CircleCI: Trivy

Skpr provides an integration to use Trivy in CI/CD to scan images and dependency files for known security vulnerabilities.

Developers are able to utilise this out of the box using our official Docker image.

Skpr Orb

The Skpr platform team maintains a CircleCI Orb which can be used to simplify your CircleCI configuration.

Examples

Scanning a dependency file for vulnerabilities

You can use Trivy to scan a dependency file to reveal any known vulnerabilities in the Aqua Vulnerability Database.

The example below scans the dependency lock files used by Composer and NPM. These files record the full resolved dependency tree, i.e. exactly which package versions were downloaded into the project, so scanning them covers transitive dependencies as well as the ones you declared directly.

CircleCI Configuration

version: 2.1

orbs:
  skpr: skpr/skpr@1

jobs:
  scan_file:
    docker:
      - image: skpr/cli:latest
    steps:
      - checkout
      - setup_remote_docker:
          version: "20.10.11"
          docker_layer_caching: true
      - skpr/trivy_file_scan:
          file: /data/composer.lock
      - skpr/trivy_file_scan:
          file: /data/package-lock.json

workflows:
  scan:
    jobs:
      - scan_file:
          context: skpr-cluster-name
          filters:
            branches:
              only: [ main ]

Scanning a packaged image for vulnerabilities

You can also use Trivy to scan an image which was built using the package process.

You'll need to specify which image type you want to scan. There are two types of images which the packaging process produces:

  • The Compile image - An image used to build the runtime images.
  • Runtime images - Images executed on the platform.

CircleCI Configuration

version: 2.1

orbs:
  skpr: skpr/skpr@1

jobs:
  scan_image:
    docker:
      - image: skpr/cli:latest
    steps:
      - checkout
      - setup_remote_docker:
          version: "20.10.11"
          docker_layer_caching: true
      - skpr/package:
          version: "${VERSION}"
      - skpr/trivy_image_scan:
          type: runtime
      - skpr/trivy_image_scan:
          type: compile

workflows:
  scan:
    jobs:
      - scan_image:
          context: skpr-cluster-name
          filters:
            branches:
              only: [ main ]
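The orb steps above run the scans, but a pipeline still needs a policy for what to do with the findings. The following is an added example, not code from Skpr or the orb: it assumes Trivy was asked for a JSON report (Trivy's `--format json` output, with `Results[].Target` and `Results[].Vulnerabilities[]`), uses a constructed report for the two lock files from this page with placeholder vulnerability IDs, and fails the job when findings at or above a chosen severity remain, optionally ignoring findings that have no fixed version yet.

```python
"""Gate a CI job on a Trivy JSON report (assumed shape: Results[].Vulnerabilities[])."""
import json
from collections import Counter

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report in Trivy's JSON shape. The CVE-0000-* IDs and package
# names are placeholders for illustration, not real advisories.
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "composer.lock", "Type": "composer", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "example/php-lib",
         "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "example/php-lib2",
         "InstalledVersion": "2.0.0", "FixedVersion": "", "Severity": "CRITICAL"}]},
    {"Target": "package-lock.json", "Type": "npm", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "example-js-pkg",
         "InstalledVersion": "3.1.0", "FixedVersion": "3.1.2", "Severity": "LOW"}]},
    {"Target": "vendor/clean", "Type": "composer"},  # Trivy omits the key when clean
]})


def findings(report_json, min_severity="HIGH", ignore_unfixed=False):
    """Return (target, id, package, severity, fixed_version) for findings at/above min_severity."""
    threshold = SEVERITY_RANK[min_severity]
    hits = []
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:  # key may be absent or null
            severity = vuln.get("Severity", "UNKNOWN").upper()
            if SEVERITY_RANK.get(severity, 0) < threshold:
                continue
            fixed = vuln.get("FixedVersion") or None
            if ignore_unfixed and fixed is None:  # nothing actionable for the developer yet
                continue
            hits.append((result["Target"], vuln["VulnerabilityID"],
                         vuln["PkgName"], severity, fixed))
    return hits


def gate(report_json, min_severity="HIGH", ignore_unfixed=False):
    """Return (exit_code, summary); exit_code 1 means the CI job should fail."""
    hits = findings(report_json, min_severity, ignore_unfixed)
    counts = Counter(hit[3] for hit in hits)
    summary = ", ".join(f"{sev}={counts[sev]}"
                        for sev in sorted(counts, key=SEVERITY_RANK.get, reverse=True))
    return (1 if hits else 0), (summary or f"no findings at or above {min_severity}")


if __name__ == "__main__":
    for target, vuln_id, pkg, severity, fixed in findings(SAMPLE_REPORT):
        print(f"{target}: {vuln_id} {pkg} [{severity}] fix: {fixed or 'none available'}")
    code, summary = gate(SAMPLE_REPORT)
    print(summary)
    raise SystemExit(code)  # non-zero exit fails the CircleCI step
```

In a real job, replace SAMPLE_REPORT with the contents of the report file Trivy wrote and run the script as a step after the scan.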