🤯
DevOps help for Azure Platform Engineers
  • Welcome!
  • Pages
    • About me
    • Need to know
      • SOW
      • Testing
        • End to end testing
          • Real-life example
        • Unit testing
          • Real-life example
      • Kubernetes
        • Kubernetes concepts
        • Kubernetes components
        • Questions You should have an answer for.
      • DevOps Lifecycle Management
      • The 12 Factor App
      • Zero Trust Model
        • Real life senarios
      • SIEM and SOAR
      • Cloud compliance
        • ISO/IEC 27001:2022
        • ISO 22301:2019
        • PCI DSS
        • CSA STAR
      • Public Cloud Security Frameworks
        • AWS SRA
        • MCRA
        • Google Cloud Architecture Framework: Security
      • Design for self healing
      • Guide to Blue-Green, Canary, and Rolling Deployments
    • Should Learn
      • Python
      • Terraform
        • Install
        • Terraform tools
          • TFLint
          • Terrascan
          • Chekov
          • Terraform-docs
        • Tips
          • Terraform For_each
          • Conditional Expressions
        • Testing
          • End-to-End (E2E) Testing
          • Terratest
          • Static Code testing
        • Functions
        • Modules
          • Create a Custom Terraform Module
        • Configuration
          • GCP
          • AWS
          • Azure
            • Authenticate Terraform to Azure
              • Specify service principal credentials in environment variables
              • Specify service principal credentials in a Terraform provider block
              • Service Principal for terraform
            • Store Terraform state in Azure Storage
            • Azurerm
            • AzAPI provider
            • Terraform with GitHub Actions
          • Kubernetes provider
          • Backend Best-Practise
      • Bicep
        • Template Spec for bicep
        • Integrate Bicep with Azure Pipelines
        • Bicep with GitHub Actions
        • Use inline scripts
        • Load script file
        • Kubernetes provider
        • Modules
          • Creating Azure Bicep modules 💪
      • Ansible
      • Puppet
      • AZ-CLI
        • Querying dictionary results
          • Advanced use of az-cli in bash
        • Available Azure CLI extensions
      • Azure PowerShell
        • Query output of Azure PowerShell
        • Format Azure PowerShell cmdlet output
        • Conversion to other data formats
        • AKS example
      • Linux
        • Commands
          • envsubst
          • SED
          • AWK
          • Ssh
            • How to Use SSH Config
            • Port Forwarding and Proxying Using OpenSSH
          • JQ
        • OS
          • Linux Tuning
          • Linux Permissions
          • How to avoid multiple sudo commands in one-liners
            • Bash Shortcuts Every Linux User Needs to Know
          • Linux File system hierarchy
        • Services
          • Tmux terminal
          • RDP
        • Configuration
          • Cloud-init
            • Cloud-init examples
      • Go-lang
      • Kubernetes
        • Tips
          • K8s Troubleshooting — Pod in Container Creating Status
          • Kubernetes: Resources for Pods and Containers
        • Tools
          • kubectl
          • kubectx | kubens
          • K8s — Kustomize
          • Helm
        • API
        • Service Mesh
          • Istio
          • Linkerd
        • Ingress controllers
          • Traefik
          • Nginx
          • Contour
          • Gloo Edge
          • Kong
        • Troubleshooting
          • Kubernetes Pod Troubleshooting Commands
      • YAML
        • yq
        • How to create Kubernetes YAML files
      • Java
      • Rust
    • DevOps
      • Tools to install
        • Visual Studio Code
        • PowerShell
          • Oh-my-Posh for PowerShell
          • Scoop for Windows
          • Chocolatey for Windows
        • .Net SDK
        • Azure-cli
        • Lunarvim
          • Lunarvim plugins
        • Winget for Windows
        • Nerd Fonts
        • Windows Terminal
        • Kubernetes
          • Linux
          • Windows
          • Minikube
            • Expose minikube to windows from wsl2
          • K8sgpt
          • Klone
        • WSL2
          • RHEL in WSL2
          • Fedora XX in WSL2
          • Logo-ls ( Icons in WSL terminal)
          • Azul Zulu Java
          • Make Your Terminal DevOps and Kubernetes Friendly
          • Bat a modern alternative to the cat
          • Homebrew
      • GitOps
        • Flux
          • Use GitOps with Flux, GitHub, and AKS to implement CI/CD
      • CI/CD Platforms
        • Azure DevOps
          • Pipelines
            • Create work item on failure
            • Stages
            • Extends
            • Jobs
            • Steps
          • Boards & Work Items
            • New work item
            • PR with work items
          • Azure DevOps: Managing Settings on a Per-Branch Basis
        • GitHub
          • GitHub Action
          • GitHub SecOps
        • GitHub Enterprise
        • Argo CD
          • ArgoCD reallife test
        • Tekton
          • Build and push an image with Tekton
        • Crossplane
          • Intro
          • Azure provider
          • AWS provider
          • GCP provider
        • Flagger
      • Agile Development
        • Team Agreements
          • Definition of Done
          • Definition of Ready
          • Team Manifesto
          • Sections of a Working Agreement
      • Testing
        • E2E Testing
          • E2E Testing Methods
        • Different Testing methods
        • Fault Injection Testing
        • Integration Testing
        • Performance Testing
          • Load Testing
            • Azure Load Testing
            • Apache JMeter
        • Smoke Testing
        • Templates
          • ~Customer Project~ Case Study
          • Insert Test Technique Name Here
      • Code Reviews
        • FAQ
      • Continuous Delivery
        • Secrets Management
        • Blue and Green Deployment in real-life
      • Continuous Integration
      • Documentation
        • Projects and Repositories
        • How to create a static website for your documentation based on mkdocs and mkdocs-material
        • Create Release Notes with pipeline
      • Observability
        • Dashboard
        • Logging
          • Collecting and visualizing Kubernetes events using Loki and Kubernetes Event Exporter for effective
          • Log Management and Distributed Tracing using Grafana Loki and Tempo
        • Metrics
          • Understanding SLI,SLO and SLA
        • Tracing
        • Observability as Code
        • Observability of CI/CD Pipelines
      • Reliability
      • Security
        • Rules of Engagement
        • Overview
        • Threat Modeling
        • Kubernetes
          • Build Phase
          • Deploy Phase
          • Runtime Phase
          • References
      • Source Control
        • Component Versioning
        • Merge strategies
        • Naming branches
        • Working with Secrets in Source Control
      • Engineering Fundamentals Checklist
      • Design
        • Non-Functional Requirements Capture
    • Dev SecOps
      • Real life examples
      • Dependency and Container Scanning
      • Penetration Testing
      • Credential Scanning
        • Running detect-secrets in Azure DevOps Pipelines
      • Secrets Rotation
        • Running detect-secrets in Azure DevOps Pipelines
        • Automate the rotation of a secret for resources that have two sets of authentication credentials
      • Static Code Analysis
        • SonarCloud Scans in AzDO
        • OWASP Zap Scan
        • Checkov
        • Mend ( WhiteSource )
        • Trivy
          • Trivy GitHub Actions
          • Azure DevOps Trivy sans
        • Terrascan
        • TFLint
        • TFSec
        • Configure the Microsoft Security DevOps Azure DevOps extension
        • ARM TTK
    • SRE
      • Toil
      • Simplicity
    • Public Clouds
      • Azure
        • Best Practise
          • Architecture Best Practises
          • Security Best Practise
          • Azure naming standards
          • Azure Tags
        • Azure landing zone
          • Terraform
          • Bicep
          • Landing Zone scenarios
            • AKS
            • OpenShift
            • AKS Cluster for Regulated Workloads
        • Services
          • Azure Databricks
            • Bicep
              • Workspace
            • Terraform
              • Manage Databricks workspaces
          • AKS
            • Terraform
            • Bicep
        • Monitoring
          • OpenTelemetry
            • .Net
      • Google Cloud
      • AWS
    • Private Cloud
    • Best Practises
      • Containers
        • Docker
          • Terraform
          • Bicep
          • Docker-compose
          • Dockerfile
        • Kubernetes
          • K8s tools
            • Kubens
            • Kubectx
            • Kubectl
            • Kustomize
            • K9s
            • Kubeval
            • Kubeaudit
            • Kubecfg
            • k8spacket
          • Kubernetes Best Practices
            • Resource limits
              • JVM memory limits
            • Network Policies
            • Pod security
          • Deployment
            • CI/CD for AKS apps with Azure Pipelines
            • CI/CD for AKS apps with GitHub Actions and GitFlow
          • Vcluster
        • OpenShift
Powered by GitBook
On this page
Edit on GitHub
  1. Pages
  2. Dev SecOps
  3. Static Code Analysis

Trivy

PreviousMend ( WhiteSource )NextTrivy GitHub Actions

Last updated 1 year ago

Trivy () is a comprehensive and versatile security scanner. Trivy has scanners that look for security issues, and targets where it can find those issues.

Targets (what Trivy can scan):

  • Container Image

  • Filesystem

  • Git Repository (remote)

  • Virtual Machine Image

  • Kubernetes

  • AWS

Scanners (what Trivy can find there):

  • OS packages and software dependencies in use (SBOM)

  • Known vulnerabilities (CVEs)

  • IaC issues and misconfigurations

  • Sensitive information and secrets

  • Software licenses

Trivy supports most popular programming languages, operating systems, and platforms. For a complete list, see the page.

To learn more, go to the for feature highlights, or to the for detailed information.

pronunciation
Scanning Coverage
Trivy homepage
Documentation site