Trivy + DefectDojo in CI/CD

Trivy scans for vulnerabilities in code dependencies and Docker images. Results are automatically uploaded to DefectDojo for tracking.

How It Works

  1. Trivy filesystem scan — checks dependencies (Python, npm, Go) for known CVEs
  2. Trivy image scan — checks the built Docker image for OS and library vulnerabilities
  3. Results uploaded to DefectDojo via the import-scan API
  4. Findings tracked in DefectDojo with severity levels

Pipeline Jobs

Filesystem Scan (all repos)

Runs during the test stage, scanning project dependencies:

trivy-fs:
  stage: test
  image:
    name: aquasec/trivy:latest
    entrypoint: [""]
  script:
    - trivy filesystem --format json --output trivy-fs-report.json .
    # Upload to DefectDojo. A block scalar (|) with backslash continuations is needed here:
    # a multi-line plain YAML scalar cannot contain "Authorization: Token ...", so the job
    # would fail to parse. --fail makes a rejected upload fail the job instead of passing silently.
    - |
      curl --fail -sS -X POST "$DEFECTDOJO_URL/api/v2/import-scan/" \
        -H "Authorization: Token $DEFECTDOJO_TOKEN" \
        -F "scan_type=Trivy Scan" \
        -F "file=@trivy-fs-report.json" \
        -F "product_name=$DEFECTDOJO_PRODUCT" \
        -F "engagement_name=CI/CD Pipeline" \
        -F "auto_create_context=true"
  artifacts:
    when: always
    paths:
      - trivy-fs-report.json
  tags:
    - small

Image Scan (repos with Docker builds)

Runs after the build stage, scanning the built Docker image:

trivy-image:
  stage: test
  image:
    name: aquasec/trivy:latest
    entrypoint: [""]
  script:
    - trivy image --format json --output trivy-image-report.json "$IMAGE_TAG"
    # Upload to DefectDojo (same block-scalar form as trivy-fs, for the same YAML reason)
    - |
      curl --fail -sS -X POST "$DEFECTDOJO_URL/api/v2/import-scan/" \
        -H "Authorization: Token $DEFECTDOJO_TOKEN" \
        -F "scan_type=Trivy Scan" \
        -F "file=@trivy-image-report.json" \
        -F "product_name=$DEFECTDOJO_PRODUCT" \
        -F "engagement_name=CI/CD Pipeline" \
        -F "auto_create_context=true"
  artifacts:
    when: always
    paths:
      - trivy-image-report.json
  tags:
    - small

Viewing Results

  1. Open DefectDojo
  2. Navigate to the relevant product (e.g., orchestrator-server)
  3. Click Findings to see vulnerabilities grouped by severity

Responding to Findings

Severity   What to Do
--------   ----------
Critical   Fix immediately — update the vulnerable dependency
High       Fix before merging to main
Medium     Create a task in Taiga and fix in the current sprint
Low        Track for future remediation

Common fixes:

  • Dependency vulnerability: Update the package version in requirements.txt / package.json
  • Base image vulnerability: Update the Docker base image tag
  • False positive: Mark as "False Positive" in DefectDojo with a justification
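The two pipeline jobs above upload the raw report and leave triage to DefectDojo; the script below, added here as an example and not part of this project's pipeline, reads the same Trivy JSON report, counts findings per severity, applies the "Responding to Findings" policy as a merge gate (Critical or High fails the job), and posts the report to the same import-scan endpoint with the same form fields as the curl calls. It assumes Trivy's JSON layout (top-level "Results", each with a "Vulnerabilities" list) and the `requests` library for the upload; the sample report and its IDs are constructed placeholders.

```python
# Added example: Trivy report triage + DefectDojo upload (assumptions are stated in the lead-in).
import json
import sys
from collections import Counter

# Per the "Responding to Findings" table, Critical and High must be fixed
# before merging to main, so the gate fails the job on either.
BLOCKING = {"CRITICAL", "HIGH"}

# Constructed sample in Trivy's JSON output shape; the IDs are placeholders, not real CVEs.
SAMPLE_REPORT = {
    "Results": [
        {"Target": "requirements.txt", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "examplepkg", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "examplepkg", "Severity": "LOW"}]},
        {"Target": "package.json", "Vulnerabilities": None},  # null/absent when a target is clean
    ]
}

def summarize(report: dict) -> Counter:
    """Count vulnerabilities per severity across every result in the report."""
    counts = Counter()
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            counts[vuln.get("Severity", "UNKNOWN").upper()] += 1
    return counts

def should_block(counts: Counter) -> bool:
    """True when any blocking-severity finding is present."""
    return any(counts[sev] > 0 for sev in BLOCKING)

def upload_to_defectdojo(report_path, base_url, token, product, engagement="CI/CD Pipeline"):
    """POST the report to DefectDojo's import-scan endpoint with the same fields as the jobs above."""
    import requests  # only needed in CI; the offline parts stay dependency-free
    with open(report_path, "rb") as fh:
        resp = requests.post(
            f"{base_url}/api/v2/import-scan/",
            headers={"Authorization": f"Token {token}"},
            data={"scan_type": "Trivy Scan", "product_name": product,
                  "engagement_name": engagement, "auto_create_context": "true"},
            files={"file": fh}, timeout=60)
    resp.raise_for_status()
    return resp.json()

if __name__ == "__main__":  # usage: python trivy_gate.py trivy-fs-report.json
    path = sys.argv[1] if len(sys.argv) > 1 else None
    report = json.load(open(path)) if path else SAMPLE_REPORT
    counts = summarize(report)
    print({sev: counts[sev] for sev in ("CRITICAL", "HIGH", "MEDIUM", "LOW")})
    sys.exit(1 if should_block(counts) else 0)
```

Run it as an extra `script:` line after the Trivy scan to make the job's exit status reflect the severity policy rather than only recording findings.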