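---
# Trivy Configuration File
# Configuration for Trivy filesystem scanning
#
# NOTE(review): the rendered copy of this file had its indentation stripped, so
# the nesting below is reconstructed from the section comments — confirm it
# against the original file before relying on it.
# NOTE(review): Trivy's documented config keys include `scan.scanners`,
# `scan.skip-dirs`, `scan.skip-files`, `vulnerability.ignore-unfixed`,
# top-level `severity` / `format` / `output`, and `db.*` / `cache.*`. Keys
# Trivy does not recognise are silently ignored, so a scan would run with
# defaults while this file suggests otherwise — validate the `fs` / `vuln` /
# `secret` / `config` / `output` sections against the config-file reference
# for the pinned Trivy version.

# Global settings
quiet: false
debug: false
# Keep false: true allows insecure (unverified TLS) connections to registries
# and the vulnerability DB source.
insecure: false
timeout: 5m

# Filesystem scan settings
fs:
  # Scanners to use
  scanners:
    - vuln    # Vulnerability scanner
    - secret  # Secret scanner
    - config  # Misconfiguration scanner
  # Severity levels to report
  severity:
    - CRITICAL
    - HIGH
    - MEDIUM
    - LOW
    # Findings without a rated severity would otherwise be dropped from the
    # report; UNKNOWN is a valid Trivy severity and is part of its default set.
    - UNKNOWN
  # Skip directories
  skip-dirs:
    - target/
    - .git/
    - .idea/
    - .vscode/
    - reports/  # also holds this scan's own SARIF output (see output below)
  # Skip files
  skip-files:
    # NOTE(review): skipping Java archives also excludes any JAR/WAR/EAR kept
    # outside target/ (vendored libs, lib/ directories) from dependency
    # vulnerability scanning; keep these entries only if that is intended.
    - "*.jar"
    - "*.war"
    - "*.ear"
    - "*.log"
    - "*.tmp"
    - "*.temp"
    - ".DS_Store"
    - "Thumbs.db"
  # File patterns to scan
  include-paths:
    - "src/"
    - "pom.xml"
    - "*.java"
    - "*.xml"
    - "*.yml"
    - "*.yaml"
    - "*.properties"
    - "*.json"

# Vulnerability scanner settings
vuln:
  # Database settings
  db:
    repository: "ghcr.io/aquasecurity/trivy-db"
    skip-update: false    # refresh the vulnerability DB on every run
    download-only: false  # download the DB and still run the scan
  # Policy settings
  policy:
    namespaces:
      - "appshield"
      - "defsec"
      - "avd"
  # Ignore unfixed vulnerabilities
  # (false keeps findings with no available fix visible in the report)
  ignore-unfixed: false
  # Include non-compliant packages
  include-non-compliant: true

# Secret scanner settings
secret:
  # Scan for secrets in files
  scan:
    - "*.java"
    - "*.xml"
    - "*.yml"
    - "*.yaml"
    - "*.properties"
    - "*.json"
    - "*.sh"
    - "*.bash"
  # Secret patterns to look for
  # NOTE(review): bare words such as "password" / "secret" / "token" match far
  # more than credential values; confirm how the Trivy version in use consumes
  # this list (regex vs. literal) before treating its output as authoritative.
  patterns:
    - "api[_-]?key"
    - "password"
    - "secret"
    - "token"
    - "private[_-]?key"

# Misconfiguration scanner settings
config:
  # Policy bundles to use
  # NOTE(review): ":latest" is a mutable tag — the policy content evaluated by
  # each scan can change without any change to this file. Pin an immutable
  # digest (…@sha256:<DIGEST-PLACEHOLDER>) and bump it deliberately.
  policy-bundle: "ghcr.io/aquasecurity/defsec:latest"
  # Include deprecated policies
  include-deprecated: false
  # Include experimental policies
  include-experimental: false

# Output settings
output:
  format: "sarif"
  template: ""  # only consulted when format is "template"
  output: "reports/trivy-fs-scan.sarif"

# Cache settings
cache:
  backend: "fs"
  dir: ".trivycache"
  # NOTE(review): Trivy documents the cache TTL for the redis backend; with
  # backend "fs" this is likely a no-op — confirm against the pinned version.
  ttl: "24h"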