Trivy Blocklist CVE Check
Type: Rule
ID: trivy-blocklist-cve
Source: v2/rules/sarif/trivy/blocklist-cve.yaml
Rego Source: ../blocklist-report.rego
Help: https://scribe-security.netlify.app/docs/valint/generic#trivy-integration-example
Labels: SARIF, Trivy
Verify a CVE Blocklist against a SARIF report
This rule requires SARIF evidence; see the Help link above for details on producing it.
Signed Evidence for this rule IS NOT required by default but is recommended.
Rule is scoped by product.
Usage example
uses: sarif/trivy/blocklist-cve@v2
Mitigation
Ensures that any vulnerabilities matching a predefined CVE blocklist are flagged, preventing images with known high-risk vulnerabilities from progressing through the pipeline.
Description
This rule processes the SARIF report produced by the Trivy Vulnerability Scanner to verify that no vulnerabilities matching a predefined blocklist of CVE identifiers are present beyond the allowed threshold. The evaluation proceeds as follows:
The rule iterates over the vulnerability results in the SARIF report (located under `input.evidence.predicate.content.runs[0].results`), and for each result retrieves the corresponding rule definition from `input.evidence.predicate.content.runs[0].tool.driver.rules` based on the result's `ruleIndex`. It then checks whether the result's `ruleId` contains any of the CVE identifiers provided in the `with.rule_ids` configuration parameter. If the total number of such findings exceeds the allowed threshold (specified by `with.violations_threshold`), a violation is recorded with details including the rule ID, the severity (extracted from the rule's properties), and the location where the vulnerability was detected.
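The evaluation described above, as an added Python example (not the project's Rego rule) run over a constructed Trivy-style SARIF document; it assumes severity is read from the rule's `security-severity` property and that a result with no `locations` entry is reported with a placeholder location.

```python
from typing import Any

# Constructed sample: a minimal Trivy-style SARIF 2.1.0 report (not a real scan).
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Trivy", "rules": [
            {"id": "CVE-2024-0001", "properties": {"security-severity": "9.8"}},
            {"id": "CVE-2024-0002", "properties": {"security-severity": "5.3"}},
            {"id": "CVE-2024-0003", "properties": {"security-severity": "7.5"}},
        ]}},
        "results": [
            {"ruleId": "CVE-2024-0001", "ruleIndex": 0, "locations": [
                {"physicalLocation": {"artifactLocation": {"uri": "usr/lib/libssl.so"}}}]},
            {"ruleId": "CVE-2024-0002", "ruleIndex": 1, "locations": [
                {"physicalLocation": {"artifactLocation": {"uri": "usr/bin/curl"}}}]},
            {"ruleId": "CVE-2024-0003", "ruleIndex": 2, "locations": []},
        ],
    }],
}


def evaluate_blocklist(sarif: dict[str, Any], rule_ids: list[str],
                       violations_threshold: int = 0) -> dict[str, Any]:
    """Mirror the rule's evaluation: count results whose ruleId contains a
    blocklisted CVE and fail when that count exceeds the threshold."""
    run = sarif["runs"][0]
    rules = run["tool"]["driver"].get("rules", [])
    findings = []
    for result in run.get("results", []):
        rule_id = result.get("ruleId", "")
        # Substring match, as the rule description states ("ruleId contains ...").
        if not any(cve in rule_id for cve in rule_ids):
            continue
        # Resolve the rule definition via ruleIndex; tolerate a missing or bad index.
        idx = result.get("ruleIndex")
        rule = rules[idx] if isinstance(idx, int) and 0 <= idx < len(rules) else {}
        # Assumption: severity comes from the rule's "security-severity" property.
        severity = rule.get("properties", {}).get("security-severity", "unknown")
        locs = result.get("locations") or []
        uri = (locs[0].get("physicalLocation", {}).get("artifactLocation", {})
               .get("uri", "<no location>")) if locs else "<no location>"
        findings.append({"rule_id": rule_id, "severity": severity, "location": uri})
    failed = len(findings) > violations_threshold
    return {"passed": not failed, "violations": findings if failed else []}


if __name__ == "__main__":
    print(evaluate_blocklist(SAMPLE_SARIF, ["CVE-2024-0001", "CVE-2024-0003"]))
```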
Evidence Requirements
- Evidence must be provided in a generic format adhering to the SARIF 2.1.0 schema.
- The SARIF report should be generated by the "Trivy Vulnerability Scanner".
- Evidence filtering based on the product must be applied as defined in the configuration.
Evidence Requirements
| Field | Value |
|---|---|
| signed | False |
| content_body_type | generic |
| target_type | data |
| predicate_type | http://docs.oasis-open.org/sarif/sarif/2.1.0 |
| tool | Trivy Vulnerability Scanner |
| filter-by | ['product'] |
Input Definitions
| Parameter | Type | Required | Description |
|---|---|---|---|
| rule_ids | array | False | List of CVE identifiers to check for in the Trivy SARIF report. |
| violations_threshold | integer | False | The maximum number of allowed violations. |