Verify IaC Misconfiguration Threshold in Trivy SARIF
Type: Rule
ID: trivy-iac-findings
Source: v2/rules/sarif/trivy/report-trivy-iac-errors.yaml
Rego Source: ../report-iac-errors.rego
Help: https://scribe-security.netlify.app/docs/valint/generic#trivy-integration-example
Labels: SARIF, Trivy
Verify the number of infrastructure-as-code (IaC) errors in the Trivy SARIF report remains below the specified threshold.
This rule requires SARIF Evidence. See here for more details.
Signed Evidence for this rule IS NOT required by default but is recommended.
Rule is scoped by product.
Usage example
uses: sarif/trivy/report-trivy-iac-errors@v2
with:
violations_threshold: 0
Mitigation
Ensures that IaC misconfiguration errors remain within acceptable limits, reducing the risk of deploying images with insecure configuration settings.
Description
This rule evaluates the SARIF report generated by the Trivy Vulnerability Scanner to detect vulnerabilities that match a specified blocklist of CVE identifiers. It processes the report by iterating over its vulnerability results, retrieving the corresponding rule definitions, and checking if the rule IDs contain any of the CVEs listed in the configuration. If the total number of matching vulnerabilities exceeds the allowed threshold, the rule records a violation that includes details such as the CVE identifier, its severity, and the location (artifact URI) where it was detected.
Evidence Requirements
Evidence must be provided in a SARIF 2.1.0 compliant format, generated by the Trivy Vulnerability Scanner.
Evidence Requirements
| Field | Value |
|---|---|
| signed | False |
| content_body_type | generic |
| target_type | data |
| predicate_type | http://docs.oasis-open.org/sarif/sarif/2.1.0 |
| tool | Trivy Vulnerability Scanner |
| filter-by | ['product'] |
Input Definitions
| Parameter | Type | Required | Description |
|---|---|---|---|
| violations_threshold | integer | False | The maximum number of allowed IaC misconfiguration errors. |