feat: Add AWS Cloud scanning (#2493)

* feat: Added AWS Cloud scanning

Co-authored-by: Owen Rumney <owen.rumney@aquasec.com>

.github/CODEOWNERS

@@ -7,8 +7,11 @@ helm/trivy/ @krol3
 # Misconfiguration scanning
 examples/misconf/           @owenrumney @liamg @knqyf263
 docs/docs/misconfiguration  @owenrumney @liamg @knqyf263
+docs/docs/cloud             @owenrumney @liamg @knqyf263
 pkg/fanal/analyzer/config   @owenrumney @liamg @knqyf263
 pkg/fanal/handler/misconf   @owenrumney @liamg @knqyf263
+pkg/cloud                   @owenrumney @liamg @knqyf263
+pkg/flag                    @owenrumney @liamg @knqyf263
 
 # Kubernetes scanning
 pkg/k8s/                @josedonizetti @chen-keinan @knqyf263

docs/docs/cloud/aws/scanning.md

@@ -0,0 +1,55 @@
+# Amazon Web Services
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+The Trivy AWS CLI allows you to scan your AWS account for misconfigurations. You can either run the CLI locally or integrate it into your CI/CD pipeline. 
+
+Whilst you can already scan the infrastructure-as-code that defines your AWS resources with `trivy config`, you can now scan your live AWS account(s) directly too.
+
+The included checks cover all of the aspects of the [AWS CIS 1.2](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-cis.html) automated benchmarks.
+
+Trivy uses the same [authentication methods](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) as the AWS CLI to configure and authenticate your access to the AWS platform.
+
+You will need permissions configured to read all AWS resources - we recommend using a group/role with the `ReadOnlyAccess` and `SecurityAudit` policies attached.
+
+Once you've scanned your account, you can run additional commands to filter the results without having to run the entire scan again - results are cached locally per AWS account/region.
+
+## CLI Commands
+
+Scan a full AWS account (all supported services):
+
+```shell
+trivy aws --region us-east-1
+```
+
+You can allow Trivy to determine the AWS region etc. by using the standard AWS configuration files and environment variables. The `--region` flag overrides these.
+
+![AWS Summary Report](../../../imgs/trivy-aws.png)
+
+The summary view is the default when scanning multiple services.
+
+Scan a specific service:
+
+```shell
+trivy aws --service s3
+```
+
+Scan multiple services:
+
+```shell
+# --service s3,ec2 works too
+trivy aws --service s3 --service ec2
+```
+
+Show results for a specific AWS resource:
+
+```shell
+trivy aws --service s3 --arn arn:aws:s3:::example-bucket
+```
+
+All ARNs with detected issues will be displayed when showing results for their associated service.
+
+## Cached Results
+
+By default, Trivy will cache results for each service for 24 hours. This means you can filter and view results for a service without having to wait for the scan to run again. If you want to force the cache to be refreshed with the latest data, you can use `--update-cache`. Or if you'd like to use cached data for a different timeframe, you can specify `--max-cache-age` (e.g. `--max-cache-age 2h`.)

docs/docs/references/customization/config-file.md

@@ -6,7 +6,7 @@ An example is [here][example].
 
 ## Global Options
 
-```
+```yaml
 # Same as '--quiet'
 # Default is false
 quiet: false
@@ -30,7 +30,7 @@ cache-dir: $HOME/.cache/trivy
 
 ## Report Options
 
-```
+```yaml
 # Same as '--format'
 # Default is 'table'
 format: table
@@ -80,7 +80,7 @@ severity:
 ## Scan Options
 Available in client/server mode
 
-```
+```yaml
 scan:
   # Same as '--skip-dirs'
   # Default is empty
@@ -107,7 +107,7 @@ scan:
 
 ## Cache Options
 
-```
+```yaml
 cache:
   # Same as '--cache-backend'
   # Default is 'fs' 
@@ -134,7 +134,7 @@ cache:
 
 ## DB Options
 
-```
+```yaml
 db:
   # Same as '--skip-db-update'
   # Default is false
@@ -152,7 +152,7 @@ db:
 ## Image Options
 Available with container image scanning
 
-```
+```yaml
 image:
   # Same as '--input' (available with 'trivy image')
   # Default is empty
@@ -166,7 +166,7 @@ image:
 ## Vulnerability Options
 Available with vulnerability scanning
 
-```
+```yaml
 vulnerability:
   # Same as '--vuln-type'
   # Default is 'os,library'
@@ -182,7 +182,7 @@ vulnerability:
 ## Secret Options
 Available with secret scanning
 
-```
+```yaml
 secret:
   # Same as '--secret-config'
   # Default is 'trivy-secret.yaml'
@@ -193,7 +193,7 @@ secret:
 ## Misconfiguration Options
 Available with misconfiguration scanning
 
-```
+```yaml
 misconfiguration:
   # Same as '--file-patterns'
   # Default is empty
@@ -256,7 +256,7 @@ misconfiguration:
 ## Kubernetes Options
 Available with Kubernetes scanning
 
-```
+```yaml
 kubernetes:
   # Same as '--context'
   # Default is empty
@@ -270,7 +270,7 @@ kubernetes:
 ## Repository Options
 Available with git repository scanning (`trivy repo`) 
 
-```
+```yaml
 repository:
   # Same as '--branch'
   # Default is empty
@@ -288,7 +288,7 @@ repository:
 ## Client/Server Options
 Available in client/server mode
 
-```
+```yaml
 server:
   # Same as '--server' (available in client mode)
   # Default is empty
@@ -313,4 +313,28 @@ server:
   listen: 0.0.0.0:10000
 ```
 
+## Cloud Options
+
+Available for cloud scanning (currently only `trivy aws`)
+
+```yaml
+cloud:
+  # whether to force a cache update for every scan
+  update-cache: false
+  
+  # how old cached results can be before being invalidated
+  max-cache-age: 24h
+  
+  # aws-specific cloud settings
+  aws:
+    # the aws region to use
+    region: us-east-1
+    
+    # the aws endpoint to use (not required for general use)
+    endpoint: https://my.custom.aws.endpoint
+    
+    # the aws account to use (this will be determined from your environment when not set)
+    account: 123456789012
+```
+
 [example]: https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/examples/trivy-conf/trivy.yaml

go.mod

@@ -17,6 +17,9 @@ require (
 	github.com/aquasecurity/testdocker v0.0.0-20210911155206-e1e85f5a1516
 	github.com/aquasecurity/trivy-db v0.0.0-20220627104749-930461748b63
 	github.com/aquasecurity/trivy-kubernetes v0.3.1-0.20220727123250-2cfd49c5b6c3
+	github.com/aws/aws-sdk-go-v2 v1.16.8
+	github.com/aws/aws-sdk-go-v2/config v1.15.15
+	github.com/aws/aws-sdk-go-v2/service/sts v1.16.10
 	github.com/caarlos0/env/v6 v6.9.3
 	github.com/cenkalti/backoff v2.2.1+incompatible
 	github.com/cheggaaa/pb/v3 v3.1.0
@@ -38,6 +41,7 @@ require (
 	github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d
 	github.com/knqyf263/go-rpm-version v0.0.0-20220614171824-631e686d1075
 	github.com/kylelemons/godebug v1.1.0
+	github.com/liamg/loading v0.0.4
 	github.com/liamg/memoryfs v1.4.2
 	github.com/liamg/tml v0.6.0
 	github.com/mailru/easyjson v0.7.7
@@ -67,8 +71,58 @@ require (
 )
 
 require (
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.3 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.12.10 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.9 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.15 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.9 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.16 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/apigateway v1.15.11 // indirect
+	github.com/aws/aws-sdk-go-v2/service/apigatewayv2 v1.12.9 // indirect
+	github.com/aws/aws-sdk-go-v2/service/athena v1.18.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/cloudfront v1.18.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.16.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/cloudwatch v1.19.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.15.11 // indirect
+	github.com/aws/aws-sdk-go-v2/service/codebuild v1.19.9 // indirect
+	github.com/aws/aws-sdk-go-v2/service/docdb v1.19.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/dynamodb v1.15.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ec2 v1.51.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecr v1.17.9 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecs v1.18.12 // indirect
+	github.com/aws/aws-sdk-go-v2/service/efs v1.17.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/eks v1.21.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/elasticache v1.22.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.18.9 // indirect
+	github.com/aws/aws-sdk-go-v2/service/elasticsearchservice v1.16.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/emr v1.20.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/iam v1.18.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.7.9 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.9 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.13.9 // indirect
+	github.com/aws/aws-sdk-go-v2/service/kafka v1.17.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/kinesis v1.15.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/kms v1.18.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/lambda v1.23.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/mq v1.13.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/neptune v1.17.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/rds v1.23.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/redshift v1.26.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.27.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.15.14 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sns v1.17.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sqs v1.19.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.11.13 // indirect
+	github.com/aws/aws-sdk-go-v2/service/workspaces v1.22.0 // indirect
+	github.com/aws/smithy-go v1.12.0 // indirect
 	github.com/emicklei/go-restful/v3 v3.8.0 // indirect
+	github.com/hashicorp/hcl v1.0.0 // indirect
+	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/shibumi/go-pathspec v1.3.0 // indirect
+	gonum.org/v1/gonum v0.7.0 // indirect
 )
 
 require (
@@ -92,7 +146,7 @@ require (
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/semver v1.5.0 // indirect
 	github.com/Masterminds/semver/v3 v3.1.1 // indirect
-	github.com/Masterminds/squirrel v1.5.2 // indirect
+	github.com/Masterminds/squirrel v1.5.3 // indirect
 	github.com/Microsoft/go-winio v0.5.2 // indirect
 	github.com/Microsoft/hcsshim v0.9.3 // indirect
 	github.com/OneOfOne/xxhash v1.2.8 // indirect
@@ -107,7 +161,7 @@ require (
 	github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a // indirect
 	github.com/apparentlymart/go-cidr v1.1.0 // indirect
 	github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
-	github.com/aquasecurity/defsec v0.70.0
+	github.com/aquasecurity/defsec v0.71.5
 	github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535 // indirect
 	github.com/aws/aws-sdk-go v1.44.66
 	github.com/beorn7/perks v1.0.1 // indirect
@@ -173,7 +227,6 @@ require (
 	github.com/hashicorp/go-safetemp v1.0.0 // indirect
 	github.com/hashicorp/go-uuid v1.0.3 // indirect
 	github.com/hashicorp/go-version v1.4.0 // indirect
-	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/hashicorp/hcl/v2 v2.13.0 // indirect
 	github.com/hhatto/gorst v0.0.0-20181029133204-ca9f730cac5b // indirect
 	github.com/huandu/xstrings v1.3.2 // indirect
@@ -182,7 +235,7 @@ require (
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/jdkato/prose v1.1.0 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
-	github.com/jmoiron/sqlx v1.3.4 // indirect
+	github.com/jmoiron/sqlx v1.3.5 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
@@ -194,7 +247,7 @@ require (
 	github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
 	github.com/liamg/iamgo v0.0.9 // indirect
 	github.com/liamg/jfather v0.0.7 // indirect
-	github.com/lib/pq v1.10.4 // indirect
+	github.com/lib/pq v1.10.6 // indirect
 	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
 	github.com/magiconair/properties v1.8.6 // indirect
 	github.com/mattn/go-colorable v0.1.12 // indirect
@@ -241,7 +294,6 @@ require (
 	github.com/rivo/uniseg v0.2.0 // indirect
 	github.com/rubenv/sql-migrate v1.1.1 // indirect
 	github.com/russross/blackfriday v1.6.0 // indirect
-	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/saracen/walker v0.0.0-20191201085201-324a081bae7e
 	github.com/sergi/go-diff v1.1.0 // indirect
 	github.com/shogo82148/go-shuffle v0.0.0-20170808115208-59829097ff3b // indirect
@@ -274,11 +326,10 @@ require (
 	golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5 // indirect
 	golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f
 	golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 // indirect
-	golang.org/x/term v0.0.0-20220526004731-065cf7ba2467 // indirect
+	golang.org/x/term v0.0.0-20220526004731-065cf7ba2467
 	golang.org/x/text v0.3.7
 	golang.org/x/time v0.0.0-20220609170525-579cf78fd858 // indirect
 	golang.org/x/tools v0.1.10-0.20220218145154-897bd77cd717 // indirect
-	gonum.org/v1/gonum v0.7.0 // indirect
 	google.golang.org/api v0.81.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20220624142145-8cd45d7dbd1f // indirect
@@ -292,11 +343,11 @@ require (
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gotest.tools v2.2.0+incompatible
 	gotest.tools/v3 v3.2.0 // indirect
-	helm.sh/helm/v3 v3.9.0 // indirect
+	helm.sh/helm/v3 v3.9.2 // indirect
 	k8s.io/api v0.25.0-alpha.2 // indirect
-	k8s.io/apiextensions-apiserver v0.24.0 // indirect
+	k8s.io/apiextensions-apiserver v0.24.2 // indirect
 	k8s.io/apimachinery v0.25.0-alpha.2 // indirect
-	k8s.io/apiserver v0.24.1 // indirect
+	k8s.io/apiserver v0.24.2 // indirect
 	k8s.io/cli-runtime v0.24.3 // indirect
 	k8s.io/client-go v0.25.0-alpha.2 // indirect
 	k8s.io/component-base v0.24.3 // indirect