feat(misconf): Add support for configurable Rego error limit

docs/docs/advanced/telemetry-flags.md

@@ -24,6 +24,7 @@
 --pkg-types
 --quiet
 --redis-tls
+--rego-error-limit
 --removed-pkgs
 --report
 --scanners

docs/docs/references/configuration/cli/trivy_config.md

@@ -58,6 +58,7 @@ trivy config [flags] DIR
       --redis-key string                  redis key file location, if using redis as cache backend
       --redis-tls                         enable redis TLS with public certificates, if using redis as cache backend
       --registry-token string             registry token
+      --rego-error-limit int              maximum number of compile errors allowed during Rego policy evaluation (default 10)
       --render-cause strings              specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)
       --report string                     specify a compliance report format for the output (allowed values: all,summary) (default "all")
   -s, --severity strings                  severities of security issues to be displayed

docs/docs/references/configuration/cli/trivy_filesystem.md

@@ -106,6 +106,7 @@ trivy filesystem [flags] PATH
       --redis-key string                  redis key file location, if using redis as cache backend
       --redis-tls                         enable redis TLS with public certificates, if using redis as cache backend
       --registry-token string             registry token
+      --rego-error-limit int              maximum number of compile errors allowed during Rego policy evaluation (default 10)
       --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
       --render-cause strings              specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)
       --report string                     specify a compliance report format for the output (allowed values: all,summary) (default "all")

docs/docs/references/configuration/cli/trivy_image.md

@@ -127,6 +127,7 @@ trivy image [flags] IMAGE_NAME
       --redis-key string                  redis key file location, if using redis as cache backend
       --redis-tls                         enable redis TLS with public certificates, if using redis as cache backend
       --registry-token string             registry token
+      --rego-error-limit int              maximum number of compile errors allowed during Rego policy evaluation (default 10)
       --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
       --removed-pkgs                      detect vulnerabilities of removed packages (only for Alpine)
       --render-cause strings              specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)

docs/docs/references/configuration/cli/trivy_kubernetes.md

@@ -118,6 +118,7 @@ trivy kubernetes [flags] [CONTEXT]
       --redis-key string                  redis key file location, if using redis as cache backend
       --redis-tls                         enable redis TLS with public certificates, if using redis as cache backend
       --registry-token string             registry token
+      --rego-error-limit int              maximum number of compile errors allowed during Rego policy evaluation (default 10)
       --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
       --render-cause strings              specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)
       --report string                     specify a report format for the output (allowed values: all,summary) (default "all")

docs/docs/references/configuration/cli/trivy_repository.md

@@ -105,6 +105,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
       --redis-key string                  redis key file location, if using redis as cache backend
       --redis-tls                         enable redis TLS with public certificates, if using redis as cache backend
       --registry-token string             registry token
+      --rego-error-limit int              maximum number of compile errors allowed during Rego policy evaluation (default 10)
       --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
       --render-cause strings              specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)
       --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (allowed values: oci,rekor)

docs/docs/references/configuration/cli/trivy_rootfs.md

@@ -108,6 +108,7 @@ trivy rootfs [flags] ROOTDIR
       --redis-key string                  redis key file location, if using redis as cache backend
       --redis-tls                         enable redis TLS with public certificates, if using redis as cache backend
       --registry-token string             registry token
+      --rego-error-limit int              maximum number of compile errors allowed during Rego policy evaluation (default 10)
       --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
       --render-cause strings              specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)
       --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (allowed values: oci,rekor)

docs/docs/references/configuration/config-file.md

@@ -495,6 +495,9 @@ rego:
   # Same as '--config-data'
   data: []
 
+  # Same as '--rego-error-limit'
+  error-limit: 10
+
   # Same as '--include-deprecated-checks'
   include-deprecated-checks: false
 

pkg/commands/artifact/run.go

@@ -742,6 +742,7 @@ func initMisconfScannerOption(ctx context.Context, opts flag.Options) (misconf.S
 		DisableEmbeddedPolicies:  disableEmbedded,
 		DisableEmbeddedLibraries: disableEmbedded,
 		IncludeDeprecatedChecks:  opts.IncludeDeprecatedChecks,
+		RegoErrorLimit:           opts.RegoOptions.ErrorLimit,
 		TfExcludeDownloaded:      opts.TfExcludeDownloaded,
 		RawConfigScanners:        opts.RawConfigScanners,
 		FilePatterns:             opts.FilePatterns,

pkg/flag/rego_flags.go

@@ -1,5 +1,7 @@
 package flag
 
+import "github.com/open-policy-agent/opa/ast"
+
 // e.g. config yaml:
 //
 //	rego:
@@ -74,6 +76,13 @@ var (
 			},
 		},
 	}
+	RegoErrorLimitFlag = Flag[int]{
+		Name:          "rego-error-limit",
+		ConfigName:    "rego.error-limit",
+		Usage:         "maximum number of compile errors allowed during Rego policy evaluation",
+		TelemetrySafe: true,
+		Default:       ast.CompileErrorLimitDefault,
+	}
 )
 
 // RegoFlagGroup composes common printer flag structs used for commands providing misconfinguration scanning.
@@ -84,6 +93,7 @@ type RegoFlagGroup struct {
 	CheckPaths              *Flag[[]string]
 	DataPaths               *Flag[[]string]
 	CheckNamespaces         *Flag[[]string]
+	ErrorLimit              *Flag[int]
 }
 
 type RegoOptions struct {
@@ -93,6 +103,7 @@ type RegoOptions struct {
 	CheckPaths              []string
 	DataPaths               []string
 	CheckNamespaces         []string
+	ErrorLimit              int
 }
 
 func NewRegoFlagGroup() *RegoFlagGroup {
@@ -103,6 +114,7 @@ func NewRegoFlagGroup() *RegoFlagGroup {
 		CheckPaths:              ConfigCheckFlag.Clone(),
 		DataPaths:               ConfigDataFlag.Clone(),
 		CheckNamespaces:         CheckNamespaceFlag.Clone(),
+		ErrorLimit:              RegoErrorLimitFlag.Clone(),
 	}
 }
 
@@ -118,6 +130,7 @@ func (f *RegoFlagGroup) Flags() []Flagger {
 		f.CheckPaths,
 		f.DataPaths,
 		f.CheckNamespaces,
+		f.ErrorLimit,
 	}
 }
 
@@ -129,6 +142,7 @@ func (f *RegoFlagGroup) ToOptions(opts *Options) error {
 		CheckPaths:              f.CheckPaths.Value(),
 		DataPaths:               f.DataPaths.Value(),
 		CheckNamespaces:         f.CheckNamespaces.Value(),
+		ErrorLimit:              f.ErrorLimit.Value(),
 	}
 	return nil
 }

pkg/iac/rego/embed.go

@@ -41,6 +41,7 @@ func RegisterRegoRules(modules map[string]*ast.Module) {
 		WithCapabilities(nil).
 		WithUseTypeCheckAnnotations(true)
 
+	compiler.SetErrorLimit(ast.CompileErrorLimitDefault)
 	compiler.Compile(modules)
 	if compiler.Failed() {
 		// we should panic as the embedded rego policies are syntactically incorrect...

pkg/iac/rego/load.go

@@ -247,6 +247,7 @@ func (s *Scanner) compilePolicies(srcFS fs.FS, paths []string) error {
 		WithCapabilities(ast.CapabilitiesForThisVersion()).
 		WithSchemas(schemaSet)
 
+	compiler.SetErrorLimit(s.regoErrorLimit)
 	compiler.Compile(s.policies)
 	if compiler.Failed() {
 		s.fallbackChecks(compiler)

pkg/misconf/scanner.go

@@ -60,6 +60,7 @@ type ScannerOption struct {
 	DisableEmbeddedPolicies  bool
 	DisableEmbeddedLibraries bool
 	IncludeDeprecatedChecks  bool
+	RegoErrorLimit           int
 
 	HelmValues              []string
 	HelmValueFiles          []string
@@ -236,6 +237,10 @@ func initRegoOptions(opt ScannerOption) ([]options.ScannerOption, error) {
 		rego.WithTrivyVersion(app.Version()),
 	}
 
+	if opt.RegoErrorLimit > 0 {
+		opts = append(opts, rego.WithRegoErrorLimits(opt.RegoErrorLimit))
+	}
+
 	policyFS, policyPaths, err := CreatePolicyFS(opt.PolicyPaths)
 	if err != nil {
 		return nil, err