CircleCI: Trivy
Skpr provides an integration to use Trivy in CI/CD to scan images and dependency files for known security vulnerabilities.
Developers are able to utilise this out of the box using our official Docker image.
Skpr Orb
The Skpr platform team maintains a CircleCI Orb which can be used to simplify your CircleCI configuration.
Examples
Scanning a dependency file for vulnerabilities
You can use Trivy to scan a dependency file to reveal any known vulnerabilities in the Aqua Vulnerability Database.
The below example will scan the dependency lock files used by Composer and NPM. These files contain a full dependency tree and what was downloaded to the project.
CircleCI Configuration
version: 2.1
orbs:
skpr: skpr/skpr@1
jobs:
scan_file:
docker:
- image: skpr/cli:latest
steps:
- checkout
- setup_remote_docker:
version: "20.10.11"
docker_layer_caching: true
- skpr/trivy_file_scan:
file: /data/composer.lock
- skpr/trivy_file_scan:
file: /data/package-lock.json
workflows:
scan:
jobs:
- scan_file:
context: skpr-cluster-name
filters:
branches:
only: [ main ]
Scanning a packaged image for vulnerabilities
You can also use Trivy to scan an image which was built using package process.
You'll need to specify which image type you want to scan. There are two types of images which the packaging process produces:
- The Compile image - An image used to build the runtime images.
- Runtime images - Images executed on the platform
CircleCI Configuration
version: 2.1
orbs:
skpr: skpr/skpr@1
jobs:
scan_image:
docker:
- image: skpr/cli:latest
steps:
- checkout
- setup_remote_docker:
version: "20.10.11"
docker_layer_caching: true
- skpr/package:
version: "${VERSION}"
- skpr/trivy_image_scan:
type: runtime
- skpr/trivy_image_scan:
type: compile
workflows:
scan:
jobs:
- scan_image:
context: skpr-cluster-name
filters:
branches:
only: [ main ]