Trivy is a security linter.

You can enable the Trivy linter with:

    trunk check enable trivy

Auto Enabling

Trivy will be auto-enabled if any Lockfile, ALL, Docker, Yaml or Terraform files are present.


Trivy supports the following config files:

  • trivy-secret.yaml

You can move these files to .trunk/configs and trunk check will still find them. See Moving Linter Configs for more info.

Usage Notes

Trivy has the following subcommands:

  • config: Runs trivy config (docs) to scan for misconfigurations in infrastructure-as-code files. Enabled by default.

  • fs-vuln: Runs trivy fs --scanners vuln (docs) to scan for security vulnerabilities. Disabled by default.

  • fs-secret: Runs trivy fs --scanners secret (docs) to scan for secrets. Disabled by default.

To enable/disable these, add the subcommands you want enabled in your .trunk/trunk.yaml as such:

    lint:
      enabled:
        - trivy@0.45.1:
            commands: [config, fs-vuln]
