Giter Club home page Giter Club logo

pre-commit-trivy's Introduction

pre-commit-trivy

Add this to your pre-commit .pre-commit-config.yaml config.

You can use trivy fs flags to configure Trivy filesytem scans. Insert the required flags in the args field.

You can also use the trivyconfig-docker` to scan for misconfigurations trivy config

trivyfs-docker

pre-commit will use the aquasec/trivy:0.48.1 docker image and run it inside a docker container.

repos:
-   repo: https://github.com/mxab/pre-commit-trivy.git
    rev: v0.10.0
    hooks:
    -   id: trivyfs-docker
        args:
          - --skip-dirs
          - ./tests
          - . # last arg indicates the path/file to scan
    -   id: trivyconfig-docker
        args:
          - --skip-dirs
          - ./tests
          - . # last arg indicates the path/file to scan

Cache

The hook will create a cache directory .pre-commit-trivy-cache in your repo. Add it to the .gitignore.

echo ".pre-commit-trivy-cache" >> .gitignore

Example

You can find a sample use case here https://github.com/mxab/trivy-pre-commit-demo

pre-commit-trivy's People

Contributors

jmreicha avatar kstevensonnv avatar mxab avatar smelchior avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar

Forkers

dirsigler jmreicha apollocatlin meysam81 smelchior da-moon

pre-commit-trivy's Issues

No cache files create 

trivyfs-docker...........................................................Failed
- hook id: trivyfs-docker
- exit code: 1

Incorrect Usage: flag provided but not defined: -cache-dir

Upon running v0.2.0 of the pre-commit hook, no cache files are create (I tried creating them manually too), I am met with the above error and am pretty sure the --cache-dir arg needs setting here

pre-commit-trivy/.pre-commit-hooks.yaml

Line 4 in 0b1d397

entry: aquasec/trivy fs --cache-dir /src/.pre-commit-trivv-cache --exit-code 1
before the fs not after e.g. trivy --cache-dir /src/.pre-commit-trivv-cache fs .

Only scan staged files

Is it possible that it only scans the files staged for commit, as it is common for other hooks?

Hook for linting IaC configs?

Stumbled across repo this from a discussion in the Trivy repo regarding pre-commit hooks. Was wondering if you would be interested in adding support for the config flag for e.g. scanning Dockerfiles and other IaC? I can create a PR to add if so.

Shared/global trivy cache

Thoughts on using ~/.pre-commit-trivy-cache as the cache location to avoid pulling the db for every repo?

Add LICENCE

Please add a Licence, ideally, MIT, otherwise your hooks is not usable for legal reason

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.