What is Trivy?

Trivy is a vulnerability scanner for containers, designed to detect vulnerabilities within your container images, file systems, and Git repositories. It stands out for its simplicity and comprehensive database of vulnerabilities. Trivy scans for vulnerabilities in OS packages (Alpine, Red Hat, etc.) and application dependencies (NPM, RubyGems, etc.).

Installing Trivy

With Trunk Check, you can automatically install and configure Trivy along with any relevant linters in a few straightforward steps. Here's how:

First, if you haven't already installed Trunk CLI, you can do so with the command below:

1curl -fsSL | bash

Next, you can initialize Trunk from the root of your git repository:

1trunk init

This command will scan your repository and create a .trunk/trunk.yaml file that enables all linters, formatters, and security analyzers, recommended by Trunk Check. This includes Trivy if applicable to your project.

To see all available linters Trunk Check installed, simply run:

1trunk check list

If you find Trivy is not automatically enabled, you can do so by running:

1trunk check enable Trivy

Alternatively, to disable Trivy run the command below. To disable other tooling applied by Trunk Check, simply replace Trivy with the respective tool you're looking to disable.

1trunk check disable Trivy

For more details on Trunk Check setup, see here.

Configuring Trivy

Most linters provide some mechanism to tweak their configuration, e.g. .eslintrc or Cargo.toml. Trunk is aware of all the ways individual tools are configured and supports them. This means linters you've already configured will continue to work exactly the same, just now supercharged by Trunk Check.

Like many linters, Trivy works out of the box with Trunk so there's no need to set up a configuration. However, if you're interested in a more custom configuration like the ability to adjust severity, we recommend checking out Trivy's docs.

If you're interested in choosing which scanners to enable within Trivvy, view our docs on enabling Trivy subcommands. Also, feel free to check out our open-source repository to see how we define and support 90+ linters.

Running Trivy

To check your code with Trivy, run the command below. This command executes Trivy, along with any other linters Trunk Check has enabled on files you've modified. Since Trunk is git-aware, it knows what you've changed, and by adding batched execution and caching, you end up with a much faster and smoother way to run Trivy and other tools.

1trunk check

If you prefer to check files you've modified with Trivy only, run the following:

1trunk check --filter=trivy

Although we'd recommend against it depending on the size of your repository, you can check all files with Trivy by running the command below.

1trunk check --all --filter=trivy

In most scenarios, you'll want to execute against modified files. Since Trunk is git-aware, it knows what you've changed, and by adding batched execution and caching, you end up with a much faster and smoother way to run Trivy and other tools.

Updating Trunk Check & Trivy

To upgrade the Trunk CLI along with all plugins and linters in your trunk.yaml simply run:

1trunk upgrade

We highly recommend running on the latest validated versions of tools as updates will frequently include important security fixes and additional valuable checks. Trunk only auto-suggests linter upgrades to versions that we have tested and support, so you may see a slight lag time when a new linter version is released.

Upgrade will also recommend new tools that have become applicable since the last time your repository was scanned. This can be a result of using new technologies in your repository or Trunk itself adding support for more tools. If you don't like a particular recommendation, you can always run trunk check disable <linter> to teach trunk not to recommend it.

Recommended Linters to Pair with Trivy

Pairing Trivy with linters enhances both code security and quality. Some recommended security linters to integrate alongside Trivy are:

  • TruffleHog: Searches through git repositories for high-entropy strings and secrets, digging deep into commit history.

  • Gitleaks: Focuses on detecting hard-coded secrets like passwords, API keys, and tokens in your Git repositories.

  • osv-scanner: Scans vulnerabilities listed in the Open Source Vulnerabilities (OSV) database.

  • Nancy: Checks against the Sonatype OSS Index, ensuring your Go projects remain secure against known vulnerabilities.

We recommend pairing Trivy with either Gitleaks or Trufflehog as they serve similar purposes as security linters.