Dependency-Track logov4.11

Trivy is a comprehensive and versatile security scanner by Aqua Security, supporting most popular programming languages, operating systems, and platforms. More details on scanning coverage can be found in Trivy’s documentation.

Dependency-Track integrates with Trivy using its client/server mode.

The Trivy integration requires an external Trivy server and is disabled by default.

Configuration #

To configure the Trivy integration, navigate to Analyzers -> Trivy in the administration panel. The following options are available:

Option Description Default
Enable Controls whether the Trivy integration is enabled false
Base URL Base URL of the Trivy REST API -
API Token Authentication token for the REST API -
Ignore Unfixed Whether to ignore vulnerabilities for which no fix is available yet false

Trivy Configuration

Running Trivy in Server Mode #

To run Trivy in server mode, use the server command. For example:

trivy server \
  --listen :8080 \
  --token yourAuthToken

To prevent service disruption, you need to make sure that the Trivy server keeps running, and is automatically launched after the host system reboots.
The easiest way to achieve this is to run Trivy with Docker, and using an appropriate restart policy. See below for an example with Docker Compose.

When deploying Dependency-Track via Docker Compose, Trivy can simply be added as yet another service in docker-compose.yml:

    image: aquasec/trivy:latest
    - server
    - --listen
    - :8080
    - --token
    - yourAuthToken
    - "trivy-cache:/root/.cache/trivy"
    restart: unless-stopped
  # <Dependency-Track services here>

  trivy-cache: {}
  # <Dependency-Track volumes here>

Deploying Trivy in the same Compose project allows you to specify http://trivy:8080 as base URL in the Trivy configuration.
Other deployment models will require you to configure the proper IP or hostname of the machine where Trivy is running.

Known Limitations #