v1.3.1

What's Changed

• do not include yaml examples in checks bundle by @nikpivkin in #292

Full Changelog: v1.3.0...v1.3.1

v1.3.0

What's Changed

• Revert "test(bundle): Disable canary builds" by @simar7 in #282
• fix: fix metadata retrieval from iac types by @nikpivkin in #286
• test: unify docker and k8s tests by @nikpivkin in #285
• ci: push bundle to Docker Hub registry by @nikpivkin in #291
• chore: disable ryuk by @nikpivkin in #290
• chore: update push-bundle command by @nikpivkin in #288
• fix(checks): check only clusters in AVD-AWS-0343 by @nikpivkin in #287
• chore: store examples in YAML by @nikpivkin in #271
• chore: remove AVD-AWS-0134 by @nikpivkin in #289

Full Changelog: v1.2.2...v1.3.0

v1.2.2

What's Changed

• fix: do not use deny in rule name by @nikpivkin in #283

Full Changelog: v1.2.1...v1.2.2

v1.2.1

Full Changelog: v1.2.0...v1.2.1

v1.2.0

What's Changed

• fix(checks): add aliases to Rego checks by @nikpivkin in #269
• fix(azure): properly check ports in AVD-AZU-0058 and AVD-AZU-0050 by @nikpivkin in #268
• fix(checks): correctly check the addresses count in the AVD-NIF-0001 rule by @aokumasan in #267
• Produce a manifest with a non-zero config by @cbandy in #270
• feat(checks): add secrets leak check in Dockerfile by @nikpivkin in #265
• fix(ci): exclude Trivy for dependabot by @nikpivkin in #273
• refactor(checks): improve metadata retrieval by @nikpivkin in #261
• chore(deps): bump mvdan.cc/sh/v3 from 3.8.0 to 3.9.0 in the common group across 1 directory by @dependabot in #276
• fix(k8s): downgrade KSV117 severity from High to Medium by @nikpivkin in #275
• refactor: remove references to __defsec_metadata by @nikpivkin in #278
• feat(checks): Deprecate remaining PSP checks by @simar7 in #277
• fix(checks): handle of unresolvable values by @nikpivkin in #279
• Allow the ADD instruction with HTTP, HTTPS and Git URLs by @nicwortel in #281
• chore(deps): bump mvdan.cc/sh/v3 from 3.9.0 to 3.10.0 in the common group by @dependabot in #280

New Contributors

• @aokumasan made their first contribution in #267
• @cbandy made their first contribution in #270
• @nicwortel made their first contribution in #281

Full Changelog: v1.1.0...v1.2.0

v1.1.0

What's Changed

• chore(test): Revert "test(bundle): use only canary Trivy" by @simar7 in #248
• fix(checks): invert logic of AVD-KCV-0030 by @kapistka in #219
• chore: Fix typo in explanation by @pascal-hofmann in #220
• feat(checks): add ssl_mode support in AVD-GCP-0015 by @nikpivkin in #258
• fix(checks): rename cloudformation -> cloud_formation in metadata by @nikpivkin in #255
• feat(checks): improve S3 server logging access detection for AVD-AWS-0089 by @nikpivkin in #208
• feat: add function to retrieve object by path by @nikpivkin in #199
• chore(deps): bump Trivy by @nikpivkin in #256
• fix(checks): align AVD-AWS-0107 and AVD-AWS-0105 checks with CIS Benchmarks by @nikpivkin in #257

New Contributors

• @kapistka made their first contribution in #219
• @pascal-hofmann made their first contribution in #220

Full Changelog: v1.0.1...v1.1.0

v1.0.1

What's Changed

• Fix tests by @simar7 in #251

Full Changelog: v1.0.0...v1.0.1

v1.0.0

What's Changed

We've transitioned all of the checks from Go to Rego. Therefore we're releasing this early release of the trivy-checks bundle as a new Major version starting as v1.

This bundle will be the default checks bundle starting from the next release of Trivy (v0.56+) to allow for any improvements to be baked in prior to the use in Trivy. See the announcement here.

Commits in this change

• fix(checks): correctly check the protocol in the AVD-AWS-0102 rule by @nikpivkin in #161
• fix(docs): generate multiple examples from Rego by @nikpivkin in #169
• test(bundle): Verify bundle usage by @simar7 in #173
• test: exclude deprecated checks when detecting duplicates by @nikpivkin in #181
• ci: bump OPA to v0.65.0 by @nikpivkin in #186
• feat: add CIDR and squealer built-in Rego functions by @nikpivkin in #174
• chore(deps): bump github.com/open-policy-agent/opa from 0.65.0 to 0.67.0 by @dependabot in #206
• ci: pin Go version by @nikpivkin in #214
• refactor(checks): migrate of some AWS services to Rego by @nikpivkin in #197
• test: reorganize the structure of functional tests by @nikpivkin in #215
• Ignore casing in CIDR wildcards by @InverseIntegral in #210
• refactor(checks): migrate Nifcloud network, dns, sslcertificate to Rego by @nikpivkin in #184
• refactor(checks): migrate GitHub checks to Rego by @nikpivkin in #187
• refactor(checks): migrate Google dns, kms, bigquery to Rego by @nikpivkin in #194
• refactor(checks): migrate Azure appservice, authorization, container to Rego by @nikpivkin in #198
• refactor(checks): migrate Azure datafactory, datalake, keyvault to Rego by @nikpivkin in #201
• ci: add groups for dependabot by @nikpivkin in #213
• chore: init separate package for bundle scripts by @nikpivkin in #218
• refactor(checks): migrate AWS S3 to Rego by @nikpivkin in #204
• refactor(checks): migrate Oracle to Rego by @nikpivkin in #182
• chore(deps): bump trivy by @nikpivkin in #216
• ci: use OPA with custom built-in functions by @nikpivkin in #225
• refactor(checks): migrate Azure monitor, network, synapse, securitycenter to Rego by @nikpivkin in #202
• refactor(checks): migrate DigitalOcean spaces to Rego by @nikpivkin in #188
• refactor(checks): migrate Azure database, compute to Rego by @nikpivkin in #200
• test: initialise tests in each test file by @nikpivkin in #234
• test(bundle): use only canary Trivy by @nikpivkin in #236
• Fix typo in enforce_immutable_repository by @evankanderson in #232
• refactor(checks): migrate Openstack checks to Rego by @nikpivkin in #183
• refactor(checks): migrate Nifcloud computing, rdb, nas to Rego by @nikpivkin in #185
• refactor(checks): migrate Google sql and storage to Rego by @nikpivkin in #189
• refactor(checks): migrate Google IAM to Rego by @nikpivkin in #193
• refactor(checks): migrate Google GKE to Rego by @nikpivkin in #195
• refactor(checks): migrate Google Compute to Rego by @nikpivkin in #196
• refactor(checks): migrate AWS elasticache, elasticsearch, elb to Rego by @nikpivkin in #227
• refactor(checks): migrate AWS emr, kinesis, kms, lambda to Rego by @nikpivkin in #228
• refactor(checks): migrate AWS ecr, efs and eks to Rego by @nikpivkin in #229
• refactor(checks): migrate AWS workspaces, ssm and sqs to Rego by @nikpivkin in #230
• refactor(checks): migrate AWS redshift, sam and sns to Rego by @nikpivkin in #231
• refactor(checks): migrate AWS rds, neptune, mq, ecs to Rego by @nikpivkin in #239
• refactor(checks): migrate AWS IAM to Rego by @nikpivkin in #235
• chore: always pull trivy images by @nikpivkin in #238
• chore(deps): bump github.com/docker/docker from 26.1.3+incompatible to 26.1.5+incompatible in /scripts in the go_modules group across 1 directory by @dependabot in #223
• refactor(checks): migrate CloudStack to Rego by @nikpivkin in #222
• refactor: update Rego libs by @nikpivkin in #240
• refactor(checks): migrate AWS apigateway, cloudfront, cloudwatch to Rego by @nikpivkin in #241
• refactor(checks): migrate DigitalOcean compute to Rego by @nikpivkin in #243
• refactor(checks): migrate Azure storage to Rego by @nikpivkin in #244
• refactor(checks): migrate AWS ec2 to Rego by @nikpivkin in #226
• chore: remove unnecessary test files by @nikpivkin in #242
• chore(checks): deprecate some checks by @nikpivkin in #245
• checks: add default framework to some Rego checks by @nikpivkin in #247
• chore(deps): Bump trivy version by @simar7 in #246
• chore: mark Rego libs as libs by @nikpivkin in #250

New Contributors

• @InverseIntegral made their first contribution in #210
• @evankanderson made their first contribution in #232

Full Changelog: v0.13.0...v1.0.0

v0.13.0

What's Changed

• feat: cis eks spec update by @chen-keinan in #145
• feat: update k8s specs id by @chen-keinan in #149
• chore(deps): Update trivy pkg to latest by @simar7 in #157
• feat: add compliance additional fields by @chen-keinan in #151
• feat: rke2 cis spec support by @chen-keinan in #148
• feat(specs): Expose specs as a pkg by @simar7 in #158
• fix(specs): Relocate rke2-cis by @simar7 in #159
• docs: add compliance contribution docs by @chen-keinan in #152
• fix: update rke2 spec title by @chen-keinan in #160

Full Changelog: v0.12.0...v0.13.0

v0.12.0

What's Changed

• Fix page title for AVD-AWS-0342 in vulnerability database documentation by @thaim in #140
• feat: support node-collector commands and NodeInfo by @chen-keinan in #136
• Add OCI image annotations by @candrews in #141
• chore(deps): bump github.com/open-policy-agent/opa from 0.64.1 to 0.65.0 by @dependabot in #142
• fix: use regex to split command by @nikpivkin in #144

New Contributors

• @thaim made their first contribution in #140

Full Changelog: v0.11.0...v0.12.0