Trivy Container vulnerability scanning

What is it?

We have added Trivy to our Sourcegraph pipeline to help us identify security vulnerabilities in our container images.

How does this impact you?

Any finding reported by Trivy will need to be corrected. If it cannot be corrected immediately, a security issue will need to be created, the proper suppression added, the #security Slack channel alerted, and the security team tagged in the PR. Please see these instructions on suppressing a vulnerability for Trivy.

If Trivy finds vulnerabilities will it fail the pipeline?

Not at the moment. Once we finish optimizing the results and have the necessary procedures in place, this will begin failing the pipeline.

I have a vulnerability that is a false positive, or one that we will not fix. Can I make Trivy ignore it?

Yes. Simply follow the instructions in filtering vulnerabilities and then tag the security team to review the PR.
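The two questions above (whether a finding fails the pipeline, and how a reviewed finding is suppressed) come down to one ignore file and one flag. The script below is an added example, not Sourcegraph's pipeline code and not part of Trivy itself: it writes a .trivyignore in Trivy's real format (one vulnerability ID per line, `#` starts a comment), lints it so that every suppressed ID is preceded by a comment naming the tracking security issue, and shows the `trivy image --ignorefile ... --severity HIGH,CRITICAL --exit-code 1` invocation that would make the scan fail the build once the gate is switched on. The image name, the CVE ID and the `SEC-PLACEHOLDER` issue reference are placeholders, not real findings.

```shell
#!/bin/sh
# Added example, not Sourcegraph's pipeline code or part of Trivy itself.
# Assumes Trivy's real .trivyignore format (one vulnerability ID per line,
# '#' starts a comment) and the real `trivy image` flags --ignorefile,
# --severity and --exit-code. The image name and CVE ID are placeholders.

# Write a suppression file in which every entry is preceded by a comment
# naming the tracking security issue, so the PR reviewer can see why the
# finding was accepted.
write_ignorefile() {
  cat > "$1" <<'EOF'
# Suppressed Trivy findings. Each entry needs a comment line above it that
# names the tracking security issue, or lint_ignorefile rejects the file.

# issue: SEC-PLACEHOLDER (placeholder; false positive, code path not linked in)
CVE-0000-00000
EOF
}

# Reject .trivyignore entries that are not CVE IDs or that lack a preceding
# comment containing the word "issue". Returns 0 when every entry passes.
lint_ignorefile() {
  file="$1"
  status=0
  prev_comment=""
  while IFS= read -r raw || [ -n "$raw" ]; do
    # First whitespace-separated field: the ID, '#...' for comments, empty for blanks.
    first=$(printf '%s\n' "$raw" | awk '{print $1}')
    case "$first" in
      '')   prev_comment=""; continue ;;      # blank line breaks the pairing
      '#'*) prev_comment="$raw"; continue ;;  # remember the justification
    esac
    case "$first" in
      CVE-[0-9][0-9][0-9][0-9]-[0-9]*) ;;
      *) printf 'not a CVE id: %s\n' "$first" >&2; status=1 ;;
    esac
    case "$prev_comment" in
      *issue*) ;;
      *) printf 'no issue reference above %s\n' "$first" >&2; status=1 ;;
    esac
    prev_comment=""
  done < "$file"
  return "$status"
}

# The gate the page says is not yet enabled: with --exit-code 1, Trivy exits
# non-zero (failing the pipeline) when any unsuppressed HIGH or CRITICAL
# finding remains after the ignore file is applied.
scan_image() {
  trivy image --ignorefile "$1" --severity HIGH,CRITICAL --exit-code 1 "$2"
}

IMAGE="${IMAGE:-example/placeholder-image:latest}"   # placeholder, not a real image
WORKDIR=$(mktemp -d)
IGNOREFILE="$WORKDIR/.trivyignore"
write_ignorefile "$IGNOREFILE"

if lint_ignorefile "$IGNOREFILE"; then
  echo "ignore file OK: $IGNOREFILE"
else
  echo "ignore file rejected; fix the entries before opening the PR" >&2
fi

# Only run the real scan when Trivy is installed (e.g. via brew install ...).
if command -v trivy >/dev/null 2>&1; then
  scan_image "$IGNOREFILE" "$IMAGE" && echo "no unsuppressed HIGH/CRITICAL findings"
fi
```

The lint step is the part worth copying into CI: it turns the "create a security issue and reference it" rule into a mechanical check, so a suppression without a tracking issue cannot merge even if the reviewer misses it. Dropping `--severity HIGH,CRITICAL` makes every unsuppressed finding fail the build; keeping it matches the usual first step when a gate is switched from report-only to blocking.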

Are there any IDE Plugins for Trivy?

Yes. Trivy is available as a VSCode extension, and the Trivy CLI can also be installed locally on macOS via Homebrew:

  • VSCode extension
  • macOS (Homebrew): $ brew install aquasecurity/trivy/trivy