trivy
- trivy documentation: Visit Official Web Site
Configuration in MegaLinter
- Enable trivy by adding REPOSITORY_TRIVY in ENABLE_LINTERS variable
- Disable trivy by adding REPOSITORY_TRIVY in DISABLE_LINTERS variable
Variable | Description | Default value
---|---|---
REPOSITORY_TRIVY_ARGUMENTS | User custom arguments to add in linter CLI call. Ex: -s --foo "bar" | (none)
REPOSITORY_TRIVY_FILE_EXTENSIONS | Allowed file extensions. "*" matches any extension, "" matches empty extension. Empty list excludes all files. Ex: [".py", ""] | Exclude every file
REPOSITORY_TRIVY_FILE_NAMES_REGEX | File name regex filters. Regular expression list for filtering files by their base names using regex full match. Empty list includes all files. Ex: ["Dockerfile(-.+)?", "Jenkinsfile"] | Include every file
REPOSITORY_TRIVY_PRE_COMMANDS | List of bash commands to run before the linter | None
REPOSITORY_TRIVY_POST_COMMANDS | List of bash commands to run after the linter | None
REPOSITORY_TRIVY_DISABLE_ERRORS | Run linter but consider errors as warnings | false
REPOSITORY_TRIVY_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | 0
IDE Integration
Use trivy in your favorite IDE to catch errors before MegaLinter!
IDE | Extension Name | Install
---|---|---
Visual Studio Code | VsCode Trivy | (see extension marketplace)
MegaLinter Flavours
This linter is available in the following flavours:
Flavor | Description | Embedded linters
---|---|---
all | Default MegaLinter Flavor | 101
ci_light | Optimized for CI items (Dockerfile, Jenkinsfile, JSON/YAML schemas, XML) | 18
documentation | MegaLinter for documentation projects | 42
dotnet | Optimized for C, C++, C# or VB based projects | 50
go | Optimized for GO based projects | 44
java | Optimized for JAVA based projects | 44
javascript | Optimized for JAVASCRIPT or TYPESCRIPT based projects | 51
php | Optimized for PHP based projects | 46
python | Optimized for PYTHON based projects | 50
ruby | Optimized for RUBY based projects | 43
rust | Optimized for RUST based projects | 43
salesforce | Optimized for Salesforce based projects | 45
security | Optimized for security | 20
swift | Optimized for SWIFT based projects | 43
terraform | Optimized for TERRAFORM based projects | 48
Behind the scenes
How applicable files are identified
- If this linter is active, all files will always be linted
How the linting is performed
- trivy is called once on the whole project directory
- Filtering can not be done using MegaLinter configuration variables; it must be done using trivy configuration or its ignore file (if one exists)
- VALIDATE_ALL_CODEBASE: false does not make trivy analyze only updated files
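Because the file filters above are not applied to trivy, scope has to be set through trivy's own flags. The following `.mega-linter.yml` is an added, constructed example, not configuration shipped by MegaLinter or trivy; it assumes `REPOSITORY_TRIVY_ARGUMENTS` accepts a plain string and that a `.trivyignore` file is kept at the repository root.

```yaml
# .mega-linter.yml (constructed example; not from the MegaLinter or trivy projects)
ENABLE_LINTERS:
  - REPOSITORY_TRIVY

# MegaLinter's REPOSITORY_TRIVY_FILE_* filters are ignored for this linter
# (trivy scans the whole directory), so severity and suppressions are passed
# to trivy directly. --severity and --ignorefile are trivy CLI flags; the
# ignore-file path is an assumption for this example.
REPOSITORY_TRIVY_ARGUMENTS: "--severity HIGH,CRITICAL --ignorefile .trivyignore"

# Keep findings as errors so the job fails; raise the threshold below only as
# a deliberate, reviewed exception rather than as a default.
REPOSITORY_TRIVY_DISABLE_ERRORS: false
REPOSITORY_TRIVY_DISABLE_ERRORS_IF_LESS_THAN: 0
```

The referenced `.trivyignore` lists one vulnerability ID per line (lines starting with `#` are comments), so every suppression is visible in version control and reviewable in the same pull request that introduces it.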
Example calls

```shell
trivy fs --security-checks vuln,config .
```
Installation on mega-linter Docker image
- Dockerfile commands:

```dockerfile
RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.29.2 && \
    wget --tries=5 -q -O /usr/local/bin/sarif.tpl https://raw.githubusercontent.com/aquasecurity/trivy/714b5ca2460363e082d42a8d933c7a0cb7eff7a8/contrib/sarif.tpl && \
    chmod 644 /usr/local/bin/sarif.tpl
```