import { ImageScannerWithTrivy } from 'image-scanner-with-trivy'
new ImageScannerWithTrivy(scope: Construct, id: string, props: ImageScannerWithTrivyProps)
Name | Type | Description |
---|---|---|
scope |
constructs.Construct |
No description. |
id |
string |
No description. |
props |
ImageScannerWithTrivyProps |
No description. |
- Type: constructs.Construct
- Type: string
Name | Description |
---|---|
toString |
Returns a string representation of this construct. |
public toString(): string
Returns a string representation of this construct.
Name | Description |
---|---|
isConstruct |
Checks if x is a construct. |
import { ImageScannerWithTrivy } from 'image-scanner-with-trivy'
ImageScannerWithTrivy.isConstruct(x: any)
Checks if x is a construct.
- Type: any
Any object.
Name | Type | Description |
---|---|---|
node |
constructs.Node |
The tree node. |
public readonly node: Node;
- Type: constructs.Node
The tree node.
Output configuration for scan logs to CloudWatch Logs.
import { CloudWatchLogsOutputOptions } from 'image-scanner-with-trivy'
const cloudWatchLogsOutputOptions: CloudWatchLogsOutputOptions = { ... }
Name | Type | Description |
---|---|---|
type |
ScanLogsOutputType |
No description. |
logGroupName |
string |
No description. |
public readonly type: ScanLogsOutputType;
- Type: ScanLogsOutputType
public readonly logGroupName: string;
- Type: string
Configuration for scan logs output to CloudWatch Logs log group.
import { CloudWatchLogsOutputProps } from 'image-scanner-with-trivy'
const cloudWatchLogsOutputProps: CloudWatchLogsOutputProps = { ... }
Name | Type | Description |
---|---|---|
logGroup |
aws-cdk-lib.aws_logs.ILogGroup |
The log group to output scan logs. |
public readonly logGroup: ILogGroup;
- Type: aws-cdk-lib.aws_logs.ILogGroup
The log group to output scan logs.
import { ImageScannerWithTrivyProps } from 'image-scanner-with-trivy'
const imageScannerWithTrivyProps: ImageScannerWithTrivyProps = { ... }
Name | Type | Description |
---|---|---|
imageUri |
string |
Image URI for scan target. |
repository |
aws-cdk-lib.aws_ecr.IRepository |
Repository including the image URI for scan target. |
defaultLogGroupRemovalPolicy |
aws-cdk-lib.RemovalPolicy |
The removal policy to apply to Scanner Lambda's default log group. |
defaultLogGroupRetentionDays |
aws-cdk-lib.aws_logs.RetentionDays |
The number of days log events are kept in Scanner Lambda's default log group. |
exitCode |
number |
Exit Code. |
exitOnEol |
number |
Exit on EOL. |
ignoreUnfixed |
boolean |
The unfixed/unfixable vulnerabilities mean that the patch has not yet been provided on their distribution. |
imageConfigScanners |
ImageConfigScanners[] |
Enum for ImageConfigScanners. |
memorySize |
number |
Memory Size (MB) for Scanner Lambda. |
platform |
string |
Scan Image on a specific Architecture and OS. |
scanLogsOutput |
ScanLogsOutput |
Configuration for scan logs output. |
scanners |
Scanners[] |
Enable/Disable Scanners. |
severity |
Severity[] |
Severity Selection. |
trivyIgnore |
string[] |
By Finding IDs. |
public readonly imageUri: string;
- Type: string
Image URI for scan target.
public readonly repository: IRepository;
- Type: aws-cdk-lib.aws_ecr.IRepository
Repository including the image URI for scan target.
Required because the construct calls grantPull on this repository to give the CustomResourceLambda pull access to the scan target.
public readonly defaultLogGroupRemovalPolicy: RemovalPolicy;
- Type: aws-cdk-lib.RemovalPolicy
- Default: Scanner Lambda creates the default log group (/aws/lambda/${functionName}).
The removal policy to apply to Scanner Lambda's default log group.
If you use the ImageScannerWithTrivy construct multiple times in the same stack, you cannot set different removal policies for the default log group. See the Notes section in the README for more details.
public readonly defaultLogGroupRetentionDays: RetentionDays;
- Type: aws-cdk-lib.aws_logs.RetentionDays
- Default: Scanner Lambda creates the default log group (/aws/lambda/${functionName}) and log events never expire.
The number of days log events are kept in Scanner Lambda's default log group.
If you use the ImageScannerWithTrivy construct multiple times in the same stack, you cannot set different retention days for the default log group. See the Notes section in the README for more details.
public readonly exitCode: number;
- Type: number
- Default: 1
Exit Code.
Use the exitCode option if you want the scan to exit with a non-zero exit code when vulnerabilities are detected.
You can specify 0 if you do not want to exit even when vulnerabilities are detected.
It defaults to 1 IN THIS CONSTRUCT for safety in CI/CD. In the original trivy, it is 0.
https://aquasecurity.github.io/trivy/latest/docs/configuration/others/#exit-code
public readonly exitOnEol: number;
- Type: number
- Default: 1
Exit on EOL.
Sometimes you may surprisingly get 0 vulnerabilities in an old image:
- Enabling --ignore-unfixed option while all packages have no fixed versions.
- Scanning a rather outdated OS (e.g. Ubuntu 10.04).
An OS at the end of service/life (EOL) usually ends up in this situation, even though it is definitely full of vulnerabilities.
exitOnEol makes a scan of an EOL OS fail with a non-zero code instead of reporting a misleading clean result.
It defaults to 1 IN THIS CONSTRUCT for safety in CI/CD. In the original trivy, it is 0.
https://aquasecurity.github.io/trivy/latest/docs/configuration/others/#exit-on-eol
public readonly ignoreUnfixed: boolean;
- Type: boolean
- Default: false
The unfixed/unfixable vulnerabilities mean that the patch has not yet been provided on their distribution.
To hide unfixed/unfixable vulnerabilities, you can use the --ignore-unfixed flag.
https://aquasecurity.github.io/trivy/latest/docs/scanner/vulnerability/#unfixed-vulnerabilities
public readonly imageConfigScanners: ImageConfigScanners[];
- Type: ImageConfigScanners[]
- Default: []
Enum for ImageConfigScanners.
Container images have configuration; docker inspect and docker history show the information according to that configuration.
Trivy scans the configuration of container images for
- Misconfigurations
- Secrets
They are disabled by default. You can enable them with imageConfigScanners.
https://aquasecurity.github.io/trivy/latest/docs/target/container_image/#container-image-metadata
public readonly memorySize: number;
- Type: number
- Default: 3008
Memory Size (MB) for Scanner Lambda.
You can specify a value between 3008 and 10240.
If this construct's scan execution terminates abnormally due to SIGKILL, try a larger size.
The default value (3008 MB) is the maximum Lambda memory size for a default AWS account without a quota limit increase.
public readonly platform: string;
- Type: string
- Default:
Scan Image on a specific Architecture and OS.
By default, Trivy loads an image for a linux/amd64 machine. To customize this, pass a platform argument in the format OS/Architecture for the image, such as linux/arm64.
public readonly scanLogsOutput: ScanLogsOutput;
- Type: ScanLogsOutput
- Default: scan logs are output to the default log group created by Scanner Lambda (/aws/lambda/${functionName}).
Configuration for scan logs output.
By default, scan logs are output to the default log group created by Scanner Lambda. Specify this if you want to send scan logs somewhere other than the default log group. Currently, only cloudWatchLogs is supported.
public readonly scanners: Scanners[];
- Type: Scanners[]
- Default: [Scanners.VULN,Scanners.SECRET]
Enable/Disable Scanners.
You can enable/disable scanners with the scanners option.
For example, container image scanning enables vulnerability (VULN) and secret scanners (SECRET) by default. If you don't need secret scanning, it can be disabled by specifying Scanners.VULN only.
https://aquasecurity.github.io/trivy/latest/docs/configuration/others/#enabledisable-scanners
public readonly severity: Severity[];
- Type: Severity[]
- Default: [Severity.CRITICAL]
Severity Selection.
The severity is taken from the selected data source since the severity from vendors is more accurate. Using CVE-2023-0464 as an example, while it is rated as "HIGH" in NVD, Red Hat has marked its 'Impact' as "Low". As a result, Trivy will display it as "Low".
The severity depends on the compile option, the default configuration, etc. NVD doesn't know how the vendor distributes the software. Red Hat evaluates the severity more accurately. That's why Trivy prefers vendor scores over NVD.
It defaults to CRITICAL IN THIS CONSTRUCT for safety in CI/CD, but the default configuration of Trivy is "CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN". With the construct default, findings rated HIGH or lower are not reported unless you widen the selection.
https://aquasecurity.github.io/trivy/latest/docs/scanner/vulnerability/#severity-selection
public readonly trivyIgnore: string[];
- Type: string[]
- Default: []
By Finding IDs.
The ignore rules that would be written to the .trivyignore file in Trivy. Put each line you would write in that file into one element of the array.
https://aquasecurity.github.io/trivy/latest/docs/configuration/filtering/#trivyignore
Example
$ cat .trivyignore
# Accept the risk
CVE-2018-14618
# Accept the risk until 2023-01-01
CVE-2019-14697 exp:2023-01-01
# No impact in our settings
CVE-2019-1543
# Ignore misconfigurations
AVD-DS-0002
# Ignore secrets
generic-unwanted-rule
aws-account-id
Output configurations for scan logs.
import { ScanLogsOutputOptions } from 'image-scanner-with-trivy'
const scanLogsOutputOptions: ScanLogsOutputOptions = { ... }
Name | Type | Description |
---|---|---|
type |
ScanLogsOutputType |
No description. |
public readonly type: ScanLogsOutputType;
- Type: ScanLogsOutputType
Represents the output of the scan logs.
import { ScanLogsOutput } from 'image-scanner-with-trivy'
new ScanLogsOutput()
Name | Type | Description |
---|---|---|
Name | Description |
---|---|
bind |
Returns the output configuration for scan logs. |
public bind(grantee: IGrantable): ScanLogsOutputOptions
Returns the output configuration for scan logs.
- Type: aws-cdk-lib.aws_iam.IGrantable
Name | Description |
---|---|
cloudWatchLogs |
Scan logs output to CloudWatch Logs log group. |
import { ScanLogsOutput } from 'image-scanner-with-trivy'
ScanLogsOutput.cloudWatchLogs(options: CloudWatchLogsOutputProps)
Scan logs output to CloudWatch Logs log group.
Enum for ImageConfigScanners.
https://aquasecurity.github.io/trivy/latest/docs/target/container_image/#container-image-metadata
Name | Description |
---|---|
CONFIG |
No description. |
SECRET |
No description. |
Enum for ScanLogsOutputType.
Name | Description |
---|---|
CLOUDWATCH_LOGS |
No description. |
Enum for Scanners.
https://aquasecurity.github.io/trivy/latest/docs/configuration/others/#enabledisable-scanners
Name | Description |
---|---|
VULN |
No description. |
CONFIG |
No description. |
SECRET |
No description. |
LICENSE |
No description. |
Enum for Severity Selection.
https://aquasecurity.github.io/trivy/latest/docs/scanner/vulnerability/#severity-selection
Name | Description |
---|---|
UNKNOWN |
No description. |
LOW |
No description. |
MEDIUM |
No description. |
HIGH |
No description. |
CRITICAL |
No description. |