
Trivy GitLab CI Component

A GitLab CI component for Trivy — the all-in-one security scanner covering container images, filesystems, repositories, Kubernetes clusters, SBOMs, and license compliance. Plug these templates directly into your pipelines to get repeatable scans, GitLab-native reports, and portable artifacts with almost no shell scripting.

Features

  • Full Surface Coverage: Containers, filesystems, root filesystems, Git repositories, VMs, SBOMs, Kubernetes clusters, and more.
  • Multiple Scanners: Vulnerability, misconfiguration/IaC, secret, and license scanning with per-job controls.
  • GitLab Reports: Emits Container Scanning, JUnit, SARIF, and JSON artifacts ready for merge-request insights.
  • Customizable Inputs: Every template exposes knobs for severities, scanners, timeouts, package types, and artifacts.
  • Composable Templates: Mix remote or local scans, SBOM workflows, Rekor attestations, and IaC checks from one component namespace.

Usage

Basic Usage

include:
  - component: $CI_SERVER_FQDN/niclas-zone/ci/trivy/main@latest

stages:
  - test

Remote Image With Custom Severity

include:
  - component: $CI_SERVER_FQDN/niclas-zone/ci/trivy/main@latest
    inputs:
      job_name: "security:remote"
      TRIVY_SCAN_REMOTE_IMAGE: "registry.gitlab.com/group/app:latest"
      severity: "CRITICAL,HIGH,MEDIUM"
      exit_on_vulnerability: true

stages:
  - test

Local Tar / OCI Layout Scan

include:
  - component: $CI_SERVER_FQDN/niclas-zone/ci/trivy/main@latest
    inputs:
      job_name: "security:local"
      TRIVY_SCAN_LOCAL_IMAGES: "dist/"
      TRIVY_SCANNERS: "vuln,secret"
      exit_on_vulnerability: false

stages:
  - test

Component Inputs & Templates

Each template below lists its available inputs and defaults as defined in the component spec, followed by a minimal working example.

Component: templates/main.yml

| Input | Description | Default |
| --- | --- | --- |
| job_name | Name of the CI job | "trivy scanning" |
| stage | Pipeline stage | "test" |
| image | Container image running Trivy | "ghcr.io/aquasecurity/trivy:0.68.1" |
| TRIVY_NEEDED_STAGE | Stage that must finish before Trivy runs | "build" |
| TRIVY_SCAN_REMOTE_IMAGE | Remote image to scan | "" |
| TRIVY_SCAN_LOCAL_IMAGES | Path to tar/OCI inputs (searches . when empty) | "" |
| TRIVY_SCANNERS | Comma-separated scanners | "vuln,secret,misconfig" |
| severity | Severities to include | "CRITICAL,HIGH" |
| exit_on_vulnerability | Fail job when issues found | true |
| TRIVY_EXTRA_ARGS | Additional CLI flags | "" |
| allow_failure | Allow job failure without failing pipeline | false |

Example

include:
  - component: $CI_SERVER_FQDN/niclas-zone/ci/trivy/main@latest
    inputs:
      job_name: "trivy:basic"
      TRIVY_SCAN_REMOTE_IMAGE: "nginx:latest"

Component: templates/target_container.yml

| Input | Description | Default |
| --- | --- | --- |
| job_name | CI job name | "trivy:scan:containers" |
| stage | Pipeline stage | "test" |
| image | Trivy container image | "ghcr.io/aquasecurity/trivy:0.68.1" |
| TRIVY_SCAN_REMOTE_IMAGE | Remote image reference | "" |
| TRIVY_SCAN_LOCAL_IMAGES | Directory/tar for local scans | "" |
| TRIVY_SCANNERS | Enabled scanners | "vuln,secret,misconfig" |
| TRIVY_IMAGE_SRC | Image source backend (remote/docker/...) | "" |
| severity | Severities | "CRITICAL,HIGH" |
| exit_on_vulnerability | Fail on severity match | true |
| TRIVY_IGNORE_UNFIXED | Ignore issues without fixes | true |
| TRIVY_PKG_TYPES | Package types | "os,library" |
| TRIVY_VULN_TYPE | Deprecated alias for pkg types | "" |
| TRIVY_TIMEOUT | Command timeout | "10m" |
| TRIVY_EXTRA_ARGS | Extra CLI args | "" |
| TRIVY_DB_REPOSITORY | Custom DB mirror | "" |
| TRIVY_JAVA_DB_REPOSITORY | Custom Java DB mirror | "" |
| TRIVY_SKIP_FILES | File glob exclusions | "" |
| TRIVY_SKIP_DIRS | Directory exclusions | "" |
| allow_failure | Allow failure without failing pipeline | false |

Example

include:
  - component: $CI_SERVER_FQDN/niclas-zone/ci/trivy/target_container@latest
    inputs:
      job_name: "trivy:containers"
      TRIVY_SCAN_REMOTE_IMAGE: "registry.gitlab.com/group/service:latest"
      TRIVY_SCANNERS: "vuln,secret"
      exit_on_vulnerability: true

Component: templates/target_filesystem.yml

| Input | Description | Default |
| --- | --- | --- |
| job_name | CI job name | "trivy:scan:filesystem" |
| stage | Pipeline stage | "test" |
| image | Trivy image | "ghcr.io/aquasecurity/trivy:0.68.1" |
| TRIVY_FS_PATH | File or directory to scan | "." |
| TRIVY_SCANNERS | Enabled scanners | "vuln,secret" |
| severity | Severities | "CRITICAL,HIGH" |
| exit_on_vulnerability | Fail on severity match | true |
| TRIVY_IGNORE_UNFIXED | Ignore unfixed issues | true |
| TRIVY_PKG_TYPES | Package types | "os,library" |
| TRIVY_TIMEOUT | Timeout | "10m" |
| TRIVY_SKIP_FILES | File globs to skip | "" |
| TRIVY_SKIP_DIRS | Directories to skip | "" |
| TRIVY_EXTRA_ARGS | Extra CLI args | "" |
| TRIVY_REPORT_BASENAME | Artifact base name | "filesystem-scan" |
| allow_failure | Allow job failure | false |

Example

include:
  - component: $CI_SERVER_FQDN/niclas-zone/ci/trivy/target_filesystem@latest
    inputs:
      TRIVY_FS_PATH: "services/api"
      TRIVY_SCANNERS: "vuln,misconfig,secret"

Component: templates/target_rootfs.yml

| Input | Description | Default |
| --- | --- | --- |
| job_name | Job name | "trivy:scan:rootfs" |
| stage | Stage | "test" |
| image | Trivy image | "ghcr.io/aquasecurity/trivy:0.68.1" |
| TRIVY_ROOTFS_PATH | Root filesystem path | "/" |
| TRIVY_SCANNERS | Scanners | "vuln,secret" |
| severity | Severities | "CRITICAL,HIGH" |
| exit_on_vulnerability | Fail job on findings | true |
| TRIVY_IGNORE_UNFIXED | Ignore unfixed | true |
| TRIVY_PKG_TYPES | Package types | "os,library" |
| TRIVY_TIMEOUT | Timeout | "10m" |
| TRIVY_SKIP_FILES | Files to skip | "" |
| TRIVY_SKIP_DIRS | Directories to skip | "" |
| TRIVY_EXTRA_ARGS | Extra args | "" |
| TRIVY_REPORT_BASENAME | Artifact basename | "rootfs-scan" |
| allow_failure | Allow failure | false |

Example

include:
  - component: $CI_SERVER_FQDN/niclas-zone/ci/trivy/target_rootfs@latest
    inputs:
      TRIVY_ROOTFS_PATH: "/mnt/root"
      TRIVY_SCANNERS: "vuln"

Component: templates/target_repository.yml

| Input | Description | Default |
| --- | --- | --- |
| job_name | Job name | "trivy:scan:repo" |
| stage | Stage | "test" |
| image | Trivy image | "ghcr.io/aquasecurity/trivy:0.68.1" |
| TRIVY_REPO_TARGET | Local path or Git URL | "." |
| TRIVY_REPO_BRANCH | Remote branch | "" |
| TRIVY_REPO_COMMIT | Commit hash | "" |
| TRIVY_REPO_TAG | Tag name | "" |
| TRIVY_SCANNERS | Scanners | "vuln,secret" |
| severity | Severities | "CRITICAL,HIGH" |
| exit_on_vulnerability | Fail job on findings | true |
| TRIVY_IGNORE_UNFIXED | Ignore unfixed | true |
| TRIVY_TIMEOUT | Timeout | "10m" |
| TRIVY_SKIP_FILES | Files to skip | "" |
| TRIVY_SKIP_DIRS | Dirs to skip | "" |
| TRIVY_EXTRA_ARGS | Extra args | "" |
| TRIVY_REPORT_BASENAME | Artifact basename | "repo-scan" |
| allow_failure | Allow failure | false |

Example

include:
  - component: $CI_SERVER_FQDN/niclas-zone/ci/trivy/target_repository@latest
    inputs:
      TRIVY_REPO_TARGET: "https://github.com/aquasecurity/trivy"
      TRIVY_REPO_BRANCH: "main"

Component: templates/target_vm.yml

| Input | Description | Default |
| --- | --- | --- |
| job_name | Job name | "trivy:scan:vm" |
| stage | Stage | "test" |
| image | Trivy image | "ghcr.io/aquasecurity/trivy:0.68.1" |
| TRIVY_VM_TARGET | Local path or ami:/ebs: identifier | "" |
| TRIVY_AWS_REGION | AWS region for AMI/EBS scans | "" |
| TRIVY_SCANNERS | Scanners | "vuln" |
| severity | Severities | "CRITICAL,HIGH" |
| exit_on_vulnerability | Fail job on findings | true |
| TRIVY_IGNORE_UNFIXED | Ignore unfixed | true |
| TRIVY_TIMEOUT | Timeout | "20m" |
| TRIVY_EXTRA_ARGS | Extra args | "" |
| TRIVY_REPORT_BASENAME | Artifact basename | "vm-scan" |
| allow_failure | Allow failure | false |

Example

include:
  - component: $CI_SERVER_FQDN/niclas-zone/ci/trivy/target_vm@latest
    inputs:
      TRIVY_VM_TARGET: "ami-0123456789abcdef0"
      TRIVY_AWS_REGION: "us-east-1"

Component: templates/target_kubernetes.yml

| Input | Description | Default |
| --- | --- | --- |
| job_name | Job name | "trivy:scan:k8s" |
| stage | Stage | "test" |
| image | Trivy image | "ghcr.io/aquasecurity/trivy:0.68.1" |
| TRIVY_K8S_OBJECT | Scope (cluster, namespace/foo, etc.) | "" |
| TRIVY_K8S_REPORT | Report detail (summary/all) | "summary" |
| TRIVY_K8S_KUBECONFIG | Custom kubeconfig path | "" |
| TRIVY_K8S_INCLUDE_NAMESPACES | Namespaces to include | "" |
| TRIVY_K8S_EXCLUDE_NAMESPACES | Namespaces to exclude | "" |
| TRIVY_K8S_INCLUDE_KINDS | Kinds to include | "" |
| TRIVY_K8S_EXCLUDE_KINDS | Kinds to exclude | "" |
| TRIVY_K8S_SKIP_IMAGES | Skip workload image scans | false |
| TRIVY_K8S_DISABLE_NODE_COLLECTOR | Disable node collector | false |
| TRIVY_SCANNERS | Scanners | "vuln,misconfig,secret" |
| severity | Severities | "CRITICAL,HIGH" |
| exit_on_vulnerability | Fail job on findings | true |
| TRIVY_IGNORE_UNFIXED | Ignore unfixed | true |
| TRIVY_TIMEOUT | Timeout | "15m" |
| TRIVY_K8S_EXTRA_ARGS | Extra args | "" |
| TRIVY_REPORT_BASENAME | Artifact basename | "k8s-scan" |
| allow_failure | Allow failure | false |

Example

include:
  - component: $CI_SERVER_FQDN/niclas-zone/ci/trivy/target_kubernetes@latest
    inputs:
      TRIVY_K8S_OBJECT: "namespace/prod"
      TRIVY_K8S_REPORT: "summary"

Component: templates/scanner_iac_config.yml

| Input | Description | Default |
| --- | --- | --- |
| job_name | Job name | "trivy:scan:iac" |
| stage | Stage | "test" |
| image | Trivy image | "ghcr.io/aquasecurity/trivy:0.68.1" |
| TRIVY_CONFIG_PATH | IaC directory | "." |
| severity | Severities | "CRITICAL,HIGH" |
| exit_on_vulnerability | Fail on findings | true |
| TRIVY_CONFIG_REPORT | Report detail | "all" |
| TRIVY_CONFIG_INCLUDE_NON_FAILURES | Include passes | false |
| TRIVY_MISCONFIG_SCANNERS | Misconfig scanners list | "azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform" |
| TRIVY_TIMEOUT | Timeout | "10m" |
| TRIVY_SKIP_FILES | Files to skip | "" |
| TRIVY_SKIP_DIRS | Dirs to skip | "" |
| TRIVY_CONFIG_EXTRA_ARGS | Extra args | "" |
| TRIVY_REPORT_BASENAME | Artifact basename | "iac-scan" |
| allow_failure | Allow failure | false |

Example

include:
  - component: $CI_SERVER_FQDN/niclas-zone/ci/trivy/scanner_iac_config@latest
    inputs:
      TRIVY_CONFIG_PATH: "examples/iac/terraform"
      severity: "CRITICAL,HIGH,MEDIUM"

Component: templates/scanner_license.yml

| Input | Description | Default |
| --- | --- | --- |
| job_name | Job name | "trivy:scan:license" |
| stage | Stage | "test" |
| image | Trivy image | "ghcr.io/aquasecurity/trivy:0.68.1" |
| TRIVY_SCAN_REMOTE_IMAGE | Remote image ref | "" |
| TRIVY_SCAN_LOCAL_IMAGES | Local tar/OCI or filesystem path | "" |
| TRIVY_SCANNERS | Scanner list | "license" |
| severity | Severities | "CRITICAL" |
| exit_on_vulnerability | Fail on severity match | true |
| TRIVY_LICENSE_FULL | Enable --license-full | false |
| TRIVY_LICENSE_CONFIDENCE | Confidence threshold | "0.9" |
| TRIVY_LICENSE_IGNORED | Licenses to ignore | "" |
| TRIVY_PKG_TYPES | Package types | "os,library" |
| TRIVY_TIMEOUT | Timeout | "10m" |
| TRIVY_EXTRA_ARGS | Extra args | "" |
| allow_failure | Allow failure | false |

Example

include:
  - component: $CI_SERVER_FQDN/niclas-zone/ci/trivy/scanner_license@latest
    inputs:
      TRIVY_SCAN_LOCAL_IMAGES: "test.tar"
      TRIVY_LICENSE_FULL: true

Component: templates/sbom_generate_image.yml

| Input | Description | Default |
| --- | --- | --- |
| job_name | Job name | "trivy:sbom:image" |
| stage | Stage | "test" |
| image | Trivy image | "ghcr.io/aquasecurity/trivy:0.68.1" |
| TRIVY_SBOM_IMAGE | Remote image ref | "" |
| TRIVY_SBOM_INPUT | Local OCI/tar input | "" |
| TRIVY_SBOM_FORMAT | SBOM format | "cyclonedx" |
| TRIVY_SBOM_FILENAME | Output filename | "image-sbom.cdx.json" |
| TRIVY_SBOM_EXTRA_ARGS | Extra args | "" |
| TRIVY_TIMEOUT | Timeout | "10m" |
| allow_failure | Allow failure | false |

Example

include:
  - component: $CI_SERVER_FQDN/niclas-zone/ci/trivy/sbom_generate_image@latest
    inputs:
      TRIVY_SBOM_INPUT: "test.tar"
      TRIVY_SBOM_FILENAME: "ci-image-sbom.cdx.json"

Component: templates/sbom_generate_repo.yml

| Input | Description | Default |
| --- | --- | --- |
| job_name | Job name | "trivy:sbom:repo" |
| stage | Stage | "test" |
| image | Trivy image | "ghcr.io/aquasecurity/trivy:0.68.1" |
| TRIVY_REPO_TARGET | Path or remote Git URL | "." |
| TRIVY_REPO_BRANCH | Branch | "" |
| TRIVY_REPO_COMMIT | Commit hash | "" |
| TRIVY_REPO_TAG | Tag | "" |
| TRIVY_SBOM_FORMAT | Format | "cyclonedx" |
| TRIVY_SBOM_FILENAME | Output filename | "repo-sbom.cdx.json" |
| TRIVY_REPO_SCANNERS | Scanners during SBOM creation | "vuln,secret" |
| TRIVY_REPO_EXTRA_ARGS | Extra args | "" |
| TRIVY_TIMEOUT | Timeout | "10m" |
| allow_failure | Allow failure | false |

Example

include:
  - component: $CI_SERVER_FQDN/niclas-zone/ci/trivy/sbom_generate_repo@latest
    inputs:
      TRIVY_REPO_TARGET: "."
      TRIVY_SBOM_FORMAT: "spdx-json"

Component: templates/sbom_generate_kbom.yml

| Input | Description | Default |
| --- | --- | --- |
| job_name | Job name | "trivy:sbom:kbom" |
| stage | Stage | "test" |
| image | Trivy image | "ghcr.io/aquasecurity/trivy:0.68.1" |
| TRIVY_K8S_TARGET | trivy k8s target (cluster, namespace/...) | "cluster" |
| TRIVY_K8S_CONTEXT | Kubeconfig context | "" |
| TRIVY_K8S_EXTRA_ARGS | Extra args | "" |
| TRIVY_SBOM_FILENAME | KBOM filename | "kbom.cdx.json" |
| TRIVY_TIMEOUT | Timeout | "15m" |
| scan_kbom | Run vulnerability scan on generated KBOM | true |
| TRIVY_SBOM_SCANNERS | Scanners for KBOM scan | "vuln" |
| severity | Severities for KBOM scan | "CRITICAL,HIGH" |
| exit_on_vulnerability | Fail on findings | true |
| TRIVY_SBOM_SCAN_EXTRA_ARGS | Extra args for KBOM scan | "" |
| allow_failure | Allow failure | false |

Example

include:
  - component: $CI_SERVER_FQDN/niclas-zone/ci/trivy/sbom_generate_kbom@latest
    inputs:
      TRIVY_K8S_TARGET: "namespace/default"
      scan_kbom: true

Component: templates/sbom_scan_file.yml

| Input | Description | Default |
| --- | --- | --- |
| job_name | Job name | "trivy:scan:sbom" |
| stage | Stage | "test" |
| image | Trivy image | "ghcr.io/aquasecurity/trivy:0.68.1" |
| TRIVY_SBOM_PATH | Path to SBOM file | "artifacts/trivy/image-sbom.cdx.json" |
| TRIVY_SBOM_REPORT_BASENAME | Output basename | "sbom-scan" |
| TRIVY_SCANNERS | Scanners to run | "vuln,license" |
| severity | Severities | "CRITICAL,HIGH" |
| exit_on_vulnerability | Fail on findings | true |
| TRIVY_SBOM_SCAN_EXTRA_ARGS | Extra args | "" |
| TRIVY_TIMEOUT | Timeout | "10m" |
| allow_failure | Allow failure | false |

Example

include:
  - component: $CI_SERVER_FQDN/niclas-zone/ci/trivy/sbom_scan_file@latest
    inputs:
      TRIVY_SBOM_PATH: "artifacts/trivy/ci-image-sbom.cdx.json"
      TRIVY_SCANNERS: "vuln,license"
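The single-template examples above can be combined into one pipeline. The following is an added example, not part of the component's own documentation: it builds an image tarball with Docker-in-Docker, scans that tarball with target_container, produces a CycloneDX SBOM from the same tarball with sbom_generate_image, and re-scans the SBOM with sbom_scan_file in a later stage. The build job (the docker:27 images, the dist/ path, the image tag) is this example's own, and the path under artifacts/trivy/ is an assumption taken from sbom_scan_file's default TRIVY_SBOM_PATH, not something the component's docs state.

```yaml
# Added example: build once, then scan the tarball, generate an SBOM from it,
# and scan that SBOM. All component inputs used here appear in the tables above.
stages:
  - build
  - test
  - sbom-scan

# Assumption: a Docker-in-Docker build job that saves the image as dist/image.tar.
# Any builder that writes a tarball or OCI layout into dist/ would do the same.
build-image:
  stage: build
  image: docker:27
  services:
    - docker:27-dind
  script:
    - docker build -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" .
    - mkdir -p dist
    - docker save "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" -o dist/image.tar
  artifacts:
    paths:
      - dist/

include:
  # Vulnerability and secret scan of the tarball from the build stage.
  # Unfixed findings are ignored; any fixable CRITICAL/HIGH finding fails the job.
  - component: $CI_SERVER_FQDN/niclas-zone/ci/trivy/target_container@latest
    inputs:
      job_name: "trivy:containers:local"
      TRIVY_SCAN_LOCAL_IMAGES: "dist/"
      TRIVY_SCANNERS: "vuln,secret"
      severity: "CRITICAL,HIGH"
      TRIVY_IGNORE_UNFIXED: true
      exit_on_vulnerability: true

  # CycloneDX SBOM generated from the same tarball, kept as a pipeline artifact.
  - component: $CI_SERVER_FQDN/niclas-zone/ci/trivy/sbom_generate_image@latest
    inputs:
      job_name: "trivy:sbom:image"
      TRIVY_SBOM_INPUT: "dist/image.tar"
      TRIVY_SBOM_FILENAME: "image-sbom.cdx.json"

  # Re-scan the SBOM in a later stage so the artifact written in "test" is
  # already available. Assumption: the SBOM job stores its output under
  # artifacts/trivy/, matching sbom_scan_file's default TRIVY_SBOM_PATH.
  - component: $CI_SERVER_FQDN/niclas-zone/ci/trivy/sbom_scan_file@latest
    inputs:
      job_name: "trivy:scan:sbom"
      stage: "sbom-scan"
      TRIVY_SBOM_PATH: "artifacts/trivy/image-sbom.cdx.json"
      TRIVY_SCANNERS: "vuln,license"
      severity: "CRITICAL,HIGH"
      exit_on_vulnerability: true
```

Two details matter when chaining components this way. Every include gets its own job_name, because two includes that resolve to the same job name overwrite each other instead of producing two jobs. The stage input on sbom_scan_file moves it out of the default "test" stage; GitLab jobs download the artifacts of all earlier stages by default, so placing the SBOM scan one stage later is what makes the generated SBOM visible to it.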

Component: templates/sbom_scan_rekor.yml

Input Description Default
job_name Job name "trivy:scan:rekor"
stage Stage "test"
image Trivy image "ghcr.io/aquasecurity/trivy:0.68.1"
TRIVY_SCAN_REMOTE_IMAGE Attested remote image ""
TRIVY_REKOR_URL Rekor API endpoint ""
TRIVY_SCANNERS Scanners "vuln"
severity Severities "CRITICAL,HIGH"
exit_on_vulnerability Fail on findings true
TRIVY_IGNORE_UNFIXED Ignore unfixed true
TRIVY_TIMEOUT Timeout "10m"
TRIVY_EXTRA_ARGS Extra args ""
allow_failure Allow failure false

Example

include:
  - component: $CI_SERVER_FQDN/niclas-zone/ci/trivy/sbom_scan_rekor@latest
    inputs:
      TRIVY_SCAN_REMOTE_IMAGE: "registry.gitlab.com/group/app@sha256:..."
      TRIVY_REKOR_URL: "https://rekor.sigstore.dev"