trivy-plugin-aqua

module
v0.77.0-github-enter-1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Oct 11, 2022 License: Apache-2.0

README

trivy-plugin-aqua

Trivy plugin for integration with Aqua Security SaaS platform

Usage

Trivy's options need to be passed after --. Trivy receives a target directory containing IaC files

Set Aqua plugin as Trivy's current default plugin by exporting an environment variable

  export TRIVY_RUN_AS_PLUGIN=aqua
Scan an IaC target
  trivy  <target>
Scan an IaC target and tag the scan
  trivy  <target>
Scan an IaC target and report only specific severities
  trivy --severities CRITICAL,HIGH <target>

Command Line Arguments

Argument Purpose Example Usage
--debug Get more detailed output as Trivy runs.
--severities The Severities that you are interested in. --severities CRITICAL,HIGH,UNKNOWN
--tags Arbitrary tags to be stored with the scan. --tags 'BUILD_HOST=$HOSTNAME,foo=bar'
--pipelines Scan repository pipeline files. --pipelines / PIPELINES=1 trivy ...
--package-json Scan package.json files without lock files --package-json / PACKAGE_JSON=1 trivy ...

Environment Variables

Required

The only explicitly required environment variables are

Variable Purpose
AQUA_KEY Generated through CSPM UI
AQUA_SECRET Generated through CSPM UI
Optional
Variable Purpose
CSPM_URL URL to generate Aqua Platform token (default: us-east-1 CSPM)
AQUA_URL Aqua platform URL (default: us-east-1 Aqua platform)

Trivy will attempt to resolve the following details from the available environment variables;

  • repository name
  • branch name
  • commit id
  • committing user
  • build system

There are some special case env vars;

Variable Purpose
OVERRIDE_REPOSITORY Use this environment variable to explicitly specify the repository used by Trivy
FALLBACK_REPOSITORY Use this environment variable as a backup if no other repository env vars can be found
OVERRIDE_BRANCH Use this environment variable to explicitly specify the branch used by Trivy
FALLBACK_BRANCH Use this environment variable as a backup if no other branch env vars can be found
OVERRIDE_BUILDSYSTEM Use this environment variable to explicitly specify the build system
OVERRIDE_SCMID Use this environment variable to explicitly specify the scm id
IGNORE_PANIC Use this environment variable to return exit code 0 on cli panic

Scanners

Certain scanners have additional behaviors

Pipelines

The pipelines scanner is enabled by providing either --pipelines flag or PIPELINES=1 environment variable. It uses Pipeline Parser to parse the pipelines, and therefore, supports only the platforms that are supported by the package.

The results of the scanner are:

  • parsed version of the pipeline files
  • pipeline misconfigurations

Deployment of a new version

To deploy a new version, create a new tag from master

make update-plugin

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL