
Verify Trivy SARIF Report Compliance

Type: Rule
ID: trivy-report
Source: v2/rules/sarif/trivy/verify-trivy-report.yaml
Rego Source: ../verify-sarif.rego
Help: https://scribe-security.netlify.app/docs/valint/generic#trivy-integration-example
Labels: SARIF, Trivy

Verify the Trivy SARIF report complies with predefined rules to ensure compliance and detect issues.

Note: This rule requires SARIF Evidence. See here for more details.

Tip: Signed Evidence for this rule IS NOT required by default but is recommended.

Info: Rule is scoped by product.

Usage example

uses: sarif/trivy/verify-trivy-report@v2

Mitigation

Ensures that the SARIF report generated by Trivy meets the predefined security criteria, helping to detect critical vulnerabilities and configuration issues early.

Description

This rule processes the SARIF report produced by the Trivy Vulnerability Scanner to verify that it complies with a set of predefined rules. The evaluation is controlled by the configurable parameters listed under Input Definitions.

The rule iterates over the vulnerability results in the SARIF report (provided under input.evidence.predicate.content.runs[0].results). For each result, it retrieves the corresponding rule definition from input.evidence.predicate.content.runs[0].tool.driver.rules using the result's ruleIndex, and then evaluates whether the severity (extracted from the rule's properties) exceeds the specified threshold. If the number of such violations exceeds the allowed maximum (max_allowed), a violation is recorded.
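The walk described above, as an added Python model that is not the project's verify-sarif.rego: it resolves each result to its rule via ruleIndex, applies the filters, and fails when the count exceeds max_allowed. The filter semantics (rule_level matched against result.level, precision against rule.properties.precision, rule_ids as an allow-list when non-empty, ignore as a deny-list) and the sample report are assumptions made for illustration.

```python
# Constructed minimal Trivy-style SARIF 2.1.0 report (not real scan output);
# rule ids are placeholders, not real CVE identifiers.
REPORT = {
    "runs": [{
        "tool": {"driver": {"name": "Trivy Vulnerability Scanner", "rules": [
            {"id": "PLACEHOLDER-0001", "properties": {"precision": "very-high", "security-severity": "9.8"}},
            {"id": "PLACEHOLDER-0002", "properties": {"precision": "very-high", "security-severity": "5.3"}},
            {"id": "PLACEHOLDER-0003", "properties": {"precision": "medium", "security-severity": "7.5"}},
        ]}},
        "results": [
            {"ruleId": "PLACEHOLDER-0001", "ruleIndex": 0, "level": "error"},
            {"ruleId": "PLACEHOLDER-0002", "ruleIndex": 1, "level": "warning"},
            {"ruleId": "PLACEHOLDER-0003", "ruleIndex": 2, "level": "error"},
            {"ruleId": "PLACEHOLDER-0001", "ruleIndex": 0, "level": "error"},
        ],
    }],
}


def evaluate(report, rule_level=(), precision=(), rule_ids=(), ignore=(), max_allowed=0):
    """Return (passed, violations) for a Trivy SARIF report.

    Mirrors the rule description: walk runs[0].results, look up each rule by
    ruleIndex, keep results matching the assumed filter semantics, and pass only
    when the number of kept results does not exceed max_allowed.
    """
    run = report["runs"][0]
    driver = run["tool"]["driver"]
    if driver["name"] != "Trivy Vulnerability Scanner":
        raise ValueError("report was not produced by the Trivy Vulnerability Scanner")
    violations = []
    for result in run["results"]:
        rule = driver["rules"][result["ruleIndex"]]
        rule_id = rule["id"]
        props = rule.get("properties", {})
        if rule_id in ignore:                     # explicitly ignored rule id
            continue
        if rule_ids and rule_id not in rule_ids:  # allow-list given, id not on it
            continue
        if rule_level and result.get("level") not in rule_level:
            continue
        if precision and props.get("precision") not in precision:
            continue
        violations.append({"rule_id": rule_id, "level": result.get("level"),
                           "severity": props.get("security-severity")})
    return len(violations) <= max_allowed, violations


if __name__ == "__main__":
    passed, found = evaluate(REPORT, rule_level=["error"], precision=["very-high"], max_allowed=1)
    print("passed:", passed, "violations:", found)
```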

Evidence Requirements

  • Evidence must be provided in a generic format adhering to the SARIF 2.1.0 schema.
  • The SARIF report should be generated by the "Trivy Vulnerability Scanner".
  • The evidence must include proper filtering based on the product as defined in the configuration.

Evidence Requirements

| Field             | Value                                         |
|-------------------|-----------------------------------------------|
| signed            | False                                         |
| content_body_type | generic                                       |
| target_type       | data                                          |
| predicate_type    | http://docs.oasis-open.org/sarif/sarif/2.1.0  |
| tool              | Trivy Vulnerability Scanner                   |
| filter-by         | ['product']                                   |

Input Definitions

| Parameter   | Type    | Required | Description                                                    |
|-------------|---------|----------|----------------------------------------------------------------|
| rule_level  | array   | False    | List of rule levels to check for in the Trivy SARIF report.    |
| precision   | array   | False    | List of precision levels to check for in the Trivy SARIF report. |
| rule_ids    | array   | False    | List of rule IDs to check for in the Trivy SARIF report.       |
| ignore      | array   | False    | List of rule IDs to ignore in the Trivy SARIF report.          |
| max_allowed | integer | False    | The maximum number of allowed violations.                      |