
security

Security scans source dependencies and container images for known vulnerabilities using Trivy.

Installation

```shell
dagger install github.com/MacroPower/x/toolchains/security@8990610a338bb60f9aa8708d5fa89e1c3c6725dc
```

Entrypoint

Return Type
Security !
Arguments
| Name | Type | Default Value | Description |
| --- | --- | --- | --- |
| source | Directory | - | Project source directory. Ignore patterns belong in the consuming project's root dagger.json customizations, not here. |
| image | String | - | Trivy container image. |
| severity | String | - | Comma-separated Trivy severity filter applied to all scan functions. |
| scanners | String | - | Trivy --scanners value applied to all scans (source and image). |
| sourcePkgTypes | String | - | Trivy --pkg-types value for source/filesystem scans. |
| imagePkgTypes | String | - | Trivy --pkg-types value for image scans. |
| cacheNamespace | String | - | Name of the Trivy cache volume (vulnerability database cache), mounted at /root/.cache with locked sharing. Override to namespace the cache when multiple toolchains share an engine. |
Example
```shell
dagger -m github.com/MacroPower/x/toolchains/security@8990610a338bb60f9aa8708d5fa89e1c3c6725dc call
```

```go
func (m *MyModule) Example() *dagger.Security {
	return dag.
		Security()
}
```

```python
@function
def example() -> dagger.Security:
    return (
        dag.security()
    )
```

```typescript
@func()
example(): Security {
	return dag
		.security()
}
```

Types

Security

Security scans source dependencies and container images for known vulnerabilities using Trivy. Create instances with [New].

source()

Source directory to scan for dependency vulnerabilities.

Return Type
Directory !
Example
```shell
dagger -m github.com/MacroPower/x/toolchains/security@8990610a338bb60f9aa8708d5fa89e1c3c6725dc call \
 source
```

```go
func (m *MyModule) Example() *dagger.Directory {
	return dag.
		Security().
		Source()
}
```

```python
@function
def example() -> dagger.Directory:
    return (
        dag.security()
        .source()
    )
```

```typescript
@func()
example(): Directory {
	return dag
		.security()
		.source()
}
```

image()

Trivy container image reference.

Return Type
String !
Example
```shell
dagger -m github.com/MacroPower/x/toolchains/security@8990610a338bb60f9aa8708d5fa89e1c3c6725dc call \
 image
```

```go
// Scalar getters in the Go SDK return (value, error).
func (m *MyModule) Example(ctx context.Context) (string, error) {
	return dag.
		Security().
		Image(ctx)
}
```

```python
@function
async def example() -> str:
    return await (
        dag.security()
        .image()
    )
```

```typescript
@func()
async example(): Promise<string> {
	return dag
		.security()
		.image()
}
```

severity()

Comma-separated Trivy severity filter applied to all scans.

Return Type
String !
Example
```shell
dagger -m github.com/MacroPower/x/toolchains/security@8990610a338bb60f9aa8708d5fa89e1c3c6725dc call \
 severity
```

```go
// Scalar getters in the Go SDK return (value, error).
func (m *MyModule) Example(ctx context.Context) (string, error) {
	return dag.
		Security().
		Severity(ctx)
}
```

```python
@function
async def example() -> str:
    return await (
        dag.security()
        .severity()
    )
```

```typescript
@func()
async example(): Promise<string> {
	return dag
		.security()
		.severity()
}
```

scanners()

Trivy --scanners value applied to all scans (source and image). Defaults to vuln only, so neither scan gates on Trivy’s image-default secret scanner.

Return Type
String !
Example
```shell
dagger -m github.com/MacroPower/x/toolchains/security@8990610a338bb60f9aa8708d5fa89e1c3c6725dc call \
 scanners
```

```go
// Scalar getters in the Go SDK return (value, error).
func (m *MyModule) Example(ctx context.Context) (string, error) {
	return dag.
		Security().
		Scanners(ctx)
}
```

```python
@function
async def example() -> str:
    return await (
        dag.security()
        .scanners()
    )
```

```typescript
@func()
async example(): Promise<string> {
	return dag
		.security()
		.scanners()
}
```

sourcePkgTypes()

Trivy --pkg-types value for source/filesystem scans.

Return Type
String !
Example
```shell
dagger -m github.com/MacroPower/x/toolchains/security@8990610a338bb60f9aa8708d5fa89e1c3c6725dc call \
 source-pkg-types
```

```go
// Scalar getters in the Go SDK return (value, error).
func (m *MyModule) Example(ctx context.Context) (string, error) {
	return dag.
		Security().
		SourcePkgTypes(ctx)
}
```

```python
@function
async def example() -> str:
    return await (
        dag.security()
        .source_pkg_types()
    )
```

```typescript
@func()
async example(): Promise<string> {
	return dag
		.security()
		.sourcePkgTypes()
}
```

imagePkgTypes()

Trivy --pkg-types value for image scans.

Return Type
String !
Example
```shell
dagger -m github.com/MacroPower/x/toolchains/security@8990610a338bb60f9aa8708d5fa89e1c3c6725dc call \
 image-pkg-types
```

```go
// Scalar getters in the Go SDK return (value, error).
func (m *MyModule) Example(ctx context.Context) (string, error) {
	return dag.
		Security().
		ImagePkgTypes(ctx)
}
```

```python
@function
async def example() -> str:
    return await (
        dag.security()
        .image_pkg_types()
    )
```

```typescript
@func()
async example(): Promise<string> {
	return dag
		.security()
		.imagePkgTypes()
}
```

scanImage()

ScanImage scans a container image for known vulnerabilities in both OS packages and application libraries. Reports the configured severities.

Return Type
Void !
Arguments
| Name | Type | Default Value | Description |
| --- | --- | --- | --- |
| target | Container ! | - | Container to scan. |

Example
```shell
dagger -m github.com/MacroPower/x/toolchains/security@8990610a338bb60f9aa8708d5fa89e1c3c6725dc call \
 scan-image --target IMAGE:TAG
```

```go
// A Void function surfaces in the Go SDK as a bare error return.
func (m *MyModule) Example(ctx context.Context, target *dagger.Container) error {
	return dag.
		Security().
		ScanImage(ctx, target)
}
```

```python
@function
async def example(target: dagger.Container) -> None:
    return await (
        dag.security()
        .scan_image(target)
    )
```

```typescript
@func()
async example(target: Container): Promise<void> {
	return dag
		.security()
		.scanImage(target)
}
```

scanImageSarif()

ScanImageSarif scans a container image for known vulnerabilities in both OS packages and application libraries and returns the results in SARIF format. The SARIF file can be uploaded to GitHub’s Security tab for Code Scanning visibility on PRs.

Unlike [Security.ScanImage], this function does not use --exit-code=1. SARIF output is intended to capture results as structured data for consumption by GitHub Code Scanning; failing the pipeline here would prevent the SARIF file from being produced and uploaded.

Return Type
File !
Arguments
| Name | Type | Default Value | Description |
| --- | --- | --- | --- |
| target | Container ! | - | Container to scan. |

Example
```shell
dagger -m github.com/MacroPower/x/toolchains/security@8990610a338bb60f9aa8708d5fa89e1c3c6725dc call \
 scan-image-sarif --target IMAGE:TAG
```

```go
func (m *MyModule) Example(target *dagger.Container) *dagger.File {
	return dag.
		Security().
		ScanImageSarif(target)
}
```

```python
@function
def example(target: dagger.Container) -> dagger.File:
    return (
        dag.security()
        .scan_image_sarif(target)
    )
```

```typescript
@func()
example(target: Container): File {
	return dag
		.security()
		.scanImageSarif(target)
}
```

scanSource()

ScanSource scans source dependencies for known vulnerabilities. Reports the configured severities. Trivy auto-discovers a .trivyignore file in the scanned directory for CVE suppression.

Return Type
Void !
Example
```shell
dagger -m github.com/MacroPower/x/toolchains/security@8990610a338bb60f9aa8708d5fa89e1c3c6725dc call \
 scan-source
```

```go
// A Void function surfaces in the Go SDK as a bare error return.
func (m *MyModule) Example(ctx context.Context) error {
	return dag.
		Security().
		ScanSource(ctx)
}
```

```python
@function
async def example() -> None:
    return await (
        dag.security()
        .scan_source()
    )
```

```typescript
@func()
async example(): Promise<void> {
	return dag
		.security()
		.scanSource()
}
```

scanSourceSarif()

ScanSourceSarif scans source dependencies for known vulnerabilities and returns the results in SARIF format. The SARIF file can be uploaded to GitHub’s Security tab for Code Scanning visibility on PRs.

Unlike [Security.ScanSource], this function does not use --exit-code=1. SARIF output is intended to capture results as structured data for consumption by GitHub Code Scanning; failing the pipeline here would prevent the SARIF file from being produced and uploaded.

Return Type
File !
Example
```shell
dagger -m github.com/MacroPower/x/toolchains/security@8990610a338bb60f9aa8708d5fa89e1c3c6725dc call \
 scan-source-sarif
```

```go
func (m *MyModule) Example() *dagger.File {
	return dag.
		Security().
		ScanSourceSarif()
}
```

```python
@function
def example() -> dagger.File:
    return (
        dag.security()
        .scan_source_sarif()
    )
```

```typescript
@func()
example(): File {
	return dag
		.security()
		.scanSourceSarif()
}
```
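
Because scanImageSarif and scanSourceSarif never fail the pipeline, any gate on their output has to run as a separate step over the SARIF file. The Go program below is an added example, not code from this module: `BlockingFindings`, the sample document and the 7.0 threshold are hypothetical, and it assumes rules carry the `security-severity` property (a numeric string) that GitHub Code Scanning reads.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
)

// Only the SARIF fields the gate needs; encoding/json matches keys case-insensitively.
type rule struct {
	ID         string
	Properties map[string]any
}
type sarifLog struct {
	Runs []struct {
		Tool    struct{ Driver struct{ Rules []rule } }
		Results []struct{ RuleID, Level string }
	}
}

// Constructed sample with hypothetical rule IDs, not output from a real scan.
const sampleSARIF = `{"version":"2.1.0","runs":[{"tool":{"driver":{"name":"example","rules":[
 {"id":"EXAMPLE-0001","properties":{"security-severity":"9.8"}},
 {"id":"EXAMPLE-0002","properties":{"security-severity":"5.3"}},{"id":"EXAMPLE-0003"}]}},
 "results":[{"ruleId":"EXAMPLE-0001","level":"error"},{"ruleId":"EXAMPLE-0002","level":"warning"},
 {"ruleId":"EXAMPLE-0003","level":"error"}]}]}`

// BlockingFindings lists rule IDs scoring >= minScore; rules without a score block only at level "error".
func BlockingFindings(doc []byte, minScore float64) (blocked []string, err error) {
	var parsed sarifLog
	if err = json.Unmarshal(doc, &parsed); err != nil {
		return nil, fmt.Errorf("parse SARIF: %w", err)
	}
	for _, run := range parsed.Runs {
		scores := map[string]float64{} // rule ID -> score, per run
		for _, r := range run.Tool.Driver.Rules {
			s, _ := r.Properties["security-severity"].(string)
			if v, perr := strconv.ParseFloat(s, 64); perr == nil {
				scores[r.ID] = v
			}
		}
		for _, res := range run.Results {
			if v, ok := scores[res.RuleID]; (ok && v >= minScore) || (!ok && res.Level == "error") {
				blocked = append(blocked, res.RuleID)
			}
		}
	}
	return blocked, nil
}

func main() { fmt.Println(BlockingFindings([]byte(sampleSARIF), 7.0)) }
```

Run a check like this after the SARIF upload step and exit non-zero when the returned list is non-empty, so the report is still published when the gate fails.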