trivy
You can ignore a list of errors by defining a .trivyignore file
trivy documentation
- Version in MegaLinter: 0.43.1
- Visit Official Web Site
- See How to configure trivy rules
- See How to ignore files and directories with trivy
Configuration in MegaLinter
- Enable trivy by adding
REPOSITORY_TRIVYin ENABLE_LINTERS variable - Disable trivy by adding
REPOSITORY_TRIVYin DISABLE_LINTERS variable
| Variable | Description | Default value |
|---|---|---|
| REPOSITORY_TRIVY_ARGUMENTS | User custom arguments to add in linter CLI call Ex: -s --foo "bar" |
|
| REPOSITORY_TRIVY_PRE_COMMANDS | List of bash commands to run before the linter | None |
| REPOSITORY_TRIVY_POST_COMMANDS | List of bash commands to run after the linter | None |
| REPOSITORY_TRIVY_UNSECURED_ENV_VARIABLES | List of env variables explicitly not filtered before calling REPOSITORY_TRIVY and its pre/post commands | None |
| REPOSITORY_TRIVY_CONFIG_FILE | trivy configuration file nameUse LINTER_DEFAULT to let the linter find it |
trivy.yaml |
| REPOSITORY_TRIVY_RULES_PATH | Path where to find linter configuration file | Workspace folder, then MegaLinter default rules |
| REPOSITORY_TRIVY_DISABLE_ERRORS | Run linter but consider errors as warnings | false |
| REPOSITORY_TRIVY_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | 0 |
| REPOSITORY_TRIVY_CLI_EXECUTABLE | Override CLI executable | ['trivy'] |
IDE Integration
Use trivy in your favorite IDE to catch errors before MegaLinter !
| IDE | Extension Name | Install | |
|---|---|---|---|
| Visual Studio Code | VSCode Trivy |  |
MegaLinter Flavours
This linter is available in the following flavours
| Flavor | Description | Embedded linters | Info | |
|---|---|---|---|---|
 |
all | Default MegaLinter Flavor | 117 |   |
| ci_light | Optimized for CI items (Dockerfile, Jenkinsfile, JSON/YAML schemas,XML | 22 |   |
|
| cupcake | MegaLinter for the most commonly used languages | 85 |   |
|
| documentation | MegaLinter for documentation projects | 51 |   |
|
| dotnet | Optimized for C, C++, C# or VB based projects | 63 |   |
|
| dotnetweb | Optimized for C, C++, C# or VB based projects with JS/TS | 72 |   |
|
| go | Optimized for GO based projects | 53 |   |
|
| java | Optimized for JAVA based projects | 55 |   |
|
| javascript | Optimized for JAVASCRIPT or TYPESCRIPT based projects | 60 |   |
|
| php | Optimized for PHP based projects | 54 |   |
|
| python | Optimized for PYTHON based projects | 62 |   |
|
| ruby | Optimized for RUBY based projects | 51 |   |
|
| rust | Optimized for RUST based projects | 51 |   |
|
| salesforce | Optimized for Salesforce based projects | 54 |   |
|
| security | Optimized for security | 24 |   |
|
| swift | Optimized for SWIFT based projects | 51 |   |
|
| terraform | Optimized for TERRAFORM based projects | 55 |   |
Behind the scenes
How are identified applicable files
- If this linter is active, all files will always be linted
How the linting is performed
trivy is called once on the whole project directory (project CLI lint mode)
- filtering can not be done using MegaLinter configuration variables,it must be done using trivy configuration or ignore file (if existing)
VALIDATE_ALL_CODEBASE: falsedoesn't make trivy analyze only updated files
Example calls
trivy fs --scanners vuln,config .
Help content
Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues and hard-coded secrets
Usage:
trivy [global flags] command [flags] target
trivy [command]
Examples:
# Scan a container image
$ trivy image python:3.4-alpine
# Scan a container image from a tar archive
$ trivy image --input ruby-3.1.tar
# Scan local filesystem
$ trivy fs .
# Run in server mode
$ trivy server
Scanning Commands
aws [EXPERIMENTAL] Scan AWS account
config Scan config files for misconfigurations
filesystem Scan local filesystem
image Scan a container image
kubernetes [EXPERIMENTAL] Scan kubernetes cluster
repository Scan a remote repository
rootfs Scan rootfs
sbom Scan SBOM for vulnerabilities
vm [EXPERIMENTAL] Scan a virtual machine image
Management Commands
module Manage modules
plugin Manage plugins
Utility Commands
completion Generate the autocompletion script for the specified shell
convert Convert Trivy JSON report into a different format
help Help about any command
server Server mode
version Print the version
Flags:
--cache-dir string cache directory (default "/root/.cache/trivy")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
-f, --format string version format (json)
--generate-default-config write the default config to trivy-default.yaml
-h, --help help for trivy
--insecure allow insecure server connections
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
Use "trivy [command] --help" for more information about a command.
Installation on mega-linter Docker image
- Dockerfile commands :
RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin