A shareable package of CircleCI configuration to integrate with Trivy, written by cci-labs.
Community orb. Use CircleCI version 2.1 at the top of your `.circleci/config.yml` file.
version: 2.1

Add the orbs stanza below your version, invoking the orb:
orbs:
  trivy: cci-labs/trivy@1.0.0

Use trivy elements in your existing workflows and jobs.
Opt in to the use of uncertified orbs on your organization's Security settings page.
Scan your repo after checkout
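version: '2.1'
orbs:
  # Orb references take the form namespace/orb@version; `cci-labs/trivy:latest`
  # is not a valid reference, and an unpinned scanner makes results non-reproducible.
  trivy: cci-labs/trivy@1.0.0
jobs:
  trivy:
    docker:
      - image: cimg/base:2024.11
    environment:
      # Pull the vulnerability DB from the ECR mirror instead of the default registry.
      TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
    steps:
      - checkout
      # The step must use the alias declared under `orbs:` above (`trivy`), not `aqua-trivy`.
      - trivy/scan:
          format: sarif
          ignore-unfixed: true
          output: report.sarif
          scan-type: fs
          # `exit-code` is left at its default here, so findings are reported but do not
          # fail the job; set `exit-code: "1"` to make the workflow block on findings.
workflows:
  demo:
    jobs:
      - trivy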
`install` command — Install Trivy security scanner
| PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
|---|---|---|---|---|
| cache | Enable or disable caching | No | `true` | boolean |
| path | Path where Trivy is installed | No | `~/.local/bin` | string |
| version | Trivy version to use | No | `v0.56.2` | string |
`scan` command — Run Trivy vulnerability scan
| PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
|---|---|---|---|---|
| cache | Specify whether caching is needed. Set to false to disable caching. | No | `true` | boolean |
| cache-dir | Specify where the cache is stored | No | `~/.cache/trivy` | string |
| docker-host | Unix domain socket path to use for Docker scanning, e.g., unix:///var/run/docker.sock | No | `''` | string |
| exit-code | Exit code when vulnerabilities were found | No | `''` | string |
| format | Output format (table, json, template) | No | `table` | string |
| github-pat | GitHub Personal Access Token (PAT) for submitting SBOM to GitHub Dependency Snapshot API | No | `''` | string |
| hide-progress | Suppress progress bar and log output | No | `false` | boolean |
| ignore-policy | Filter vulnerabilities with OPA rego language | No | `''` | string |
| ignore-unfixed | Ignore unfixed vulnerabilities | No | `false` | boolean |
| image-ref | Image reference (for backward compatibility) | No | `''` | string |
| input | Reference of tar file to scan | No | `''` | string |
| limit-severities-for-sarif | Limit severities for SARIF format | No | `''` | string |
| list-all-pkgs | Output all packages regardless of vulnerability | No | `false` | boolean |
| output | Writes results to a file with the specified file name | No | `''` | string |
| pkg-type | Comma-separated list of package types (os, library) | No | `os,library` | string |
| scan-ref | Scan reference | No | `.` | string |
| scan-type | Scan type to use for scanning vulnerability | No | `image` | string |
| scanners | Comma-separated list of what security issues to detect | No | `''` | string |
| severity | Severities of vulnerabilities to be displayed | No | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | string |
| skip-dirs | Comma-separated list of directories where traversal is skipped | No | `''` | string |
| skip-files | Comma-separated list of files to be skipped | No | `''` | string |
| skip-setup-trivy | Skip calling the setup-trivy action to install Trivy | No | `false` | boolean |
| template | Use an existing template for rendering output (@/contrib/gitlab.tpl, @/contrib/junit.tpl, @/contrib/html.tpl) | No | `''` | string |
| tf-vars | Path to terraform tfvars file | No | `''` | string |
| timeout | Timeout (default 5m0s) | No | `''` | string |
| trivy-config | Path to trivy.yaml config | No | `''` | string |
| trivy-ignores | Comma-separated list of relative paths in the repository to one or more .trivyignore files | No | `''` | string |
| version | Trivy version to use | No | `v0.56.2` | string |
# This code is licensed from CircleCI to the user under the MIT license.
# See here for details: https://circleci.com/developer/orbs/licensing
version: 2.1
# Registry summary; the block scalar keeps its trailing newline as part of the value.
description: |
  Aqua Security Trivy - Ported from GitHub Action - Unofficial
display:
  # Links rendered on the orb registry page.
  source_url: https://github.com/CircleCI-Labs/trivy
  home_url: https://github.com/aquasecurity/trivy-action
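commands:
  install:
    description: Install Trivy security scanner
    parameters:
      cache:
        default: true
        description: Enable or disable caching
        type: boolean
      path:
        default: ~/.local/bin
        description: Path of where Trivy is install
        type: string
      version:
        default: v0.56.2
        description: Trivy version to use
        type: string
    steps:
      - run:
          name: Set Binary Path
          # The value is written unquoted so that a leading `~` in `path` expands when
          # $BASH_ENV is sourced.
          command: |
            echo "export TRIVY_BIN_DIR=<< parameters.path >>/trivy-bin" >> $BASH_ENV
            source $BASH_ENV
      - when:
          # Caching is only keyed on a concrete version, so `latest` cannot be cached.
          condition:
            and:
              - equal:
                  - true
                  - << parameters.cache >>
              - equal:
                  - latest
                  - << parameters.version >>
          steps:
            - run:
                name: Check caching for the latest version
                command: |
                  echo "'install-trivy' doesn't currently support caching the 'latest' version"
                  echo "Refer to https://github.com/aquasecurity/setup-trivy?tab=readme-ov-file#caching for more details."
      - when:
          condition:
            and:
              - equal:
                  - true
                  - << parameters.cache >>
              - not:
                  equal:
                    - latest
                    - << parameters.version >>
          steps:
            - restore_cache:
                name: Restore Trivy Binary from Cache
                keys:
                  - trivy-binary-<< parameters.version >>-{{ arch }}
      - run:
          name: Install Trivy
          # Supply-chain note: the installer script is fetched from the upstream `main`
          # branch (not a release ref) and piped into `sudo sh` without checksum
          # verification; only the Trivy binary version is pinned. Pinning the installer
          # ref and verifying the published release checksum would close that gap.
          # `sudo` also leaves a root-owned binary under a user-owned directory.
          command: |
            if [ ! -f "${TRIVY_BIN_DIR}/trivy" ]; then
              echo "Installing Trivy version << parameters.version >>"
              mkdir -p "${TRIVY_BIN_DIR}"
              curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b "${TRIVY_BIN_DIR}" << parameters.version >>
            else
              echo "Trivy found in cache."
            fi
      - when:
          condition:
            and:
              - equal:
                  - true
                  - << parameters.cache >>
              - not:
                  equal:
                    - latest
                    - << parameters.version >>
          steps:
            - save_cache:
                name: Save Trivy Binary to Cache
                key: trivy-binary-<< parameters.version >>-{{ arch }}
                paths:
                  - << parameters.path >>/trivy-bin
      - run:
          name: Add Trivy Binary to PATH
          command: |
            echo "export PATH=\$PATH:${TRIVY_BIN_DIR}" >> $BASH_ENV
            source $BASH_ENV
  scan:
    description: Run Trivy vulnerability scan
    parameters:
      cache:
        default: true
        description: Specify whether caching is needed. Set to false to disable caching.
        type: boolean
      cache-dir:
        default: ~/.cache/trivy
        description: Specify where the cache is stored
        type: string
      docker-host:
        default: ""
        description: Unix domain socket path to use for Docker scanning, e.g., unix:///var/run/docker.sock
        type: string
      exit-code:
        # Empty means Trivy's own default, so findings are reported but do not fail the
        # job. Set to "1" when the scan is meant to gate the pipeline.
        default: ""
        description: Exit code when vulnerabilities were found
        type: string
      format:
        default: table
        description: Output format (table, json, template)
        type: string
      github-pat:
        # The value is written to $BASH_ENV and sent as an Authorization header. Supply
        # it from a context/project environment variable rather than as a literal in
        # config; compiled config is visible in the CircleCI UI.
        default: ""
        description: GitHub Personal Access Token (PAT) for submitting SBOM to GitHub Dependency Snapshot API
        type: string
      hide-progress:
        default: false
        description: Suppress progress bar and log output
        type: boolean
      ignore-policy:
        default: ""
        description: Filter vulnerabilities with OPA rego language
        type: string
      ignore-unfixed:
        default: false
        description: Ignore unfixed vulnerabilities
        type: boolean
      image-ref:
        default: ""
        description: Image reference (for backward compatibility)
        type: string
      input:
        default: ""
        description: Reference of tar file to scan
        type: string
      limit-severities-for-sarif:
        default: ""
        description: Limit severities for SARIF format
        type: string
      list-all-pkgs:
        default: false
        description: Output all packages regardless of vulnerability
        type: boolean
      output:
        default: ""
        description: Writes results to a file with the specified file name
        type: string
      pkg-type:
        default: os,library
        description: Comma-separated list of package types (os, library)
        type: string
      scan-ref:
        default: .
        description: Scan reference
        type: string
      scan-type:
        default: image
        description: Scan type to use for scanning vulnerability
        type: string
      scanners:
        default: ""
        description: Comma-separated list of what security issues to detect
        type: string
      severity:
        default: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
        description: Severities of vulnerabilities to be displayed
        type: string
      skip-dirs:
        default: ""
        description: Comma-separated list of directories where traversal is skipped
        type: string
      skip-files:
        default: ""
        description: Comma-separated list of files to be skipped
        type: string
      skip-setup-trivy:
        default: false
        description: Skip calling the setup-trivy action to install Trivy
        type: boolean
      template:
        default: ""
        description: Use an existing template for rendering output (@/contrib/gitlab.tpl, @/contrib/junit.tpl, @/contrib/html.tpl)
        type: string
      tf-vars:
        default: ""
        description: Path to terraform tfvars file
        type: string
      timeout:
        default: ""
        description: Timeout (default 5m0s)
        type: string
      trivy-config:
        default: ""
        description: Path to trivy.yaml config
        type: string
      trivy-ignores:
        default: ""
        description: Comma-separated list of relative paths in the repository to one or more .trivyignore files
        type: string
      version:
        default: v0.56.2
        description: Trivy version to use
        type: string
    steps:
      - when:
          condition:
            not:
              equal:
                - true
                - << parameters.skip-setup-trivy >>
          steps:
            - install:
                cache: << parameters.cache >>
                version: << parameters.version >>
      - run:
          name: Get Current Date
          # The date is the cache key, so the vulnerability DB is refreshed at most once a day.
          command: |
            date +'%Y-%m-%d' > current_date.txt
      - when:
          condition:
            equal:
              - true
              - << parameters.cache >>
          steps:
            - restore_cache:
                name: Restore Trivy DB from Cache
                keys:
                  - cache-trivy-{{ checksum "current_date.txt" }}
                  - cache-trivy-
      - run:
          name: Set Trivy Environment Variables
          # Parameter values are passed as quoted arguments so a value containing
          # whitespace reaches the helper intact; the export line itself is written
          # unquoted so that a leading `~` still expands when $BASH_ENV is sourced.
          # Values containing shell metacharacters are not supported.
          command: |
            set_env_var_if_provided() {
              local var_name="$1"
              local input_value="$2"
              local default_value="$3"
              # Only export when the caller supplied something other than the parameter default.
              if [ -n "$input_value" ] && [ "$input_value" != "$default_value" ]; then
                echo "export $var_name=$input_value" >> $BASH_ENV
              fi
            }
            set_env_var_if_provided "TRIVY_INPUT" "<< parameters.input >>" ""
            set_env_var_if_provided "TRIVY_EXIT_CODE" "<< parameters.exit-code >>" ""
            set_env_var_if_provided "TRIVY_IGNORE_UNFIXED" "<< parameters.ignore-unfixed >>" "false"
            set_env_var_if_provided "TRIVY_PKG_TYPES" "<< parameters.pkg-type >>" "os,library"
            set_env_var_if_provided "TRIVY_SEVERITY" "<< parameters.severity >>" "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
            set_env_var_if_provided "TRIVY_FORMAT" "<< parameters.format >>" "table"
            set_env_var_if_provided "TRIVY_TEMPLATE" "<< parameters.template >>" ""
            set_env_var_if_provided "TRIVY_OUTPUT" "<< parameters.output >>" ""
            set_env_var_if_provided "TRIVY_SKIP_DIRS" "<< parameters.skip-dirs >>" ""
            set_env_var_if_provided "TRIVY_SKIP_FILES" "<< parameters.skip-files >>" ""
            set_env_var_if_provided "TRIVY_TIMEOUT" "<< parameters.timeout >>" ""
            set_env_var_if_provided "TRIVY_IGNORE_POLICY" "<< parameters.ignore-policy >>" ""
            set_env_var_if_provided "TRIVY_QUIET" "<< parameters.hide-progress >>" ""
            set_env_var_if_provided "TRIVY_LIST_ALL_PKGS" "<< parameters.list-all-pkgs >>" "false"
            set_env_var_if_provided "TRIVY_SCANNERS" "<< parameters.scanners >>" ""
            set_env_var_if_provided "TRIVY_CONFIG" "<< parameters.trivy-config >>" ""
            set_env_var_if_provided "TRIVY_TF_VARS" "<< parameters.tf-vars >>" ""
            set_env_var_if_provided "TRIVY_DOCKER_HOST" "<< parameters.docker-host >>" ""
            # INPUT_* variables are always exported (possibly empty) because the run step
            # below dereferences them under `set -u`.
            echo "export INPUT_SCAN_TYPE=<< parameters.scan-type >>" >> $BASH_ENV
            echo "export INPUT_IMAGE_REF=<< parameters.image-ref >>" >> $BASH_ENV
            echo "export INPUT_SCAN_REF=<< parameters.scan-ref >>" >> $BASH_ENV
            echo "export INPUT_TRIVYIGNORES=<< parameters.trivy-ignores >>" >> $BASH_ENV
            echo "export INPUT_GITHUB_PAT=<< parameters.github-pat >>" >> $BASH_ENV
            echo "export INPUT_LIMIT_SEVERITIES_FOR_SARIF=<< parameters.limit-severities-for-sarif >>" >> $BASH_ENV
            echo "export TRIVY_CACHE_DIR=<< parameters.cache-dir >>" >> $BASH_ENV
            source $BASH_ENV
      - run:
          name: Run Trivy
          command: |-
            #!/bin/bash
            # From https://github.com/aquasecurity/trivy-action/blob/master/entrypoint.sh
            set -euo pipefail
            # Set artifact reference
            scanType="${INPUT_SCAN_TYPE:-image}"
            scanRef="${INPUT_SCAN_REF:-.}"
            if [ -n "${INPUT_IMAGE_REF:-}" ]; then
              scanRef="${INPUT_IMAGE_REF}" # backwards compatibility
            fi
            # Handle trivy ignores: concatenate every listed .trivyignore into one file.
            if [ -n "${INPUT_TRIVYIGNORES:-}" ]; then
              ignorefile="./trivyignores"
              # Clear the ignore file if it exists, or create a new empty file
              : > "$ignorefile"
              for f in ${INPUT_TRIVYIGNORES//,/ }; do
                if [ -f "$f" ]; then
                  echo "Found ignorefile '${f}':"
                  cat "${f}"
                  cat "${f}" >> "$ignorefile"
                else
                  echo "ERROR: cannot find ignorefile '${f}'." >&2
                  exit 1
                fi
              done
              export TRIVY_IGNOREFILE="$ignorefile"
            fi
            # Handle SARIF
            if [ "${TRIVY_FORMAT:-}" = "sarif" ]; then
              # Lowercase the flag before comparing; previously the ",," sat inside the
              # default value and was never applied, so only an exact "true" matched.
              limitSeverities="${INPUT_LIMIT_SEVERITIES_FOR_SARIF:-false}"
              if [ "${limitSeverities,,}" != "true" ]; then
                echo "Building SARIF report with all severities"
                unset TRIVY_SEVERITY
              else
                echo "Building SARIF report"
              fi
            fi
            # Run Trivy
            cmd=(trivy "$scanType" "$scanRef")
            echo "Running Trivy with options: ${cmd[*]}"
            # Under `set -e` a non-zero Trivy exit (e.g. exit-code "1" with findings) would
            # abort here and skip the snapshot upload; capture the status and exit with it last.
            returnCode=0
            "${cmd[@]}" || returnCode=$?
            if [ "${TRIVY_FORMAT:-}" = "github" ]; then
              if [ -n "${INPUT_GITHUB_PAT:-}" ]; then
                # CircleCI does not set GITHUB_REPOSITORY (a GitHub Actions variable); under
                # `set -u` the original reference aborted the step. Fall back to the
                # built-in project variables.
                repo="${GITHUB_REPOSITORY:-${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}}"
                printf "\n Uploading GitHub Dependency Snapshot"
                # NOTE(review): curl is not run with -f, so an HTTP error from the API does
                # not fail the step; an empty TRIVY_OUTPUT makes `-d @` read nothing useful.
                curl -H 'Accept: application/vnd.github+json' -H "Authorization: token ${INPUT_GITHUB_PAT}" \
                  "https://api.github.com/repos/${repo}/dependency-graph/snapshots" -d @"${TRIVY_OUTPUT:-}"
              else
                printf "\n Failing GitHub Dependency Snapshot. Missing github-pat" >&2
              fi
            fi
            exit $returnCode
      - when:
          condition:
            equal:
              - true
              - << parameters.cache >>
          steps:
            - save_cache:
                name: Save Trivy DB to Cache
                key: cache-trivy-{{ checksum "current_date.txt" }}
                paths:
                  - << parameters.cache-dir >>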
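examples:
  scan-repo:
    description: |
      Scan your repo after checkout
    usage:
      version: "2.1"
      orbs:
        # Orb references are namespace/orb@version; `cci-labs/trivy:latest` is not a
        # valid reference, and pinning keeps scan results reproducible.
        trivy: cci-labs/trivy@1.0.0
      jobs:
        trivy:
          docker:
            - image: cimg/base:2024.11
          environment:
            # Pull the vulnerability DB from the ECR mirror instead of the default registry.
            TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
          steps:
            - checkout
            # The step uses the alias declared under `orbs:` (`trivy`); `aqua-trivy` is undeclared.
            - trivy/scan:
                format: sarif
                ignore-unfixed: true
                output: report.sarif
                scan-type: fs
                # `exit-code` is left at its default, so findings do not fail the job;
                # set `exit-code: "1"` to gate the workflow on findings.
      workflows:
        demo:
          jobs:
            - trivy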