{{- /*

*/ -}}

{{- define "extra.docsSection" -}}

---

title: "Trivy SBOM"

category: "scanner"

type: "Container"

state: "released"

appVersion: "{{ template "chart.appVersion" . }}"

usecase: "Container Dependency Scanner"

---

{{- end }}

{{- define "extra.dockerDeploymentSection" -}}

## Supported Tags

- `latest` (represents the latest stable release build)

- tagged releases, e.g. `{{ template "chart.appVersion" . }}`

{{- end }}

{{- define "extra.chartAboutSection" -}}

## What is Trivy SBOM?

`Trivy` (`tri` pronounced like **tri**gger, `vy` pronounced like en**vy**) is a simple and comprehensive vulnerability scanner for containers and other artifacts.

A software vulnerability is a glitch, flaw, or weakness present in the software or in an Operating System.

`Trivy` detects vulnerabilities of OS packages (Alpine, RHEL, CentOS, etc.) and application dependencies (Bundler, Composer, npm, yarn, etc.).

`Trivy` is easy to use. Just install the binary, and you're ready to scan. All you need to do for scanning is to specify a target such as an image name of the container.

To learn more about the Trivy scanner itself visit [Trivy's GitHub Repository](https://github.com/aquasecurity/trivy).

This chart uses Trivy's SBOM support to generate Software Bills of Material in CycloneDX format for container images.

{{- end }}

{{- define "extra.scannerConfigurationSection" -}}

## Scanner Configuration

The following SBOM generation configuration example is based on the [Trivy Documentation](https://aquasecurity.github.io/trivy/), please take a look at the original documentation for more configuration examples.

Currently we support the following scanType, corresponding to the trivy scanning modes:

- scanType: "trivy-sbom-image"

- parameters: `[YOUR_IMAGE_NAME]`

Simply specify an image name (and a tag) when you use the scanType `trivy-sbom-image`.

A complete example is listed below in our [example docs section](https://www.securecodebox.io/docs/scanners/trivy/#examples).

{{- end }}

{{- define "extra.chartConfigurationSection" -}}

{{- end }}

{{- define "extra.scannerLinksSection" -}}

{{- end }}

# SPDX-FileCopyrightText: the secureCodeBox authors

#

# SPDX-License-Identifier: Apache-2.0

# Patterns to ignore when building packages.

# This supports shell glob matching, relative path matching, and

# negation (prefixed with !). Only one pattern per line.

.DS_Store

# Common VCS dirs

.git/

.gitignore

.bzr/

.bzrignore

.hg/

.hgignore

.svn/

# Common backup files

*.swp

*.bak

*.tmp

*~

# Various IDEs

.project

.idea/

*.tmproj

.vscode/

# Node.js files

node_modules/*

package.json

package-lock.json

src/*

config/*

Dockerfile

.dockerignore

*.tar

parser/*

scanner/*

integration-tests/*

examples/*

docs/*

Makefile

apiVersion: v2

name: trivy-sbom

description: A Helm chart for the trivy-sbom security scanner that integrates with the secureCodeBox.

type: application

version: v3.1.0-alpha1

appVersion: "0.45.0"

kubeVersion: ">=v1.11.0-0"

annotations:

versionApi: https://api.github.com/repos/aquasecurity/trivy/releases/latest

supported-platforms: linux/amd64,linux/arm64,linux/ppc64le,linux/s390x

keywords:

- security

- trivy

- sbom

- cyclonedx

- image-scanning

- scanner

- secureCodeBox

home: https://www.securecodebox.io/docs/scanners/trivy-sbom

icon: https://www.securecodebox.io/img/integrationIcons/Trivy.svg

sources:

- https://github.com/secureCodeBox/secureCodeBox

maintainers:

- name: iteratec GmbH

email: secureCodeBox@iteratec.com

include_guard = set

scanner = trivy-sbom

include ../../scanners.mk

title: "Trivy SBOM"

category: "scanner"

type: "Container"

state: "released"

appVersion: "0.45.0"

usecase: "Container Dependency Scanner"

<p align="center">

<a href="https://opensource.org/licenses/Apache-2.0"><img alt="License Apache-2.0" src="https://img.shields.io/badge/License-Apache%202.0-blue.svg"/></a>

<a href="https://github.com/secureCodeBox/secureCodeBox/releases/latest"><img alt="GitHub release (latest SemVer)" src="https://img.shields.io/github/v/release/secureCodeBox/secureCodeBox?sort=semver"/></a>

<a href="https://owasp.org/www-project-securecodebox/"><img alt="OWASP Lab Project" src="https://img.shields.io/badge/OWASP-Lab%20Project-yellow"/></a>

<a href="https://artifacthub.io/packages/search?repo=securecodebox"><img alt="Artifact HUB" src="https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/securecodebox"/></a>

<a href="https://github.com/secureCodeBox/secureCodeBox/"><img alt="GitHub Repo stars" src="https://img.shields.io/github/stars/secureCodeBox/secureCodeBox?logo=GitHub"/></a>

<a href="https://twitter.com/securecodebox"><img alt="Twitter Follower" src="https://img.shields.io/twitter/follow/securecodebox?style=flat&color=blue&logo=twitter"/></a>

</p>

`Trivy` (`tri` pronounced like **tri**gger, `vy` pronounced like en**vy**) is a simple and comprehensive vulnerability scanner for containers and other artifacts.

A software vulnerability is a glitch, flaw, or weakness present in the software or in an Operating System.

`Trivy` detects vulnerabilities of OS packages (Alpine, RHEL, CentOS, etc.) and application dependencies (Bundler, Composer, npm, yarn, etc.).

`Trivy` is easy to use. Just install the binary, and you're ready to scan. All you need to do for scanning is to specify a target such as an image name of the container.

To learn more about the Trivy scanner itself visit [Trivy's GitHub Repository](https://github.com/aquasecurity/trivy).

This chart uses Trivy's SBOM support to generate Software Bills of Material in CycloneDX format for container images.

The trivy-sbom chart can be deployed via helm:

helm upgrade --install trivy-sbom secureCodeBox/trivy-sbom

The following SBOM generation configuration example is based on the [Trivy Documentation](https://aquasecurity.github.io/trivy/), please take a look at the original documentation for more configuration examples.

Currently we support the following scanType, corresponding to the trivy scanning modes:

- scanType: "trivy-sbom-image"

- parameters: `[YOUR_IMAGE_NAME]`

Simply specify an image name (and a tag) when you use the scanType `trivy-sbom-image`.

A complete example is listed below in our [example docs section](https://www.securecodebox.io/docs/scanners/trivy/#examples).

Kubernetes: `>=v1.11.0-0`

| Key | Type | Default | Description |

|-----|------|---------|-------------|

| cascadingRules.enabled | bool | `false` | Enables or disables the installation of the default cascading rules for this scanner |

| imagePullSecrets | list | `[]` | Define imagePullSecrets when a private registry is used (see: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/) |

| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) |

| parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) |

| parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images |

| parser.image.repository | string | `"docker.io/securecodebox/parser-cyclonedx"` | Parser image repository |

| parser.image.tag | string | defaults to the charts version | Parser image tag |

| parser.resources | object | { requests: { cpu: "200m", memory: "100Mi" }, limits: { cpu: "400m", memory: "200Mi" } } | Optional resources lets you control resource limits and requests for the parser container. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |

| parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. |

| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) |

| parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the Kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |

| scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) |

| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) |

| scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) |

| scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) |

| scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) |

| scanner.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |

| scanner.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |

| scanner.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images |

| scanner.image.repository | string | `"docker.io/aquasec/trivy"` | Container Image to run the scan |

| scanner.image.tag | string | `nil` | defaults to the charts appVersion |

| scanner.nameAppend | string | `nil` | append a string to the default scantype name. |

| scanner.podSecurityContext | object | `{}` | Optional securityContext set on scanner pod (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |

| scanner.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) |

| scanner.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"privileged":false,"readOnlyRootFilesystem":false,"runAsNonRoot":false}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |

| scanner.securityContext.allowPrivilegeEscalation | bool | `false` | Ensure that users privileges cannot be escalated |

| scanner.securityContext.capabilities.drop[0] | string | `"all"` | This drops all linux privileges from the container. |

| scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode |

| scanner.securityContext.readOnlyRootFilesystem | bool | `false` | Prevents write access to the containers file system |

| scanner.securityContext.runAsNonRoot | bool | `false` | Enforces that the scanner image is run as a non root user |

| scanner.suspend | bool | `false` | if set to true the scan job will be suspended after creation. You can then resume the job using `kubectl resume <jobname>` or using a job scheduler like kueue |

| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) |

| scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the Kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |

[](https://opensource.org/licenses/Apache-2.0)

Code of secureCodeBox is licensed under the [Apache License 2.0][scb-license].

[scb-owasp]: https://www.owasp.org/index.php/OWASP_secureCodeBox

[scb-docs]: https://www.securecodebox.io/

[scb-site]: https://www.securecodebox.io/

[scb-github]: https://github.com/secureCodeBox/

[scb-twitter]: https://twitter.com/secureCodeBox

[scb-slack]: https://join.slack.com/t/securecodebox/shared_invite/enQtNDU3MTUyOTM0NTMwLTBjOWRjNjVkNGEyMjQ0ZGMyNDdlYTQxYWQ4MzNiNGY3MDMxNThkZjJmMzY2NDRhMTk3ZWM3OWFkYmY1YzUxNTU

[scb-license]: https://github.com/secureCodeBox/secureCodeBox/blob/master/LICENSE