The trivy buildkite plugin provides a convenient mechanism for running the open-source `trivy` static analysis tool on your project. For more information about trivy, please refer to their documentation.
- Automatically downloads and verifies the `trivy` executable if it cannot be found in the directories listed in the `PATH` environment variable
- Executes a `filesystem` scan on the git repo cloned by buildkite. Refer to the filesystem scan documentation for more information
- Executes an `image` scan against an existing Docker image ref. Refer to the image scan documentation for more information
The following snippet demonstrates how to use the plugin in a pipeline step with the default plugin configuration parameters:

```yaml
steps:
  - command: ls
    plugins:
      - equinixmetal-buildkite/trivy#v1.20.0:
```
Specify the `exit-code` option as a plugin parameter in `pipeline.yml` to fail the pipeline when there are vulnerabilities:

```yaml
steps:
  - command: ls
    plugins:
      - equinixmetal-buildkite/trivy#v1.20.0:
          exit-code: 1
```
Specify the `severity` option as a plugin parameter in `pipeline.yml` to restrict the scan to specific severities. Below is an example that reports only CRITICAL vulnerabilities:

```yaml
steps:
  - command: ls
    plugins:
      - equinixmetal-buildkite/trivy#v1.20.0:
          severity: "CRITICAL"
```
Specify the `ignorefile` option as a plugin parameter in `pipeline.yml` to use a `.trivyignore.yaml` file:

```yaml
steps:
  - command: ls
    plugins:
      - equinixmetal-buildkite/trivy#v1.20.0:
          ignorefile: ".trivyignore.yaml"
```

An example `.trivyignore.yaml`:

```shell
$ cat .trivyignore.yaml
vulnerabilities:
  - id: CVE-2022-40897
    paths:
      - "usr/local/lib/python3.9/site-packages/setuptools-58.1.0.dist-info/METADATA"
    statement: Accept the risk
  - id: CVE-2023-2650
  - id: CVE-2023-3446
  - id: CVE-2023-3817
    purls:
      - "pkg:deb/debian/libssl1.1"
  - id: CVE-2023-29491
    expired_at: 2023-09-01
misconfigurations:
  - id: AVD-DS-0001
  - id: AVD-DS-0002
    paths:
      - "docs/Dockerfile"
    statement: The image needs root privileges
secrets:
  - id: aws-access-key-id
  - id: aws-secret-access-key
    paths:
      - "foo/bar/aws.secret"
licenses:
  - id: GPL-3.0 # License name is used as ID
    paths:
      - "usr/share/gcc/python/libstdcxx/v6/__init__.py"
```
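An ignore file silences findings, so it deserves the same review as the code it protects. The following Ruby script is an added example, not part of the plugin or of trivy: it loads a `.trivyignore.yaml` (the embedded sample is constructed from entries in the example above) and reports entries that lack a `statement`, have no `expired_at`, or whose `expired_at` has already passed (trivy stops applying such an entry, so the finding is reported again). The review policy it enforces is an assumption of this example, not something trivy or the plugin requires.

```ruby
# Added example (not part of the trivy buildkite plugin or of trivy itself):
# audit a .trivyignore.yaml before it is committed so that accepted risks stay
# documented and time-boxed. The policy below is an assumption of this example.
require "yaml"
require "date"

# Top-level sections trivy recognises in the ignore file.
SECTIONS = %w[vulnerabilities misconfigurations secrets licenses].freeze

# Constructed sample, modelled on the README's example ignore file.
SAMPLE_IGNOREFILE = <<~YAML
  vulnerabilities:
    - id: CVE-2022-40897
      paths:
        - "usr/local/lib/python3.9/site-packages/setuptools-58.1.0.dist-info/METADATA"
      statement: Accept the risk
    - id: CVE-2023-2650
    - id: CVE-2023-29491
      expired_at: 2023-09-01
  misconfigurations:
    - id: AVD-DS-0001
      paths:
        - "docs/Dockerfile"
      statement: The image needs root privileges
      expired_at: 2099-01-01
  secrets:
    - id: aws-access-key-id
      paths:
        - "foo/bar/aws.secret"
YAML

Finding = Struct.new(:section, :id, :problem)

# Unquoted YAML dates such as `expired_at: 2023-09-01` load as Date objects,
# which safe_load only allows when Date is explicitly permitted.
def parse_ignorefile(text)
  YAML.safe_load(text, permitted_classes: [Date]) || {}
end

# Accept either a Date (unquoted YAML scalar) or a quoted "YYYY-MM-DD" string.
def expiry_of(entry)
  value = entry["expired_at"]
  return nil if value.nil?
  value.is_a?(Date) ? value : Date.parse(value.to_s)
end

# Returns the list of policy violations; an empty list means the file passes.
def audit_ignorefile(text, today: Date.today)
  doc = parse_ignorefile(text)
  findings = []
  SECTIONS.each do |section|
    Array(doc[section]).each do |entry|
      id = entry["id"].to_s
      findings << Finding.new(section, id, "entry has no id") if id.empty?
      if entry["statement"].to_s.strip.empty?
        findings << Finding.new(section, id, "no statement justifying the ignore")
      end
      expiry = expiry_of(entry)
      if expiry.nil?
        findings << Finding.new(section, id, "no expired_at, so the ignore never expires")
      elsif expiry <= today
        findings << Finding.new(section, id, "expired on #{expiry}, trivy will report this finding again")
      end
    end
  end
  findings
end

# Human-readable report, one line per violation.
def format_findings(findings)
  findings.map { |f| "#{f.section}/#{f.id}: #{f.problem}" }
end

if __FILE__ == $PROGRAM_NAME
  text = ARGV.empty? ? SAMPLE_IGNOREFILE : File.read(ARGV[0])
  report = audit_ignorefile(text)
  puts(report.empty? ? "ignore file passes policy" : format_findings(report))
end
```

Run it as `ruby audit_ignorefile.rb .trivyignore.yaml` in a pre-commit hook or an early pipeline step; to make it blocking, exit non-zero whenever `audit_ignorefile` returns a non-empty list. Checking `expired_at` on the ignore side matters because trivy itself simply resumes reporting an expired entry, which can look like a brand-new finding to whoever reads the scan output.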
## Configuration

### `exit-code` (optional)

Controls whether the security scan is blocking or not. This is done by setting the exit code of the plugin. If the exit code is set to `0`, the pipeline will continue. If the exit code is set to `1`, the pipeline will fail. (Defaults to `0`)

### `timeout` (optional)

Controls the maximum amount of time a scan will run for by passing the `--timeout` argument to trivy.

### `severity` (optional)

Controls the severity of the vulnerabilities to be scanned. (Defaults to `"UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"`)

### `ignore-unfixed` (optional)

Controls whether to display only fixed vulnerabilities. (Defaults to `false`)

### `security-checks` (optional)

Controls the security checks to be performed. This option is deprecated and may be removed in the future. Use `scanners` instead. (Defaults to `"vuln,misconfig"`)

### `scanners` (optional)

Controls the security scanners to be used. This replaces `security-checks`. (Defaults to `"vuln,misconfig"`)

### `ignorefile` (optional)

Controls the security checks to be ignored as specified in a YAML file. Note: this trivy feature is experimental and might change in the future.

### `skip-files` (optional)

Controls the files to be skipped during the scan. (Defaults to `""`)

### `skip-dirs` (optional)

Controls the directories to be skipped during the scan. (Defaults to `""`)

### `image-ref` (optional)

Controls the image reference to be scanned. If no image is specified, the image scanning step is skipped. The plugin is also able to infer the image from the `docker-metadata` plugin. (Defaults to `""`)

Important: please ensure the target Docker image is built prior to the trivy plugin running when using this option. The trivy plugin does not build Docker images; it only scans existing images.

### `trivy-version` (optional)

Controls the version of trivy to be used.

### `helm-overrides-file` (optional)

Passes helm override values to the trivy config scan.

### `debug` (optional)

Enables the debug flag for trivy.

### `helm-kube-version` (optional)

Sets the `helm-kube-version` passed to trivy.
## Tests

To run the tests:

```shell
make test
```

Run the tests with debug logging enabled:

```shell
TEST_DEBUG=1 make test
```

To enable debug logging for a stubbed command in a test, set or uncomment the `export` for that command in the `.bats` file. For example, to view the debug logging for the `trivy` command, set the following at the top of the `.bats` file:

```shell
export TRIVY_STUB_DEBUG=/dev/tty
```

and then run the tests with debug logging enabled:

```shell
TEST_DEBUG=1 make test
```