Use of CloudSploit rules in custom --compliance reports

[brsolomon-deloitte]

Description

From the docs at https://aquasecurity.github.io/trivy/v0.36/docs/compliance/compliance/#custom-compliance,

it seems like a custom compliance spec such as trivy --compliance @</path/to/compliance.yaml> will only support .spec.controls.check.id for "AVD-" or "CVE-" rules and not CloudSploit rules.

However, the full AVD docs from avd.aquasec.com contains both Trivy/CSPM rules whose IDs start with "AVD-" as well as rules sourced from CloudSploit such as: https://avd.aquasec.com/misconfig/aws/api-gateway/api-gateway-default-endpoint-disabled/.

This will error out:

# compliance.yaml
spec:
  id: "aws-myreport" 
  # ...
  controls:
    - name: foo
      description: bar
      id: "1.0"
      checks:
        - id: AVD-KSV-0012
        - id: api-gateway-default-endpoint-disabled

With trivy config --compliance @compliance.yaml, this will error out because of the final id that does not start with AVD- or CVE-. (This is the CloudSploit rule from https://avd.aquasec.com/misconfig/aws/api-gateway/api-gateway-default-endpoint-disabled/.) But presumably, it is still part of the "full" AVD and represents a cloud misconfiguration, and it would be nice for Trivy to scan for it and for it to be an included check in a compliance report.

(Perhaps my assumption is incorrect - does Trivy not audit the CloudSploit rules at all in the first place? My understanding is that Trivy uses the "full" AVD which consists of both "AVD-" rules and CloudSploit-sourced rules.)

Link

No response

Suggestions

See above.

[simar7]

CloudSploit rules are currently not supported within Trivy open source.

[brsolomon-deloitte]

Okay, thank you for clarifying.

[itaysk]

just to add more context - Trivy meant to replace cloudsploit. so if there are missing checks in Trivy, you could request or contribute them to complete coverage gaps