Claude Code Plugins

Community-maintained marketplace


security-scan-trivy

@Wikid82/Charon

Run Trivy security scanner for vulnerabilities, secrets, and misconfigurations


SKILL.md

name: security-scan-trivy
version: 1.0.0
description: Run Trivy security scanner for vulnerabilities, secrets, and misconfigurations
author: Charon Project
license: MIT
tags: security, scanning, trivy, vulnerabilities, secrets

Security Scan Trivy

Overview

Executes the Trivy security scanner in a Docker container to scan the project for vulnerabilities, secrets, and misconfigurations. Trivy inspects the filesystem, dependency manifests, and configuration files to identify security issues.

This skill is designed for CI/CD pipelines and local security validation before commits.

Prerequisites

  • Docker 24.0 or higher installed and running
  • Internet connection (for vulnerability database updates)
  • Read permissions for project directory

Usage

Basic Usage

Run with default settings (all scanners, table format):

cd /path/to/charon
.github/skills/scripts/skill-runner.sh security-scan-trivy

Custom Scanners

Scan only for vulnerabilities:

.github/skills/scripts/skill-runner.sh security-scan-trivy vuln

Scan for secrets and misconfigurations:

.github/skills/scripts/skill-runner.sh security-scan-trivy secret,misconfig

Custom Severity

Scan only for critical and high severity issues:

TRIVY_SEVERITY=CRITICAL,HIGH .github/skills/scripts/skill-runner.sh security-scan-trivy

JSON Output

Get results in JSON format for parsing:

.github/skills/scripts/skill-runner.sh security-scan-trivy vuln,secret,misconfig json

Parameters

  • scanners (string, optional; default: vuln,secret,misconfig): comma-separated list of scanners to run
  • format (string, optional; default: table): output format (table, json, sarif)

Environment Variables

  • TRIVY_SEVERITY (optional; default: CRITICAL,HIGH,MEDIUM): severities to report
  • TRIVY_TIMEOUT (optional; default: 10m): maximum scan duration

Outputs

  • Success Exit Code: 0 (no issues found)
  • Error Exit Codes:
    • 1: Issues found
    • 2: Scanner error
  • Output: Scan results to stdout in specified format
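The page describes the runner's inputs and exit codes but not the Docker inline command it issues. The Python below is an added example, not the project's skill-runner.sh: it reconstructs such a command from the two positional parameters and the two environment variables, validates them, and maps the outcome onto the exit codes listed above. The Trivy flags (--scanners, --severity, --format, --timeout, --exit-code) are real Trivy options; the image tag, the read-only mount, the named cache volume and the validation rules are assumptions made for this example.

```python
# Added example (not the project's skill-runner.sh): reconstruct the Docker
# inline Trivy command from the skill's parameters and environment variables,
# and map the outcome onto the skill's exit codes (0 clean, 1 issues, 2 error).
import os
import subprocess
import sys

# Defaults taken from the skill's Parameters and Environment Variables tables.
DEFAULT_SCANNERS = "vuln,secret,misconfig"
DEFAULT_FORMAT = "table"
DEFAULT_SEVERITY = "CRITICAL,HIGH,MEDIUM"
DEFAULT_TIMEOUT = "10m"

VALID_SCANNERS = {"vuln", "secret", "misconfig"}
VALID_FORMATS = {"table", "json", "sarif"}
VALID_SEVERITIES = {"UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"}

# Assumption: the image tag is pinned to the Trivy version shown in the
# page's sample output, so scans are reproducible.
TRIVY_IMAGE = "aquasec/trivy:0.48.0"


def _check_csv(value, allowed, what):
    """Reject unknown comma-separated values so typos fail fast (exit code 2)."""
    items = [v for v in value.split(",") if v]
    bad = [v for v in items if v not in allowed]
    if not items or bad:
        raise ValueError(f"invalid {what}: {value!r} (allowed: {', '.join(sorted(allowed))})")
    return ",".join(items)


def build_trivy_command(project_dir, scanners=DEFAULT_SCANNERS, fmt=DEFAULT_FORMAT, env=None):
    """Return the docker argv for a Trivy filesystem scan of project_dir."""
    env = os.environ if env is None else env
    scanners = _check_csv(scanners, VALID_SCANNERS, "scanners")
    severity = _check_csv(env.get("TRIVY_SEVERITY", DEFAULT_SEVERITY),
                          VALID_SEVERITIES, "TRIVY_SEVERITY")
    timeout = env.get("TRIVY_TIMEOUT", DEFAULT_TIMEOUT)
    if fmt not in VALID_FORMATS:
        raise ValueError(f"invalid format: {fmt!r} (allowed: {', '.join(sorted(VALID_FORMATS))})")
    return [
        "docker", "run", "--rm",
        # Mount the project read-only; the scanner never needs to write to it.
        "-v", f"{os.path.abspath(project_dir)}:/src:ro",
        # Named volume (assumed) so the vulnerability database survives between runs.
        "-v", "trivy-cache:/root/.cache/trivy",
        TRIVY_IMAGE, "fs",
        "--scanners", scanners,
        "--severity", severity,
        "--format", fmt,
        "--timeout", timeout,
        "--exit-code", "1",  # Trivy exits 1 when it reports any finding
        "/src",
    ]


def run_scan(project_dir, scanners=DEFAULT_SCANNERS, fmt=DEFAULT_FORMAT, env=None):
    """Run the scan and return the skill's exit code (0, 1 or 2)."""
    try:
        cmd = build_trivy_command(project_dir, scanners, fmt, env)
    except ValueError as exc:
        print(f"Error: {exc}", file=sys.stderr)
        return 2
    try:
        completed = subprocess.run(cmd, check=False)
    except FileNotFoundError:
        print("Error: docker executable not found", file=sys.stderr)
        return 2
    # 0 and 1 come from Trivy itself (clean / findings). Anything else, such as
    # Docker being unable to reach its daemon, is reported as a scanner error.
    return completed.returncode if completed.returncode in (0, 1) else 2


if __name__ == "__main__":
    # Usage: python trivy_scan.py [scanners] [format], run from the project root.
    sys.exit(run_scan(".", *sys.argv[1:3]))
```

Validation happens before Docker is invoked, so a typo such as `secrets` instead of `secret` surfaces as exit code 2 with a clear message rather than as a Trivy error buried in the scanner output.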

Scanner Types

Vulnerability Scanner (vuln)

Scans for known CVEs in:

  • Go dependencies (go.mod)
  • npm packages (package.json)
  • Docker base images (Dockerfile)

Secret Scanner (secret)

Detects exposed secrets:

  • API keys
  • Passwords
  • Tokens
  • Private keys

Misconfiguration Scanner (misconfig)

Checks configuration files:

  • Dockerfile best practices
  • Kubernetes manifests
  • Terraform files
  • Docker Compose files

Examples

Example 1: Full Scan with Table Output

# Scan all vulnerability types, display as table
.github/skills/scripts/skill-runner.sh security-scan-trivy

Output:

2025-12-20T10:00:00Z	INFO	Trivy version: 0.48.0
2025-12-20T10:00:01Z	INFO	Scanning filesystem...
Total: 0 (CRITICAL: 0, HIGH: 0, MEDIUM: 0)

Example 2: Vulnerability Scan Only (JSON)

# Scan for vulnerabilities only, output as JSON
.github/skills/scripts/skill-runner.sh security-scan-trivy vuln json > trivy-results.json

Example 3: Critical Issues Only

# Scan for critical severity issues only
TRIVY_SEVERITY=CRITICAL .github/skills/scripts/skill-runner.sh security-scan-trivy

Example 4: CI/CD Pipeline Integration

# GitHub Actions example
- name: Run Trivy Security Scan
  run: .github/skills/scripts/skill-runner.sh security-scan-trivy
  continue-on-error: false

Error Handling

Common Issues

Docker not running:

Error: Cannot connect to Docker daemon
Solution: Start Docker service

Network timeout:

Error: Failed to download vulnerability database
Solution: Increase TRIVY_TIMEOUT or check internet connection

Vulnerabilities found:

Exit code: 1
Solution: Review and remediate reported vulnerabilities

Exit Codes

  • 0: No security issues found
  • 1: Security issues detected
  • 2: Scanner error or invalid arguments

Related Skills

Notes

  • Trivy automatically updates its vulnerability database on each run
  • Scan results may vary based on database version
  • Some vulnerabilities may have no fix available yet
  • Consider using .trivyignore file to suppress false positives
  • Recommended to run before each release
  • Network access required for first run and database updates

Security Thresholds

Project Standards:

  • CRITICAL: Must fix before release (blocking)
  • HIGH: Should fix before release (warning)
  • MEDIUM: Fix in next release cycle (informational)
  • LOW: Optional, fix as time permits
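The thresholds above are stricter than Trivy's own exit code, which is 1 for any reported finding. The Python below is an added example, not part of the skill: a release gate that reads the JSON produced with the json output format, blocks on CRITICAL, warns on HIGH, treats MEDIUM and LOW as informational, and separately lists vulnerabilities with no fixed version yet, which the Notes above call out. The report it runs on is constructed here to mirror Trivy's JSON layout (Results with Vulnerabilities, Misconfigurations and Secrets); every identifier in it is a placeholder, and the ignored_ids set plays the role of a reviewed .trivyignore list.

```python
# Added example (not part of the skill): apply the project's severity
# thresholds to a Trivy JSON report and derive a release-gate exit code.
# SAMPLE_REPORT is constructed for this example; all IDs are placeholders.
import json
from collections import Counter

BLOCKING = {"CRITICAL"}  # must fix before release
WARNING = {"HIGH"}       # should fix before release
# MEDIUM and LOW are informational and never change the exit code.

SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "Results": [
        {
            "Target": "go.mod", "Class": "lang-pkgs", "Type": "gomod",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "example.com/lib",
                 "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "example.com/other",
                 "InstalledVersion": "2.3.0", "FixedVersion": "", "Severity": "HIGH"},
            ],
        },
        {
            "Target": "Dockerfile", "Class": "config", "Type": "dockerfile",
            "Misconfigurations": [
                {"ID": "DS-PLACEHOLDER", "Title": "Image runs as root", "Severity": "MEDIUM"},
            ],
        },
        {
            "Target": "config/app.env", "Class": "secret",
            "Secrets": [
                {"RuleID": "placeholder-api-key", "Title": "Generic API key", "Severity": "HIGH"},
            ],
        },
    ],
}
SAMPLE_REPORT_JSON = json.dumps(SAMPLE_REPORT)


def collect_findings(report):
    """Flatten the three scanner result types into one list of findings."""
    findings = []
    for result in report.get("Results", []):
        target = result.get("Target", "<unknown>")
        for v in result.get("Vulnerabilities") or []:
            findings.append({"target": target, "kind": "vuln", "id": v.get("VulnerabilityID"),
                             "severity": v.get("Severity", "UNKNOWN"),
                             "fix": v.get("FixedVersion") or None})
        for m in result.get("Misconfigurations") or []:
            findings.append({"target": target, "kind": "misconfig", "id": m.get("ID"),
                             "severity": m.get("Severity", "UNKNOWN"), "fix": None})
        for s in result.get("Secrets") or []:
            findings.append({"target": target, "kind": "secret", "id": s.get("RuleID"),
                             "severity": s.get("Severity", "UNKNOWN"), "fix": None})
    return findings


def evaluate(report, ignored_ids=frozenset()):
    """Apply the thresholds; ignored_ids stands in for a reviewed .trivyignore list."""
    findings = [f for f in collect_findings(report) if f["id"] not in ignored_ids]
    counts = Counter(f["severity"] for f in findings)
    blocking = [f for f in findings if f["severity"] in BLOCKING]
    warnings = [f for f in findings if f["severity"] in WARNING]
    # A vulnerability with no fixed version cannot be closed by upgrading yet;
    # list it separately so it is tracked rather than silently carried along.
    unfixed = [f for f in findings if f["kind"] == "vuln" and f["fix"] is None]
    return {"counts": dict(counts), "blocking": blocking, "warnings": warnings,
            "unfixed": unfixed, "exit_code": 1 if blocking else 0}


def gate(report_text, ignored_ids=frozenset()):
    """Parse `--format json` output and return the gate's exit code (0, 1 or 2)."""
    try:
        report = json.loads(report_text)
    except json.JSONDecodeError as exc:
        print(f"Error: scanner output is not valid JSON: {exc}")
        return 2  # scanner error, as in the skill's exit-code table
    verdict = evaluate(report, ignored_ids)
    for f in verdict["blocking"]:
        print(f"BLOCKING {f['severity']} {f['kind']} {f['id']} in {f['target']} "
              f"(fix: {f['fix'] or 'none available yet'})")
    for f in verdict["warnings"]:
        print(f"WARNING  {f['severity']} {f['kind']} {f['id']} in {f['target']}")
    for f in verdict["unfixed"]:
        print(f"NO FIX   {f['id']} in {f['target']}: track until a fixed version ships")
    print("Totals:", verdict["counts"], "-> exit", verdict["exit_code"])
    return verdict["exit_code"]


if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_REPORT_JSON))
```

In a pipeline the gate would be fed the file written by Example 2 (`trivy-results.json`) instead of the constructed report; keeping the suppression list explicit in code or in .trivyignore makes every accepted finding reviewable.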

Last Updated: 2025-12-20
Maintained by: Charon Project
Source: Docker inline command (Trivy)