> For the complete CircleCI developer hub index, see [llms.txt](https://circleci.com/developer/llms.txt)

# cci-labs/trivy

Aqua Security Trivy - Ported from GitHub Action - Unofficial


## Commands

### install

Install Trivy security scanner

| Parameter | Type | Default | Description |
|---|---|---|---|
| `cache` | boolean | true | Enable or disable caching |
| `path` | string | ~/.local/bin | Path where Trivy is installed |
| `version` | string | v0.56.2 | Trivy version to use |

### scan

Run Trivy vulnerability scan

| Parameter | Type | Default | Description |
|---|---|---|---|
| `cache` | boolean | true | Specify whether caching is needed. Set to false to disable caching. |
| `cache-dir` | string | ~/.cache/trivy | Specify where the cache is stored |
| `docker-host` | string |  | Unix domain socket path to use for Docker scanning, e.g., unix:///var/run/docker.sock |
| `exit-code` | string |  | Exit code to return when vulnerabilities are found |
| `format` | string | table | Output format (table, json, template) |
| `github-pat` | string |  | GitHub Personal Access Token (PAT) for submitting SBOM to GitHub Dependency Snapshot API |
| `hide-progress` | boolean | false | Suppress progress bar and log output |
| `ignore-policy` | string |  | Filter vulnerabilities with OPA rego language |
| `ignore-unfixed` | boolean | false | Ignore unfixed vulnerabilities |
| `image-ref` | string |  | Image reference (for backward compatibility) |
| `input` | string |  | Reference of tar file to scan |
| `limit-severities-for-sarif` | string |  | Limit severities for SARIF format |
| `list-all-pkgs` | boolean | false | Output all packages regardless of vulnerability |
| `output` | string |  | Writes results to a file with the specified file name |
| `pkg-type` | string | os,library | Comma-separated list of package types (os, library) |
| `scan-ref` | string | . | Scan reference |
| `scan-type` | string | image | Scan type to use (e.g. image, fs) |
| `scanners` | string |  | Comma-separated list of what security issues to detect |
| `severity` | string | UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL | Severities of vulnerabilities to be displayed |
| `skip-dirs` | string |  | Comma-separated list of directories where traversal is skipped |
| `skip-files` | string |  | Comma-separated list of files to be skipped |
| `skip-setup-trivy` | boolean | false | Skip calling the setup-trivy action to install Trivy |
| `template` | string |  | Use an existing template for rendering output (@/contrib/gitlab.tpl, @/contrib/junit.tpl, @/contrib/html.tpl) |
| `tf-vars` | string |  | Path to terraform tfvars file |
| `timeout` | string |  | Timeout (default 5m0s) |
| `trivy-config` | string |  | Path to trivy.yaml config |
| `trivy-ignores` | string |  | Comma-separated list of relative paths in the repository to one or more .trivyignore files |
| `version` | string | v0.56.2 | Trivy version to use |

## Examples

### scan-repo

Scan your repo after checkout


```yaml
version: '2.1'
orbs:
  trivy: cci-labs/trivy@volatile  # orb references use namespace/orb@version; pin a released version in real pipelines
jobs:
  trivy:
    docker:
      - image: cimg/base:2024.11
    environment:
      TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
    steps:
      - checkout
      - trivy/scan:  # must match the alias declared under `orbs:`
          format: sarif
          ignore-unfixed: true
          output: report.sarif
          scan-type: fs
workflows:
  demo:
    jobs:
      - trivy
```
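The following is an added example, not part of the orb's own documentation, showing the two commands from the tables above used together as a build gate: Trivy is installed once with a pinned version, the checked-out source tree gets a report-only scan for vulnerabilities and committed secrets, and the freshly built image fails the job on fixable HIGH/CRITICAL findings. The application image name `myapp`, its Dockerfile and the repository's `.trivyignore` file are hypothetical; the `ubuntu-2204:current` machine image is a standard CircleCI image and is used so that the local Docker daemon (Trivy's default `unix:///var/run/docker.sock`) can see the built image without extra `docker-host` configuration.

```yaml
version: '2.1'
orbs:
  trivy: cci-labs/trivy@volatile  # pin a released orb version in real pipelines

jobs:
  build-and-gate:
    # Machine executor: the image built below is visible to Trivy through
    # the default Docker socket, so no docker-host parameter is needed.
    machine:
      image: ubuntu-2204:current
    environment:
      TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
    steps:
      - checkout
      - run:
          name: Build image (hypothetical app and Dockerfile)
          command: docker build -t myapp:${CIRCLE_SHA1} .
      # Install once with a pinned version; both scans below skip re-installing.
      - trivy/install:
          version: v0.56.2
      # 1) Source tree: vulnerabilities plus committed secrets, report only
      #    (no exit-code, so findings never fail this step).
      - trivy/scan:
          skip-setup-trivy: true
          scan-type: fs
          scan-ref: .
          scanners: vuln,secret
          skip-dirs: node_modules,.git
          format: json
          output: trivy-fs.json
      # Keep the report before the gating scan, which may fail the job.
      - store_artifacts:
          path: trivy-fs.json
      # 2) Built image: fail the job on HIGH/CRITICAL findings that have a fix.
      #    exit-code is a string parameter in this orb, hence the quotes.
      - trivy/scan:
          skip-setup-trivy: true
          scan-type: image
          scan-ref: myapp:${CIRCLE_SHA1}
          severity: HIGH,CRITICAL
          ignore-unfixed: true
          exit-code: '1'
          format: table
          trivy-ignores: .trivyignore  # hypothetical; list of accepted findings kept in the repo

workflows:
  gate:
    jobs:
      - build-and-gate
```

Two design choices worth noting: `ignore-unfixed: true` on the gating scan keeps the build from failing on findings the team cannot act on yet (no upstream fix), and the `.trivyignore` file keeps accepted risks in version control where they are reviewed like any other change; the report-only filesystem scan still records unfixed and low-severity findings in the stored JSON so they are not lost.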