forked from microsoft/security-devops-azdevops
-
Notifications
You must be signed in to change notification settings - Fork 0
Home
Jiandong Jiang edited this page Apr 5, 2023
·
2 revisions
Microsoft Security DevOps (MSDO) is a command line application which integrates static analysis tools into the development cycle. MSDO installs, configures and runs the latest versions of static analysis tools (including, but not limited to, SDL/security and compliance tools). MSDO is data-driven with portable configurations that enable deterministic execution across multiple environments. For tools that output results in or MSDO can convert their results to SARIF, MSDO imports into a normalized file database for seamlessly reporting and responding to results across tools, such as forcing build breaks.
The microsoft/security-devops-action will run all applicable analyzers configured in the policy. By default, this action runs the GitHub policy. If a file is found that MSDO has an analyzer for, it runs the analyzer with default settings against the target.
This section contains all of the direct input options to tools (aka. analyzers).
There are a few ways configure tool inputs:
- Creating a *.gdnconfig file to save configurations
- Great for reuse between team members and local/remote runs
- Can save multiple tool configurations in a single file to run all configurations with
guardian run -c <*.gdnconfig file path>
- Using environment variables
- Great for quick configurations in build pipelines
- They follow the format
[GDN_]<ToolName>_<ArgumentId>, whereGDN_is optional andToolNameandArgumentIdare defined by the tool integration file to (*.gdntool).
Tool variables can be set within GitHub Workflows.
They can be set as top level environment variables in the build:
env:
<key>: '<value>'
job:
...Or on the action itself.
steps:
- uses: microsoft/security-devops-action
env:
<key>: '<value>'Here' an example action to configure the targets CLI option for eslint:
steps:
- uses: microsoft/security-devops-action
env:
eslint_targets: '**/*.js'Tool variables can be set within Azure Pipelines.
They can be set as top level environment variables in the build:
variables:
<key>: '<value>'
job:
...Or on the build task itself.
steps:
- with: MicrosoftSecurityDevOps@1
env:
<key>: '<value>'Here' an example action to configure the targets CLI option for eslint:
steps:
- with: MicrosoftSecurityDevOps@1
env:
eslint_targets: '**/*.js'Short description:
A command line utility for running Microsoft AntiMalware/Windows Defender tool.
Long description:
This is a command line utility for running Microsoft AntiMalware/Windows Defender tool. It must be run on a local machine (or build agent) with Windows Defender already installed.
{
"tools": [
{
"tool": {
"name": "AntiMalware",
"version": "Latest"
},
"arguments": {
"Function": "analyze",
"Command": "scan",
"ScanType": 3,
"ScanDirectoryOrFile": "$(WorkingDirectory)",
"DisableRemediation": true,
"BootSectorScan": "false",
"CommandlineArguments": "",
"EnableServices": "false",
"CollectLogsOnError": "false",
"ForceSignatureUpdate": "false",
"SignatureUpdateUsesMMPC": "false",
"SignatureUpdateFailureLoggerLevel": "Warning",
"SignatureFreshness": 3,
"OutdatedSignatureLoggerLevel": "Error",
"Output": "",
"LoggerLevel": "Standard"
}
}
]
}| Argument name | Environment variable name | Description |
|---|---|---|
| Function | GDN_ANTIMALWARE_FUNCTION | |
| Command | GDN_ANTIMALWARE_COMMAND | |
| ScanType | GDN_ANTIMALWARE_SCANTYPE | |
| ScanDirectoryOrFile | GDN_ANTIMALWARE_SCANDIRECTORYORFILE | |
| DisableRemediation | GDN_ANTIMALWARE_DISABLEREMEDIATION | |
| BootSectorScan | GDN_ANTIMALWARE_BOOTSECTORSCAN | |
| CommandlineArguments | GDN_ANTIMALWARE_COMMANDLINEARGUMENTS | |
| EnableServices | GDN_ANTIMALWARE_ENABLESERVICES | |
| CollectLogsOnError | GDN_ANTIMALWARE_COLLECTLOGSONERROR | |
| ForceSignatureUpdate | GDN_ANTIMALWARE_FORCESIGNATUREUPDATE | |
| SignatureUpdateUsesMMPC | GDN_ANTIMALWARE_SIGNATUREUPDATEUSESMMPC | |
| SignatureUpdateFailureLoggerLevel | GDN_ANTIMALWARE_SIGNATUREUPDATEFAILURELOGGERLEVEL | |
| SignatureFreshness | GDN_ANTIMALWARE_SIGNATUREFRESHNESS | |
| OutdatedSignatureLoggerLevel | GDN_ANTIMALWARE_OUTDATEDSIGNATURELOGGERLEVEL | |
| Output | GDN_ANTIMALWARE_OUTPUT | |
| LoggerLevel | GDN_ANTIMALWARE_LOGGERLEVEL |
Short description:
Security oriented static analyser for python code.
Long description:
Bandit is a tool designed to find common security issues in Python code. To do this, Bandit processes each file, builds an AST from it, and runs appropriate plugins against the AST nodes. Once Bandit has finished scanning all the files, it generates a report.
{
"tools": [
{
"tool": {
"name": "Bandit",
"version": "Latest"
},
"arguments": {
"OutputFile": "",
"Recursive": "",
"Target": "$(DefaultBanditTargets)",
"Aggregate": "",
"ContextLines": "",
"ConfigFile": "",
"Profile": "",
"Tests": ["B102", "B110", "B112", "B303", "B304", "B312", "B321", "B324", "B413", "B501", "B502", "B503", "B504", "B505"],
"SkippedTests": "",
"SeverityLevel": "",
"ConfidenceLevel": "",
"Format": "sarif",
"MessageTemplate": "",
"Verbose": "",
"Debug": "",
"Quiet": "",
"IgnoreNosec": "",
"ExcludedPaths": "",
"Baseline": "",
"IniPath": "",
"Help": "",
"Version": ""
}
}
]
}| Argument name | Environment variable name | Description |
|---|---|---|
| OutputFile | GDN_BANDIT_OUTPUTFILE | write report to filename |
| Recursive | GDN_BANDIT_RECURSIVE | find and process files in subdirectories. |
| Target | GDN_BANDIT_TARGET | source file(s) or directory(s) to be tested |
| Aggregate | GDN_BANDIT_AGGREGATE | aggregate output by vulnerability (default) or by filename (file or vuln) |
| ContextLines | GDN_BANDIT_CONTEXTLINES | maximum number of code lines to output for each issue |
| ConfigFile | GDN_BANDIT_CONFIGFILE | optional config file to use for selecting plugins and overriding defaults |
| Profile | GDN_BANDIT_PROFILE | optional config file to use for selecting plugins and overriding defaults |
| Tests | GDN_BANDIT_TESTS | list of test IDs to run |
| SkippedTests | GDN_BANDIT_SKIPPEDTESTS | list of test IDs to skip |
| SeverityLevel | GDN_BANDIT_SEVERITYLEVEL | report only issues of a given severity level or higher. (LOW, MEDIUM, or HIGH, default LOW) |
| ConfidenceLevel | GDN_BANDIT_CONFIDENCELEVEL | report only issues of a given confidence level or higher. (LOW, MEDIUM, or HIGH, default LOW) |
| Format | GDN_BANDIT_FORMAT | the output format of the log file. Guardian supports the 'sarif' output format. Other formats that cannot be imported for post processing by Guardian are: csv,custom,html,json,screen,txt,xml,yaml |
| MessageTemplate | GDN_BANDIT_MESSAGETEMPLATE | Specify output format (only usable with --format custom) |
| Verbose | GDN_BANDIT_VERBOSE | output extra information like excluded and included files |
| Debug | GDN_BANDIT_DEBUG | turn on debug mode |
| Quiet | GDN_BANDIT_QUIET | only show output in the case of an error |
| IgnoreNosec | GDN_BANDIT_IGNORENOSEC | do not skip lines with # nosec comments |
| ExcludedPaths | GDN_BANDIT_EXCLUDEDPATHS | comma-separated list of paths (glob patterns supported to exclude from scan) |
| Baseline | GDN_BANDIT_BASELINE | path of a baseline report to compare against (only JSON-formatted files are accepted) |
| IniPath | GDN_BANDIT_INIPATH | path to a .bandit file that supplies command line arguments |
| Help | GDN_BANDIT_HELP | show a help message and exit. |
| Version | GDN_BANDIT_VERSION | show program's version number and exit |
Short description:
A portable executable scanner that validates compiler/linker settings and other security-relevant binary characteristics.
{
"tools": [
{
"tool": {
"name": "BinSkim",
"version": "Latest"
},
"arguments": {
"Function": "analyze",
"Target": "$(BinSkim.DefaultTargetPattern)",
"Output": "",
"SymbolsPath": "",
"LocalSymbolDirectories": "",
"ConfigPath": "default",
"PluginPath": "",
"IgnorePdbLoadError": "false",
"Recurse": "false",
"Verbose": "false",
"Hashes": true,
"Statistics": true,
"Environment": "false",
"Trace": "",
"Quiet": "false",
"Optimize": "false",
"Level": "",
"Kind": "",
"PrettyPrint": "false",
"Minify": "false",
"SarifOutputVersion": "OneZeroZero",
"Threads": ""
}
}
]
}| Argument name | Environment variable name | Description |
|---|---|---|
| Function | GDN_BINSKIM_FUNCTION | |
| Target | GDN_BINSKIM_TARGET | |
| Output | GDN_BINSKIM_OUTPUT | File path to which analysis output will be written. |
| SymbolsPath | GDN_BINSKIM_SYMBOLSPATH | Symbols path value, e.g., Cachec:\symbols;SRVhttp://msdl.microsoft.com/download/symbols or Cached:\symbols;Srvhttp://symweb. |
| LocalSymbolDirectories | GDN_BINSKIM_LOCALSYMBOLDIRECTORIES | A set of semicolon-delimited local directory paths that will be examined when attempting to locate PDBs. |
| ConfigPath | GDN_BINSKIM_CONFIGPATH | Path to policy file that will be used to configure analysis. |
| PluginPath | GDN_BINSKIM_PLUGINPATH | Path to plug-in that will be invoked against all targets in the analysis set. |
| IgnorePdbLoadError | GDN_BINSKIM_IGNOREPDBLOADERROR | If enabled, BinSkim won't break if we have a 'PdbLoadingException'. |
| Recurse | GDN_BINSKIM_RECURSE | Recurse into subdirectories when evaluating file specifier arguments. |
| Verbose | GDN_BINSKIM_VERBOSE | Emit verbose output. |
| Hashes | GDN_BINSKIM_HASHES | Output MD5, SHA1, and SHA-256 hash of analysis targets when emitting SARIF reports. |
| Statistics | GDN_BINSKIM_STATISTICS | Generate timing and other statistics for analysis session. |
| Environment | GDN_BINSKIM_ENVIRONMENT | Log machine environment details of run to output file. |
| Trace | GDN_BINSKIM_TRACE | (Default: ) Execution traces, expressed as a semicolon-delimited list, that should be emitted to the console and log file (if appropriate). Valid values: PdbLoad. |
| Quiet | GDN_BINSKIM_QUIET | Do not log results to the console. |
| Optimize | GDN_BINSKIM_OPTIMIZE | Omit redundant properties, producing a smaller but non-human-readable log. |
| Level | GDN_BINSKIM_LEVEL | (Default: Error Warning) Filter output of scan results to one or more failure levels. Valid values: Error, Warning and Note. |
| Kind | GDN_BINSKIM_KIND | (Default: Fail) Filter output one or more result kinds. Valid values: Fail (for literal scan results), Pass, Review, Open, NotApplicable and Informational. |
| PrettyPrint | GDN_BINSKIM_PRETTYPRINT | Produce pretty-printed JSON output rather than compact output (all white space removed). |
| Minify | GDN_BINSKIM_MINIFY | Produce compact JSON output (all white space removed) rather than pretty-printed output. |
| SarifOutputVersion | GDN_BINSKIM_SARIFOUTPUTVERSION | The SARIF version of the output log file. Valid values are OneZeroZero and Current. |
| Threads | GDN_BINSKIM_THREADS | A count of threads that should be used for multithreaded operations. |
Short description:
An extensible open source JavaScript linting utility used to find problematic patterns or code that doesn't adhere to certain guidelines
{
"tools": [
{
"tool": {
"name": "ESLint",
"version": "Latest"
},
"arguments": {
"DisableDefaultConfigurationFile": true,
"ResolvePluginsRelativeTo": "",
"ConfigurationFile": "$(SDLRequiredConfigurationFile)",
"Environments": "",
"Extensions": [".js", ".ts"],
"Globals": "",
"Parser": "",
"ParserOptions": "",
"AdditionalRulesDirectories": "",
"Plugins": "",
"Rules": "",
"Fix": "",
"FixDryRun": "",
"FixTypes": "",
"ExclusionsFilePath": "",
"DisableExclusions": "",
"ExclusionPatterns": "*.d.ts",
"Quiet": "",
"MaxWarnings": "",
"ExitOnFatalError": "",
"OutputFile": "",
"OutputFormat": "$(InstallDirectory)\\node_modules\\@microsoft\\eslint-formatter-sarif\\sarif.js",
"DisableInlineConfig": "",
"ReportUnusedDisableDirectives": "",
"Cache": "",
"CacheLocation": "",
"Debug": "",
"Help": "",
"Targets": "$(DefaultTargets)"
}
}
]
}| Argument name | Environment variable name | Description |
|---|---|---|
| DisableDefaultConfigurationFile | GDN_ESLINT_DISABLEDEFAULTCONFIGURATIONFILE | Disables use of configuration from .eslintrc.* and package.json files. Default: true |
| ResolvePluginsRelativeTo | GDN_ESLINT_RESOLVEPLUGINSRELATIVETO | Specify the working directory from which to load the plugins. Default:CWD |
| ConfigurationFile | GDN_ESLINT_CONFIGURATIONFILE | Specify an additional configuration file for ESLint. This file will override existing configurations. |
| Environments | GDN_ESLINT_ENVIRONMENTS | Specify environments, e.g.: --env browser,node. See: https://eslint.org/docs/user-guide/configuring#specifying-environments |
| Extensions | GDN_ESLINT_EXTENSIONS | Specifies file extensions to scan. |
| Globals | GDN_ESLINT_GLOBALS | Specify global variables,so that they will not be flagged as undefined by the no-undef rule. Any specified global variables are assumed to be read-only by default, but appending :true to a variable's name ensures that no-undef will also allow writes. E.g.: --global require,exports:true |
| Parser | GDN_ESLINT_PARSER | Specify a parser to be used by ESLint. When using the SDL required/recommended config, @typescript-eslint/parser will be the default. |
| ParserOptions | GDN_ESLINT_PARSEROPTIONS | Specify parser options to be used by ESLint. Note that the available parser options are determined by the parser being used. E.g.: --parser-options=ecmaVersion:7 |
| AdditionalRulesDirectories | GDN_ESLINT_ADDITIONALRULESDIRECTORIES | Specify other directories from which to load rules files. |
| Plugins | GDN_ESLINT_PLUGINS | Specifies plugins to load. You can omit the prefix eslint-plugin- fom the plugin name. Plugins must be installed using npm before being used. |
| Rules | GDN_ESLINT_RULES | Specify additional rules. These will be merged with any rules specified using other options. |
| Fix | GDN_ESLINT_FIX | Instructs ESLint to try to fix as many issues as possible. The fixes are made to the actual files themselves and only the remaining unfixed issues are output. |
| FixDryRun | GDN_ESLINT_FIXDRYRUN | Same as --fix, but instead of fixing the files, output the fixes. |
| FixTypes | GDN_ESLINT_FIXTYPES | Specify the types of fixes to apply. Choose from: problem, suggestion, layout. Multiple allowed, comma separated. |
| ExclusionsFilePath | GDN_ESLINT_EXCLUSIONSFILEPATH | Specify the file to use as your .eslintignore. By default, ESLint looks in the current working directory for .eslintignore. You can override this behavior by providing a path to a different file. |
| DisableExclusions | GDN_ESLINT_DISABLEEXCLUSIONS | Disables excluding of files from .eslintignore, --ignore-path and --ignore-pattern. |
| ExclusionPatterns | GDN_ESLINT_EXCLUSIONPATTERNS | This option allows you to specify patterns of files to ignore (in addition to those in .eslintignore). You can repeat the option to provide multiple patterns.E.g. eslint --ignore-pattern '/lib/' --ignore-pattern '/src/vendor/*' . |
| Quiet | GDN_ESLINT_QUIET | Disable reporting on warnings. |
| MaxWarnings | GDN_ESLINT_MAXWARNINGS | Specify a warning threshold, which can be used to force ESLint to exit with an error status if there are too many warning-level rule violations in your project. |
| ExitOnFatalError | GDN_ESLINT_EXITONFATALERROR | This option causes ESLint to exit with exit code 2 if one or more fatal parsing errors occur. Without this option, fatal parsing errors are reported as rule violations. |
| OutputFile | GDN_ESLINT_OUTPUTFILE | Specifies the path of the output file. |
| OutputFormat | GDN_ESLINT_OUTPUTFORMAT | Specifies the output format. Default: json. |
| DisableInlineConfig | GDN_ESLINT_DISABLEINLINECONFIG | This option prevents all inline comments like /eslint-disable/ or /global foo/ from having any effect. |
| ReportUnusedDisableDirectives | GDN_ESLINT_REPORTUNUSEDDISABLEDIRECTIVES | This option causes ESLint to report directive comments like // eslint-disable-line when no errors would have been reported on that line anyway. |
| Cache | GDN_ESLINT_CACHE | Only check changed files - default: false. |
| CacheLocation | GDN_ESLINT_CACHELOCATION | Path to the cache file or directory |
| Debug | GDN_ESLINT_DEBUG | Outputs debugging information to the console. |
| Help | GDN_ESLINT_HELP | |
| Targets | GDN_ESLINT_TARGETS | Specifies the target files, directories or globs, as a space separated list. |
Short description:
Scans ARM templates for security misconfigurations
Long description:
TemplateAnalyzer provides a simple and extensible solution to improve the security of your Azure resources before deployment and ensures your ARM templates follow best practices.
{
"tools": [
{
"tool": {
"name": "TemplateAnalyzer",
"version": "Latest"
},
"arguments": {
"AnalyzeDirectory": "$(WorkingDirectory)",
"AnalyzeTemplate": "",
"ParametersFilePath": "",
"Verbose": "true",
"IncludeNonSecurityRules": "true",
"Help": ""
}
}
]
}| Argument name | Environment variable name | Description |
|---|---|---|
| AnalyzeDirectory | GDN_TEMPLATEANALYZER_ANALYZEDIRECTORY | Recursively searches for and analyzes all ARM templates in a directory with the set of preconfigured rules |
| AnalyzeTemplate | GDN_TEMPLATEANALYZER_ANALYZETEMPLATE | Analyzes an ARM template with the set of preconfigured rules |
| ParametersFilePath | GDN_TEMPLATEANALYZER_PARAMETERSFILEPATH | File path of parameters file to use when scanning a template (optional) |
| Verbose | GDN_TEMPLATEANALYZER_VERBOSE | Shows details about the analysis |
| IncludeNonSecurityRules | GDN_TEMPLATEANALYZER_INCLUDENONSECURITYRULES | Run all the rules against the templates, including non-security rules |
| Help | GDN_TEMPLATEANALYZER_HELP | Output command line help information for the Template BPA CLI |
Short description:
Validate an IaC templates
Long description:
Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
{
"tools": [
{
"tool": {
"name": "Terrascan",
"version": "Latest"
},
"arguments": {
"Init": "",
"Scan": "scan",
"Server": "",
"Version": "",
"ConfigPath": "",
"LogLevel": "",
"LogType": "",
"OutputType": "sarif",
"Categories": "",
"ConfigOnly": "",
"FindVuln": "",
"Help": "",
"IacDir": "$(WorkingDirectory)",
"IacFile": "",
"IacType": "",
"IacVersion": "",
"NonRecursive": "",
"PolicyPath": "",
"PolicyType": "",
"RemoteType": "",
"RemoteUrl": "",
"ScanRules": "",
"Severity": "",
"ShowPassed": "",
"SkipRules": "",
"UseColors": "auto",
"UseTerraformCache": "",
"Verbose": ""
}
}
]
}| Argument name | Environment variable name | Description |
|---|---|---|
| Init | GDN_TERRASCAN_INIT | Initializes Terrascan and clones policies from the Terrascan GitHub repository |
| Scan | GDN_TERRASCAN_SCAN | Detect compliance and security violations across Infrastructure as Code |
| Server | GDN_TERRASCAN_SERVER | Run Terrascan as an API server |
| Version | GDN_TERRASCAN_VERSION | Terrascan version |
| ConfigPath | GDN_TERRASCAN_CONFIGPATH | Format supported is *.TOML |
| LogLevel | GDN_TERRASCAN_LOGLEVEL | Log level (debug, info, warn, error, panic, fatal) (default 'info') |
| LogType | GDN_TERRASCAN_LOGTYPE | Log output type (console, json) (default 'console') |
| OutputType | GDN_TERRASCAN_OUTPUTTYPE | Output type (human, json, yaml, xml, junit-xml, sarif) (default 'sarif') |
| Categories | GDN_TERRASCAN_CATEGORIES | List of categories of violations to be reported by terrascan (example: --categories='category1,category2') |
| ConfigOnly | GDN_TERRASCAN_CONFIGONLY | Will output resource config (should only be used for debugging purposes) |
| FindVuln | GDN_TERRASCAN_FINDVULN | Fetches vulnerabilities identified in Docker images |
| Help | GDN_TERRASCAN_HELP | |
| IacDir | GDN_TERRASCAN_IACDIR | Path to a directory containing one or more IaC files (default '.'') |
| IacFile | GDN_TERRASCAN_IACFILE | Path to a single IaC file |
| IacType | GDN_TERRASCAN_IACTYPE | Iac type (arm, cft, docker, helm, k8s, kustomize, terraform, tfplan) |
| IacVersion | GDN_TERRASCAN_IACVERSION | Iac version (arm: v1, cft: v1, docker: v1, helm: v3, k8s: v1, kustomize: v2, v3, v4, terraform: v12, v13, v14, v15, tfplan: v1) |
| NonRecursive | GDN_TERRASCAN_NONRECURSIVE | Do not scan directories and modules recursively |
| PolicyPath | GDN_TERRASCAN_POLICYPATH | Policy path directory |
| PolicyType | GDN_TERRASCAN_POLICYTYPE | Policy type (all, aws, azure, gcp, github, k8s) (default [all]) |
| RemoteType | GDN_TERRASCAN_REMOTETYPE | Type of remote backend (git, s3, gcs, http, terraform-registry) |
| RemoteUrl | GDN_TERRASCAN_REMOTEURL | Url pointing to remote IaC repository |
| ScanRules | GDN_TERRASCAN_SCANRULES | One or more rules to scan (example: --scan-rules='ruleID1,ruleID2') |
| Severity | GDN_TERRASCAN_SEVERITY | Minimum severity level of the policy violations to be reported by terrascan |
| ShowPassed | GDN_TERRASCAN_SHOWPASSED | Display passed rules, along with violations |
| SkipRules | GDN_TERRASCAN_SKIPRULES | One or more rules to skip while scanning (example: --skip-rules='ruleID1,ruleID2') |
| UseColors | GDN_TERRASCAN_USECOLORS | Color output (auto, t, f) (default 'auto') |
| UseTerraformCache | GDN_TERRASCAN_USETERRAFORMCACHE | Use terraform init cache for remote modules (when used directory scan will be non recursive,flag applicable only with terraform IaC provider) |
| Verbose | GDN_TERRASCAN_VERBOSE | Will show violations with details (applicable for default output) |
Short description:
A security analysis tool for containers.
Long description:
A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifacts.
{
"tools": [
{
"tool": {
"name": "Trivy",
"version": "Latest"
},
"arguments": {
"Action": "filesystem",
"Target": ".",
"ExitCode": "100",
"Quiet": "",
"Debug": "",
"CacheDirectory": "",
"OutputTemplate": "@$(InstallDirectory)\\tools\\sarif.tpl",
"TableFormat": "template",
"ImagePath": "",
"Severities": "",
"OutputPath": "",
"SkipDBUpdate": "",
"IgnoreUnfixed": "",
"RemovedPKGS": "",
"VulnTypes": "",
"IgnoreFile": "",
"Timeout": "",
"LightMode": "",
"IgnorePolicyPath": "",
"ListAllPackages": "",
"SkipFiles": "",
"SkipDirectories": "",
"CacheBackend": "",
"ClientServerToken": "",
"ClientServerTokenHeader": "",
"ClientRemoteLocation": "",
"ClientServerCustomHeaders": ""
}
}
]
}| Argument name | Environment variable name | Description |
|---|---|---|
| Action | GDN_TRIVY_ACTION | The type of resource you would like to scan. The default is filesystem which scans local resources. Other options include image, repository, client, server. |
| Target | GDN_TRIVY_TARGET | Target of scan. For the default action (filesystem), a directory. |
| ExitCode | GDN_TRIVY_EXITCODE | Exit code to use if errors are detected. This must stay 100. |
| Quiet | GDN_TRIVY_QUIET | Suppress progress bar and log output. |
| Debug | GDN_TRIVY_DEBUG | Enable verbose debug output. |
| CacheDirectory | GDN_TRIVY_CACHEDIRECTORY | Directory for storing Trivy cache data. |
| OutputTemplate | GDN_TRIVY_OUTPUTTEMPLATE | A template to modify the output format. Output format must be set to template for this to work. The default behavior uses this option and a provided template to produce SARIF. If providing a filename, prpend @. |
| TableFormat | GDN_TRIVY_TABLEFORMAT | Format for the results output. Template is preferred by Guardian to produce SARIF, but this requires an output template to be selected as well. Other options include JSON and text. |
| ImagePath | GDN_TRIVY_IMAGEPATH | Path to image instead of image name. This is only useful if using the image scan type. See also: https://github.com/aquasecurity/trivy#scan-an-oci-image |
| Severities | GDN_TRIVY_SEVERITIES | Severities to display. Available options are: UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL. Warning: this is not a threshold and all desired severities must be listed. The default is to include all findings. |
| OutputPath | GDN_TRIVY_OUTPUTPATH | Path of output file. |
| SkipDBUpdate | GDN_TRIVY_SKIPDBUPDATE | Skip the database update step. |
| IgnoreUnfixed | GDN_TRIVY_IGNOREUNFIXED | Ignore issues that aren't known to be fixed. |
| RemovedPKGS | GDN_TRIVY_REMOVEDPKGS | detect vulnerabilities of removed packages (only for Alpine) |
| VulnTypes | GDN_TRIVY_VULNTYPES | Vulnerability types to display. Options are: os, library. The default is to display both of these. |
| IgnoreFile | GDN_TRIVY_IGNOREFILE | Path to a Trivy ignorefile. See the tool documentation at: https://github.com/aquasecurity/trivy |
| Timeout | GDN_TRIVY_TIMEOUT | Timeout for Docker operations in the format 5m0s. The default is five minutes. |
| LightMode | GDN_TRIVY_LIGHTMODE | light mode: it's faster, but vulnerability descriptions and references are not displayed. |
| IgnorePolicyPath | GDN_TRIVY_IGNOREPOLICYPATH | Path to a custom Rego file to evaluate each vulnerability. This feature is experimental. See also: https://github.com/aquasecurity/trivy#filter-the-vulnerabilities-by-open-policy-agent-policy |
| ListAllPackages | GDN_TRIVY_LISTALLPACKAGES | List all packages used, whether they have vulnerabilities or not. |
| SkipFiles | GDN_TRIVY_SKIPFILES | Paths to files to skip. If you wish to ignore entire directories, use the skip directories option. This does not support complex matching patterns. |
| SkipDirectories | GDN_TRIVY_SKIPDIRECTORIES | Paths to directories to ignore. If you wish to ignore single files while scanning others in the same directory, use the skip files option. This does not support complex matching patterns. |
| CacheBackend | GDN_TRIVY_CACHEBACKEND | Location of the cache backend resource. Does not work with client action. |
| ClientServerToken | GDN_TRIVY_CLIENTSERVERTOKEN | Token to authenticate to a server. Only works with client or server actions. |
| ClientServerTokenHeader | GDN_TRIVY_CLIENTSERVERTOKENHEADER | Header to use when sending or expecting the token to authenticate to a server. Only works with client or server actions. |
| ClientRemoteLocation | GDN_TRIVY_CLIENTREMOTELOCATION | URI of a Trivy server. Only works with client action. |
| ClientServerCustomHeaders | GDN_TRIVY_CLIENTSERVERCUSTOMHEADERS | Custom headers for a Trivy server. Only works with client or server actions. |