
Commit bc3741a

authored
feat(misconf): support of selectors for all providers for Rego (#6905)
Signed-off-by: nikpivkin <[email protected]>
1 parent 735aadf commit bc3741a


2 files changed

+33
-12
lines changed


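--- a/pkg/iac/providers/provider.go
+++ b/pkg/iac/providers/provider.go
@@ -26,6 +26,13 @@ const (
 	CloudStackProvider Provider = "cloudstack"
 )
 
+func AllProviders() []Provider {
+	return []Provider{
+		AWSProvider, AzureProvider, DigitalOceanProvider, GitHubProvider, GoogleProvider,
+		KubernetesProvider, OracleProvider, OpenStackProvider, NifcloudProvider, CloudStackProvider,
+	}
+}
+
 func RuleProviderToString(provider Provider) string {
 	return strings.ToUpper(string(provider))
 }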
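Review bot: `AllProviders` is exported but has no doc comment, and it is a hand-maintained list that silently drifts the moment a new constant is added to the `const (` block it follows (that block starts outside the hunk, so I cannot confirm the ten names here are all of them). Suggest `// AllProviders returns every Provider this package declares. It must be updated whenever a new Provider constant is added above.` Since `supportedProviders` in pkg/iac/rego/scanner.go is now derived from this slice, a provider missing here would be skipped by the Rego selector matching without any error, which is worth calling out in that comment.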

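--- a/pkg/iac/rego/scanner.go
+++ b/pkg/iac/rego/scanner.go
@@ -17,12 +17,30 @@ import (
 
 	"github.com/aquasecurity/trivy/pkg/iac/debug"
 	"github.com/aquasecurity/trivy/pkg/iac/framework"
+	"github.com/aquasecurity/trivy/pkg/iac/providers"
 	"github.com/aquasecurity/trivy/pkg/iac/rego/schemas"
 	"github.com/aquasecurity/trivy/pkg/iac/scan"
 	"github.com/aquasecurity/trivy/pkg/iac/scanners/options"
 	"github.com/aquasecurity/trivy/pkg/iac/types"
 )
 
+var checkTypesWithSubtype = map[types.Source]struct{}{
+	types.SourceCloud:      {},
+	types.SourceDefsec:     {},
+	types.SourceKubernetes: {},
+}
+
+var supportedProviders = makeSupportedProviders()
+
+func makeSupportedProviders() map[string]struct{} {
+	m := make(map[string]struct{})
+	for _, p := range providers.AllProviders() {
+		m[string(p)] = struct{}{}
+	}
+	m["kind"] = struct{}{} // kubernetes
+	return m
+}
+
 var _ options.ConfigurableScanner = (*Scanner)(nil)
 
 type Scanner struct {
@@ -295,12 +313,8 @@ func (s *Scanner) ScanInput(ctx context.Context, inputs ...Input) (scan.Results,
 }
 
 func isPolicyWithSubtype(sourceType types.Source) bool {
-	for _, s := range []types.Source{types.SourceCloud, types.SourceDefsec, types.SourceKubernetes} {
-		if sourceType == s {
-			return true
-		}
-	}
-	return false
+	_, exists := checkTypesWithSubtype[sourceType]
+	return exists
 }
 
 func checkSubtype(ii map[string]any, provider string, subTypes []SubType) bool {
@@ -311,10 +325,11 @@ func checkSubtype(ii map[string]any, provider string, subTypes []SubType) bool {
 	for _, st := range subTypes {
 		switch services := ii[provider].(type) {
 		case map[string]any:
-			for service := range services {
-				if (service == st.Service) && (st.Provider == provider) {
-					return true
-				}
+			if st.Provider != provider {
+				continue
+			}
+			if _, exists := services[st.Service]; exists {
+				return true
 			}
 		case string: // k8s - logic can be improved
 			if strings.EqualFold(services, st.Group) ||
@@ -331,8 +346,7 @@ func isPolicyApplicable(staticMetadata *StaticMetadata, inputs ...Input) bool {
 	for _, input := range inputs {
 		if ii, ok := input.Contents.(map[string]any); ok {
 			for provider := range ii {
-				// TODO(simar): Add other providers
-				if !strings.Contains(strings.Join([]string{"kind", "aws", "azure"}, ","), provider) {
+				if _, exists := supportedProviders[provider]; !exists {
 					continue
 				}
 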