Aqua Trivy Scanner Reference
You can set up a Security step with Aqua Trivy to detect vulnerabilities and misconfigurations in your container images.
Important Notes
- The STO integration with Aqua Trivy supports container image scans only.
Scan types
STO supports the following policy_type settings for Aqua Trivy:
- orchestratedScan: A Security step in the pipeline runs the scan and ingests the results. This is the easiest to set up and supports scans with default or predefined settings.
- ingestionOnly: Run the scan in a Run step, or outside the pipeline, and then ingest the results. This is useful for advanced workflows that address specific security needs. See Ingest scan results into an STO pipeline.
Required Settings
- product_name = aqua-trivy
- scan_type = containerImage
- product_config_name: Specify one of the following:
  - aqua-trivy: Run the Trivy image scanner with default settings.
  - aqua-trivy-debug: Run the Trivy image scanner in debug mode.
- container_domain: The image registry domain, for example docker.io
- container_project: The image owner and project, for example harness/delegate
- container_tag: The tag of the image to scan, for example latest
- container_type: Set to local_image, docker_v2, jfrog_artifactory, or aws_ecr
The following settings are also required, depending on the container type:
- If container_type = docker_v2:
  - container_access_id: Username
  - container_access_token: Password/Token
- If container_type = aws_ecr:
  - container_access_id: Username
  - container_access_token: Password/Token
  - container_region: Image registry AWS region
- If container_type = jfrog_artifactory:
  - container_access_id: Username
  - container_access_token: Password/Token
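The two scan types and the required settings above, written out as pipeline step YAML. This is an added example, not from this page or from Harness; only the setting names and values (policy_type, scan_type, product_name, product_config_name, container_*) come from the reference above. The stage and step layout (type: SecurityTests, type: Security, spec.settings), the secret expressions and secret names docker_username and docker_token, the /shared/scan_results path used for ingestion, and the aquasec/trivy image used in the Run step are assumptions.

```yaml
# Added example (not from the page): scanning docker.io/harness/delegate:latest
# with Aqua Trivy in STO, once as orchestratedScan and once as ingestionOnly.
# Assumed, not taken from the reference: the stage/step schema, the secret
# names docker_username and docker_token, and the /shared/scan_results path.
pipeline:
  name: trivy-image-scan
  identifier: trivy_image_scan
  stages:
    - stage:
        name: scan
        identifier: scan
        type: SecurityTests
        spec:
          sharedPaths:
            - /shared/scan_results   # assumed ingestion path
          execution:
            steps:
              # Variant 1: orchestratedScan. The Security step pulls the
              # image, runs Trivy with default settings and ingests results.
              - step:
                  type: Security
                  name: trivy-orchestrated
                  identifier: trivy_orchestrated
                  spec:
                    privileged: true
                    settings:
                      policy_type: orchestratedScan
                      scan_type: containerImage
                      product_name: aqua-trivy
                      product_config_name: aqua-trivy
                      container_type: docker_v2
                      container_domain: docker.io
                      container_project: harness/delegate
                      container_tag: latest
                      # Registry credentials are referenced as secrets,
                      # never written as plaintext in the pipeline YAML.
                      container_access_id: <+secrets.getValue("docker_username")>
                      container_access_token: <+secrets.getValue("docker_token")>
              # Variant 2: ingestionOnly. A Run step executes Trivy with the
              # flags you need (JSON output to the shared path); the Security
              # step then ingests that file instead of running a scan itself.
              - step:
                  type: Run
                  name: trivy-run
                  identifier: trivy_run
                  spec:
                    connectorRef: <+input>
                    image: aquasec/trivy:latest   # pin a version in real use
                    shell: Sh
                    command: |
                      trivy image --format json \
                        --output /shared/scan_results/trivy.json \
                        docker.io/harness/delegate:latest
              - step:
                  type: Security
                  name: trivy-ingest
                  identifier: trivy_ingest
                  spec:
                    privileged: true
                    settings:
                      policy_type: ingestionOnly
                      scan_type: containerImage
                      product_name: aqua-trivy
                      product_config_name: aqua-trivy
                      container_type: docker_v2
                      container_domain: docker.io
                      container_project: harness/delegate
                      container_tag: latest
```

For an image hosted in ECR, change container_type to aws_ecr and add container_region alongside the two credential settings; for Artifactory, use jfrog_artifactory with the same credential pair. Whatever the registry, keep container_access_token out of the YAML itself: a pipeline definition is usually version-controlled and readable by everyone with repository access, so a plaintext registry token there is a credential leak waiting to happen.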