feat(misconf): Add support for configurable Rego error limit (#9657)

Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
Co-authored-by: nikpivkin <nikita.pivkin@smartforce.io>

Author: simar7

docs/docs/advanced/telemetry-flags.md

@@ -24,6 +24,7 @@
 --pkg-types
 --quiet
 --redis-tls
+--rego-error-limit
 --removed-pkgs
 --report
 --scanners

docs/docs/references/configuration/cli/trivy_config.md

@@ -58,6 +58,7 @@ trivy config [flags] DIR
       --redis-key string                  redis key file location, if using redis as cache backend
       --redis-tls                         enable redis TLS with public certificates, if using redis as cache backend
       --registry-token string             registry token
+      --rego-error-limit int              maximum number of compile errors allowed during Rego policy evaluation (default 10)
       --render-cause strings              specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)
       --report string                     specify a compliance report format for the output (allowed values: all,summary) (default "all")
   -s, --severity strings                  severities of security issues to be displayed

docs/docs/references/configuration/cli/trivy_filesystem.md

@@ -106,6 +106,7 @@ trivy filesystem [flags] PATH
       --redis-key string                  redis key file location, if using redis as cache backend
       --redis-tls                         enable redis TLS with public certificates, if using redis as cache backend
       --registry-token string             registry token
+      --rego-error-limit int              maximum number of compile errors allowed during Rego policy evaluation (default 10)
       --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
       --render-cause strings              specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)
       --report string                     specify a compliance report format for the output (allowed values: all,summary) (default "all")

docs/docs/references/configuration/cli/trivy_image.md

@@ -127,6 +127,7 @@ trivy image [flags] IMAGE_NAME
       --redis-key string                  redis key file location, if using redis as cache backend
       --redis-tls                         enable redis TLS with public certificates, if using redis as cache backend
       --registry-token string             registry token
+      --rego-error-limit int              maximum number of compile errors allowed during Rego policy evaluation (default 10)
       --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
       --removed-pkgs                      detect vulnerabilities of removed packages (only for Alpine)
       --render-cause strings              specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)

docs/docs/references/configuration/cli/trivy_kubernetes.md

@@ -118,6 +118,7 @@ trivy kubernetes [flags] [CONTEXT]
       --redis-key string                  redis key file location, if using redis as cache backend
       --redis-tls                         enable redis TLS with public certificates, if using redis as cache backend
       --registry-token string             registry token
+      --rego-error-limit int              maximum number of compile errors allowed during Rego policy evaluation (default 10)
       --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
       --render-cause strings              specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)
       --report string                     specify a report format for the output (allowed values: all,summary) (default "all")

docs/docs/references/configuration/cli/trivy_repository.md

@@ -105,6 +105,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
       --redis-key string                  redis key file location, if using redis as cache backend
       --redis-tls                         enable redis TLS with public certificates, if using redis as cache backend
       --registry-token string             registry token
+      --rego-error-limit int              maximum number of compile errors allowed during Rego policy evaluation (default 10)
       --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
       --render-cause strings              specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)
       --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (allowed values: oci,rekor)

docs/docs/references/configuration/cli/trivy_rootfs.md

@@ -108,6 +108,7 @@ trivy rootfs [flags] ROOTDIR
       --redis-key string                  redis key file location, if using redis as cache backend
       --redis-tls                         enable redis TLS with public certificates, if using redis as cache backend
       --registry-token string             registry token
+      --rego-error-limit int              maximum number of compile errors allowed during Rego policy evaluation (default 10)
       --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
       --render-cause strings              specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)
       --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (allowed values: oci,rekor)

docs/docs/references/configuration/config-file.md

@@ -495,6 +495,9 @@ rego:
   # Same as '--config-data'
   data: []
 
+  # Same as '--rego-error-limit'
+  error-limit: 10
+
   # Same as '--include-deprecated-checks'
   include-deprecated-checks: false
 

docs/docs/scanner/misconfiguration/config/config.md

@@ -46,6 +46,22 @@ This can be repeated for specifying multiple packages.
 trivy config --config-check ./my-check --namespaces main --namespaces user ./configs
 ```
 
+### Limiting Rego compile errors
+
+By default, Trivy limits the number of compile errors allowed during Rego policy compilation.
+You can configure this limit using the `--rego-error-limit` flag.
+
+```bash
+trivy config --rego-error-limit 20 ./configs
+```
+
+This flag controls the maximum number of compile errors Trivy will tolerate before stopping the compilation.
+
+If the number of compile errors exceeds this limit, Trivy will terminate the scan.
+You can set `--rego-error-limit 0` to enforce strict checking and disallow any compile errors.
+
+The default value is defined internally via [CompileErrorLimit](https://github.com/aquasecurity/trivy/tree/{{ git.commit }}pkg/iac/rego/scanner.go).
+
 ### Private Terraform registries
 Trivy can download Terraform code from private registries.
 To pass credentials you must use the `TF_TOKEN_` environment variables.

pkg/commands/artifact/run.go

@@ -750,6 +750,7 @@ func initMisconfScannerOption(ctx context.Context, opts flag.Options) (misconf.S
 		DisableEmbeddedPolicies:  disableEmbedded,
 		DisableEmbeddedLibraries: disableEmbedded,
 		IncludeDeprecatedChecks:  opts.IncludeDeprecatedChecks,
+		RegoErrorLimit:           opts.RegoOptions.ErrorLimit,
 		TfExcludeDownloaded:      opts.TfExcludeDownloaded,
 		RawConfigScanners:        opts.RawConfigScanners,
 		FilePatterns:             opts.FilePatterns,