trivy-sbom
Generates SBOM (Software Bill Of Material) using Trivy
trivy-sbom documentation
- Version in MegaLinter: 0.48.3
- Visit Official Web Site
- See How to configure trivy-sbom rules
- See How to ignore files and directories with trivy-sbom
Configuration in MegaLinter
- Enable trivy-sbom by adding
REPOSITORY_TRIVY_SBOM
in ENABLE_LINTERS variable - Disable trivy-sbom by adding
REPOSITORY_TRIVY_SBOM
in DISABLE_LINTERS variable
Variable | Description | Default value |
---|---|---|
REPOSITORY_TRIVY_SBOM_ARGUMENTS | User custom arguments to add in linter CLI call Ex: -s --foo "bar" |
|
REPOSITORY_TRIVY_SBOM_COMMAND_REMOVE_ARGUMENTS | User custom arguments to remove from command line before calling the linter Ex: -s --foo "bar" |
|
REPOSITORY_TRIVY_SBOM_PRE_COMMANDS | List of bash commands to run before the linter | None |
REPOSITORY_TRIVY_SBOM_POST_COMMANDS | List of bash commands to run after the linter | None |
REPOSITORY_TRIVY_SBOM_UNSECURED_ENV_VARIABLES | List of env variables explicitly not filtered before calling REPOSITORY_TRIVY_SBOM and its pre/post commands | None |
REPOSITORY_TRIVY_SBOM_CONFIG_FILE | trivy-sbom configuration file nameUse LINTER_DEFAULT to let the linter find it |
trivy-sbom.yaml |
REPOSITORY_TRIVY_SBOM_RULES_PATH | Path where to find linter configuration file | Workspace folder, then MegaLinter default rules |
REPOSITORY_TRIVY_SBOM_DISABLE_ERRORS | Run linter but consider errors as warnings | false |
REPOSITORY_TRIVY_SBOM_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | 0 |
REPOSITORY_TRIVY_SBOM_CLI_EXECUTABLE | Override CLI executable | ['trivy'] |
IDE Integration
Use trivy-sbom in your favorite IDE to catch errors before MegaLinter !
IDE | Extension Name | Install | |
---|---|---|---|
Visual Studio Code | VSCode Trivy |
MegaLinter Flavours
This linter is available in the following flavours
Flavor | Description | Embedded linters | Info | |
---|---|---|---|---|
all | Default MegaLinter Flavor | 121 | ||
c_cpp | Optimized for pure C/C++ projects | 54 | ||
ci_light | Optimized for CI items (Dockerfile, Jenkinsfile, JSON/YAML schemas,XML | 22 | ||
cupcake | MegaLinter for the most commonly used languages | 83 | ||
documentation | MegaLinter for documentation projects | 50 | ||
dotnet | Optimized for C, C++, C# or VB based projects | 63 | ||
dotnetweb | Optimized for C, C++, C# or VB based projects with JS/TS | 72 | ||
go | Optimized for GO based projects | 52 | ||
java | Optimized for JAVA based projects | 53 | ||
javascript | Optimized for JAVASCRIPT or TYPESCRIPT based projects | 59 | ||
php | Optimized for PHP based projects | 53 | ||
python | Optimized for PYTHON based projects | 61 | ||
ruby | Optimized for RUBY based projects | 50 | ||
rust | Optimized for RUST based projects | 50 | ||
salesforce | Optimized for Salesforce based projects | 54 | ||
security | Optimized for security | 23 | ||
swift | Optimized for SWIFT based projects | 50 | ||
terraform | Optimized for TERRAFORM based projects | 54 |
Behind the scenes
How are identified applicable files
- If this linter is active, all files will always be linted
How the linting is performed
trivy-sbom is called once on the whole project directory (project
CLI lint mode)
- filtering can not be done using MegaLinter configuration variables,it must be done using trivy-sbom configuration or ignore file (if existing)
VALIDATE_ALL_CODEBASE: false
doesn't make trivy-sbom analyze only updated files
Example calls
trivy fs --format cyclonedx .
trivy fs --config trivy-sbom.yaml --format cyclonedx .
Help content
Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues and hard-coded secrets
Usage:
trivy [global flags] command [flags] target
trivy [command]
Examples:
# Scan a container image
$ trivy image python:3.4-alpine
# Scan a container image from a tar archive
$ trivy image --input ruby-3.1.tar
# Scan local filesystem
$ trivy fs .
# Run in server mode
$ trivy server
Scanning Commands
aws [EXPERIMENTAL] Scan AWS account
config Scan config files for misconfigurations
filesystem Scan local filesystem
image Scan a container image
kubernetes [EXPERIMENTAL] Scan kubernetes cluster
repository Scan a repository
rootfs Scan rootfs
sbom Scan SBOM for vulnerabilities
vm [EXPERIMENTAL] Scan a virtual machine image
Management Commands
module Manage modules
plugin Manage plugins
Utility Commands
completion Generate the autocompletion script for the specified shell
convert Convert Trivy JSON report into a different format
help Help about any command
server Server mode
version Print the version
Flags:
--cache-dir string cache directory (default "/root/.cache/trivy")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
-f, --format string version format (json)
--generate-default-config write the default config to trivy-default.yaml
-h, --help help for trivy
--insecure allow insecure server connections
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
Use "trivy [command] --help" for more information about a command.
Installation on mega-linter Docker image
- Dockerfile commands :
RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin