Skip to content

trivy

GitHub last commit

trivy documentation

trivy - GitHub

Configuration in MegaLinter

Variable Description Default value
REPOSITORY_TRIVY_ARGUMENTS User custom arguments to add in linter CLI call
Ex: -s --foo "bar"
REPOSITORY_TRIVY_FILE_EXTENSIONS Allowed file extensions. "*" matches any extension, "" matches empty extension. Empty list excludes all files
Ex: [".py", ""]
Exclude every file
REPOSITORY_TRIVY_FILE_NAMES_REGEX File name regex filters. Regular expression list for filtering files by their base names using regex full match. Empty list includes all files
Ex: ["Dockerfile(-.+)?", "Jenkinsfile"]
Include every file
REPOSITORY_TRIVY_PRE_COMMANDS List of bash commands to run before the linter None
REPOSITORY_TRIVY_POST_COMMANDS List of bash commands to run after the linter None
REPOSITORY_TRIVY_DISABLE_ERRORS Run linter but consider errors as warnings false
REPOSITORY_TRIVY_DISABLE_ERRORS_IF_LESS_THAN Maximum number of errors allowed 0

IDE Integration

Use trivy in your favorite IDE to catch errors before MegaLinter !

IDE Extension Name Install
Visual Studio Code VsCode Trivy Install in VsCode

MegaLinter Flavours

This linter is available in the following flavours

Flavor Description Embedded linters Info
all Default MegaLinter Flavor 101 Docker Image Size (tag) Docker Pulls
ci_light Optimized for CI items (Dockerfile, Jenkinsfile, JSON/YAML schemas,XML 18 Docker Image Size (tag) Docker Pulls
documentation MegaLinter for documentation projects 42 Docker Image Size (tag) Docker Pulls
dotnet Optimized for C, C++, C# or VB based projects 50 Docker Image Size (tag) Docker Pulls
go Optimized for GO based projects 44 Docker Image Size (tag) Docker Pulls
java Optimized for JAVA based projects 44 Docker Image Size (tag) Docker Pulls
javascript Optimized for JAVASCRIPT or TYPESCRIPT based projects 51 Docker Image Size (tag) Docker Pulls
php Optimized for PHP based projects 46 Docker Image Size (tag) Docker Pulls
python Optimized for PYTHON based projects 50 Docker Image Size (tag) Docker Pulls
ruby Optimized for RUBY based projects 43 Docker Image Size (tag) Docker Pulls
rust Optimized for RUST based projects 43 Docker Image Size (tag) Docker Pulls
salesforce Optimized for Salesforce based projects 45 Docker Image Size (tag) Docker Pulls
security Optimized for security 20 Docker Image Size (tag) Docker Pulls
swift Optimized for SWIFT based projects 43 Docker Image Size (tag) Docker Pulls
terraform Optimized for TERRAFORM based projects 48 Docker Image Size (tag) Docker Pulls

Behind the scenes

How are identified applicable files

  • If this linter is active, all files will always be linted

How the linting is performed

trivy is called once on the whole project directory

  • filtering can not be done using MegaLinter configuration variables,it must be done using trivy configuration or ignore file (if existing)
  • VALIDATE_ALL_CODEBASE: false does not make trivy analyze only updated files

Example calls

trivy fs --security-checks vuln,config .

Help content

NAME:
   trivy - Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues and hard-coded secrets

USAGE:
   trivy [global options] command [command options] target

VERSION:
   0.29.2

COMMANDS:
   image, i          scan an image
   filesystem, fs    scan local filesystem for language-specific dependencies and config files
   rootfs            scan rootfs
   repository, repo  scan remote repository
   server, s         server mode
   config, conf      scan config files
   plugin, p         manage plugins
   module, m         manage modules
   kubernetes, k8s   scan kubernetes vulnerabilities, secrets and misconfigurations
   sbom              generate SBOM for an artifact
   version           print the version
   help, h           Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --cache-dir value  cache directory (default: "/root/.cache/trivy") [$TRIVY_CACHE_DIR]
   --debug, -d        debug mode (default: false) [$TRIVY_DEBUG]
   --help, -h         show help (default: false)
   --quiet, -q        suppress progress bar and log output (default: false) [$TRIVY_QUIET]
   --version, -v      print the version (default: false)

Installation on mega-linter Docker image

  • Dockerfile commands :
RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.29.2 && \
    wget --tries=5 -q -O /usr/local/bin/sarif.tpl https://raw.githubusercontent.com/aquasecurity/trivy/714b5ca2460363e082d42a8d933c7a0cb7eff7a8/contrib/sarif.tpl && \
    chmod 644 /usr/local/bin/sarif.tpl