Trivy Vulnerability Findings Check
Type: Rule
ID: trivy-verify-vulnerability-findings
Source: v2/rules/sarif/trivy/verify-cve-severity.yaml
Rego Source: verify-cve-severity.rego
Help: https://scribe-security.netlify.app/docs/valint/generic#trivy-integration-example
Labels: SARIF, Trivy
Verifies that vulnerability findings in the SARIF evidence from Trivy do not exceed the defined severity threshold.
This rule requires SARIF Evidence. See here for more details.
Evidence IS required for this rule and will fail if missing.
Signed Evidence for this rule IS NOT required by default but is recommended.
Rule is scoped by product.
Usage example

```yaml
uses: sarif/trivy/verify-cve-severity@v2
with:
  severity_threshold: 0
```
Mitigation
Ensures that the SARIF report generated by Trivy meets the predefined security criteria, helping to detect critical vulnerabilities and configuration issues early.
Description
This rule processes the SARIF report produced by the Trivy Vulnerability Scanner to verify that it complies with a set of predefined rules. The evaluation is based on several configurable parameters:

The rule iterates over the vulnerability results in the SARIF report (provided under `input.evidence.predicate.content.runs[0].results`) and, for each result, retrieves the corresponding rule definition from `input.evidence.predicate.content.runs[0].tool.driver.rules` using the result's `ruleIndex`. It then evaluates whether the severity (extracted from the rule's properties) exceeds the specified threshold. If the number of such violations exceeds the allowed maximum, a violation is recorded.
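The walk described above (results, then `rules[ruleIndex]`, then the severity from the rule's properties), as an added Python example that is not the rule's Rego source. It assumes the severity lives in Trivy's `security-severity` property (a CVSS score as a string) and that a result whose `ruleIndex` or severity cannot be resolved should fail closed; the SARIF fragment is constructed sample data with placeholder rule ids.

```python
import json

# Constructed Trivy-style SARIF 2.1.0 fragment; rule ids are placeholders, not real CVEs.
SAMPLE_SARIF = json.loads("""
{"version": "2.1.0", "runs": [{
  "tool": {"driver": {"name": "Trivy", "rules": [
    {"id": "CVE-EXAMPLE-0001", "properties": {"security-severity": "9.8", "tags": ["CRITICAL"]}},
    {"id": "CVE-EXAMPLE-0002", "properties": {"security-severity": "4.3", "tags": ["MEDIUM"]}},
    {"id": "CVE-EXAMPLE-0003", "properties": {}}
  ]}},
  "results": [
    {"ruleId": "CVE-EXAMPLE-0001", "ruleIndex": 0, "message": {"text": "pkg-a 1.0"}},
    {"ruleId": "CVE-EXAMPLE-0002", "ruleIndex": 1, "message": {"text": "pkg-b 2.0"}},
    {"ruleId": "CVE-EXAMPLE-0003", "ruleIndex": 2, "message": {"text": "pkg-c 3.0"}},
    {"ruleId": "CVE-EXAMPLE-0001", "ruleIndex": 0, "message": {"text": "pkg-d 0.1"}}
  ]
}]}
""")


def severity_of(rule: dict):
    """Read the severity from a rule's properties.
    Assumption: Trivy's 'security-severity' property (a CVSS score as a string)."""
    raw = rule.get("properties", {}).get("security-severity")
    try:
        return float(raw) if raw is not None else None
    except ValueError:
        return None


def findings_over_threshold(sarif: dict, severity_threshold: float) -> list:
    """Mirror the rule's walk: results -> rules[ruleIndex] -> severity > threshold."""
    run = sarif["runs"][0]
    rules = run["tool"]["driver"]["rules"]
    violations = []
    for result in run.get("results", []):
        idx = result.get("ruleIndex")
        if not isinstance(idx, int) or not 0 <= idx < len(rules):
            # Unresolvable ruleIndex: fail closed rather than silently skip the finding
            violations.append({"ruleId": result.get("ruleId"), "severity": None, "reason": "bad ruleIndex"})
            continue
        rule = rules[idx]
        sev = severity_of(rule)
        if sev is None:
            # No severity on the rule: also fail closed
            violations.append({"ruleId": rule.get("id"), "severity": None, "reason": "no severity"})
        elif sev > severity_threshold:
            violations.append({"ruleId": rule.get("id"), "severity": sev, "reason": "above threshold"})
    return violations
```

An empty list means the report passes; with `severity_threshold: 0` as in the usage example, every finding that carries a severity is reported.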
Evidence Requirements
- Evidence must be provided in a generic format adhering to the SARIF 2.1.0 schema.
- The SARIF report should be generated by the "Trivy Vulnerability Scanner".

| Field | Value |
|---|---|
| signed | False |
| content_body_type | generic |
| target_type | data |
| predicate_type | http://docs.oasis-open.org/sarif/sarif/2.1.0 |
| tool | Trivy Vulnerability Scanner |
| filter-by | ['product'] |
Input Definitions
| Parameter | Type | Required | Description |
|---|---|---|---|
| severity_threshold | integer | True | The maximum severity level allowed for vulnerabilities. |