Input Schema
Overview
Policies can be defined with custom schemas that allow inputs to be verified against them. Adding a policy schema enables Trivy to show more detailed error messages when an invalid input is encountered.
In Trivy we have been able to define a schema for a Dockerfile Without input schemas, a policy would be as follows:
Example
# METADATA
package mypackage
deny {
input.evil == "foo bar"
}
If this policy is run against offending Dockerfile(s), there will not be any issues as the policy will fail to evaluate. Although the policy's failure to evaluate is legitimate, this should not result in a positive result for the scan.
For instance if we have a policy that checks for misconfigurations in a Dockerfile
, we could define the
schema as such
Example
# METADATA
# schemas:
# - input: schema["dockerfile"]
package mypackage
deny {
input.evil == "foo bar"
}
Here input: schema["dockerfile"]
points to a schema that expects a valid Dockerfile
as input. An example of this
can be found here.
Now if this policy is evaluated against, a more descriptive error will be available to help fix the problem.
1 error occurred: testpolicy.rego:8: rego_type_error: undefined ref: input.evil
input.evil
^
have: "evil"
want (one of): ["Stages"]
Currently, out of the box the following schemas are supported natively:
Custom Checks with Custom Schemas
You can also bring a custom policy that defines one or more custom schema.
Example
# METADATA
# schemas:
# - input: schema["fooschema"]
# - input: schema["barschema"]
package mypackage
deny {
input.evil == "foo bar"
}
The checks can be placed in a structure as follows
Example
/Users/user/my-custom-checks
├── my_policy.rego
└── schemas
└── fooschema.json
└── barschema.json
To use such a policy with Trivy, use the --config-policy
flag that points to the policy file or to the directory where the schemas and checks are contained.
$ trivy --config-policy=/Users/user/my-custom-checks <path/to/iac>
For more details on how to define schemas within Rego checks, please see the OPA guide that describes it in more detail.