Skip to content

trivy-sbom

GitHub stars sarif GitHub release (latest SemVer) GitHub last commit GitHub commit activity GitHub contributors

Generates SBOM (Software Bill Of Material) using Trivy

trivy-sbom documentation

trivy - GitHub

Configuration in MegaLinter

Variable Description Default value
REPOSITORY_TRIVY_SBOM_ARGUMENTS User custom arguments to add in linter CLI call
Ex: -s --foo "bar"
REPOSITORY_TRIVY_SBOM_COMMAND_REMOVE_ARGUMENTS User custom arguments to remove from command line before calling the linter
Ex: -s --foo "bar"
REPOSITORY_TRIVY_SBOM_PRE_COMMANDS List of bash commands to run before the linter None
REPOSITORY_TRIVY_SBOM_POST_COMMANDS List of bash commands to run after the linter None
REPOSITORY_TRIVY_SBOM_UNSECURED_ENV_VARIABLES List of env variables explicitly not filtered before calling REPOSITORY_TRIVY_SBOM and its pre/post commands None
REPOSITORY_TRIVY_SBOM_CONFIG_FILE trivy-sbom configuration file nameUse LINTER_DEFAULT to let the linter find it trivy-sbom.yaml
REPOSITORY_TRIVY_SBOM_RULES_PATH Path where to find linter configuration file Workspace folder, then MegaLinter default rules
REPOSITORY_TRIVY_SBOM_DISABLE_ERRORS Run linter but consider errors as warnings false
REPOSITORY_TRIVY_SBOM_DISABLE_ERRORS_IF_LESS_THAN Maximum number of errors allowed 0
REPOSITORY_TRIVY_SBOM_CLI_EXECUTABLE Override CLI executable ['trivy']

IDE Integration

Use trivy-sbom in your favorite IDE to catch errors before MegaLinter !

IDE Extension Name Install
Visual Studio Code VSCode Trivy Install in VSCode

MegaLinter Flavours

This linter is available in the following flavours

Flavor Description Embedded linters Info
all Default MegaLinter Flavor 117 Docker Image Size (tag) Docker Pulls
ci_light Optimized for CI items (Dockerfile, Jenkinsfile, JSON/YAML schemas,XML 22 Docker Image Size (tag) Docker Pulls
cupcake MegaLinter for the most commonly used languages 85 Docker Image Size (tag) Docker Pulls
documentation MegaLinter for documentation projects 51 Docker Image Size (tag) Docker Pulls
dotnet Optimized for C, C++, C# or VB based projects 63 Docker Image Size (tag) Docker Pulls
dotnetweb Optimized for C, C++, C# or VB based projects with JS/TS 72 Docker Image Size (tag) Docker Pulls
go Optimized for GO based projects 53 Docker Image Size (tag) Docker Pulls
java Optimized for JAVA based projects 55 Docker Image Size (tag) Docker Pulls
javascript Optimized for JAVASCRIPT or TYPESCRIPT based projects 60 Docker Image Size (tag) Docker Pulls
php Optimized for PHP based projects 54 Docker Image Size (tag) Docker Pulls
python Optimized for PYTHON based projects 62 Docker Image Size (tag) Docker Pulls
ruby Optimized for RUBY based projects 51 Docker Image Size (tag) Docker Pulls
rust Optimized for RUST based projects 51 Docker Image Size (tag) Docker Pulls
salesforce Optimized for Salesforce based projects 54 Docker Image Size (tag) Docker Pulls
security Optimized for security 24 Docker Image Size (tag) Docker Pulls
swift Optimized for SWIFT based projects 51 Docker Image Size (tag) Docker Pulls
terraform Optimized for TERRAFORM based projects 55 Docker Image Size (tag) Docker Pulls

Behind the scenes

How are identified applicable files

  • If this linter is active, all files will always be linted

How the linting is performed

trivy-sbom is called once on the whole project directory (project CLI lint mode)

  • filtering can not be done using MegaLinter configuration variables,it must be done using trivy-sbom configuration or ignore file (if existing)
  • VALIDATE_ALL_CODEBASE: false doesn't make trivy-sbom analyze only updated files

Example calls

trivy fs --format cyclonedx .
trivy fs --config trivy-sbom.yaml --format cyclonedx .

Help content

Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues and hard-coded secrets

Usage:
  trivy [global flags] command [flags] target
  trivy [command]

Examples:
  # Scan a container image
  $ trivy image python:3.4-alpine

  # Scan a container image from a tar archive
  $ trivy image --input ruby-3.1.tar

  # Scan local filesystem
  $ trivy fs .

  # Run in server mode
  $ trivy server

Scanning Commands
  aws         [EXPERIMENTAL] Scan AWS account
  config      Scan config files for misconfigurations
  filesystem  Scan local filesystem
  image       Scan a container image
  kubernetes  [EXPERIMENTAL] Scan kubernetes cluster
  repository  Scan a repository
  rootfs      Scan rootfs
  sbom        Scan SBOM for vulnerabilities
  vm          [EXPERIMENTAL] Scan a virtual machine image

Management Commands
  module      Manage modules
  plugin      Manage plugins

Utility Commands
  completion  Generate the autocompletion script for the specified shell
  convert     Convert Trivy JSON report into a different format
  help        Help about any command
  server      Server mode
  version     Print the version

Flags:
      --cache-dir string          cache directory (default "/root/.cache/trivy")
  -c, --config string             config path (default "trivy.yaml")
  -d, --debug                     debug mode
  -f, --format string             version format (json)
      --generate-default-config   write the default config to trivy-default.yaml
  -h, --help                      help for trivy
      --insecure                  allow insecure server connections
  -q, --quiet                     suppress progress bar and log output
      --timeout duration          timeout (default 5m0s)
  -v, --version                   show version

Use "trivy [command] --help" for more information about a command.

Installation on mega-linter Docker image

  • Dockerfile commands :
RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin