The Aqua Security Trivy Plugin is a premium offering designed to enhance the security of your code repositories by seamlessly integrating with Trivy (Trivy), an industry-leading vulnerability scanner (Trivy docs). Exclusively available for Aqua Security customers, this plugin provides advanced security features beyond standard vulnerability scanning.
-
Enhanced Security Scans: Aqua Security customers benefit from advanced features including Enhenced Secret Scanning engine, SAST (Static application security testing), Reachability Checks, and more.
-
Better Secret Scanning: Detect sensitive information such as API keys and passwords within your codebase and configuration files to prevent potential leaks.
-
SAST Scanning: Analyze your source code for security vulnerabilities, including code patterns that could lead to potential exploits.
-
Reachability Check: This analysis provides more granular information to understand whether an existing vulnerability is reachable to the packages in your code repository. If a vulnerability is reachable, you may prioritize fixing it.
-
Customizable Security Policies: Tailor security policies to your organization's needs, including severity thresholds and compliance requirements. For more information, please see the Aqua official documentation.
-
Detailed Reporting: Receive comprehensive security reports, complete with actionable remediation recommendations.
-
CI/CD Pipeline Integration: Seamlessly incorporate into your CI/CD pipelines to ensure stringent security checks throughout your software development lifecycle.
To begin leveraging the Aqua Security Trivy Integration to protect your code repositories, reach out to our sales or support team to learn more about the benefits and access.
The only explicitly required environment variables are
| Variable | Purpose |
|---|---|
| AQUA_KEY | Generated through CSPM UI |
| AQUA_SECRET | Generated through CSPM UI |
| Variable | Purpose |
|---|---|
| CSPM_URL | Aqua CSPM URL (default: us-east-1 CSPM) |
| AQUA_URL | Aqua platform URL (default: us-east-1 Aqua platform) |
Trivy will attempt to resolve the following details from the available environment variables;
- repository name
- branch name
- commit id
- committing user
- build system
There are some environments variables for overriding default values and behaviors;
| Variable | Purpose |
|---|---|
| OVERRIDE_REPOSITORY | Use this environment variable to explicitly specify the repository name used by Trivy |
| FALLBACK_REPOSITORY | Use this environment variable as a backup if no other repository env vars can be found |
| OVERRIDE_BRANCH | Use this environment variable to explicitly specify the branch used by Trivy |
| FALLBACK_BRANCH | Use this environment variable as a backup if no other branch env vars can be found |
| OVERRIDE_BUILDSYSTEM | Use this environment variable to explicitly specify the build system |
| IGNORE_PANIC | Use this environment variable to return exit code 0 on cli panic error |
| OVERRIDE_REPOSITORY_URL | Use this environment variable to explicitly specify the repository link used by Trivy (For result's web link) |
| OVERRIDE_REPOSITORY_SOURCE | Use this environment variable to explicitly specify the repository source used by Trivy |
| HTTP_PROXY/HTTPS_PROXY | Use these environment variable for proxy configuration |
| XDG_DATA_HOME | use this environment variable to designate the base directory for storing user-specific data |
| XDG_CACHE_HOME | use this environment variable for setting the cache directory |
| SAST_LOGS | use this environment variable with true value for writing sast logs to a file (The file name is: ${REPOSITORY_NAME}-sast-logs.txt under the SAST_LOGS_DIR directory) |
| SAST_LOGS_DIR | use this environment variable to explicitly specify the location where the log file should be written (Default is /tmp/.trivy/plugins/aqua) |
| TRIVY_QUIET | Disable trivy output report in log |
| AQUA_ASSURANCE_EXPORT | The path to export policies results (JSON) |
| OVERRIDE_AUTHOR | Use this environment variable to override the author of the scan (commit pusher by default) |
| OVERRIDE_RUN_ID | Use this environment variable to override the run id (default to SCM run build number) |
| OVERRIDE_BUILD_ID | Use this environment variable to override the job/build id (default to SCM build id) |
| OVERRIDE_TARGET_BRANCH | Use this environment variable to override the target branch for PR scanning (default to SCM target branch) |
| OVERRIDE_SOURCE_BRANCH | Use this environment variable to override the source branch for PR scanning (default to SCM source branch) |
| OVERRIDE_COMMIT | Use this environment variable to override the commit to enrich SCM links |
| OVERRIDE_REPOSITORY_NAME | Use this environment variable to override the repository name (default to SCM repository name) |
| OVERRIDE_REPOSITORY_ID | Use this environment variable to override the repository id (default to SCM repository id) |
| OVERRIDE_PROJECT_NAME | Use this environment variable to override the project name (default to SCM project name - important in Azure) |
| OVERRIDE_PULL_REQUEST_ID | Use this environment variable to override the pull request for PR scanning - comments (default to SCM target pull request id) |
| Argument | Environment variable | Purpose | Example Usage |
|---|---|---|---|
--debug |
DEBUG | Get more detailed output as Trivy runs. | --debug / DEBUG=true |
--severities |
TRIVY_SEVERITY | The Severities that you are interested in. | --severities CRITICAL,HIGH,UNKNOWN / TRIVY_SEVERITY= CRITICAL,HIGH,UNKNOWN |
--skip-pipelines |
SKIP_PIPELINES | Skip scan repository pipeline files. | --skip-pipelines / SKIP_PIPELINES=true |
--sast |
SAST | To enable SAST scanning. | --sast / SAST=true |
--reachability |
REACHABILITY | To enable reachability scanning. | --reachability / REACHABILITY=true |
--package-json |
PACKAGE_JSON | Scan package.json files without lock files | --package-json / PACKAGE_JSON=true |
--dotnet-proj |
DOTNET_PROJ | Scan dotnet proj files without lock files | --dotnet-proj / DOTNET_PROJ=true |
--gradle |
GRADLE | Scan gradle build files without lock files | --gradle / GRADLE=true |
--skip-policies |
TRIVY_SKIP_POLICIES | Skip policies checks | --skip-policies / TRIVY_SKIP_POLICIES=true |
--skip-result-upload |
TRIVY_SKIP_RESULT_UPLOAD | Disable uploading scan results to aqua platform | --skip-result-upload / TRIVY_SKIP_RESULT_UPLOAD=true |
--skip-policy-exit-code |
TRIVY_SKIP_POLICY_EXIT_CODE | Prevent non-zero exit code if an assurance policy has failed | --skip-policy-exit-code / TRIVY_SKIP_POLICY_EXIT_CODE=true |
--file-patterns |
TRIVY_FILE_PATTERNS | This option takes regexp patterns to look for your files. For example, it may be useful when your file name of Dockerfile doesn't match the default patterns | --file-patterns="dockerfile:.*.docker" / TRIVY_FILE_PATTERNS="dockerfile:.*.docker" The prefixes are listed here |
To demonstrate the seamless integration of the Aqua Security Trivy Plugin into your development workflow, which can run triggered by push (full scan) or triggered by creating a pull request (scan the Git diff's), consider the following GitHub Actions example:
name: Code Repository Security Scan
on:
pull_request:
push:
branches:
- main
jobs:
security_scan:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Run Aqua scanner
uses: docker://aquasec/aqua-scanner
with:
args: trivy fs --scanners misconfig,vuln,secret .
env:
AQUA_KEY: ${{ secrets.AQUA_KEY }}
AQUA_SECRET: ${{ secrets.AQUA_SECRET }}
GITHUB_TOKEN: ${{ github.token }}
TRIVY_RUN_AS_PLUGIN: "aqua"
# Use here any other environment variableAQUA_KEY=${AQUA_KEY} AQUA_SECRET=${AQUA_SECRET} TRIVY_RUN_AS_PLUGIN=aqua docker run -it -e AQUA_KEY -e AQUA_SECRET -e TRIVY_RUN_AS_PLUGIN -e INPUT_WORKING_DIRECTORY=/scanning -v "${YOUR_WORKSPACE}":"/scanning" aquasec/aqua-scanner trivy fs --scanners misconfig,vuln,secret .podman run --rm \
-e AQUA_KEY=${AQUA_KEY} \
-e AQUA_SECRET=${AQUA_SECRET} \
-e TRIVY_RUN_AS_PLUGIN='aqua' \
-e SAST='true' \
-e INPUT_WORKING_DIRECTORY='/scanning' \
-v ${WORKSPACE}:/scanning \
docker.io/aquasec/aqua-scanner \
git config --global --add safe.directory /scanning && trivy fs --scanners='misconfig,vuln,secret' .
When working within CI environment, it's important to include the Source Code Management (SCM) tokens for pull requests. You can find additional guidance and details on this matter within our platform for your reference about each SCM.
The "aqua-scanner" image will be used from the docker hub aquasec repository. This image will be used to scan code repositories associated with the CI build system having Admin-level privileges. If you want to scan code repositories associated with the CI build system having non-root user privileges, use the Aqua scanner image with the tag latest-limited, i.e. aquasec/aqua-scanner:latest-limited. This image is compatible with the "AMD64" and "ARM64" Linux platforms.
You can add the following example code block to Azure pipeline script with the "Push" option using aqua-scanner:latest-limited. When adding this code block to Azure pipeline script only, ensure to include options: -u 0. If you want to use aqua-scanner with limited tag and add code block from the Aqua UI to any other repository hosting platform pipeline script, replace aqua-scanner with aqua-scanner:latest-limited.
trigger:
- main
container:
image: aquasec/aqua-scanner:latest-limited
options: -u 0
env:
AQUA_KEY: $(AQUA_KEY)
AQUA_SECRET: $(AQUA_SECRET)
AZURE_TOKEN: $(AZURE_TOKEN)
TRIVY_RUN_AS_PLUGIN: aqua
steps:
- checkout: self
fetchDepth: 0
- script: |
trivy fs --scanners misconfig,vuln,secret .
displayName: Aqua scannerThe plugin is designed for Docker environments and is compatible with Linux containers. The gradle non lock supported from gradle 7.0.0, support groovy and kotlin dsl.
This GitHub repository is licensed under the Apache License 2.0. It is exclusively available for Aqua Security customers and is not open source. Please contact Aqua Security for licensing details.