built-in-policies page isn't correct

[data-dude]

Description

It says the following, "The following sections list built-in configuration audit policies installed with trivy-operator. They are stored in the trivy-operator-policies-config ConfigMap created in the installation namespace (e.g. trivy-system)."

https://aquasecurity.github.io/trivy-operator/v0.16.1/docs/configuration-auditing/built-in-policies/

But that doesn't seem right. The built in policies are not changed by what is in the trivy-operator-policies configMap. In the helm chart you
can see that this is for custom policies.

Helm chart documentation:
https://github.com/aquasecurity/trivy-operator/blob/main/deploy/helm/values.yaml

  # policiesConfig Custom Rego Policies to be used by the config audit scanner
  # See https://github.com/aquasecurity/trivy-operator/blob/main/docs/tutorials/writing-custom-configuration-audit-policies.md for more details.
  policiesConfig: ""

The next sentence it explains that actually the built in polices are pulled elsewhere:
"The Trivy Operator pulls the information from the defsec respository."

Link

No response

Suggestions

The documentation needs to be more clear on where the built in config policies are.

[knqyf263]

You can raise it here