
Trivy

by Woodpecker Authors

Plugin to find vulnerabilities, misconfigurations, secrets, SBOM and more.


The pipeline configuration below demonstrates basic usage:

```yaml
pipeline:
  scan_vuln:
    image: woodpeckerci/plugin-trivy
```

Settings

| Settings Name | Default | Description |
|---|---|---|
| exit-code | 1 | let the step fail if an issue is detected |
| skip-dirs | vendor,node_modules | folders excluded from the scan |
| dir | . | root folder to scan from |
| server | none | use a trivy server, which can be a service step or an external server |
| severity | none | severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") |
| db-repository | ghcr.io/aquasecurity/trivy-db:2 | OCI registry URL to retrieve the vulnerability database from (e.g. docker.io/aquasec/trivy-db:2) |

Advanced settings

| Settings Name | Default | Description |
|---|---|---|
| service | false | start trivy in server mode instead of scanning |
| service-port / server-port | 10000 | the port the trivy server will listen on |
| server-timeout | 60 | timeout the scanner waits for a server to become reachable (in seconds) |
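As an added example (not taken from the plugin's own documentation), the following pipeline combines the settings from both tables: a `trivy` service step runs the plugin in server mode, and the scan step points at it via `server`, reports only HIGH and CRITICAL findings, widens `skip-dirs`, and allows more time for the server to come up. Assumptions not stated on this page: that plugin settings are nested under a `settings:` key, that a service step is reachable under its step name (`trivy`), and that `server` takes a URL of the form `http://trivy:10000`.

```yaml
# Scan step: connects to the trivy service below instead of running a local scan.
pipeline:
  scan_vuln:
    image: woodpeckerci/plugin-trivy
    settings:
      # assumed URL form; "trivy" is the service step name, 10000 the service-port
      server: http://trivy:10000
      # wait up to 120s for the server (default is 60s)
      server-timeout: 120
      # only show HIGH and CRITICAL; the default shows all severities
      severity: HIGH,CRITICAL
      # extend the default exclusion list (vendor,node_modules)
      skip-dirs: vendor,node_modules,testdata
      # keep the default: fail the step when an issue is detected
      exit-code: 1
      # scan from the repository root
      dir: .

# Service step: the same image started in server mode, listening on 10000.
services:
  trivy:
    image: woodpeckerci/plugin-trivy
    settings:
      service: true
      service-port: 10000
```

Running a single server step with a shared vulnerability database (pulled from `db-repository`) avoids every scan step downloading the database separately, which is why the `server-timeout` is raised here: the service needs time to fetch the database before the scan step can connect.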