docs: improve targets documentation #8305
Conversation
|
some clarifications about the target docs structure:
removed some sections/examples that appeared in some of the target and were redundant IMO |
|
after rebase, I guess cache is also part of the target consistent structure |
- define target types and refer to them in relevant places
- use consistent structure for all targets docs (also simplify it)
- (also update scanner embedding doc)
|
|
||
| ### Generation |
There was a problem hiding this comment.
We got a request from the community to add a section about SBOM generation in this page so that people will not misunderstand Trivy supports only SBOM discovery.
|
|
||
| Trivy scans the configuration of container images for | ||
| Supported scanners: |
There was a problem hiding this comment.
It's not the case for image metadata scanning. --scanners configures scanners for image contents. We need to consider how we can clarify that. It's not clear now as this section is nested.
|
|
||
| ## SBOM generation |
There was a problem hiding this comment.
Same here. We should keep it somehow.
| ## Files inside container images | ||
| Container images consist of files. | ||
| For instance, new files will be installed if you install a package. | ||
| `image` is a post-build target type, which means it scans installed packages. For more information, see [Target types](../coverage/language/index.md#target-types). |
There was a problem hiding this comment.
#target-types seems like a dead anchor.
| ``` | ||
| $ trivy fs ~/src/github.com/aquasecurity/trivy-ci-test/Pipfile.lock | ||
| ``` | ||
| `fs` is a pre-build target type, which means it scans package manager lock files. For more information, see [Target types](../coverage/language/index.md#target-types). |
|
|
||
| ## Scan Cache | ||
| When scanning git repositories, it stores analysis results in the cache, using the latest commit hash as the key. | ||
| Note that the cache is not used when the repository is dirty, otherwise Trivy will miss the files that are not committed. | ||
|
|
||
| More details are available in the [cache documentation](../configuration/cache.md#scan-cache-backend). | ||
|
|
||
| ## References |
There was a problem hiding this comment.
Nesting these options looks organized to me. These are about specific usages and do not seem to be granular with the other items. Are there any reasons we should avoid it?
| - [Scan container](../advanced/container/embed-in-dockerfile.md) | ||
| - [Scan unpacked container filesystem](../advanced/container/unpacked-filesystem.md) | ||
|
|
||
| `rootfs` is a post-build target type, which means it scans installed packages. For more information, see [Target types](../coverage/language/index.md#target-types). |
| $ trivy vm --scanners license [YOUR_VM_IMAGE] | ||
| ``` | ||
|
|
||
| ## SBOM generation |
| Usage: | ||
|
|
||
| You can scan a VM image file, Amazon Machine Image (AMI), or Amazon Elastic Block Store (EBS) snapshot. |
There was a problem hiding this comment.
| Usage: | |
| You can scan a VM image file, Amazon Machine Image (AMI), or Amazon Elastic Block Store (EBS) snapshot. | |
| You can scan a VM image file, Amazon Machine Image (AMI), or Amazon Elastic Block Store (EBS) snapshot. | |
| Usage: |
| ### Misconfigurations | ||
| It is supported, but it is not useful in most cases. | ||
| As mentioned [here](../scanner/misconfiguration/index.md), Trivy mainly supports Infrastructure as Code (IaC) files for misconfigurations. | ||
| If your VM image includes IaC files such as Kubernetes YAML files or Terraform files, you should enable this feature with `--scanners misconfig`. |
There was a problem hiding this comment.
I would mention this kind of information somewhere. "Misconfigurations" has a broader meaning. Our misconfiguration scanning is IaC-specific and usually doesn't function for container and VM images.
Description
Related issues