Container security
Trivy
Usage
Show the versions of the different Trivy components (core, Vulnerability DB, Check Bundle) together with download times:
trivy --version
Scan local filesystem (e.g. to check a Containerfile):
trivy config .
Ignore checks
Ignore checks with a .trivyignore file:
$ cat .trivyignore
# Root file system is not read-only
# https://avd.aquasec.com/misconfig/kubernetes/general/avd-ksv-0014/
AVD-KSV-0014
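One way to keep a .trivyignore reviewable, as an added example that is not part of the original page or of Trivy: a small Python check that flags entries lacking the reason comment and reference URL used in the entry above. The policy itself, the function name audit_trivyignore and the AVD-EXAMPLE-* IDs are assumptions made for illustration.

```python
import re

URL_RE = re.compile(r"https?://\S+")

# Constructed sample: the first entry mirrors the page, the others are made up.
SAMPLE = """\
# Root file system is not read-only
# https://avd.aquasec.com/misconfig/kubernetes/general/avd-ksv-0014/
AVD-KSV-0014

AVD-EXAMPLE-0001

# https://example.invalid/checks/avd-example-0002
AVD-EXAMPLE-0002
AVD-KSV-0014
"""

def audit_trivyignore(text):
    """Return (line_no, check_id, problem) for entries that break the policy.

    Policy (an assumption of this example, not enforced by Trivy): every ID
    is directly preceded by comment lines giving a reason and a reference URL,
    and no ID is listed twice.
    """
    findings, comments, seen = [], [], set()
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            comments = []          # a blank line ends the comment block
            continue
        if line.startswith("#"):
            comments.append(line.lstrip("#").strip())
            continue
        check_id = line.split()[0]  # anything after the ID is not inspected
        if check_id in seen:
            findings.append((no, check_id, "duplicate entry"))
        seen.add(check_id)
        has_url = any(URL_RE.search(c) for c in comments)
        has_reason = any(c and not URL_RE.fullmatch(c) for c in comments)
        if not has_reason:
            findings.append((no, check_id, "no reason comment"))
        if not has_url:
            findings.append((no, check_id, "no reference URL"))
        comments = []              # comments apply to the next ID only
    return findings

if __name__ == "__main__":
    for no, check_id, problem in audit_trivyignore(SAMPLE):
        print(f".trivyignore:{no}: {check_id}: {problem}")
```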
Inline ignores
- e.g.:
#trivy:ignore:AVD-GCP-0051
- Only work in certain file types, e.g. OpenTofu files
pre-commit hook
Usage:
- repo: https://github.com/mxab/pre-commit-trivy.git
  rev: v0.12.0
  hooks:
    - id: trivyconfig-docker
      args:
        - Containerfile