Trivy

This plugin allows you to scan the Terraform code with trivy and provide output.

trivy is a static analysis security scanner that can be used for Terraform code.

• Home page
• Source code on GitHub

Configuration options

1. Name: This is Brainboard field to describe what this task is about.
2. Version: always points to the latest version to give you the latest security checks released.
3. Extra environment variables: variables that you can define here that will be used as environment variables in the execution shell.
4. Ignore status: list of vulnerability status to ignore:
   1. unknown
   2. not_affected
   3. affected
   4. fixed
   5. under_investigation
   6. will_not_fix
   7. fix_deferred
   8. end_of_life
5. Scanners: list of what security issues to detect:
   1. vuln
   2. misconfig
   3. secret
   4. license
6. Severity: severities of security issues to be displayed:
   1. UNKNOWN
   2. LOW
   3. MEDIUM
   4. HIGH
   5. CRITICAL
7. Ignore failure: if enabled, the execution of the following stage will be triggered even if the task fails.
8. Offline scan: do not issue API requests to identify dependencies
9. Require approval: means that this task will not be executed until approved by people added in the approvers' list.

   • The task remains blocked until all approvers added in the list approve it.

   • When enabled, it allows you to add approvers to the list
     

     

   • The approver has to be Brainboard user

10. Config: can be used to pass any valid Trivy configuration page (see documentation)
11. Skip files: specify the files or glob patterns to skip

Sample output

The output includes clickable links that open the relevant documentation pages listed in the 'More Information' section.