Plugins

    Trivy plugins are add-on tools that integrate seamlessly with Trivy. They provide a way to extend the core feature set of Trivy, but without requiring every new feature to be written in Go and added to the core tool.

    • They can be added and removed from a Trivy installation without impacting the core Trivy tool.
    • They can be written in any programming language.
    • They integrate with Trivy, and will show up in Trivy help and subcommands.

    Warning

    Trivy plugins available in public are not audited for security. You should install and run third-party plugins at your own risk, since they are arbitrary programs running on your machine.

    Installing a Plugin

    A plugin can be installed using the command. This command takes a url and will download the plugin and install it in the plugin cache.

    Trivy adheres to the XDG specification, so the location depends on whether XDG_DATA_HOME is set. Trivy will now search XDG_DATA_HOME for the location of the Trivy plugins cache. The preference order is as follows:

    • XDG_DATA_HOME if set and .trivy/plugins exists within the XDG_DATA_HOME dir
    • ~/.trivy/plugins

    Under the hood Trivy leverages to download plugins. This means the following protocols are supported for downloading plugins:

    • OCI Registries
    • Local Files
    • Git
    • HTTP/HTTPS
    • Mercurial
    • Amazon S3
    • Google Cloud Storage

    Once the plugin is installed, Trivy will load all available plugins in the cache on the start of the next Trivy execution. A plugin will be made in the Trivy CLI based on the plugin name. To display all plugins, you can list them by trivy --help

    1. $ trivy --help
    2. NAME:
    3.    trivy - A simple and comprehensive vulnerability scanner for containers
    5.    trivy [global options] command [command options] target
    7. VERSION:
    8.    dev
    10. COMMANDS:
    11.    image, i          scan an image
    12.    filesystem, fs    scan local filesystem
    13.    repository, repo  scan remote repository
    14.    client, c         client mode
    15.    server, s         server mode
    16.    plugin, p         manage plugins
    18.    help, h           Shows a list of commands or help for one command

    As shown above, kubectl subcommand exists in the COMMANDS section. To call the kubectl plugin and scan existing Kubernetes deployments, you can execute the following command:

    Internally the kubectl plugin calls the kubectl binary to fetch information about that deployment and passes the using images to Trivy. You can see the detail here.

    If you want to omit even the subcommand, you can use TRIVY_RUN_AS_PLUGIN environment variable.

    1. $ TRIVY_RUN_AS_PLUGIN=kubectl trivy job your-job -- --format json

    Installing and Running Plugins on the fly

    trivy plugin run installs a plugin and runs it on the fly. If the plugin is already present in the cache, the installation is skipped.

    Specify a plugin name with trivy plugin uninstall command.

    1. $ trivy plugin uninstall kubectl

    Building Plugins

    In the example above, the plugin is contained inside of a directory named your-plugin. It has two files: plugin.yaml (required) and an executable script, your-plugin.sh (optional).

    The core of a plugin is a simple YAML file named plugin.yaml. Here is an example YAML of trivy-plugin-kubectl plugin that adds support for Kubernetes scanning.

    1. name: "kubectl"
    2. repository: github.com/aquasecurity/trivy-plugin-kubectl
    3. version: "0.1.0"
    4. usage: scan kubectl resources
    5. description: |-
    6.   A Trivy plugin that scans the images of a kubernetes resource.
    7.   Usage: trivy kubectl TYPE[.VERSION][.GROUP] NAME
    8.   - selector: # optional
    10.       arch: amd64
    11.     uri: ./trivy-kubectl # where the execution file is (local file, http, git, etc.)
    12.     bin: ./trivy-kubectl # path to the execution file
    13.   - selector: # optional
    14.       os: linux
    15.       arch: amd64
    16.     uri: https://github.com/aquasecurity/trivy-plugin-kubectl/releases/download/v0.1.0/trivy-kubectl.tar.gz
    17.     bin: ./trivy-kubectl

    The plugin.yaml field should contain the following information:

    • name: The name of the plugin. This also determines how the plugin will be made available in the Trivy CLI. For example, if the plugin is named kubectl, you can call the plugin with trivy kubectl. (required)
    • version: The version of the plugin. (required)
    • usage: A short usage description. (required)
    • description: A long description of the plugin. This is where you could provide a helpful documentation of your plugin. (required)
    • platforms: (required)
    • selector: The OS/Architecture specific variations of a execution file. (optional)
      • os: OS information based on GOOS (linux, darwin, etc.) (optional)
      • arch: The architecture information based on GOARCH (amd64, arm64, etc.) (optional)
    • uri: Where the executable file is. Relative path from the root directory of the plugin or remote URL such as HTTP and S3. (required)
    • bin: Which file to call when the plugin is executed. Relative path from the root directory of the plugin. (required)

    The following rules will apply in deciding which platform to select:

    • If both os and arch under selector match the current platform, search will stop and the platform will be used.
    • If selector is not present, the platform will be used.
    • If os matches and there is no more specific arch match, the platform will be used.

    After determining platform, Trivy will download the execution file from uri and store it in the plugin cache. When the plugin is called via Trivy CLI, command will be executed.

    The plugin is responsible for handling flags and arguments. Any arguments are passed to the plugin from the trivy command.