How to do policy exceptions for non rego-based rules like AVD-AWS-0017

[hans-d]

Question

The documentation [1] show how to do some rule based exptions with additional configuration. They pick an example which uses a rego based file for the policy.
In the case of eg AVD-AWS-0017, there is no rego-based package [2]. How do I write a policy to work with this? Eg, what is the package name I can use? Does it even work for these kind of rules?

[1] https://aquasecurity.github.io/trivy/v0.46/docs/scanner/misconfiguration/policy/exceptions/
[2] https://github.com/aquasecurity/defsec/blob/v0.93.1/rules/cloud/policies/aws/cloudwatch/log_group_customer_key.go

Target

AWS

Scanner

Misconfiguration

Output Format

None

Mode

None

Operating System

No response

Version

No response

[simar7]

If you are trying to ignore rules, you could look into using .trivyignore or via specifying a Rego policy to ignore. Details here https://aquasecurity.github.io/trivy/v0.46/docs/configuration/filtering/#by-open-policy-agent

As for making exceptions by namespace, the concept of namespaces only exists for Rego policies. But if you want to make granular decisions on whether to make an exception for a rule or not, specifying a Rego ignore policy and documented above would be the way to go.