Built-in Policies
Policy Sources
Built-in policies are mainly written in Rego and are maintained in the AppShield repository. Only the Terraform policies are currently powered by tfsec.
| Config type | Source |
|---|---|
| Kubernetes | AppShield |
| Dockerfile | AppShield |
| Terraform | tfsec |
For suggestions or issues regarding policy content, please open an issue in the AppShield or tfsec repository.
Support for CloudFormation and Ansible is coming soon.
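As an added example of the kind of Rego policy described above (this is not code from the page or from the AppShield repository), here is a small Kubernetes misconfiguration check with a constructed Pod and Deployment embedded as test input, so it can be run offline with `opa test`. The package name, rule names and messages are assumptions; whatever conventions AppShield's own policies follow beyond a plain `deny` rule are not shown on this page and are not assumed here.

```rego
# Added example: a Kubernetes misconfiguration check written in Rego.
# Package name, rule names and messages are assumptions, not AppShield's.
package example.kubernetes

# Collect the containers of a bare Pod or of a Deployment's pod template,
# so one set of checks covers both kinds of manifest.
containers[c] {
    input.kind == "Pod"
    c := input.spec.containers[_]
}

containers[c] {
    input.kind == "Deployment"
    c := input.spec.template.spec.containers[_]
}

# A privileged container gets full access to the host's devices.
deny[msg] {
    c := containers[_]
    c.securityContext.privileged == true
    msg := sprintf("container %q must not run privileged", [c.name])
}

# A container that does not set runAsNonRoot may run as UID 0.
deny[msg] {
    c := containers[_]
    not c.securityContext.runAsNonRoot
    msg := sprintf("container %q should set securityContext.runAsNonRoot: true", [c.name])
}

# Constructed test inputs (run with `opa test .` in the policy directory).
bad_pod := {
    "kind": "Pod",
    "spec": {"containers": [{
        "name": "app",
        "image": "app:1.0",
        "securityContext": {"privileged": true}
    }]}
}

good_deployment := {
    "kind": "Deployment",
    "spec": {"template": {"spec": {"containers": [{
        "name": "app",
        "image": "app:1.0",
        "securityContext": {"privileged": false, "runAsNonRoot": true}
    }]}}}
}

# The privileged Pod trips both checks; the hardened Deployment trips none.
test_privileged_pod_denied {
    count(deny) == 2 with input as bad_pod
}

test_hardened_deployment_allowed {
    count(deny) == 0 with input as good_deployment
}
```

The second rule deliberately fires when `securityContext` or `runAsNonRoot` is absent: an undefined reference makes `not c.securityContext.runAsNonRoot` true, which is the behaviour you want for a "must be explicitly set" check.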
Policy Distribution
AppShield policies are distributed as an OPA bundle on GitHub Container Registry (GHCR). When misconfiguration detection is enabled, Trivy pulls the OPA bundle from GHCR as an OCI artifact and stores it in the cache, so the host running Trivy needs network access to GHCR. Those policies are then loaded into Trivy's OPA engine and used to detect misconfigurations.
Update Interval
Trivy checks GHCR for a newer version of the OPA bundle every 24 hours and pulls it if one is available.