trivy

A highly configurable security scanner that can be used to scan both local and remote container images, or filesystems for vulnerabilities.

Installation

dagger install github.com/purpleclay/daggerverse/trivy@c3f44e0c8a396b2adf024bb862714037ae4cc8e7

Entrypoint

Return Type
Trivy !
Arguments
Name | Type | Description
base | Container | a custom base image containing an installation of trivy
cfg | File | a trivy configuration file, https://aquasecurity.github.io/trivy/latest/docs/configuration/. Will be mounted as trivy.yaml
ignoreFile | File | a trivy ignore file for configuring suppressions, https://aquasecurity.github.io/trivy/latest/docs/configuration/filtering/#suppression. Will be mounted as either .trivyignore or .trivyignore.yaml
Example

Go
func (m *myModule) example() *Trivy {
	return dag.
		Trivy()
}

Python
@function
def example() -> dag.Trivy:
	return (
		dag.trivy()
	)

TypeScript
@func()
example(): Trivy {
	return dag
		.trivy()
}

Types

Trivy

Trivy Dagger Module

image()

Scan a published (or remote) image for any vulnerabilities

Examples:

Scan a container image

$ trivy image --ref golang:1.21.7-bookworm

Filter by severities

$ trivy image --severity HIGH,CRITICAL --ref golang:1.21.7-bookworm

Ignore unfixed/unpatched vulnerabilities

$ trivy image --ignore-unfixed --ref golang:1.21.7-bookworm

Configure scan using a trivy configuration file

$ trivy --cfg trivy.yaml image --ref golang:1.21.7-bookworm

Configure scan to suppress accepted vulnerabilities

$ trivy --ignore-file .trivyignore image --ref golang:1.21.7-bookworm

Return Type
String !
Arguments
Name | Type | Default Value | Description
exitCode | Integer | - | the returned exit code when vulnerabilities are detected (0)
format | String | - | the type of format to use when generating the compliance report (table)
ignoreUnfixed | Boolean | - | filter out any vulnerabilities without a known fix
password | Secret | - | the password for authenticating with the registry
ref | String ! | - | the reference to an image within a repository
registry | String | "docker.io" | the address of the registry to authenticate with
scanners | String | - | the types of scanner to execute (vuln,secret)
severity | String | - | the severity of security issues to detect (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL)
template | String | - | a custom go template to use when generating the compliance report
username | String | - | the username for authenticating with the registry
vulnType | String | - | the types of vulnerabilities to scan for (os,library)
Example

Shell
dagger -m github.com/purpleclay/daggerverse/trivy@c3f44e0c8a396b2adf024bb862714037ae4cc8e7 call \
 image --ref string

Go
// Scan the image at ref and return the generated report.
func (m *myModule) example(ctx context.Context, ref string) (string, error) {
	return dag.
		Trivy().
		Image(ctx, ref)
}

Python
@function
async def example(ref: str) -> str:
	return await (
		dag.trivy()
		.image(ref)
	)

TypeScript
@func()
async example(ref: string): Promise<string> {
	return dag
		.trivy()
		.image(ref)
}

imageLocal()

Scan a locally exported image for any vulnerabilities

$ docker save golang:1.21.7-bookworm -o image.tar

Examples:

Scan a container image

$ trivy image-local --ref image.tar

Filter by severities

$ trivy image-local --severity HIGH,CRITICAL --ref image.tar

Ignore unfixed/unpatched vulnerabilities

$ trivy image-local --ignore-unfixed --ref image.tar

Configure scan using a trivy configuration file

$ trivy --cfg trivy.yaml image-local --ref image.tar

Configure scan to suppress accepted vulnerabilities

$ trivy --ignore-file .trivyignore image-local --ref image.tar

Return Type
String !
Arguments
Name | Type | Default Value | Description
exitCode | Integer | - | the returned exit code when vulnerabilities are detected (0)
format | String | - | the type of format to use when generating the compliance report (table)
ignoreUnfixed | Boolean | - | filter out any vulnerabilities without a known fix
ref | File ! | - | the path to an exported image tar
scanners | String | - | the types of scanner to execute (vuln,secret)
severity | String | - | the severity of security issues to detect (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL)
template | String | - | a custom go template to use when generating the compliance report
vulnType | String | - | the types of vulnerabilities to scan for (os,library)
Example

Shell
dagger -m github.com/purpleclay/daggerverse/trivy@c3f44e0c8a396b2adf024bb862714037ae4cc8e7 call \
 image-local --ref file:path

Go
// Scan the exported image tar at ref and return the generated report.
func (m *myModule) example(ctx context.Context, ref *File) (string, error) {
	return dag.
		Trivy().
		ImageLocal(ctx, ref)
}

Python
@function
async def example(ref: dagger.File) -> str:
	return await (
		dag.trivy()
		.image_local(ref)
	)

TypeScript
@func()
async example(ref: File): Promise<string> {
	return dag
		.trivy()
		.imageLocal(ref)
}

filesystem()

Scan a filesystem for any vulnerabilities

Examples:

Scan a directory

$ trivy filesystem /path/to/your_project

Scan a remote repository

$ trivy filesystem --dir https://github.com/dagger/dagger

Scan a single file

$ trivy filesystem go.mod

Return Type
String !
Arguments
Name | Type | Default Value | Description
dir | Directory ! | - | the path to directory to scan
exitCode | Integer | - | the returned exit code when vulnerabilities are detected (0)
format | String | - | the type of format to use when generating the compliance report (table)
ignoreUnfixed | Boolean | - | filter out any vulnerabilities without a known fix
scanners | String | - | the types of scanner to execute (vuln,secret)
severity | String | - | the severity of security issues to detect (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL)
template | String | - | a custom go template to use when generating the compliance report
vulnType | String | - | the types of vulnerabilities to scan for (os,library)
Example

Shell
dagger -m github.com/purpleclay/daggerverse/trivy@c3f44e0c8a396b2adf024bb862714037ae4cc8e7 call \
 filesystem --dir DIR_PATH

Go
// Scan the directory dir and return the generated report.
func (m *myModule) example(ctx context.Context, dir *Directory) (string, error) {
	return dag.
		Trivy().
		Filesystem(ctx, dir)
}

Python
@function
async def example(dir: dagger.Directory) -> str:
	return await (
		dag.trivy()
		.filesystem(dir)
	)

TypeScript
@func()
async example(dir: Directory): Promise<string> {
	return dag
		.trivy()
		.filesystem(dir)
}
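
All three scan functions return the report as a String, and the documented exitCode value is 0, so a pipeline that wants to block on findings either sets exitCode or inspects the returned report. The Go sketch below is an added example, not code from this module: it assumes the scan ran with format set to json and reads the Results/Vulnerabilities fields of Trivy's JSON report. Gate, the type names and the sample report (with placeholder CVE ids) are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// finding and report cover only the report fields the gate reads.
type finding struct {
	VulnerabilityID, PkgName, FixedVersion, Severity string
}
type report struct {
	Results []struct{ Vulnerabilities []finding }
}

// Gate returns the findings whose severity is in the comma-separated list;
// with ignoreUnfixed set, findings that have no FixedVersion are skipped.
func Gate(raw, severities string, ignoreUnfixed bool) ([]finding, error) {
	var r report
	if err := json.Unmarshal([]byte(raw), &r); err != nil {
		return nil, fmt.Errorf("not a JSON report (was format=json set?): %w", err)
	}
	want := map[string]bool{}
	for _, s := range strings.Split(severities, ",") {
		want[strings.ToUpper(strings.TrimSpace(s))] = true
	}
	var blocking []finding
	for _, res := range r.Results {
		for _, v := range res.Vulnerabilities {
			if want[v.Severity] && !(ignoreUnfixed && v.FixedVersion == "") {
				blocking = append(blocking, v)
			}
		}
	}
	return blocking, nil
}

// Constructed sample report: placeholder ids, second target has no findings.
const sampleReport = `{"Results":[{"Target":"image (debian 12)","Vulnerabilities":[
 {"VulnerabilityID":"CVE-0000-0001","PkgName":"liba","FixedVersion":"1.1","Severity":"CRITICAL"},
 {"VulnerabilityID":"CVE-0000-0002","PkgName":"libb","Severity":"HIGH"},
 {"VulnerabilityID":"CVE-0000-0003","PkgName":"libc","FixedVersion":"3.1","Severity":"LOW"}]},
 {"Target":"go.mod"}]}`

func main() {
	blocking, err := Gate(sampleReport, "HIGH,CRITICAL", true)
	fmt.Println(len(blocking), err) // 1 <nil>
}
```

Passing the default table output to Gate returns an error rather than an empty list, so a misconfigured format cannot silently pass the gate.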