Skip to content

Latest commit

 

History

History
200 lines (171 loc) · 7.08 KB

README.md

File metadata and controls

200 lines (171 loc) · 7.08 KB

Trivy Pipe

Bitbucket Pipeline for Trivy

Usage

Workflow

image: 
    name: atlassian/default-image:2

pipelines:
  default:
    - step:
        service:
          docker
        script:
        - pipe: aquasecurity/trivy-pipe:latest
          variables:
            imageRef: 'docker.io/my-organization/my-app:${{ github.sha }}'
            format: 'table'
            exitCode: '1'
            ignoreUnfixed: true
            vulnType: 'os,library'
            severity: 'CRITICAL,HIGH'

Using Trivy to scan your Git repo

It's also possible to scan your git repos with Trivy's built-in repo scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerablites that might get introduced with each PR.

image: 
    name: atlassian/default-image:2

pipelines:
  default:
    - step:
        service:
          docker
        script:
          - pipe: aquasecurity/trivy-pipe:latest
            variables:
              scanType: 'fs'
              ignoreUnfixed: true
              format: 'template'
              template: '@/contrib/sarif.tpl'
              output: 'trivy-results.sarif'
              severity: 'CRITICAL'

Using Trivy to scan Infrastucture as Code

It's also possible to scan your IaC repos with Trivy's built-in repo scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerablites that might get introduced with each PR.

image:
  name: atlassian/default-image:2

pipelines:
  default:
    - step:
        services:
          - docker
        script:
          - pipe: aquasec/trivy-pipe:latest
            variables:
              scanType: "config"
              hideProgress: "false"
              format: "table"
              exitCode: 1
              ignoreUnfixed: "true"
              severity: "CRITICAL,HIGH"

Using Trivy to scan your private registry

It's also possible to scan your private registry with Trivy's built-in image scan. All you have to do is set ENV vars.

Docker Hub registry

Docker Hub needs TRIVY_USERNAME and TRIVY_PASSWORD. You don't need to set ENV vars when downloading from a public repository.

image:
  name: atlassian/default-image:2

pipelines:
  default:
    - step:
        services:
          - docker
        script:
          - pipe: aquasec/trivy-pipe:latest
            variables:
              imageRef: 'docker.io/my-organization/my-app:${{ github.sha }}'
              format: 'template'
              template: '@/contrib/sarif.tpl'
              output: 'trivy-results.sarif'
              TRIVY_USERNAME: Username
              TRIVY_PASSWORD: Password  

AWS ECR (Elastic Container Registry)

Trivy uses AWS SDK. You don't need to install aws CLI tool. You can use AWS CLI's ENV Vars.

image: 
    name: atlassian/default-image:2

pipelines:
  default:
    - step:
        services:
          - docker
        script:
          - pipe: aquasec/trivy-pipe:latest
            variables:
              imageRef: 'aws_account_id.dkr.ecr.region.amazonaws.com/imageName:${{ github.sha }}'
              format: 'template'
              template: '@/contrib/sarif.tpl'
              output: 'trivy-results.sarif'
              AWS_ACCESS_KEY_ID: key_id
              AWS_SECRET_ACCESS_KEY: access_key
              AWS_DEFAULT_REGION: us-west-2

GCR (Google Container Registry)

Trivy uses Google Cloud SDK. You don't need to install gcloud command.

If you want to use target project's repository, you can set it via GOOGLE_APPLICATION_CREDENTIAL.

image: 
    name: atlassian/default-image:2

pipelines:
  default:
    - step:
        services:
          - docker
        script:
          - pipe: aquasec/trivy-pipe:latest
            variables:
              imageRef: 'docker.io/my-organization/my-app:${{ github.sha }}'
              format: 'template'
              template: '@/contrib/sarif.tpl'
              output: 'trivy-results.sarif'
              GOOGLE_APPLICATION_CREDENTIAL: /path/to/credential.json

Self-Hosted

BasicAuth server needs TRIVY_USERNAME and TRIVY_PASSWORD. if you want to use 80 port, use NonSSL TRIVY_NON_SSL=true

image: 
    name: atlassian/default-image:2

pipelines:
  default:
    - step:
        services:
          - docker
        script:
          - pipe: aquasec/trivy-pipe:latest
            variables:
              imageRef: 'docker.io/my-organization/my-app:${{ github.sha }}'
              format: 'template'
              template: '@/contrib/sarif.tpl'
              output: 'trivy-results.sarif'
              TRIVY_USERNAME: Username
              TRIVY_PASSWORD: Password   

Customizing

inputs

Following inputs can be used as step.with keys:

Name Type Default Description
scanType String image Scan type, e.g. image or fs
input String Tar reference, e.g. alpine-latest.tar
imageRef String Image reference, e.g. alpine:3.10.2
scanRef String Scan reference, e.g. .
format String table Output format (table, json, template)
template String Output template (@/contrib/sarif.tpl, @/contrib/gitlab.tpl, @/contrib/junit.tpl)
output String Save results to a file
exitCode String 0 Exit code when specified vulnerabilities are found
ignoreUnfixed Boolean false Ignore unpatched/unfixed vulnerabilities
vulnType String os,library Vulnerability types (os,library)
severity String UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL Severities of vulnerabilities to scanned for and displayed
skipDirs String Comma separated list of directories where traversal is skipped
cacheDir String Cache directory
timeout String 2m0s Scan timeout duration
ignorePolicy String Filter vulnerabilities with OPA rego language