Version: 2.28 (prerelease)

trivy


Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more

Backend: pants.backend.experimental.helm.lint.trivy

Config section: [trivy]

Basic options

args

--trivy-args="[<shell_str>, <shell_str>, ...]"
PANTS_TRIVY_ARGS
pants.toml
[trivy]
args = [
<shell_str>,
<shell_str>,
...,
]
default: []

Arguments to pass directly to Trivy, e.g. --trivy-args='--scanners vuln'.

severity

--trivy-severity="['<str>', '<str>', ...]"
PANTS_TRIVY_SEVERITY
pants.toml
[trivy]
severity = [
'<str>',
'<str>',
...,
]
default: []

Severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL)

skip

--[no-]trivy-skip
PANTS_TRIVY_SKIP
pants.toml
[trivy]
skip = <bool>
default: False

If true, don't use Trivy when running pants lint.

Advanced options

config

--trivy-config=<file_option>
PANTS_TRIVY_CONFIG
pants.toml
[trivy]
config = <file_option>
default: None

Path to the Trivy config file.

Setting this option will disable config discovery for the config file. Use this option if the config is located in a non-standard location.

config_discovery

--[no-]trivy-config-discovery
PANTS_TRIVY_CONFIG_DISCOVERY
pants.toml
[trivy]
config_discovery = <bool>
default: True

If true, Pants will include all relevant config files during runs.

Use [trivy].config instead if your config is in a non-standard location.

extra_env_vars

--trivy-extra-env-vars="['<str>', '<str>', ...]"
PANTS_TRIVY_EXTRA_ENV_VARS
pants.toml
[trivy]
extra_env_vars = [
'<str>',
'<str>',
...,
]
default: []

Additional environment variables that would be made available to all Trivy processes.

known_versions

--trivy-known-versions="['<str>', '<str>', ...]"
PANTS_TRIVY_KNOWN_VERSIONS
pants.toml
[trivy]
known_versions = [
'<str>',
'<str>',
...,
]
default:
[
  "0.57.0|macos_arm64|61230c8a56e463e8eba2bf922bc688b7bd40352187e1f725c79861b0801437f0|39193442",
  "0.57.0|macos_x86_64|e7955b6d38d8125d4aa8936e6af51b0de2b0e0840b4feb90b44002bf7f47bf13|41286618",
  "0.57.0|linux_arm64|29012fdb5ba18da506d1c8b6f389c2ec9d113db965c254971f35267ebb45dd64|37315561",
  "0.57.0|linux_x86_64|cf08a8cd861e5192631fc03bb21efde27c1d93e4407ab70bab32e572bafcbf07|40466119"
]

Known versions to verify downloads against.

Each element is a pipe-separated string of version|platform|sha256|length or version|platform|sha256|length|url_override, where:

  • version is the version string
  • platform is one of [linux_arm64,linux_x86_64,macos_arm64,macos_x86_64]
  • sha256 is the 64-character hex representation of the expected sha256 digest of the download file, as emitted by shasum -a 256
  • length is the expected length of the download file in bytes, as emitted by wc -c
  • (Optional) url_override is a specific url to use instead of the normally generated url for this version

E.g., 3.1.2|macos_x86_64|6d0f18cd84b918c7b3edd0203e75569e0c7caecb1367bbbe409b44e28514f5be|42813 and 3.1.2|macos_arm64 |aca5c1da0192e2fd46b7b55ab290a92c5f07309e7b0ebf4e45ba95731ae98291|50926|https://example.mac.org/bin/v3.1.2/mac-aarch64-v3.1.2.tgz.

Values are space-stripped, so pipes can be indented for readability if necessary.

url_platform_mapping

--trivy-url-platform-mapping="{'key1': val1, 'key2': val2, ...}"
PANTS_TRIVY_URL_PLATFORM_MAPPING
pants.toml
[trivy.url_platform_mapping]
key1 = val1
key2 = val2
...
default:
{
  "linux_arm64": "Linux-ARM64",
  "linux_x86_64": "Linux-64bit",
  "macos_arm64": "macOS-ARM64",
  "macos_x86_64": "macOS-64bit"
}

A dictionary mapping platforms to strings to be used when generating the URL to download the tool.

In --url-template, anytime the {platform} string is used, Pants will determine the current platform, and substitute {platform} with the respective value from your dictionary.

For example, if you define {"macos_x86_64": "apple-darwin", "linux_x86_64": "unknown-linux"}, and run Pants on Linux with an intel architecture, then {platform} will be substituted in the --url-template option with unknown-linux.

url_template

--trivy-url-template=<str>
PANTS_TRIVY_URL_TEMPLATE
pants.toml
[trivy]
url_template = <str>
default: https://github.com/aquasecurity/trivy/releases/download/v{version}/trivy_{version}_{platform}.tar.gz

URL to download the tool, either as a single binary file or a compressed file (e.g. zip file). You can change this to point to your own hosted file, e.g. to work with proxies or for access via the filesystem through a file:$abspath URL (e.g. file:/this/is/absolute, possibly by templating the buildroot in a config file).

Use {version} to have the value from --version substituted, and {platform} to have a value from --url-platform-mapping substituted in, depending on the current platform. For example, https://github.com/.../protoc-{version}-{platform}.zip.
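The three options above (known_versions, url_platform_mapping and url_template) together determine where Pants fetches the Trivy binary from and how it decides whether to trust what it fetched. The following is an added example, not Pants' own code: it resolves the download URL from the template and platform mapping, parses known_versions entries (including the optional url_override and the space-stripping rule), and accepts an archive only when both the byte length and the sha256 digest match the pin. The default values are copied from this page; the helper names, the 9.9.9 pin and the mirror URL are assumptions constructed for the example.

```python
"""Added example (not Pants' own code): resolve and verify a Trivy download
from the [trivy] url_template, url_platform_mapping and known_versions options.
Helper names and the sample 9.9.9 pin are assumptions made for illustration."""
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Defaults as listed in the option reference above.
URL_TEMPLATE = ("https://github.com/aquasecurity/trivy/releases/download/"
                "v{version}/trivy_{version}_{platform}.tar.gz")
URL_PLATFORM_MAPPING: Dict[str, str] = {
    "linux_arm64": "Linux-ARM64",
    "linux_x86_64": "Linux-64bit",
    "macos_arm64": "macOS-ARM64",
    "macos_x86_64": "macOS-64bit",
}
DEFAULT_KNOWN_VERSIONS = [
    "0.57.0|macos_arm64|61230c8a56e463e8eba2bf922bc688b7bd40352187e1f725c79861b0801437f0|39193442",
    "0.57.0|macos_x86_64|e7955b6d38d8125d4aa8936e6af51b0de2b0e0840b4feb90b44002bf7f47bf13|41286618",
    "0.57.0|linux_arm64|29012fdb5ba18da506d1c8b6f389c2ec9d113db965c254971f35267ebb45dd64|37315561",
    "0.57.0|linux_x86_64|cf08a8cd861e5192631fc03bb21efde27c1d93e4407ab70bab32e572bafcbf07|40466119",
]


@dataclass(frozen=True)
class KnownVersion:
    version: str
    platform: str
    sha256: str
    length: int
    url_override: Optional[str] = None


def parse_known_version(entry: str) -> KnownVersion:
    """Parse 'version|platform|sha256|length' or '...|length|url_override'.

    Fields are space-stripped, so pipes may be indented for readability.
    Malformed pins are rejected outright rather than silently accepted.
    """
    fields = [f.strip() for f in entry.split("|")]
    if len(fields) not in (4, 5):
        raise ValueError(f"expected 4 or 5 fields, got {len(fields)}: {entry!r}")
    version, platform, sha256, length = fields[:4]
    if platform not in URL_PLATFORM_MAPPING:
        raise ValueError(f"unknown platform {platform!r}")
    sha256 = sha256.lower()
    if len(sha256) != 64 or not set(sha256) <= set("0123456789abcdef"):
        raise ValueError(f"sha256 must be 64 hex characters: {sha256!r}")
    if not length.isdigit():
        raise ValueError(f"length must be a byte count: {length!r}")
    override = fields[4] if len(fields) == 5 else None
    return KnownVersion(version, platform, sha256, int(length), override)


def select_known_version(entries: Iterable[str], version: str, platform: str) -> KnownVersion:
    """Find the pin for the requested version on the current platform, or fail."""
    for entry in entries:
        kv = parse_known_version(entry)
        if kv.version == version and kv.platform == platform:
            return kv
    raise LookupError(f"no known_versions entry for {version} on {platform}")


def download_url(kv: KnownVersion, url_template: str = URL_TEMPLATE,
                 mapping: Dict[str, str] = URL_PLATFORM_MAPPING) -> str:
    """url_override wins; otherwise substitute {version} and the mapped {platform}."""
    if kv.url_override:
        return kv.url_override
    return url_template.format(version=kv.version, platform=mapping[kv.platform])


def verify_download(data: bytes, kv: KnownVersion) -> bool:
    """Accept the archive only if both the byte length and the sha256 digest match.

    The length check is a cheap early reject; the digest is what actually binds
    the bytes to the pin, so a same-length tampered archive still fails.
    """
    if len(data) != kv.length:
        return False
    return hashlib.sha256(data).hexdigest() == kv.sha256


# Constructed sample archive and a pin computed from it (not a real Trivy release).
FAKE_ARCHIVE = b"constructed stand-in for trivy_9.9.9_Linux-64bit.tar.gz\n"
FAKE_PIN = (f"9.9.9 | linux_x86_64 | {hashlib.sha256(FAKE_ARCHIVE).hexdigest()} "
            f"| {len(FAKE_ARCHIVE)} | https://mirror.example.internal/trivy-9.9.9.tar.gz")


if __name__ == "__main__":
    for entry in DEFAULT_KNOWN_VERSIONS:
        kv = parse_known_version(entry)
        print(kv.platform, "->", download_url(kv))
    pin = select_known_version([FAKE_PIN], "9.9.9", "linux_x86_64")
    print("mirror URL:", download_url(pin))
    print("intact archive verifies:", verify_download(FAKE_ARCHIVE, pin))
    tampered = FAKE_ARCHIVE[:-1] + b"?"  # same length, one byte changed
    print("tampered archive verifies:", verify_download(tampered, pin))
```

When you bump [trivy].version past what is pinned by default, produce the matching known_versions entry from the real release archive with shasum -a 256 and wc -c, as the option text describes; without a pin for the new version and platform the lookup above fails closed, which is the behaviour you want from a supply-chain check.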

use_unsupported_version

--trivy-use-unsupported-version=<UnsupportedVersionUsage>
PANTS_TRIVY_USE_UNSUPPORTED_VERSION
pants.toml
[trivy]
use_unsupported_version = <UnsupportedVersionUsage>
one of: error, warning
default: error

What action to take in case the requested version of Trivy is not supported.

Supported Trivy versions: unspecified

version

--trivy-version=<str>
PANTS_TRIVY_VERSION
pants.toml
[trivy]
version = <str>
default: 0.57.0

Use this version of Trivy.

Deprecated options

None
