Trivy Vulnerability Scanner Collector - Lunar Collector

Trivy Vulnerability Scanner Collector

Collector · Beta · Security

Automatically scans repository dependencies for known CVEs using Trivy. Supports Go, Node.js, Python, Java, Rust, and many other ecosystems. Writes normalized vulnerability data to .sca for use with the SCA policy. No secrets or vendor accounts required.

Add trivy to your lunar-config.yml:
uses: github://earthly/lunar-lib/collectors/trivy@v1.0.0

What This Integration Collects

This integration includes 2 collectors that gather metadata from your systems.

Collector: auto (hook type: code)

Auto-scans the repository filesystem for dependency vulnerabilities using Trivy. Writes normalized findings to .sca with severity counts, CVE IDs, affected packages, and fix versions.

Tags: trivy, vulnerability, cve, sca, dependency scanning, auto

Collector: cicd (hook type: ci-after-command)

Detects Trivy executions in CI pipelines. Captures the command, version, and input arguments for audit and compliance tracking.

Tags: trivy, ci, cicd, command detection, audit

How Collectors Fit into Lunar

Lunar watches your code and CI/CD systems to collect SDLC data from config files, test results, IaC, deployment configurations, security scans, and more.

Collectors are the automatic data-gathering layer. They extract structured metadata from your repositories and pipelines, feeding it into Lunar's centralized database where guardrails evaluate it to enforce your engineering standards.

1. Collectors Gather Data (this integration): triggered by code changes or CI pipelines, collectors extract metadata from config files, tool outputs, test results, and scans.
2. Centralized as JSON: all data is merged into each component's unified metadata document.
3. Guardrails Enforce Standards: real-time feedback in PRs and AI workflows.

Example Collected Data

This collector writes structured metadata to the Component JSON. Here's an example of the data it produces:

component.json:
{
  "sca": {
    "source": {
      "tool": "trivy",
      "version": "0.69.3",
      "integration": "code"
    },
    "vulnerabilities": {
      "critical": 0,
      "high": 2,
      "medium": 5,
      "low": 3,
      "total": 10
    },
    "findings": [
      {
        "severity": "high",
        "package": "golang.org/x/net",
        "version": "0.7.0",
        "ecosystem": "gomod",
        "cve": "CVE-2023-44487",
        "title": "HTTP/2 Rapid Reset Attack",
        "fix_version": "0.17.0",
        "fixable": true
      }
    ],
    "summary": {
      "has_critical": false,
      "has_high": true,
      "all_fixable": true
    },
    "native": {
      "trivy": {
        "cicd": {
          "cmds": [
            {"cmd": "trivy fs --scanners vuln .", "version": "0.69.3"}
          ]
        }
      }
    }
  }
}

Documentation


Trivy Vulnerability Scanner Collector

Scans source code dependencies for known vulnerabilities using Trivy.

Overview

This collector runs Trivy filesystem scans against repository source code to detect known CVEs in dependencies. It supports all ecosystems Trivy covers (Go, Node.js, Python, Java, Rust, Ruby, PHP, .NET, etc.) and writes normalized vulnerability data to .sca in the Component JSON, making results immediately consumable by the existing SCA policy.

No secrets or vendor accounts are required. Trivy's vulnerability database is downloaded at scan time so that each scan uses the latest CVE data; the host running the scan therefore needs outbound network access to fetch that database.

Collected Data

This collector writes to the following Component JSON paths:

Path                      Type     Description
.sca.source               object   Source metadata (tool name, version, integration method)
.sca.vulnerabilities      object   Severity counts (critical, high, medium, low, total)
.sca.findings[]           array    Individual vulnerability findings with CVE, package, fix info
.sca.summary              object   Summary booleans (has_critical, has_high, all_fixable)
.sca.native.trivy.cicd    object   CI command detection data (command, version)
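The table above defines the target shape but not how Trivy's own report maps onto it. The following is an added example, not the lunar-lib collector's code, showing one way to turn Trivy JSON into the documented .sca document. It assumes Trivy was run as `trivy fs --scanners vuln --format json .` and relies on Trivy's standard JSON field names (Results[].Type, Vulnerabilities[].VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity, Title). The embedded report is constructed sample data; the CVE-0000-* identifiers are placeholders, not real advisories. The de-duplication rule (same ID, package, version and ecosystem counted once across lockfile targets) and the treatment of Trivy's UNKNOWN severity are this example's own choices, since the page does not specify them.

```python
"""Normalize Trivy JSON into the .sca shape documented above.

Added example (not the lunar-lib collector's own code). Assumes Trivy was run as
`trivy fs --scanners vuln --format json .` and uses Trivy's standard JSON field
names. TRIVY_JSON below is constructed sample data; the CVE-0000-* identifiers
are placeholders, not real advisories.
"""
import json

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "unknown": 4}

# Constructed sample: one Go finding reported under two go.mod targets, one
# unfixable npm finding, one fixable low-severity npm finding, one clean target.
TRIVY_JSON = json.dumps({
    "SchemaVersion": 2,
    "Results": [
        {"Target": "go.mod", "Class": "lang-pkgs", "Type": "gomod", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2023-44487", "PkgName": "golang.org/x/net",
             "InstalledVersion": "0.7.0", "FixedVersion": "0.17.0",
             "Severity": "HIGH", "Title": "HTTP/2 Rapid Reset Attack"},
        ]},
        {"Target": "tools/go.mod", "Class": "lang-pkgs", "Type": "gomod", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2023-44487", "PkgName": "golang.org/x/net",
             "InstalledVersion": "0.7.0", "FixedVersion": "0.17.0",
             "Severity": "HIGH", "Title": "HTTP/2 Rapid Reset Attack"},
        ]},
        {"Target": "package-lock.json", "Class": "lang-pkgs", "Type": "npm", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "example-pkg",
             "InstalledVersion": "1.0.0", "FixedVersion": "",
             "Severity": "MEDIUM", "Title": "placeholder finding with no fix"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "example-lib",
             "InstalledVersion": "2.3.4", "FixedVersion": "2.3.5",
             "Severity": "LOW", "Title": "placeholder finding with a fix"},
        ]},
        # A target with no findings: Trivy leaves "Vulnerabilities" null or absent.
        {"Target": "requirements.txt", "Class": "lang-pkgs", "Type": "pip", "Vulnerabilities": None},
    ],
})


def normalize(trivy_json: str, tool_version: str) -> dict:
    """Convert a Trivy JSON report into the Component JSON .sca document."""
    report = json.loads(trivy_json)
    findings, seen = [], set()
    for result in report.get("Results", []):
        ecosystem = result.get("Type", "unknown")
        for v in result.get("Vulnerabilities") or []:
            # Dedupe (our own rule): the same package@version can be reported
            # under several lockfile targets; count it once.
            key = (v["VulnerabilityID"], v["PkgName"], v.get("InstalledVersion"), ecosystem)
            if key in seen:
                continue
            seen.add(key)
            fix = v.get("FixedVersion") or None  # "" means no fix is published
            findings.append({
                "severity": v.get("Severity", "UNKNOWN").lower(),
                "package": v["PkgName"],
                "version": v.get("InstalledVersion"),
                "ecosystem": ecosystem,
                "cve": v["VulnerabilityID"],  # may be a GHSA-... id; carried through as-is
                "title": v.get("Title", ""),
                "fix_version": fix,
                "fixable": fix is not None,
            })
    findings.sort(key=lambda f: (SEVERITY_RANK.get(f["severity"], 9), f["cve"]))

    # Bucket counts mirror the documented .sca.vulnerabilities keys. Findings
    # Trivy rates UNKNOWN land in no bucket but still count toward "total".
    counts = {s: sum(1 for f in findings if f["severity"] == s)
              for s in ("critical", "high", "medium", "low")}
    counts["total"] = len(findings)

    return {"sca": {
        "source": {"tool": "trivy", "version": tool_version, "integration": "code"},
        "vulnerabilities": counts,
        "findings": findings,
        "summary": {
            "has_critical": counts["critical"] > 0,
            "has_high": counts["high"] > 0,
            # all() of an empty list is True: a clean scan counts as all fixable.
            "all_fixable": all(f["fixable"] for f in findings),
        },
    }}


if __name__ == "__main__":
    print(json.dumps(normalize(TRIVY_JSON, "0.69.3"), indent=2))
```

Two details worth keeping in mind when consuming .sca: an empty FixedVersion from Trivy means no published fix, so `fixable` must be derived from the string being non-empty rather than from its presence, and `has_high`/`all_fixable` are only as good as the de-duplication, since a CVE repeated across several lockfiles would otherwise inflate the counts.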

Collectors

This integration provides the following collectors (use include to select a subset):

Collector   Hook Type           Description
auto        code                Auto-scans the repository filesystem for dependency vulnerabilities
cicd        ci-after-command    Detects Trivy executions in CI and captures command metadata

Installation

Add to your lunar-config.yml:

collectors:
  - uses: github://earthly/lunar-lib/collectors/trivy@main
    on: ["domain:your-domain"]

Zero configuration required. Works with any language Trivy supports. The quick-start snippet near the top of this page pins the collector to the v1.0.0 tag; prefer a pinned tag over @main in production so that the collector code executed in your pipelines cannot change without a change to your lunar-config.yml.

Note: If you already use the snyk collector, do not enable the trivy collector on the same component. Both write to the same .sca paths, so the trivy collector will overwrite the .sca data written by snyk. Use one SCA scanner per component, not both.

Open Source

This collector is open source and available on GitHub. Contribute improvements, report issues, or fork it for your own use.

