ type ConfigAuditConfig interface {
 
 	// GetUseBuiltinRegoPolicies return trivy config which associated to configauditreport plugin
 	GetUseBuiltinRegoPolicies() bool
+	// GetUseEmbeddedRegoPolicies return trivy embedded rego policies (mainly for air-gapped environment)
+	GetUseEmbeddedRegoPolicies() bool
 	// GetSupportedConfigAuditKinds list of supported kinds to be scanned by the config audit scanner
 	GetSupportedConfigAuditKinds() []string
 

pkg/plugins/trivy/config.go

@@ -56,6 +56,7 @@ const (
 	keyTrivyDBRepositoryInsecure = "trivy.dbRepositoryInsecure"
 
 	keyTrivyUseBuiltinRegoPolicies    = "trivy.useBuiltinRegoPolicies"
+	keyTrivyUseEmbeddedRegoPolicies   = "trivy.useEmbeddedRegoPolicies"
 	keyTrivySupportedConfigAuditKinds = "trivy.supportedConfigAuditKinds"
 
 	keyTrivyServerURL              = "trivy.serverURL"
@@ -278,6 +279,17 @@ func (c Config) GetUseBuiltinRegoPolicies() bool {
 	}
 	return boolVal
 }
+func (c Config) GetUseEmbeddedRegoPolicies() bool {
+	val, ok := c.Data[keyTrivyUseEmbeddedRegoPolicies]
+	if !ok {
+		return false
+	}
+	boolVal, err := strconv.ParseBool(val)
+	if err != nil {
+		return false
+	}
+	return boolVal
+}
 func (c Config) GetSslCertDir() string {
 	val, ok := c.Data[keyTrivySslCertDir]
 	if !ok {

pkg/policy/policy.go

@@ -158,7 +158,7 @@ func (p *Policies) Applicable(resourceKind string) (bool, string, error) {
 	if err != nil {
 		return false, "", err
 	}
-	if !HasExternalPolicies && !p.cac.GetUseBuiltinRegoPolicies() {
+	if !HasExternalPolicies && !p.cac.GetUseBuiltinRegoPolicies() && !p.cac.GetUseEmbeddedRegoPolicies() {
 		return false, fmt.Sprintf("no policies found for kind %s", resourceKind), nil
 	}
 	return true, "", nil
@@ -224,7 +224,7 @@ func (p *Policies) Eval(ctx context.Context, resource client.Object, inputs ...[
 	if err != nil {
 		return nil, err
 	}
-	so := scannerOptions(policiesFolder, dataPaths, dataFS, hasPolicies)
+	so := p.scannerOptions(policiesFolder, dataPaths, dataFS, hasPolicies)
 	scanner := kubernetes.NewScanner(so...)
 	scanResult, err := scanner.ScanFS(ctx, memfs, inputFolder)
 	if err != nil {
@@ -272,15 +272,16 @@ func (r *Policies) HasSeverity(resultSeverity severity.Severity) bool {
 	return strings.Contains(defaultSeverity, string(resultSeverity))
 }
 
-func scannerOptions(policiesFolder string, dataPaths []string, dataFS fs.FS, hasPolicies bool) []options.ScannerOption {
+func (p *Policies) scannerOptions(policiesFolder string, dataPaths []string, dataFS fs.FS, hasPolicies bool) []options.ScannerOption {
 	optionsArray := []options.ScannerOption{
-		options.ScannerWithPolicyDirs(policiesFolder),
 		options.ScannerWithDataDirs(dataPaths...),
 		options.ScannerWithDataFilesystem(dataFS),
 	}
-	if !hasPolicies {
+	if !hasPolicies && p.cac.GetUseEmbeddedRegoPolicies() {
 		optionsArray = append(optionsArray, options.ScannerWithEmbeddedPolicies(true))
 		optionsArray = append(optionsArray, options.ScannerWithEmbeddedLibraries(true))
+	} else {
+		optionsArray = append(optionsArray, options.ScannerWithPolicyDirs(policiesFolder))
 	}
 	return optionsArray
 }

pkg/policy/policy_test.go

@@ -1070,7 +1070,8 @@ func (a resultSort) Less(i, j int) bool { return a[i].Metadata.ID < a[j].Metadat
 func (a resultSort) Swap(i, j int)      { a[i], a[j] = a[j], a[i] }
 
 type testConfig struct {
-	builtInPolicies bool
+	builtInPolicies  bool
+	embeddedPolicies bool
 }
 
 func newTestConfig(builtInPolicies bool) testConfig {
@@ -1082,6 +1083,11 @@ func (tc testConfig) GetUseBuiltinRegoPolicies() bool {
 	return tc.builtInPolicies
 }
 
+// GetUseBuiltinRegoPolicies return trivy config which associated to configauditreport plugin
+func (tc testConfig) GetUseEmbeddedRegoPolicies() bool {
+	return tc.embeddedPolicies
+}
+
 // GetSupportedConfigAuditKinds list of supported kinds to be scanned by the config audit scanner
 func (tc testConfig) GetSupportedConfigAuditKinds() []string {
 	return utils.MapKinds(strings.Split(trivy.SupportedConfigAuditKinds, ","))