Trivy

SCA tool

Software Configuration Analysis (SCA) is an application security technique that enables developers to track and analyze the open source components introduced into a shared project. SCA solutions scan dependencies to identify security vulnerabilities. - aquacsec

Trivy comprehensive vulnerability scanner for code repositories, binary artifacts, container images, Kubernetes clusters, and more.

You can run it locally in your project using the CLI and get a report. It will scan the code and identify libraries that have vulnerabilities, their severity, and whether fixes are available.

But we can do better, we can add it to the CI pipeline to scan the code and fail the build if any vulnerabilities are found.

We will run it with the fs scan type, which will scan the files in the project, and find

  • Vulnerabilities
  • Misconfigurations
  • Secrets
  • Licenses
name: trivy

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]

permissions:
  contents: read

jobs:
  build:
    permissions:
      contents: read 
      security-events: write
      actions: read 
    name: Build
    runs-on: "ubuntu-20.04"
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'template'
          template: '@/contrib/sarif.tpl'
          output: 'trivy-results.sarif'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'
trivy report on ci pipeline

We can improve the scanning by using specific flags:

--ignore-unfixed: will show only vulnerabities with status fixed and when we can do something about it, so we dont get a verbose log and alerts anf create unecessery friction.

--severity HIGH,CRITICAL: will only show vulnerabilities with severity HIGH or CRITICAL.

For better visibility of vulnerabilities and their impact on the project, we can use this small project trivy-pr-report that adds a Trivy report as a comment directly to the pull request. But we need to Allow GitHub Actions to create and approve pull requests in settings for this to work.

trivy report on ci pipeline

repo: https://github.com/freeitas/trivy