trivy
A highly configurable security scanner that can be used to scan both local and remote container images, or filesystems, for vulnerabilities.
Installation
dagger install github.com/purpleclay/daggerverse/trivy@c3f44e0c8a396b2adf024bb862714037ae4cc8e7
Entrypoint
Return Type
Trivy !
Arguments
Name | Type | Description |
---|---|---|
base | Container | a custom base image containing an installation of trivy |
cfg | File | a trivy configuration file, see https://aquasecurity.github.io/trivy/latest/docs/configuration/ (mounted as trivy.yaml) |
ignoreFile | File | a trivy ignore file for configuring suppressions, see https://aquasecurity.github.io/trivy/latest/docs/configuration/filtering/#suppression (mounted as either .trivyignore or .trivyignore.yaml, depending on the file's name) |
Example
dagger -m github.com/purpleclay/daggerverse/trivy@c3f44e0c8a396b2adf024bb862714037ae4cc8e7 call
func (m *myModule) example() *Trivy {
return dag.
Trivy()
}
@function
def example() -> dag.Trivy:
return (
dag.trivy()
)
@func()
example(): Trivy {
return dag
.trivy()
}
Types
Trivy
Trivy Dagger Module
image()
Scan a published (or remote) image for any vulnerabilities
Examples:
Scan a container image
$ trivy image --ref golang:1.21.7-bookworm
Filter by severities
$ trivy image --severity HIGH,CRITICAL --ref golang:1.21.7-bookworm
Ignore unfixed/unpatched vulnerabilities
$ trivy image --ignore-unfixed --ref golang:1.21.7-bookworm
Configure scan using a trivy configuration file
$ trivy --cfg trivy.yaml image --ref golang:1.21.7-bookworm
Configure scan to suppress accepted vulnerabilities
$ trivy --ignore-file .trivyignore image --ref golang:1.21.7-bookworm
Return Type
String !
Arguments
Name | Type | Default Value | Description |
---|---|---|---|
exitCode | Integer | 0 | the exit code to return when vulnerabilities are detected; with the default of 0 a scan with findings still succeeds, so set 1 to fail a pipeline |
format | String | table | the output format of the report |
ignoreUnfixed | Boolean | - | filter out any vulnerabilities without a known fix |
password | Secret | - | the password for authenticating with the registry |
ref | String ! | - | the reference to an image within a repository |
registry | String | "docker.io" | the address of the registry to authenticate with |
scanners | String | vuln,secret | comma-separated list of the scanners to run |
severity | String | UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL | comma-separated list of the severities to report; an explicit list, not a minimum threshold (HIGH selects HIGH only) |
template | String | - | a custom Go template for rendering the report; Trivy applies it when the format is template |
username | String | - | the username for authenticating with the registry |
vulnType | String | os,library | comma-separated list of the vulnerability types to scan for |
Example
dagger -m github.com/purpleclay/daggerverse/trivy@c3f44e0c8a396b2adf024bb862714037ae4cc8e7 call \
image --ref string
func (m *myModule) example(ctx context.Context, ref string) (string, error) {
return dag.
Trivy().
Image(ctx, ref)
}
@function
async def example(ref: str) -> str:
return await (
dag.trivy()
.image(ref)
)
@func()
async example(ref: string): Promise<string> {
return dag
.trivy()
.image(ref)
}
imageLocal()
Scan a locally exported image (an image tar) for any vulnerabilities, for example one produced with:
$ docker save golang:1.21.7-bookworm -o image.tar
Examples:
Scan a container image
$ trivy image-local --ref image.tar
Filter by severities
$ trivy image-local --severity HIGH,CRITICAL --ref image.tar
Ignore unfixed/unpatched vulnerabilities
$ trivy image-local --ignore-unfixed --ref image.tar
Configure scan using a trivy configuration file
$ trivy --cfg trivy.yaml image-local --ref image.tar
Configure scan to suppress accepted vulnerabilities
$ trivy --ignore-file .trivyignore image-local --ref image.tar
Return Type
String !
Arguments
Name | Type | Default Value | Description |
---|---|---|---|
exitCode | Integer | 0 | the exit code to return when vulnerabilities are detected; with the default of 0 a scan with findings still succeeds, so set 1 to fail a pipeline |
format | String | table | the output format of the report |
ignoreUnfixed | Boolean | - | filter out any vulnerabilities without a known fix |
ref | File ! | - | the exported image tar to scan |
scanners | String | vuln,secret | comma-separated list of the scanners to run |
severity | String | UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL | comma-separated list of the severities to report; an explicit list, not a minimum threshold (HIGH selects HIGH only) |
template | String | - | a custom Go template for rendering the report; Trivy applies it when the format is template |
vulnType | String | os,library | comma-separated list of the vulnerability types to scan for |
Example
dagger -m github.com/purpleclay/daggerverse/trivy@c3f44e0c8a396b2adf024bb862714037ae4cc8e7 call \
image-local --ref file:path
func (m *myModule) example(ctx context.Context, ref *File) (string, error) {
return dag.
Trivy().
ImageLocal(ctx, ref)
}
@function
async def example(ref: dagger.File) -> str:
return await (
dag.trivy()
.image_local(ref)
)
@func()
async example(ref: File): Promise<string> {
return dag
.trivy()
.imageLocal(ref)
}
filesystem()
Scan a filesystem for any vulnerabilities
Examples:
Scan a directory
$ trivy filesystem --dir /path/to/your_project
Scan a remote repository
$ trivy filesystem --dir https://github.com/dagger/dagger
Scan a single file
$ trivy filesystem --dir go.mod
Return Type
String !
Arguments
Name | Type | Default Value | Description |
---|---|---|---|
dir | Directory ! | - | the directory to scan |
exitCode | Integer | 0 | the exit code to return when vulnerabilities are detected; with the default of 0 a scan with findings still succeeds, so set 1 to fail a pipeline |
format | String | table | the output format of the report |
ignoreUnfixed | Boolean | - | filter out any vulnerabilities without a known fix |
scanners | String | vuln,secret | comma-separated list of the scanners to run |
severity | String | UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL | comma-separated list of the severities to report; an explicit list, not a minimum threshold (HIGH selects HIGH only) |
template | String | - | a custom Go template for rendering the report; Trivy applies it when the format is template |
vulnType | String | os,library | comma-separated list of the vulnerability types to scan for |
Example
dagger -m github.com/purpleclay/daggerverse/trivy@c3f44e0c8a396b2adf024bb862714037ae4cc8e7 call \
filesystem --dir DIR_PATH
func (m *myModule) example(ctx context.Context, dir *Directory) (string, error) {
return dag.
Trivy().
Filesystem(ctx, dir)
}
@function
async def example(dir: dagger.Directory) -> str:
return await (
dag.trivy()
.filesystem(dir)
)
@func()
async example(dir: Directory): Promise<string> {
return dag
.trivy()
.filesystem(dir)
}
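All three scan functions (image, image-local and filesystem) return the report as a String and accept the same severity, ignore-unfixed and exit-code flags. The program below is an added example, not code from this module or from Trivy: a standard-library-only Go gate that applies the same filtering to a report obtained with --format json, so the effect of --severity (an explicit allow-list, not a threshold) and --ignore-unfixed can be checked offline before the module is wired into a pipeline. The JSON field names are the subset of Trivy's report schema needed here; the report itself and its EXAMPLE-000n identifiers are constructed sample data, not real advisories, and Gate and ExitCode are this example's own names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"sort"
	"strings"
)

// Subset of Trivy's JSON report schema: the String the module returns for
// image, image-local or filesystem when called with --format json.
type Report struct {
	ArtifactName string   `json:"ArtifactName"`
	Results      []Result `json:"Results"`
}

type Result struct {
	Target          string          `json:"Target"`
	Vulnerabilities []Vulnerability `json:"Vulnerabilities"`
}

type Vulnerability struct {
	VulnerabilityID  string `json:"VulnerabilityID"`
	PkgName          string `json:"PkgName"`
	InstalledVersion string `json:"InstalledVersion"`
	FixedVersion     string `json:"FixedVersion"` // empty when no fix is published
	Severity         string `json:"Severity"`
}

// Finding is a vulnerability that survived the filters, tagged with its target.
type Finding struct {
	Target string
	Vulnerability
}

// Gate applies the --severity and --ignore-unfixed semantics to a JSON report.
// severities is an explicit, comma-separated allow-list exactly as Trivy treats
// it: "HIGH" selects HIGH only, not HIGH and above. ignoreUnfixed drops every
// entry whose FixedVersion is empty.
func Gate(report []byte, severities string, ignoreUnfixed bool) ([]Finding, error) {
	var r Report
	if err := json.Unmarshal(report, &r); err != nil {
		return nil, fmt.Errorf("parse trivy report: %w", err)
	}
	want := map[string]bool{}
	for _, s := range strings.Split(severities, ",") {
		if s = strings.ToUpper(strings.TrimSpace(s)); s != "" {
			want[s] = true
		}
	}
	var findings []Finding
	for _, res := range r.Results {
		for _, v := range res.Vulnerabilities {
			if !want[strings.ToUpper(v.Severity)] {
				continue
			}
			if ignoreUnfixed && v.FixedVersion == "" {
				continue
			}
			findings = append(findings, Finding{Target: res.Target, Vulnerability: v})
		}
	}
	// Deterministic order so two runs of the gate diff cleanly.
	sort.Slice(findings, func(i, j int) bool {
		return findings[i].VulnerabilityID < findings[j].VulnerabilityID
	})
	return findings, nil
}

// ExitCode reproduces the --exit-code contract: 0 when nothing matched, the
// configured code otherwise. The module's default is 0, so without --exit-code
// a scan full of CRITICAL findings still succeeds.
func ExitCode(findings []Finding, configured int) int {
	if len(findings) == 0 {
		return 0
	}
	return configured
}

// SampleReport is constructed test data in Trivy's report layout; the package
// names and EXAMPLE-000n identifiers are placeholders, not real advisories.
const SampleReport = `{
  "ArtifactName": "registry.example/app:1.0",
  "Results": [
    {"Target": "registry.example/app:1.0 (debian 12.5)", "Vulnerabilities": [
      {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "libexample1", "InstalledVersion": "1.0.0-1", "FixedVersion": "1.0.0-1+deb12u1", "Severity": "CRITICAL"},
      {"VulnerabilityID": "EXAMPLE-0002", "PkgName": "example-core", "InstalledVersion": "2.36-9", "FixedVersion": "", "Severity": "HIGH"},
      {"VulnerabilityID": "EXAMPLE-0003", "PkgName": "example-tool", "InstalledVersion": "1.34-1", "FixedVersion": "1.34-2", "Severity": "MEDIUM"}
    ]},
    {"Target": "app/go.mod", "Vulnerabilities": [
      {"VulnerabilityID": "EXAMPLE-0004", "PkgName": "example.org/lib/foo", "InstalledVersion": "v0.17.0", "FixedVersion": "v0.23.0", "Severity": "HIGH"}
    ]}
  ]
}`

func main() {
	findings, err := Gate([]byte(SampleReport), "HIGH,CRITICAL", true)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, f := range findings {
		fmt.Printf("%-8s %-13s %-20s %s -> %s (%s)\n",
			f.Severity, f.VulnerabilityID, f.PkgName, f.InstalledVersion, f.FixedVersion, f.Target)
	}
	os.Exit(ExitCode(findings, 1))
}
```

Run it with go run; in a real pipeline the --format json string returned by image, image-local or filesystem is passed to Gate in place of SampleReport. The point the constructed data makes is that with the module's default exit code of 0 a scan that finds CRITICAL issues still returns successfully, so a pipeline that should block on findings must pass --exit-code 1.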