How about adding a long ID to each check at avd.aquasec.com?

[nekketsuuu]

Description

I propose to add a long ID of a check to the documentation of the check on https://avd.aquasec.com/. For example, I want that google-gke-encrypt-instance-storage-data is written in https://avd.aquasec.com/misconfig/google/gke/avd-gcp-0051/.

This would help writing inline ignore comments. First, we can write inline comments in several formats, especially a short ID format # trivy:ignore:AVD-GCP-0051 and a long ID format # trivy:ignore:google-gke-encrypt-instance-storage-data (Ref. https://trivy.dev/v0.62/docs/scanner/misconfiguration/#skipping-detected-misconfigurations-by-inline-comments). Currently, when scanning with Trivy, it provides a URL like https://avd.aquasec.com/misconfig/avd-gcp-0051 for details, and the page only displays the short ID.

I prefer the long ID format because the short ID makes it difficult to understand its purpose in the code without additional searching. However, since the check's documentation only shows the short ID, it takes extra time to locate the correct long ID (for example, by searching through the metadata in aquasecurity/trivy-checks: https://github.com/aquasecurity/trivy-checks/blob/a5cb6398785b450db3bc7a569eaaa12b9683e1e9/checks/cloud/google/gke/use_cluster_labels.rego). This is why I suggest including the long ID of a check in its documentation.

Link

As an example: https://avd.aquasec.com/misconfig/avd-gcp-0051

Suggestions

I'd like to add a long ID, in which is <provider>-<service>-<short-code> style, into the docs of checks.

[simar7]

Yeah that's good idea - track #8850

[itaysk]

today Trivy checks have: id, avd_id, short_code. when you say

I prefer the long ID format because the short ID makes it difficult to understand

do you mean that the avd_id is difficult to understand of the short_code is difficult to understand?

[nekketsuuu]

I compared avd_id with <provider>-<service>-<short-code>, which I called the long ID format. For instance AVD-GCP-0051 vs google-gke-encrypt-instance-storage-data. The latter is self-descriptive and easy to understand what are ignored by inline comments.

[itaysk]

thanks for clarifying. the short_code is self-descriptive as you want, it was created for this purpose (of referring to the check by semantic a reference). why can't you use it?

[nekketsuuu]

Because the use of short_code in inline ignore comments is not documented AFAIK. Also, short_code is not shown at avd.aquasec.com, too. For example please see https://avd.aquasec.com/misconfig/google/gke/avd-gcp-0051/. I don't care about short_code in this discussion.

[itaysk]

thanks for clarifying. @simar7 I think the action item here should be to support/test/document using short_code for ignoring checks, and not necessarily to add another longer id.

[simar7]

I think there's some confusion here. To clarify as @itaysk mentioned:

id (deprecated)
avd_id: AVD-AWS-0001
short_code: some-foo-bar-service
long_id: aws-s3-some-foo-bar-service

@itaysk we already have LongID as part of the code, we just don't have it rendered in AVD.

trivy/pkg/iac/scan/rule.go

Lines 76 to 78 in 6d84e0c

	func (r Rule) LongID() string {
	return strings.ToLower(fmt.Sprintf("%s-%s-%s", r.Provider, r.Service, r.ShortCode))
	}

My intention was to add short_code as part of the issue I created. I will update that issue accordingly.