According to the official documentation, Trivy is a comprehensive and versatile security scanner. Trivy has scanners that look for security issues, and targets where it can find those issues.
By enabling Trivy in the integration test, the Trivy GitHub action will run a scan in the repository (fs type) or a Docker image (image type) to find vulnerabilities.
The result will be available in the integration test output.
Default configuration: will fail with exit code 1 for high and critical vulnerabilities.
Custom configurations can be set in a trivy.yaml file stored in the repository. Its location is passed through the trivy-image-config parameter.
To reduce the manual work of keeping the .trivyignore file up to date, skip the binaries that you have no control over (and therefore every CVE they carry) with the skip-files option of the trivy.yaml file, instead of listing their CVEs one by one.
```yaml
jobs:
  integration-tests:
    uses: canonical/operator-workflows/.github/workflows/integration_test.yaml@main
    secrets: inherit
    with:
      trivy-image-config: tests/trivy/trivy.yaml
```

Example of trivy.yaml content:
```yaml
format: json
exit-code: 1
severity: CRITICAL
scan:
  skip-files:
    - usr/bin/pebble # this will ignore any CVEs caused by the pebble binary
```

See the Config file for the options list.
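With `format: json` the scan result that lands in the integration test output is a Trivy JSON report. The following script is an added example (it is not part of operator-workflows or of Trivy) that applies the same gate logic as the configuration above to such a report: keep only the listed severities, drop IDs from `.trivyignore`, and derive the exit code. The report, the `.trivyignore` content and the CVE IDs are constructed; `skip_targets` approximates `skip-files` by dropping whole report targets, whereas a real scan never looks at a skipped file at all.

```python
"""Triage a Trivy JSON report the way the CI gate does.

Added example, not project code. The sample report below is constructed in the
shape Trivy emits with `format: json` (top-level "Results", each with a "Target"
and a list of "Vulnerabilities"); the CVE IDs are placeholders.
"""
import json

# Constructed sample report: two targets, four findings.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "usr/bin/pebble",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "stdlib", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "stdlib", "Severity": "CRITICAL"},
            ],
        },
        {
            "Target": "app/requirements.txt",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "requests", "Severity": "MEDIUM"},
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "urllib3", "Severity": "HIGH"},
            ],
        },
    ]
})

# Constructed .trivyignore: one vulnerability ID per line, '#' starts a comment.
SAMPLE_TRIVYIGNORE = """
# accepted risk, tracked elsewhere (constructed entry)
CVE-0000-0004
"""


def parse_trivyignore(text):
    """Return the set of vulnerability IDs listed in a .trivyignore file."""
    ids = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ids.add(line)
    return ids


def findings(report_json, severity="HIGH,CRITICAL", ignored=frozenset(), skip_targets=()):
    """Return (target, id, package, severity) tuples that would fail the gate.

    `severity` uses the same comma-separated form as Trivy's severity option;
    the default matches the workflow's default of failing on HIGH and CRITICAL.
    `skip_targets` drops whole targets, mimicking the effect of scan.skip-files.
    """
    wanted = {s.strip().upper() for s in severity.split(",") if s.strip()}
    report = json.loads(report_json)
    out = []
    for result in report.get("Results", []):
        target = result.get("Target", "")
        if any(target.startswith(prefix) for prefix in skip_targets):
            continue
        # Trivy omits or nulls "Vulnerabilities" for clean targets.
        for vuln in result.get("Vulnerabilities") or []:
            sev = vuln.get("Severity", "UNKNOWN").upper()
            vid = vuln.get("VulnerabilityID", "")
            if sev not in wanted or vid in ignored:
                continue
            out.append((target, vid, vuln.get("PkgName", ""), sev))
    return out


def exit_code(report_json, **kwargs):
    """1 if any finding survives the filters (as with `exit-code: 1`), else 0."""
    return 1 if findings(report_json, **kwargs) else 0


if __name__ == "__main__":
    ignored = parse_trivyignore(SAMPLE_TRIVYIGNORE)
    for target, vid, pkg, sev in findings(SAMPLE_REPORT, ignored=ignored):
        print(f"{sev:8} {vid:14} {pkg:12} {target}")
    print("exit code:", exit_code(SAMPLE_REPORT, ignored=ignored))
    print("with usr/bin/pebble skipped:",
          exit_code(SAMPLE_REPORT, ignored=ignored, skip_targets=("usr/bin/pebble",)))
```

Running it on the constructed report shows the difference between the two mechanisms: `.trivyignore` removes one ID, while skipping `usr/bin/pebble` removes every finding in that binary, which is why the page recommends skip-files for binaries you do not build yourself.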