Hamburger Cross Icon
Executed
+
Trivy Vulnerability Scanner Collector

Executed + Trivy Vulnerability Scanner Collector

Guardrail Collector Stable Security And Compliance

Enforce Executed using data collected by Trivy Vulnerability Scanner Collector. Automatically check security and compliance standards on every PR.

Guardrail: Verifies that SCA scanning was executed on the component. Fails if no scanner has written to .sca.
Data Source: Automatically scans repository dependencies for known CVEs using Trivy. Supports Go, Node.js, Python, Java, Rust, and many other ecosystems. Writes normalized vulnerability data to .sca for use with the SCA policy. No secrets or vendor accounts required.
Get Started View on GitHub

How Trivy Vulnerability Scanner Collector Powers This Guardrail

The Trivy Vulnerability Scanner Collector gathers metadata from your security systems. This data flows into Lunar's Component JSON, where the Executed guardrail evaluates it against your standards.

When enabled, this check runs automatically on every PR and in AI coding workflows, providing real-time enforcement with actionable feedback.

1
Trivy Vulnerability Scanner Collector Gathers Data Collector
Extracts metadata from code, configs, and tool outputs
2
{ } Component JSON
Data centralized in structured format for evaluation
3
Executed Checks Guardrail
Pass/fail result with actionable feedback in PRs

Quick Start Configuration

Add both the collector and policy to your lunar-config.yml to enable this guardrail.

📄 lunar-config.yml 
# Step 1: Enable the Trivy Vulnerability Scanner Collector
collectors:
  - uses: github://earthly/lunar-lib/collectors/trivy@v1.0.0
    # with: ...

# Step 2: Enable the SCA Guardrails
policies:
  - uses: github://earthly/lunar-lib/policies/sca@v1.0.0
    include: [executed]
    # with: ...

What Trivy Vulnerability Scanner Collector Collects

This collector gathers the following data that the Executed guardrail evaluates.

Collector code

auto

Auto-scans the repository filesystem for dependency vulnerabilities using Trivy. Writes normalized findings to .sca with severity counts, CVE IDs, affected packages, and fix versions.

Collector ci-after-command

cicd

Detects Trivy executions in CI pipelines. Captures the command, version, and input arguments for audit and compliance tracking.

Example Data Flow

Here's an example of the data that Trivy Vulnerability Scanner Collector writes to the Component JSON, which Executed then evaluates.

{ } component.json From Trivy Vulnerability Scanner Collector 
{
  "sca": {
    "source": {
      "tool": "trivy",
      "version": "0.69.3",
      "integration": "code"
    },
    "vulnerabilities": {
      "critical": 0,
      "high": 2,
      "medium": 5,
      "low": 3,
      "total": 10
    },
    "findings": [
      {
        "severity": "high",
        "package": "golang.org/x/net",
        "version": "0.7.0",
        "ecosystem": "gomod",
        "cve": "CVE-2023-44487",
        "title": "HTTP/2 Rapid Reset Attack",
        "fix_version": "0.17.0",
        "fixable": true
      }
    ],
    "summary": {
      "has_critical": false,
      "has_high": true,
      "all_fixable": true
    },
    "native": {
      "trivy": {
        "cicd": {
          "cmds": [
            {"cmd": "trivy fs --scanners vuln .", "version": "0.69.3"}
          ]
        }
      }
    }
  }
}

Configuration Options

SCA Guardrails Inputs

Input Required Default Description
min_severity Optional high Minimum severity to fail on (critical, high, medium, low)
max_total_threshold Required Maximum total findings allowed (must be configured)

Other Guardrails Using Trivy Vulnerability Scanner Collector

Other guardrails in SCA Guardrails that use data from Trivy Vulnerability Scanner Collector.

Guardrail + Trivy Vulnerability Scanner
Max Severity

Ensures no findings at or above the configured severity threshold. Configure min_severity to set the...
Guardrail + Trivy Vulnerability Scanner
Max Total

Ensures total vulnerabilities are under a configurable threshold.

Learn More

Guardrail · SCA Guardrails Executed View all compatible integrations
Collector Trivy Vulnerability Scanner Collector View full documentation

Ready to Automate Your Standards?

See how Lunar can turn your engineering wiki, compliance docs, or postmortem action items into automated guardrails with our 100+ built-in guardrails.

Works with any process
check Infrastructure conventions
check Post-mortem action items
check Security & compliance policies
check Testing & quality requirements
Automate Now
Turn any process doc into guardrails
Book a Demo