aquasecurity · simar7 · May 16, 2024 · May 8, 2024 · May 8, 2024 · May 8, 2024
@@ -129,8 +129,8 @@ $ trivy image --skip-db-update --skip-java-db-update --offline-scan alpine:3.12
 
 No special measures are required to detect misconfigurations in an air-gapped environment.
 
-### Run Trivy with `--skip-policy-update` option
-In an air-gapped environment, specify `--skip-policy-update` so that Trivy doesn't attempt to download the latest misconfiguration policies.
+### Run Trivy with `--skip-check-update` option
+In an air-gapped environment, specify `--skip-check-update` so that Trivy doesn't attempt to download the latest misconfiguration checks.
 
 ```
 $ trivy conf --skip-policy-update /path/to/conf

@@ -3,7 +3,7 @@ The cache directory includes
 
 - [Vulnerability Database][trivy-db][^1]
 - [Java Index Database][trivy-java-db][^2]
-- [Misconfiguration Policies][misconf-policies][^3]
+- [Misconfiguration Checks][misconf-checks][^3]
 - Cache of previous scans.
 
 The cache option is common to all scanners.
@@ -70,7 +70,7 @@ $ trivy server --cache-backend redis://localhost:6379 \
 
 [trivy-db]: ./db.md#vulnerability-database
 [trivy-java-db]: ./db.md#java-index-database
-[misconf-policies]: ../scanner/misconfiguration/check/builtin.md
+[misconf-checks]: ../scanner/misconfiguration/check/builtin.md
 
 [^1]: Downloaded when scanning for vulnerabilities
 [^2]: Downloaded when scanning `jar/war/par/ear` files

@@ -483,7 +483,7 @@ trivy image --ignore-policy contrib/example_policy/basic.rego centos:7
 For more advanced use cases, there is a built-in Rego library with helper functions that you can import into your policy using: `import data.lib.trivy`.
 More info about the helper functions are in the library [here](https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/pkg/result/module.go).
 
-You can find more example policies [here](https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/pkg/result/module.go)
+You can find more example checks [here](https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/pkg/result/module.go)
 
 ### By Vulnerability Exploitability Exchange (VEX)
 | Scanner | Supported |

@@ -11,7 +11,7 @@ The following scanners are supported.
 Trivy recursively searches directories and scans all found Helm files.
 
 It evaluates variables, functions, and other elements within Helm templates and resolve the chart to Kubernetes manifests then run the Kubernetes checks.
-See [here](../../scanner/misconfiguration/check/builtin.md) for more details on the built-in policies.
+See [here](../../scanner/misconfiguration/check/builtin.md) for more details on the built-in checks.
 
 ### Value overrides
 There are a number of options for overriding values in Helm charts.

@@ -87,6 +87,7 @@ trivy aws [flags]
  -h, --help help for aws
  --ignore-policy string specify the Rego file path to evaluate each vulnerability
  --ignorefile string specify .trivyignore file (default ".trivyignore")
+ --include-deprecated-checks include deprecated checks
  --include-non-failures include successes and exceptions, available with '--scanners misconfig'
  --list-all-pkgs enabling the option will output all packages regardless of vulnerability
  --max-cache-age duration The maximum age of the cloud cache. Cached data will be required from the cloud provider if it is older than this. (default 24h0m0s)

@@ -31,6 +31,7 @@ trivy config [flags] DIR
  -h, --help help for config
  --ignore-policy string specify the Rego file path to evaluate each vulnerability
  --ignorefile string specify .trivyignore file (default ".trivyignore")
+ --include-deprecated-checks include deprecated checks
  --include-non-failures include successes and exceptions, available with '--scanners misconfig'
  --k8s-version string specify k8s version to validate outdated api by it (example: 1.21.0)
  --misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])

@@ -49,6 +49,7 @@ trivy filesystem [flags] PATH
  --ignore-unfixed display only fixed vulnerabilities
  --ignored-licenses strings specify a list of license to ignore
  --ignorefile string specify .trivyignore file (default ".trivyignore")
+ --include-deprecated-checks include deprecated checks
  --include-dev-deps include development dependencies in the report (supported: npm, yarn)
  --include-non-failures include successes and exceptions, available with '--scanners misconfig'
  --java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1")

@@ -67,6 +67,7 @@ trivy image [flags] IMAGE_NAME
  --ignorefile string specify .trivyignore file (default ".trivyignore")
  --image-config-scanners strings comma-separated list of what security issues to detect on container image configurations (misconfig,secret)
  --image-src strings image source(s) to use, in priority order (docker,containerd,podman,remote) (default [docker,containerd,podman,remote])
+ --include-deprecated-checks include deprecated checks
  --include-non-failures include successes and exceptions, available with '--scanners misconfig'
  --input string input file path instead of image name
  --java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1")

@@ -62,6 +62,7 @@ trivy kubernetes [flags] [CONTEXT]
  --ignore-unfixed display only fixed vulnerabilities
  --ignorefile string specify .trivyignore file (default ".trivyignore")
  --image-src strings image source(s) to use, in priority order (docker,containerd,podman,remote) (default [docker,containerd,podman,remote])
+ --include-deprecated-checks include deprecated checks
  --include-kinds strings indicate the kinds included in scanning (example: node)
  --include-namespaces strings indicate the namespaces included in scanning (example: kube-system)
  --include-non-failures include successes and exceptions, available with '--scanners misconfig'

@@ -49,6 +49,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
  --ignore-unfixed display only fixed vulnerabilities
  --ignored-licenses strings specify a list of license to ignore
  --ignorefile string specify .trivyignore file (default ".trivyignore")
+ --include-deprecated-checks include deprecated checks
  --include-dev-deps include development dependencies in the report (supported: npm, yarn)
  --include-non-failures include successes and exceptions, available with '--scanners misconfig'
  --java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1")

@@ -52,6 +52,7 @@ trivy rootfs [flags] ROOTDIR
  --ignore-unfixed display only fixed vulnerabilities
  --ignored-licenses strings specify a list of license to ignore
  --ignorefile string specify .trivyignore file (default ".trivyignore")
+ --include-deprecated-checks include deprecated checks
  --include-non-failures include successes and exceptions, available with '--scanners misconfig'
  --java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1")
  --license-confidence-level float specify license classifier's confidence level (default 0.9)

@@ -382,10 +382,14 @@ misconfiguration:
  # Same as '--include-non-failures'
  # Default is false
  include-non-failures: false
+
+ # Same as '--include-deprecated-checks'
+ # Default is false
+ include-deprecated-checks: false
 
- # Same as '--policy-bundle-repository'
+ # Same as '--check-bundle-repository' and '--policy-bundle-repository'
  # Default is 'ghcr.io/aquasecurity/trivy-checks:0'
- policy-bundle-repository: ghcr.io/aquasecurity/trivy-checks:0 
+ check-bundle-repository: ghcr.io/aquasecurity/trivy-checks:0 
 
  # Same as '--miconfig-scanners'
  # Default is all scanners

@@ -3,10 +3,10 @@ Exceptions let you specify cases where you allow policy violations.
 Trivy supports two types of exceptions.
 
 !!! info
- Exceptions can be applied to built-in policies as well as custom policies.
+ Exceptions can be applied to built-in checks as well as custom checks.
 
 ## Namespace-based exceptions
-There are some cases where you need to disable built-in policies partially or fully.
+There are some cases where you need to disable built-in checks partially or fully.
 Namespace-based exceptions lets you rough choose which individual packages to exempt.
 
 To use namespace-based exceptions, create a Rego rule with the name `exception` that returns the package names to exempt.
@@ -26,7 +26,7 @@ The `exception` rule must be defined under `namespace.exceptions`.
  }
  ```
 
-This example exempts all built-in policies for Kubernetes.
+This example exempts all built-in checks for Kubernetes.
 
 ## Rule-based exceptions
 There are some cases where you need more flexibility and granularity in defining which cases to exempt.
@@ -73,7 +73,7 @@ The above would provide an exception from `deny_foo` and `deny_bar`.
  }
  ```
 
-If you want to apply rule-based exceptions to built-in policies, you have to define the exception under the same package.
+If you want to apply rule-based exceptions to built-in checks, you have to define the exception under the same package.
 
 !!! example
  ``` rego

@@ -1,6 +1,6 @@
 # Custom Data
 
-Custom policies may require additional data in order to determine an answer.
+Custom checks may require additional data in order to determine an answer.
 
 For example, an allowed list of resources that can be created. 
 Instead of hardcoding this information inside your policy, Trivy allows passing paths to data files with the `--data` flag.

@@ -1,10 +1,10 @@
-# Debugging policies
+# Debugging checks
 When working on more complex queries (or when learning Rego), it's useful to see exactly how the policy is applied.
 For this purpose you can use the `--trace` flag.
 This will output a large trace from Open Policy Agent like the following:
 
 !!! tip
- Only failed policies show traces. If you want to debug a passed policy, you need to make it fail on purpose.
+ Only failed checks show traces. If you want to debug a passed check, you need to make it fail on purpose.
 
 ```shell
 $ trivy conf --trace configs/

@@ -1,8 +1,8 @@
-# Custom Policies
+# Custom Checks
 
 ## Overview
-You can write custom policies in [Rego][rego].
-Once you finish writing custom policies, you can pass the policy files or the directory where those policies are stored with `--policy` option.
+You can write custom checks in [Rego][rego].
+Once you finish writing custom checks, you can pass the policy files or the directory where those policies are stored with `--policy` option.
 
 ``` bash
 trivy conf --policy /path/to/policy.rego --policy /path/to/custom_policies --namespaces user /path/to/config_dir
@@ -120,7 +120,7 @@ Trivy supports extra fields in the `custom` section as described below.
  ```
 
 All fields are optional. The `schemas` field should be used to enable policy validation using a built-in schema. The 
-schema that will be used is based on the input document type. It is recommended to use this to ensure your policies are 
+schema that will be used is based on the input document type. It is recommended to use this to ensure your checks are 
 correct and do not reference incorrect properties/values.
 
 | Field name | Allowed values | Default value | In table | In JSON |
@@ -131,6 +131,7 @@ correct and do not reference incorrect properties/values.
 | custom.id | Any characters | N/A | :material-check: | :material-check: |
 | custom.severity | `LOW`, `MEDIUM`, `HIGH`, `CRITICAL` | UNKNOWN | :material-check: | :material-check: |
 | custom.recommended_actions | Any characters | | :material-close: | :material-check: |
+| custom.deprecated | `true`, `false` | `false` | :material-close: | :material-check: | 
 | custom.input.selector.type | Any item(s) in [this list][source-types] | | :material-close: | :material-check: |
 | url | Any characters | | :material-close: | :material-check: |
 

@@ -54,7 +54,7 @@ Currently, out of the box the following schemas are supported natively:
 3. [Cloud](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/rego/schemas/cloud.json)
 
 
-## Custom Policies with Custom Schemas
+## Custom Checks with Custom Schemas
 
 You can also bring a custom policy that defines one or more custom schema. 
 
@@ -71,21 +71,21 @@ You can also bring a custom policy that defines one or more custom schema.
  }
  ```
 
-The policies can be placed in a structure as follows
+The checks can be placed in a structure as follows
 
 !!! example
  ```
- /Users/user/my-custom-policies
+ /Users/user/my-custom-checks
  ├── my_policy.rego
  └── schemas
  └── fooschema.json
  └── barschema.json
  ```
 
-To use such a policy with Trivy, use the `--config-policy` flag that points to the policy file or to the directory where the schemas and policies are contained.
+To use such a policy with Trivy, use the `--config-policy` flag that points to the policy file or to the directory where the schemas and checks are contained.
 
 ```bash
-$ trivy --config-policy=/Users/user/my-custom-policies <path/to/iac>
+$ trivy --config-policy=/Users/user/my-custom-checks <path/to/iac>
 ```
 
-For more details on how to define schemas within Rego policies, please see the [OPA guide](https://www.openpolicyagent.org/docs/latest/policy-language/#schema-annotations) that describes it in more detail.
+For more details on how to define schemas within Rego checks, please see the [OPA guide](https://www.openpolicyagent.org/docs/latest/policy-language/#schema-annotations) that describes it in more detail.
@@ -1,9 +1,9 @@
 # Testing
-It is highly recommended to write tests for your custom policies.
+It is highly recommended to write tests for your custom checks.
 
 ## Rego testing
-To help you verify the correctness of your custom policies, OPA gives you a framework that you can use to write tests for your policies. 
-By writing tests for your custom policies you can speed up the development process of new rules and reduce the amount of time it takes to modify rules as requirements evolve.
+To help you verify the correctness of your custom checks, OPA gives you a framework that you can use to write tests for your checks. 
+By writing tests for your custom checks you can speed up the development process of new rules and reduce the amount of time it takes to modify rules as requirements evolve.
 
 For more details, see [Policy Testing][opa-testing].
 
@@ -22,12 +22,12 @@ For more details, see [Policy Testing][opa-testing].
  }
  ```
 
-To write tests for custom policies, you can refer to existing tests under [trivy-checks][trivy-checks].
+To write tests for custom checks, you can refer to existing tests under [trivy-checks][trivy-checks].
 
 ## Go testing
 [Fanal][fanal] which is a core library of Trivy can be imported as a Go library.
-You can scan config files in Go and test your custom policies using Go's testing methods, such as [table-driven tests][table].
-This allows you to use the actual configuration file as input, making it easy to prepare test data and ensure that your custom policies work in practice.
+You can scan config files in Go and test your custom checks using Go's testing methods, such as [table-driven tests][table].
+This allows you to use the actual configuration file as input, making it easy to prepare test data and ensure that your custom checks work in practice.
 
 In particular, Dockerfile and HCL need to be converted to structural data as input, which may be different from the expected input format.
 

@@ -1,6 +1,6 @@
 # Misconfiguration Scanning
-Trivy provides built-in policies to detect configuration issues in popular Infrastructure as Code files, such as: Docker, Kubernetes, Terraform, CloudFormation, and more. 
-In addition to built-in policies, you can write your own custom policies, as you can see [here][custom].
+Trivy provides built-in checks to detect configuration issues in popular Infrastructure as Code files, such as: Docker, Kubernetes, Terraform, CloudFormation, and more. 
+In addition to built-in checks, you can write your own custom checks, as you can see [here][custom].
 
 ## Quick start
 
@@ -94,7 +94,7 @@ In the above example, Trivy detected vulnerabilities of Python dependencies and
 
 ## Type detection
 The specified directory can contain mixed types of IaC files.
-Trivy automatically detects config types and applies relevant policies.
+Trivy automatically detects config types and applies relevant checks.
 
 For example, the following example holds IaC files for Terraform, CloudFormation, Kubernetes, Helm Charts, and Dockerfile in the same directory.
 
@@ -326,16 +326,16 @@ trivy config --misconfig-scanners=terraform,dockerfile .
 
 Will only scan for misconfigurations that pertain to Terraform and Dockerfiles.
 
-### Passing custom policies
-You can pass policy files or directories including your custom policies through `--policy` option.
+### Passing custom checks
+You can pass policy files or directories including your custom checks through `--policy` option.
 This can be repeated for specifying multiple files or directories.
 
 ```bash
 cd examplex/misconf/
 trivy conf --policy custom-policy/policy --policy combine/policy --policy policy.rego --namespaces user misconf/mixed
 ```
 
-For more details, see [Custom Policies](./custom/index.md).
+For more details, see [Custom Checks](./custom/index.md).
 
 !!! tip
 You also need to specify `--namespaces` option.
@@ -352,8 +352,8 @@ trivy conf --policy ./policy --data ./data --namespaces user ./configs
 For more details, see [Custom Data](./custom/data.md).
 
 ### Passing namespaces
-By default, Trivy evaluates policies defined in `builtin.*`.
-If you want to evaluate custom policies in other packages, you have to specify package prefixes through `--namespaces` option.
+By default, Trivy evaluates checks defined in `builtin.*`.
+If you want to evaluate custom checks in other packages, you have to specify package prefixes through `--namespaces` option.
 This can be repeated for specifying multiple packages.
 
 ``` bash