github.com/ishita82/trivy-gitaction@v0.0.0-20240206054925-e937cc05f8e3/docs/ecosystem/cicd.md

# CI/CD Integrations

## Azure DevOps (Official)
[Azure DevOps](https://azure.microsoft.com/en-us/products/devops/#overview) is Microsoft Azure's cloud-native CI/CD service.

Trivy has an "Azure DevOps Pipelines Task" that lets you easily introduce security scanning into your workflow, with an integrated Azure DevOps UI.

👉 Get it at: <https://github.com/aquasecurity/trivy-azure-pipelines-task>

## GitHub Actions
[GitHub Actions](https://github.com/features/actions) is GitHub's native CI/CD and job orchestration service.

### trivy-action (Official)

GitHub Action for integrating Trivy into your GitHub pipeline.

👉 Get it at: <https://github.com/aquasecurity/trivy-action>

### trivy-action (Community)

GitHub Action to scan for vulnerabilities using Trivy. If Trivy finds vulnerabilities, the action creates a GitHub Issue.

👉 Get it at: <https://github.com/marketplace/actions/trivy-action>

### trivy-github-issues (Community)

In this action, Trivy scans dependency files such as package-lock.json and go.sum in your repository, then creates GitHub issues according to the result.

👉 Get it at: <https://github.com/marketplace/actions/trivy-github-issues>

## Buildkite Plugin (Community)

The Trivy Buildkite plugin provides a convenient mechanism for running the open-source Trivy static analysis tool on your project.

👉 Get it at: <https://github.com/equinixmetal-buildkite/trivy-buildkite-plugin>

## Dagger (Community)
[Dagger](https://dagger.io/) is CI/CD as code that runs anywhere.

The Dagger module for Trivy provides functions for scanning container images from registries as well as Dagger Container objects from any Dagger SDK (e.g. Go, Python, Node.js).

👉 Get it at: <https://daggerverse.dev/mod/github.com/jpadams/daggerverse/trivy>

## Semaphore (Community)
[Semaphore](https://semaphoreci.com/) is a CI/CD service.

You can use Trivy in a Semaphore workflow to scan code, containers, infrastructure, and Kubernetes.

👉 Get it at: <https://semaphoreci.com/blog/continuous-container-vulnerability-testing-with-trivy>

## CircleCI (Community)
[CircleCI](https://circleci.com/) is a CI/CD service.

You can use the Trivy Orb for CircleCI to introduce security scanning into your workflow.

👉 Get it at: <https://circleci.com/developer/orbs/orb/fifteen5/trivy-orb>
Source: <https://github.com/15five/trivy-orb>

## Woodpecker CI (Community)

Example Trivy step in a pipeline:

```yml
pipeline:
  securitycheck:
    image: aquasec/trivy:latest
    commands:
      # use any trivy command, if exit code is 0 woodpecker marks it as passed, else it assumes it failed
      - trivy fs --exit-code 1 --skip-dirs web/ --skip-dirs docs/ --severity MEDIUM,HIGH,CRITICAL .
```

Woodpecker uses Trivy itself, so you can [see it in use there](https://github.com/woodpecker-ci/woodpecker/pull/1163).

## Concourse CI (Community)
[Concourse CI](https://concourse-ci.org/) is a CI/CD service.

You can use the Trivy Resource in Concourse to scan containers and introduce security scanning into your workflow.
It can fail the pipeline, create issues, and alert communication channels (using the respective resources) based on Trivy scan output.

👉 Get it at: <https://github.com/Comcast/trivy-resource/>