According to the official documentation, Trivy is a comprehensive and versatile security scanner. Trivy has scanners that look for security issues, and targets where it can find those issues.
When Trivy is enabled in the integration test, the Trivy GitHub action scans either the repository (fs type) or a Docker image (image type) for vulnerabilities.
The result will be available in the integration test output.
- Environment variables take precedence over configuration set by the `trivy-fs-config` or `trivy-image-config` parameters.
If no customization is needed, the test can be enabled by setting the `trivy-fs-enabled` parameter to `true`. For fs scans, `trivy-fs-ref` defaults to `"."`.

With the default configuration, the scan fails with exit code 1 when high or critical vulnerabilities are found.

Custom configuration for either type of test can be placed in a `trivy.yaml` file stored in the repository. Its location is set in the `trivy-fs-config` and/or `trivy-image-config` parameters.
```yaml
jobs:
  integration-tests:
    uses: canonical/operator-workflows/.github/workflows/integration_test.yaml@main
    secrets: inherit
    with:
      trivy-fs-enabled: true
```
Since `trivy-fs-ref` is not set, the current directory (the repository root) is used as the scan target.
```yaml
jobs:
  integration-tests:
    uses: canonical/operator-workflows/.github/workflows/integration_test.yaml@main
    secrets: inherit
    with:
      trivy-fs-enabled: true
      trivy-fs-config: tests/trivy/trivy.yaml
```
Example `trivy.yaml` content:

```yaml
format: json
exit-code: 1
severity: CRITICAL
```

See the Trivy config file documentation for the full list of options.
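As an added example (not part of the original page or of the operator-workflows project), the following script triages a report produced with `format: json` the way the `severity` and `exit-code` settings do, so the threshold applied in the integration test can be reproduced on its output locally. The embedded report and its vulnerability IDs are constructed placeholders.

```python
"""Triage a Trivy JSON report (schema v2) the way the workflow's settings do.

The SAMPLE_REPORT below is constructed; the vulnerability IDs are placeholders.
"""
import json

# Shape of Trivy's `format: json` output: Results[].Vulnerabilities[] with a
# Severity per finding. Targets without findings carry no "Vulnerabilities" key.
SAMPLE_REPORT = json.loads("""
{"SchemaVersion": 2, "ArtifactName": ".", "ArtifactType": "filesystem",
 "Results": [
  {"Target": "requirements.txt", "Class": "lang-pkgs", "Type": "pip",
   "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "examplelib",
     "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "otherlib",
     "InstalledVersion": "2.3.0", "FixedVersion": "", "Severity": "CRITICAL"}]},
  {"Target": "src/app.py", "Class": "lang-pkgs", "Type": "pip"}]}
""")


def select_findings(report: dict, severities: set[str]) -> list[dict]:
    """Return findings whose Severity is in `severities` (Trivy's `severity` filter)."""
    hits = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity", "UNKNOWN") in severities:
                hits.append({
                    "target": result.get("Target"),
                    "id": vuln.get("VulnerabilityID"),
                    "package": f'{vuln.get("PkgName")} {vuln.get("InstalledVersion")}',
                    "fixed": vuln.get("FixedVersion") or "no fix available",
                    "severity": vuln["Severity"],
                })
    return hits


def exit_code(report: dict, severities: set[str], fail_code: int = 1) -> int:
    """Mirror `exit-code: 1`: non-zero only if a selected finding exists."""
    return fail_code if select_findings(report, severities) else 0


if __name__ == "__main__":
    # Workflow default (HIGH and CRITICAL) versus the custom config above (CRITICAL only).
    for wanted in ({"HIGH", "CRITICAL"}, {"CRITICAL"}):
        hits = select_findings(SAMPLE_REPORT, wanted)
        print(sorted(wanted), "-> exit", exit_code(SAMPLE_REPORT, wanted))
        for hit in hits:
            print(f"  {hit['severity']:8} {hit['id']} {hit['package']} (fixed: {hit['fixed']})")
```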