github.com/devseccon/trivy@v0.47.1-0.20231123133102-bd902a0bd996/docs/tutorials/integrations/aws-security-hub.md (about)

# AWS Security Hub

![Amazon Security Hub](../../imgs/Security-Hub.jpeg){ width=50 }

## Upload findings to Security Hub

In the following example, an [ASFF][asff] file is generated using the template `asff.tpl`.

```
$ AWS_REGION=us-west-1 AWS_ACCOUNT_ID=123456789012 trivy image --format template --template "@contrib/asff.tpl" -o report.asff golang:1.12-alpine
```

The ASFF template reads `AWS_REGION` and `AWS_ACCOUNT_ID` from environment variables.
    14  
The Product [ARN][arn] field follows the pattern below to match what AWS requires for the [product resource type][resource-type].

{% raw %}
```
"ProductArn": "arn:aws:securityhub:{{ env "AWS_REGION" }}::product/aquasecurity/aquasecurity",
```
{% endraw %}

In order to upload results, you must first run [enable-import-findings-for-product][enable]:

```
aws securityhub enable-import-findings-for-product --product-arn arn:aws:securityhub:<AWS_REGION>::product/aquasecurity/aquasecurity
```

The findings are [formatted for the API][asff-syntax] with a key of `Findings` and a value of the array of findings.
To upload via the CLI, the outer wrapping must be removed, leaving only the array of findings.
The easiest way of doing this is with the [jq library][jq] using the command

```
cat report.asff | jq '.Findings'
```

Then, you can upload it with the AWS CLI.

```
$ aws securityhub batch-import-findings --findings file://report.asff
```

### Note

The [batch-import-findings][batch-import-findings] command limits the number of findings uploaded to 100 per request.
The best known workaround to this problem is using [jq][jq] to run the following command

```
jq '.[:100]' report.asff 1> short_report.asff
```

## Customize
You can customize [asff.tpl][asff.tpl].

```
$ export AWS_REGION=us-west-1
$ export AWS_ACCOUNT_ID=123456789012
$ trivy image --format template --template "@your-asff.tpl" -o report.asff golang:1.12-alpine
```

## Reference
[aws.amazon.com/blogs/security/how-to-build-ci-cd-pipeline-container-vulnerability-scanning-trivy-and-aws-security-hub/](https://aws.amazon.com/blogs/security/how-to-build-ci-cd-pipeline-container-vulnerability-scanning-trivy-and-aws-security-hub/)

[asff]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html
[asff-syntax]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format-syntax.html
[arn]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
[resource-type]: https://github.com/awsdocs/aws-security-hub-user-guide/blob/master/doc_source/securityhub-partner-providers.md#aqua-security--aqua-cloud-native-security-platform-sends-findings
[enable]: https://docs.aws.amazon.com/cli/latest/reference/securityhub/enable-import-findings-for-product.html
[batch-import-findings]: https://docs.aws.amazon.com/cli/latest/reference/securityhub/batch-import-findings.html#options
[asff.tpl]: https://github.com/devseccon/trivy/blob/main/contrib/asff.tpl
[jq]: https://stedolan.github.io/jq/