Trivy

Trivy is a linter for Security.

You can enable the Trivy linter with:

trunk check enable trivy

Auto Enabling

Trivy will be auto-enabled if any Lockfile, ALL, Docker, Yaml or Terraform files are present.

Settings

Trivy supports the following config files:

• trivy-secret.yaml

You can move these files to .trunk/configs and trunk check will still find them. See Moving Linter Configs for more info.

Usage Notes

Trivy has the following subcommands:

• config

• Runs trivy config (docs) )to scan for misconfigurations in infrastructure-as-code files. Enabled by default

• fx-vuln

• Runs trivy fs --scanners vuln (docs) to scan for security vulnerabilities. Disabled by default.

• fs-secret

• Runs trivy fs --scanners secret (docs) to scan for secrets. Disabled by default.

To enable/disable these, add the subcommands you want enabled in your .trunk/trunk.yaml as such:

lint:
  enabled:
    - trivy@0.45.1:
        commands: [config, fs-vuln]

Links

• Trivy site

• Trivy Trunk Check integration source

• Trunk Check's open source plugins repo