
trivy

Trivy natively detects misconfigurations in a Terraform/OpenTofu plan exported
as JSON (`tofu show -json`). This module is designed to consume the artifact
produced by the iac/terraform module (PlanArtifact).

Installation

dagger install dev.azure.com/dordogne/DAGGER-TEMPLATES/_git/DAGGER-TEMPLATES/security/trivy@b8d17276895759b5f1c86838eb6ea196040d7576

Entrypoint

Return Type
Trivy !
Example
dagger -m dev.azure.com/dordogne/DAGGER-TEMPLATES/_git/DAGGER-TEMPLATES/security/trivy@b8d17276895759b5f1c86838eb6ea196040d7576 call \
func (m *MyModule) Example() *dagger.Trivy {
	return dag.
			Trivy()
}
@function
def example() -> dagger.Trivy:
	return (
		dag.trivy()
	)
@func()
example(): Trivy {
	return dag
		.trivy()
}

Types

Trivy 🔗

version() 🔗

Version of the aquasec/trivy image

Return Type
String !
Example
dagger -m dev.azure.com/dordogne/DAGGER-TEMPLATES/_git/DAGGER-TEMPLATES/security/trivy@b8d17276895759b5f1c86838eb6ea196040d7576 call \
 version
func (m *MyModule) Example(ctx context.Context) string {
	return dag.
			Trivy().
			Version(ctx)
}
@function
async def example() -> str:
	return await (
		dag.trivy()
		.version()
	)
@func()
async example(): Promise<string> {
	return dag
		.trivy()
		.version()
}

severity() 🔗

Severities to report (e.g. "HIGH,CRITICAL")

Return Type
String !
Example
dagger -m dev.azure.com/dordogne/DAGGER-TEMPLATES/_git/DAGGER-TEMPLATES/security/trivy@b8d17276895759b5f1c86838eb6ea196040d7576 call \
 severity
func (m *MyModule) Example(ctx context.Context) string {
	return dag.
			Trivy().
			Severity(ctx)
}
@function
async def example() -> str:
	return await (
		dag.trivy()
		.severity()
	)
@func()
async example(): Promise<string> {
	return dag
		.trivy()
		.severity()
}

registryHost() 🔗

Registry authentication (for scanning private images)

Return Type
String !
Example
dagger -m dev.azure.com/dordogne/DAGGER-TEMPLATES/_git/DAGGER-TEMPLATES/security/trivy@b8d17276895759b5f1c86838eb6ea196040d7576 call \
 registry-host
func (m *MyModule) Example(ctx context.Context) string {
	return dag.
			Trivy().
			RegistryHost(ctx)
}
@function
async def example() -> str:
	return await (
		dag.trivy()
		.registry_host()
	)
@func()
async example(): Promise<string> {
	return dag
		.trivy()
		.registryHost()
}

registryUsername() 🔗

Return Type
String !
Example
dagger -m dev.azure.com/dordogne/DAGGER-TEMPLATES/_git/DAGGER-TEMPLATES/security/trivy@b8d17276895759b5f1c86838eb6ea196040d7576 call \
 registry-username
func (m *MyModule) Example(ctx context.Context) string {
	return dag.
			Trivy().
			RegistryUsername(ctx)
}
@function
async def example() -> str:
	return await (
		dag.trivy()
		.registry_username()
	)
@func()
async example(): Promise<string> {
	return dag
		.trivy()
		.registryUsername()
}

registryPassword() 🔗

Return Type
Secret !
Example
dagger -m dev.azure.com/dordogne/DAGGER-TEMPLATES/_git/DAGGER-TEMPLATES/security/trivy@b8d17276895759b5f1c86838eb6ea196040d7576 call \
 registry-password
func (m *MyModule) Example() *dagger.Secret {
	return dag.
			Trivy().
			RegistryPassword()
}
@function
def example() -> dagger.Secret:
	return (
		dag.trivy()
		.registry_password()
	)
@func()
example(): Secret {
	return dag
		.trivy()
		.registryPassword()
}

scanConfig() 🔗

ScanConfig scans raw IaC code (HCL, Dockerfile, Kubernetes, ...) in a directory.

Return Type
String !
Arguments
| Name | Type | Default Value | Description |
| --- | --- | --- | --- |
| source | Directory ! | - | Directory containing the code to scan |
| subpath | String | "." | Relative subpath within source (default: ".") |
| failOnFindings | Boolean | true | Fail the scan if findings are detected |
| format | String | "table" | Output format: table, json, sarif |
Example
dagger -m dev.azure.com/dordogne/DAGGER-TEMPLATES/_git/DAGGER-TEMPLATES/security/trivy@b8d17276895759b5f1c86838eb6ea196040d7576 call \
 scan-config --source DIR_PATH
func (m *MyModule) Example(ctx context.Context, source *dagger.Directory) string {
	return dag.
			Trivy().
			ScanConfig(ctx, source)
}
@function
async def example(source: dagger.Directory) -> str:
	return await (
		dag.trivy()
		.scan_config(source)
	)
@func()
async example(source: Directory): Promise<string> {
	return dag
		.trivy()
		.scanConfig(source)
}

scanImage() 🔗

ScanImage scans a Docker image for vulnerabilities (trivy image).

For an image from a private registry, configure the credentials beforehand via WithRegistry(): Trivy pulls the image itself and reads TRIVY_USERNAME / TRIVY_PASSWORD to authenticate.

Return Type
String !
Arguments
| Name | Type | Default Value | Description |
| --- | --- | --- | --- |
| image | String ! | - | Full image reference (e.g. "dordogne.azurecr.io/ad-frontend:v5") |
| ignoreUnfixed | Boolean | true | Ignore vulnerabilities with no fix available |
| failOnFindings | Boolean | true | Fail the scan if vulnerabilities are detected |
| format | String | "table" | Output format: table, json, sarif |
Example
dagger -m dev.azure.com/dordogne/DAGGER-TEMPLATES/_git/DAGGER-TEMPLATES/security/trivy@b8d17276895759b5f1c86838eb6ea196040d7576 call \
 scan-image --image string
func (m *MyModule) Example(ctx context.Context, image string) string {
	return dag.
			Trivy().
			ScanImage(ctx, image)
}
@function
async def example(image: str) -> str:
	return await (
		dag.trivy()
		.scan_image(image)
	)
@func()
async example(image: string): Promise<string> {
	return dag
		.trivy()
		.scanImage(image)
}

scanPlan() 🔗

ScanPlan scans a Terraform/OpenTofu plan exported as JSON (tofu show -json).

Trivy automatically detects the "Terraform Plan JSON" format via trivy config. With failOnFindings=true, the command returns a non-zero exit code if a misconfiguration at one of the configured severities is found, which fails the CI job.

Return Type
String !
Arguments
| Name | Type | Default Value | Description |
| --- | --- | --- | --- |
| plan | File ! | - | Plan in JSON format (tfplan.json) produced by iac/terraform PlanArtifact |
| failOnFindings | Boolean | true | Fail the scan if findings are detected |
| format | String | "table" | Output format: table, json, sarif |
Example
dagger -m dev.azure.com/dordogne/DAGGER-TEMPLATES/_git/DAGGER-TEMPLATES/security/trivy@b8d17276895759b5f1c86838eb6ea196040d7576 call \
 scan-plan --plan file:path
func (m *MyModule) Example(ctx context.Context, plan *dagger.File) string {
	return dag.
			Trivy().
			ScanPlan(ctx, plan)
}
@function
async def example(plan: dagger.File) -> str:
	return await (
		dag.trivy()
		.scan_plan(plan)
	)
@func()
async example(plan: File): Promise<string> {
	return dag
		.trivy()
		.scanPlan(plan)
}
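An added, stand-alone illustration for the scanImage and scanPlan sections above; it is not the module's own source (this page shows only its interface), and the mapping of the module's options onto trivy flags, plus the sample report, are assumptions made here. It shows how failOnFindings, severity and ignoreUnfixed turn a Trivy JSON report into a CI exit code.

```python
import json
# Constructed sample in Trivy's JSON report layout (not output from a real scan):
# a HIGH and a LOW plan misconfiguration, plus one MEDIUM image CVE with no fix.
SAMPLE_REPORT = json.loads("""
{"SchemaVersion": 2, "Results": [
  {"Target": "tfplan.json", "Misconfigurations": [
     {"ID": "AVD-CONSTRUCTED-1", "Severity": "HIGH", "Title": "constructed finding"},
     {"ID": "AVD-CONSTRUCTED-2", "Severity": "LOW", "Title": "constructed finding"}]},
  {"Target": "registry.example/app:1.0 (debian 12)", "Vulnerabilities": [
     {"VulnerabilityID": "CVE-0000-0000", "Severity": "MEDIUM", "FixedVersion": ""}]}
]}
""")

def scan_plan_command(plan_path, severity="HIGH,CRITICAL", fail_on_findings=True, fmt="table"):
    """`trivy config` invocation for a plan JSON (Trivy autodetects the plan format)."""
    cmd = ["trivy", "config", "--severity", severity, "--format", fmt]
    if fail_on_findings:
        cmd += ["--exit-code", "1"]  # non-zero exit as soon as a finding is reported
    return cmd + [plan_path]

def scan_image_command(image, severity="HIGH,CRITICAL", ignore_unfixed=True,
                       fail_on_findings=True, fmt="table"):
    """`trivy image` invocation; private-registry credentials reach Trivy through the
    TRIVY_USERNAME / TRIVY_PASSWORD environment variables, never through flags."""
    cmd = ["trivy", "image", "--severity", severity, "--format", fmt]
    if ignore_unfixed:
        cmd.append("--ignore-unfixed")  # image scans only: drop CVEs with no fixed version
    if fail_on_findings:
        cmd += ["--exit-code", "1"]
    return cmd + [image]

def count_findings(report, severity, ignore_unfixed=True):
    """Tally misconfigurations and vulnerabilities per selected severity level."""
    counts = {s.strip().upper(): 0 for s in severity.split(",")}
    for result in report.get("Results", []):
        findings = list(result.get("Misconfigurations", []))
        for vuln in result.get("Vulnerabilities", []):
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue  # what --ignore-unfixed removes from the report
            findings.append(vuln)
        for finding in findings:
            sev = finding.get("Severity", "UNKNOWN")
            if sev in counts:
                counts[sev] += 1
    return counts

def ci_exit_code(report, severity, ignore_unfixed=True, fail_on_findings=True):
    """Mirror of failOnFindings: 1 only when a finding at a selected severity survives."""
    found = any(count_findings(report, severity, ignore_unfixed).values())
    return 1 if fail_on_findings and found else 0
```

Note that a LOW finding never fails the job when the severity filter is "HIGH,CRITICAL", so the filter chosen with withSeverity() is what decides whether the scan is a gate or merely a report.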

test() 🔗

Return Type
String !
Example
dagger -m dev.azure.com/dordogne/DAGGER-TEMPLATES/_git/DAGGER-TEMPLATES/security/trivy@b8d17276895759b5f1c86838eb6ea196040d7576 call \
 test
func (m *MyModule) Example(ctx context.Context) string {
	return dag.
			Trivy().
			Test(ctx)
}
@function
async def example() -> str:
	return await (
		dag.trivy()
		.test()
	)
@func()
async example(): Promise<string> {
	return dag
		.trivy()
		.test()
}

withRegistry() 🔗

WithRegistry configures registry authentication for scanning private images.

Trivy authenticates with the TRIVY_USERNAME / TRIVY_PASSWORD variables when it pulls the image to scan. Use env:VAR_NAME for the credentials.

Return Type
Trivy !
Arguments
| Name | Type | Default Value | Description |
| --- | --- | --- | --- |
| host | String ! | - | Registry host (e.g. "dordogne.azurecr.io") |
| username | String ! | - | Registry username |
| password | Secret ! | - | Registry password / token |
Example
dagger -m dev.azure.com/dordogne/DAGGER-TEMPLATES/_git/DAGGER-TEMPLATES/security/trivy@b8d17276895759b5f1c86838eb6ea196040d7576 call \
 with-registry --host string --username string --password env:MYSECRET
func (m *MyModule) Example(host string, username string, password *dagger.Secret) *dagger.Trivy {
	return dag.
			Trivy().
			WithRegistry(host, username, password)
}
@function
def example(host: str, username: str, password: dagger.Secret) -> dagger.Trivy:
	return (
		dag.trivy()
		.with_registry(host, username, password)
	)
@func()
example(host: string, username: string, password: Secret): Trivy {
	return dag
		.trivy()
		.withRegistry(host, username, password)
}

withSeverity() 🔗

WithSeverity sets the severities to report, e.g. "CRITICAL" or "HIGH,CRITICAL".

Return Type
Trivy !
Arguments
| Name | Type | Default Value | Description |
| --- | --- | --- | --- |
| severity | String ! | - | No description provided |
Example
dagger -m dev.azure.com/dordogne/DAGGER-TEMPLATES/_git/DAGGER-TEMPLATES/security/trivy@b8d17276895759b5f1c86838eb6ea196040d7576 call \
 with-severity --severity string
func (m *MyModule) Example(severity string) *dagger.Trivy {
	return dag.
			Trivy().
			WithSeverity(severity)
}
@function
def example(severity: str) -> dagger.Trivy:
	return (
		dag.trivy()
		.with_severity(severity)
	)
@func()
example(severity: string): Trivy {
	return dag
		.trivy()
		.withSeverity(severity)
}

withVersion() 🔗

WithVersion sets the version of the Trivy image (immutable pattern).

Return Type
Trivy !
Arguments
| Name | Type | Default Value | Description |
| --- | --- | --- | --- |
| version | String ! | - | No description provided |
Example
dagger -m dev.azure.com/dordogne/DAGGER-TEMPLATES/_git/DAGGER-TEMPLATES/security/trivy@b8d17276895759b5f1c86838eb6ea196040d7576 call \
 with-version --version string
func (m *MyModule) Example(version string) *dagger.Trivy {
	return dag.
			Trivy().
			WithVersion(version)
}
@function
def example(version: str) -> dagger.Trivy:
	return (
		dag.trivy()
		.with_version(version)
	)
@func()
example(version: string): Trivy {
	return dag
		.trivy()
		.withVersion(version)
}