feat(misconf): render causes for Terraform (#8360)

Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>

Author: nikpivkin

docs/docs/references/configuration/cli/trivy_config.md

@@ -45,6 +45,7 @@ trivy config [flags] DIR
       --redis-key string                  redis key file location, if using redis as cache backend
       --redis-tls                         enable redis TLS with public certificates, if using redis as cache backend
       --registry-token string             registry token
+      --render-cause strings              specify configuration types for which the rendered causes will be shown in the table report (terraform)
       --report string                     specify a compliance report format for the output (all,summary) (default "all")
   -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
       --skip-check-update                 skip fetching rego check updates

docs/docs/references/configuration/cli/trivy_filesystem.md

@@ -78,6 +78,7 @@ trivy filesystem [flags] PATH
       --redis-tls                         enable redis TLS with public certificates, if using redis as cache backend
       --registry-token string             registry token
       --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
+      --render-cause strings              specify configuration types for which the rendered causes will be shown in the table report (terraform)
       --report string                     specify a compliance report format for the output (all,summary) (default "all")
       --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
       --scanners strings                  comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])

docs/docs/references/configuration/cli/trivy_image.md

@@ -100,6 +100,7 @@ trivy image [flags] IMAGE_NAME
       --registry-token string             registry token
       --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
       --removed-pkgs                      detect vulnerabilities of removed packages (only for Alpine)
+      --render-cause strings              specify configuration types for which the rendered causes will be shown in the table report (terraform)
       --report string                     specify a format for the compliance report. (all,summary) (default "summary")
       --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
       --scanners strings                  comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])

docs/docs/references/configuration/cli/trivy_kubernetes.md

@@ -94,6 +94,7 @@ trivy kubernetes [flags] [CONTEXT]
       --redis-tls                         enable redis TLS with public certificates, if using redis as cache backend
       --registry-token string             registry token
       --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
+      --render-cause strings              specify configuration types for which the rendered causes will be shown in the table report (terraform)
       --report string                     specify a report format for the output (all,summary) (default "all")
       --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
       --scanners strings                  comma-separated list of what security issues to detect (vuln,misconfig,secret,rbac) (default [vuln,misconfig,secret,rbac])

docs/docs/references/configuration/cli/trivy_repository.md

@@ -77,6 +77,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
       --redis-tls                         enable redis TLS with public certificates, if using redis as cache backend
       --registry-token string             registry token
       --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
+      --render-cause strings              specify configuration types for which the rendered causes will be shown in the table report (terraform)
       --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
       --scanners strings                  comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
       --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")

docs/docs/references/configuration/cli/trivy_rootfs.md

@@ -80,6 +80,7 @@ trivy rootfs [flags] ROOTDIR
       --redis-tls                         enable redis TLS with public certificates, if using redis as cache backend
       --registry-token string             registry token
       --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
+      --render-cause strings              specify configuration types for which the rendered causes will be shown in the table report (terraform)
       --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
       --scanners strings                  comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
       --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")

docs/docs/references/configuration/cli/trivy_vm.md

@@ -69,6 +69,7 @@ trivy vm [flags] VM_IMAGE
       --redis-key string                  redis key file location, if using redis as cache backend
       --redis-tls                         enable redis TLS with public certificates, if using redis as cache backend
       --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
+      --render-cause strings              specify configuration types for which the rendered causes will be shown in the table report (terraform)
       --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
       --scanners strings                  comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
       --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")

docs/docs/references/configuration/config-file.md

@@ -409,6 +409,9 @@ misconfiguration:
   # Same as '--include-non-failures'
   include-non-failures: false
 
+  # Same as '--render-cause'
+  render-cause: []
+
   # Same as '--misconfig-scanners'
   scanners:
    - azure-arm

pkg/compliance/report/testdata/all.json

@@ -23,7 +23,8 @@
               "CauseMetadata": {
                 "Code": {
                   "Lines": null
-                }
+                },
+                "RenderedCause": {}
               }
             }
           ]
@@ -46,7 +47,8 @@
               "CauseMetadata": {
                 "Code": {
                   "Lines": null
-                }
+                },
+                "RenderedCause": {}
               }
             }
           ]

pkg/fanal/types/misconf.go

@@ -30,13 +30,14 @@ type MisconfResult struct {
 type MisconfResults []MisconfResult
 
 type CauseMetadata struct {
-	Resource    string       `json:",omitempty"`
-	Provider    string       `json:",omitempty"`
-	Service     string       `json:",omitempty"`
-	StartLine   int          `json:",omitempty"`
-	EndLine     int          `json:",omitempty"`
-	Code        Code         `json:",omitempty"`
-	Occurrences []Occurrence `json:",omitempty"`
+	Resource      string        `json:",omitempty"`
+	Provider      string        `json:",omitempty"`
+	Service       string        `json:",omitempty"`
+	StartLine     int           `json:",omitempty"`
+	EndLine       int           `json:",omitempty"`
+	Code          Code          `json:",omitempty"`
+	Occurrences   []Occurrence  `json:",omitempty"`
+	RenderedCause RenderedCause `json:",omitempty"`
 }
 
 type Occurrence struct {
@@ -45,6 +46,11 @@ type Occurrence struct {
 	Location Location
 }
 
+type RenderedCause struct {
+	Raw         string `json:",omitempty"`
+	Highlighted string `json:",omitempty"`
+}
+
 type Code struct {
 	Lines []Line
 }