# trivy-sbom

Generates SBOM (Software Bill Of Materials) using Trivy

## trivy-sbom documentation
- Version in MegaLinter: 0.53.0
- Visit Official Web Site
- See How to configure trivy-sbom rules
- See How to ignore files and directories with trivy-sbom
## Configuration in MegaLinter

- Enable trivy-sbom by adding `REPOSITORY_TRIVY_SBOM` in the `ENABLE_LINTERS` variable
- Disable trivy-sbom by adding `REPOSITORY_TRIVY_SBOM` in the `DISABLE_LINTERS` variable
| Variable | Description | Default value |
|---|---|---|
| REPOSITORY_TRIVY_SBOM_ARGUMENTS | User custom arguments to add in linter CLI call (e.g. `-s --foo "bar"`) | |
| REPOSITORY_TRIVY_SBOM_COMMAND_REMOVE_ARGUMENTS | User custom arguments to remove from command line before calling the linter (e.g. `-s --foo "bar"`) | |
| REPOSITORY_TRIVY_SBOM_PRE_COMMANDS | List of bash commands to run before the linter | None |
| REPOSITORY_TRIVY_SBOM_POST_COMMANDS | List of bash commands to run after the linter | None |
| REPOSITORY_TRIVY_SBOM_UNSECURED_ENV_VARIABLES | List of env variables explicitly not filtered before calling REPOSITORY_TRIVY_SBOM and its pre/post commands | None |
| REPOSITORY_TRIVY_SBOM_CONFIG_FILE | trivy-sbom configuration file name. Use `LINTER_DEFAULT` to let the linter find it | trivy-sbom.yaml |
| REPOSITORY_TRIVY_SBOM_RULES_PATH | Path where to find the linter configuration file | Workspace folder, then MegaLinter default rules |
| REPOSITORY_TRIVY_SBOM_DISABLE_ERRORS | Run linter but consider errors as warnings | false |
| REPOSITORY_TRIVY_SBOM_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | 0 |
| REPOSITORY_TRIVY_SBOM_CLI_EXECUTABLE | Override CLI executable | `['trivy']` |
## IDE Integration

Use trivy-sbom in your favorite IDE to catch errors before MegaLinter!

| IDE | Extension Name | Install |
|---|---|---|
| Visual Studio Code | VSCode Trivy | |
## MegaLinter Flavours

This linter is available in the following flavours

| Flavor | Description | Embedded linters |
|---|---|---|
| all | Default MegaLinter Flavor | 125 |
| c_cpp | Optimized for pure C/C++ projects | 56 |
| ci_light | Optimized for CI items (Dockerfile, Jenkinsfile, JSON/YAML schemas, XML) | 21 |
| cupcake | MegaLinter for the most commonly used languages | 84 |
| documentation | MegaLinter for documentation projects | 51 |
| dotnet | Optimized for C, C++, C# or VB based projects | 63 |
| dotnetweb | Optimized for C, C++, C# or VB based projects with JS/TS | 72 |
| go | Optimized for GO based projects | 53 |
| java | Optimized for JAVA based projects | 54 |
| javascript | Optimized for JAVASCRIPT or TYPESCRIPT based projects | 61 |
| php | Optimized for PHP based projects | 56 |
| python | Optimized for PYTHON based projects | 64 |
| ruby | Optimized for RUBY based projects | 52 |
| rust | Optimized for RUST based projects | 52 |
| salesforce | Optimized for Salesforce based projects | 56 |
| security | Optimized for security | 24 |
| swift | Optimized for SWIFT based projects | 52 |
| terraform | Optimized for TERRAFORM based projects | 56 |
## Behind the scenes

### How applicable files are identified

- If this linter is active, all files will always be linted

### How the linting is performed

trivy-sbom is called once on the whole project directory (project CLI lint mode)

- filtering can not be done using MegaLinter configuration variables, it must be done using trivy-sbom configuration or ignore file (if existing)
- `VALIDATE_ALL_CODEBASE: false` doesn't make trivy-sbom analyze only updated files
### Example calls

```shell
trivy fs --format cyclonedx .
trivy fs --config trivy-sbom.yaml --format cyclonedx .
```
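The example calls above print a CycloneDX document to stdout. The script below is an added example, not MegaLinter or Trivy code: it parses such a document and reports library components that lack a `version` or `purl`, the fields later vulnerability matching (for instance `trivy sbom`) keys on, so an SBOM that looks complete but cannot be matched is caught in CI rather than noticed at audit time. The embedded SBOM is a constructed sample shaped like Trivy's CycloneDX JSON output (field names `bomFormat`, `components`, `purl` are standard CycloneDX; the helper names and the `vendored-thing` entry are my own).

```python
"""Sanity-check a CycloneDX SBOM such as the one `trivy fs --format cyclonedx .` prints.

Added example (not MegaLinter or Trivy code). Run with no argument to check the
constructed sample below, or pass the path of a real SBOM JSON file.
"""
import json
import sys
from collections import Counter

# Constructed sample shaped like Trivy's CycloneDX JSON output; not a real scan result.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "name": "."}},
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        # A vendored copy with no lockfile metadata: no version, no purl (hypothetical).
        {"type": "library", "name": "vendored-thing"},
        {"type": "operating-system", "name": "alpine", "version": "3.19"},
    ],
})

# Fields a vulnerability scanner needs to match a library against advisories.
REQUIRED_FIELDS = ("name", "version", "purl")


def load_sbom(text):
    """Parse JSON text and refuse anything that is not a CycloneDX document."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document: bomFormat=%r" % doc.get("bomFormat"))
    return doc


def component_counts(doc):
    """Count components by CycloneDX type (library, operating-system, ...)."""
    return Counter(c.get("type", "unknown") for c in doc.get("components", []))


def incomplete_components(doc):
    """Return [(name, [missing fields])] for library components that lack any of
    REQUIRED_FIELDS. Such entries are in the inventory but cannot be matched
    against a vulnerability database by purl."""
    findings = []
    for comp in doc.get("components", []):
        if comp.get("type") != "library":
            continue
        missing = [f for f in REQUIRED_FIELDS if not comp.get(f)]
        if missing:
            findings.append((comp.get("name", "<unnamed>"), missing))
    return findings


def summarize(text):
    """Full report for one SBOM: counts per type plus the incomplete entries."""
    doc = load_sbom(text)
    return {"counts": dict(component_counts(doc)),
            "incomplete": incomplete_components(doc)}


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SBOM
    report = summarize(text)
    for ctype, n in sorted(report["counts"].items()):
        print("%-20s %d" % (ctype, n))
    for name, missing in report["incomplete"]:
        print("incomplete: %s (missing %s)" % (name, ", ".join(missing)))
    # Non-zero exit lets a CI step fail when the inventory is not fully matchable.
    sys.exit(1 if report["incomplete"] else 0)
```

To run it against a real scan, redirect the trivy call to a file first (`trivy fs --format cyclonedx . > sbom.cdx.json`, or pass `--output sbom.cdx.json`, a flag Trivy supports, via `REPOSITORY_TRIVY_SBOM_ARGUMENTS`) and give the script that path. Only `library` components are checked because Trivy's operating-system entries legitimately carry no purl.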
### Help content

```text
Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues and hard-coded secrets
Usage:
  trivy [global flags] command [flags] target
  trivy [command]
Examples:
  # Scan a container image
  $ trivy image python:3.4-alpine
  # Scan a container image from a tar archive
  $ trivy image --input ruby-3.1.tar
  # Scan local filesystem
  $ trivy fs .
  # Run in server mode
  $ trivy server
Scanning Commands
  config      Scan config files for misconfigurations
  filesystem  Scan local filesystem
  image       Scan a container image
  kubernetes  [EXPERIMENTAL] Scan kubernetes cluster
  repository  Scan a repository
  rootfs      Scan rootfs
  sbom        Scan SBOM for vulnerabilities and licenses
  vm          [EXPERIMENTAL] Scan a virtual machine image
Management Commands
  module      Manage modules
  plugin      Manage plugins
Utility Commands
  clean       Remove cached files
  completion  Generate the autocompletion script for the specified shell
  convert     Convert Trivy JSON report into a different format
  help        Help about any command
  server      Server mode
  version     Print the version
Flags:
      --cache-dir string          cache directory (default "/root/.cache/trivy")
  -c, --config string             config path (default "trivy.yaml")
  -d, --debug                     debug mode
  -f, --format string             version format (json)
      --generate-default-config   write the default config to trivy-default.yaml
  -h, --help                      help for trivy
      --insecure                  allow insecure server connections
  -q, --quiet                     suppress progress bar and log output
      --timeout duration          timeout (default 5m0s)
  -v, --version                   show version
Use "trivy [command] --help" for more information about a command.
```
### Installation on mega-linter Docker image

- Dockerfile commands:

```dockerfile
RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
```
