fix(misconf): improve argument handling in AVD-DS-0001 #8274

Closed
2 tasks done
nikpivkin opened this issue Jan 22, 2025 · 0 comments
Assignees
Labels
kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning

Comments

@nikpivkin
Contributor

Discussed in #8265

Originally posted by rittneje January 21, 2025

Description

We have Dockerfiles that reference build args to construct the registry prefix of the image.

Scanning such Dockerfiles never triggers avd-ds-0001.

Desired Behavior

The check ought to work even if we are using a build arg.

Actual Behavior

Trivy reports nothing.

Reproduction Steps

```Dockerfile
ARG REGISTRY

FROM ${REGISTRY}/ubuntu
```

```
$ docker run --rm -it -v $PWD:$PWD:ro -w $PWD aquasec/trivy:0.58.2 config Dockerfile
2025-01-21T04:40:12Z    INFO    [misconfig] Misconfiguration scanning is enabled
2025-01-21T04:40:12Z    INFO    [misconfig] Need to update the built-in checks
2025-01-21T04:40:12Z    INFO    [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [-----------------------------------------------------------------------------------------------------------------------------------] 100.00% ? p/s 100ms
2025-01-21T04:40:14Z    INFO    Detected config files   num=1
```

Target

Filesystem

Scanner

Misconfiguration

Output Format

None

Mode

Standalone

Debug Output

```
2025-01-21T04:47:07Z    DEBUG   No plugins loaded
2025-01-21T04:47:07Z    DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2025-01-21T04:47:07Z    DEBUG   Cache dir       dir="/root/.cache/trivy"
2025-01-21T04:47:07Z    DEBUG   Cache dir       dir="/root/.cache/trivy"
2025-01-21T04:47:07Z    DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-01-21T04:47:07Z    INFO    [misconfig] Misconfiguration scanning is enabled
2025-01-21T04:47:07Z    DEBUG   [misconfig] Failed to open the check metadata   err="open /root/.cache/trivy/policy/metadata.json: no such file or directory"
2025-01-21T04:47:07Z    INFO    [misconfig] Need to update the built-in checks
2025-01-21T04:47:07Z    INFO    [misconfig] Downloading the built-in checks...
2025-01-21T04:47:07Z    DEBUG   [misconfig] Loading check bundle        repository="mirror.gcr.io/aquasec/trivy-checks:1"
160.80 KiB / 160.80 KiB [-----------------------------------------------------------------------------------------------------------------------------------] 100.00% ? p/s 200ms
2025-01-21T04:47:09Z    DEBUG   [misconfig] Digest of the built-in checks       digest="sha256:f6901e03f486a48f47aa17a78d89d18e6c31ded82aff83ed19d0d73935a1a059"
2025-01-21T04:47:09Z    DEBUG   [misconfig] Checks successfully loaded from disk
2025-01-21T04:47:09Z    DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2025-01-21T04:47:09Z    DEBUG   Initializing scan cache...      type="memory"
2025-01-21T04:47:09Z    DEBUG   [misconfig] Scanning files for misconfigurations...     scanner="Dockerfile"
2025-01-21T04:47:10Z    DEBUG   [rego] Overriding filesystem for checks
2025-01-21T04:47:10Z    DEBUG   [rego] Embedded libraries are loaded    count=15
2025-01-21T04:47:10Z    DEBUG   [rego] Embedded checks are loaded       count=511
2025-01-21T04:47:10Z    DEBUG   [rego] Checks from disk are loaded      count=526
2025-01-21T04:47:10Z    DEBUG   [rego] Overriding filesystem for data
2025-01-21T04:47:10Z    DEBUG   [dockerfile scanner] Scanning files...  count=1
2025-01-21T04:47:10Z    DEBUG   [rego] Scanning inputs  count=1
2025-01-21T04:47:10Z    DEBUG   OS is not detected.
2025-01-21T04:47:10Z    INFO    Detected config files   num=1
2025-01-21T04:47:10Z    DEBUG   Scanned config file     file_path="Dockerfile"
2025-01-21T04:47:10Z    DEBUG   Found an ignore file    file_path=".trivyignore"
2025-01-21T04:47:10Z    DEBUG   Ignored id="AVD-DS-0002" target="Dockerfile"
2025-01-21T04:47:10Z    DEBUG   Ignored id="AVD-DS-0026" target="Dockerfile"
2025-01-21T04:47:10Z    DEBUG   [vex] VEX filtering is disabled
```

Operating System

docker container

Version

Version: 0.58.2

Checklist
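
The Go program below is an added example, not Trivy's own implementation (Trivy's checks are written in Rego) and not code from the reporter. It shows the argument handling the issue asks for: ARG defaults and build-arg overrides are collected, `$VAR`, `${VAR}` and `${VAR:-default}` are expanded in each FROM, and the tag or digest is then looked for only in the last path component of the reference. That way an unresolved `${REGISTRY}` (which expands to an empty string, as in `docker build`) and a registry with a port such as `localhost:5000` do not hide a missing tag. The Dockerfile input is constructed inline; line continuations and the distinction between global and stage-scoped ARGs are simplified.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Finding describes a FROM whose base image has no tag or digest, or uses "latest".
type Finding struct {
	Line  int
	Raw   string // FROM argument as written in the Dockerfile
	Image string // reference after ARG expansion
	Why   string
}

// Matches ${NAME}, ${NAME:-default} and $NAME.
var varPattern = regexp.MustCompile(`\$\{([A-Za-z_][A-Za-z0-9_]*)(?::-([^}]*))?\}|\$([A-Za-z_][A-Za-z0-9_]*)`)

// expand substitutes known ARG values; an unknown variable without a default
// becomes the empty string, which is what docker build does.
func expand(s string, args map[string]string) string {
	return varPattern.ReplaceAllStringFunc(s, func(m string) string {
		sub := varPattern.FindStringSubmatch(m)
		name := sub[1]
		if name == "" {
			name = sub[3]
		}
		if v, ok := args[name]; ok {
			return v
		}
		return sub[2] // default value, or "" when none was given
	})
}

// pinned reports whether ref carries a digest or a non-"latest" tag. Only the
// last path component is inspected, so a registry port is never read as a tag.
func pinned(ref string) (bool, string) {
	if strings.Contains(ref, "@sha256:") {
		return true, ""
	}
	last := ref
	if i := strings.LastIndex(ref, "/"); i >= 0 {
		last = ref[i+1:]
	}
	i := strings.Index(last, ":")
	if i < 0 {
		return false, "no tag"
	}
	if last[i+1:] == "latest" {
		return false, "tag is latest"
	}
	return true, ""
}

// CheckDockerfile returns one Finding per unpinned base image. buildArgs plays the
// role of --build-arg values and overrides ARG defaults. Simplification: every ARG
// is treated as global, and stage aliases (FROM x AS name) are skipped when reused.
func CheckDockerfile(content string, buildArgs map[string]string) []Finding {
	args := map[string]string{}
	for k, v := range buildArgs {
		args[k] = v
	}
	stages := map[string]bool{}
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(content))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		switch strings.ToUpper(fields[0]) {
		case "ARG":
			for _, f := range fields[1:] { // ARG NAME or ARG NAME=default
				name, def, hasDef := strings.Cut(f, "=")
				if _, set := buildArgs[name]; !set && hasDef {
					args[name] = def
				}
			}
		case "FROM":
			if len(fields) < 2 {
				continue
			}
			raw := fields[1]
			if strings.HasPrefix(raw, "--") && len(fields) > 2 { // e.g. --platform=...
				raw = fields[2]
			}
			for i := 2; i+1 < len(fields); i++ { // remember FROM ... AS <alias>
				if strings.EqualFold(fields[i], "AS") {
					stages[strings.ToLower(fields[i+1])] = true
				}
			}
			image := expand(raw, args)
			if image == "scratch" || stages[strings.ToLower(image)] {
				continue
			}
			if ok, why := pinned(image); !ok {
				findings = append(findings, Finding{n, raw, image, why})
			}
		}
	}
	return findings
}

func main() {
	// Constructed sample mirroring the issue's Dockerfile plus a few variants.
	df := "ARG REGISTRY\nARG TAG=22.04\nFROM ${REGISTRY}/ubuntu\nFROM ubuntu:${TAG} AS base\nFROM base\nFROM ubuntu:latest\n"
	for _, f := range CheckDockerfile(df, map[string]string{"REGISTRY": "localhost:5000"}) {
		fmt.Printf("line %d: FROM %s -> %s (%s)\n", f.Line, f.Raw, f.Image, f.Why)
	}
}
```

Run as is, the sample reports line 3 (no tag, even though the registry carries a port) and line 6 (tag is latest); the `${TAG}` line and the stage reference are clean. Passing no build args at all still reports line 3, because the unresolved `${REGISTRY}` expands to nothing and the untagged `ubuntu` component is what the check looks at.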

@nikpivkin nikpivkin added kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning labels Jan 22, 2025
@nikpivkin nikpivkin self-assigned this Jan 22, 2025