Trivy

Trivy is a simple and comprehensive vulnerability scanner for containers and other artifacts.

Object Representation (YAML)

id: String
name: String
tool_version: String
type: String
depends: [String]
tags: [String]
condition: Boolean
each: Array
verbosity: String
ignore_errors: Boolean
properties:
  command: String
  repo_url: String
  path: String
  image: String
  template: String
  format: String
  input: String
  severity: [String]
  output: String
  exit_code: Number
  ignore_unfixed: Boolean
  debug: Boolean
  removed_pkgs: Boolean
  light: Boolean
  vuln_type: String
  ignorefile: String
  ignore_policy: String
  list_all_pkgs: Boolean
  command_options: String
  global_options: String
  cwd: String
  env:
    - name: String
      value: String

Fields

PropertyDetails
id *

String

A unique identifier for the step.

Can contain hyphens and underscores, but not spaces.

name *

String

A friendly name for the step. This name will appear in the pipeline designer and run output.

tool_version

String

The version to use. This version is only installed for the subprocess run by the step, and will not propagate to other operating system sessions.

type *

String

The type of the step. Can be pipeline or a step module type.

depends[]

[String]

A list of dependencies of this step.

This step will not be executed until all steps with ids in this list are finished executing.

tags[]

[String]

Tags are used to group related steps. Steps with the same tag can be retrieved using the findStepsByTag() helper function.

Can contain hyphens and underscores, but not spaces.

condition

Boolean

An expression which is evaluated before the step executes. If it evaluates to false, the step will be skipped. The step.result.status field will be "Skipped".

each

Array

An array of elements to execute the step once for each of them.

verbosity

String

Step event verbosity. Determines how much information about step execution is sent back to the application.

ignore_errors

Boolean

If true, errors in the step module will not halt pipeline execution, and subsequent steps will still be executed. The step.result.status field will be "Failed" if the step encounters an error.

properties.command *

String

The trivy command to run. One of image, filesystem, repository.

properties.repo_url

String

The URL of a remote repository to scan, if command is repository.

properties.path

String

The path to local files to scan, if command is filesystem.

properties.image

String

The name of a container image to scan, if command is image.

properties.template

String

A template to use for the output format, when format is template.

properties.format

String

The output format. One of json, table, template.

properties.input

String

The path to a local container image file, if command is image.

properties.severity[]

[String]

Filters results by these severity levels. Items should be one of UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL.

properties.output

String

Path to a local file where scan output will be written.

properties.exit_code

Number

Exit code when vulnerabilities were found.

properties.ignore_unfixed

Boolean

Display only fixed vulnerabilities.

properties.debug

Boolean

Debug mode

properties.removed_pkgs

Boolean

Detect vulnerabilities of removed packages (only for Alpine).

properties.light

Boolean

Light mode. It's faster, but vulnerability descriptions and references are not displayed.

properties.vuln_type

String

List of vulnerability types. Items should be os, library.

properties.ignorefile

String

Path to a .trivyignore file.

properties.ignore_policy

String

Path to a Rego file to evaluate each vulnerability.

properties.list_all_pkgs

Boolean

Output all packages regardless of vulnerability.

properties.command_options

String

Extra command options that will be provided to trivy command.

properties.global_options

String

Extra global options that will be provided to trivy command.

properties.cwd

String

If provided, the trivy will use this path as its working directory.

properties.env[]

[Object]

A list of environment variables that will be set for script execution.

properties.env[].name *

String

Environment variable name.

properties.env[].value *

String

Environment variable value.

Result Fields

The following are the step execution result fields available at steps.<step id>.result after a step executes.

KeyDetails
result.status

String

A string indicating the step execution status. Can be Succeeded, Failed, or Skipped.

result.exit_code

Number

Exit code of the trivy process.

result.stdout

String

Exit code of the trivy process.

result.stderr

String

Stderr of the trivy process.