Trivy Vulnerability Scanner Collector
Automatically scans repository dependencies for known CVEs using Trivy. Supports Go, Node.js, Python, Java, Rust, and many other ecosystems. Writes normalized vulnerability data to .sca for use with the SCA policy. No secrets or vendor accounts required.
Add trivy to your lunar-config.yml:
uses: github://earthly/lunar-lib/collectors/trivy@v1.0.5
What This Integration Collects
This integration includes 3 collectors that gather metadata from your systems.
auto
Auto-scans the repository filesystem for dependency vulnerabilities using Trivy. Writes normalized findings to .sca with severity counts, CVE IDs, affected packages, and fix versions.
cicd
Detects Trivy executions in CI pipelines. Captures the command, version, and input arguments for audit and compliance tracking.
rescan
Re-runs the dependency (SCA) scan on a schedule and overwrites .sca so the SCA policy re-evaluates against CVEs published since the commit was first scanned, closing the gap where a branch passes at scan time but a dependency picks up a new CVE later. Runs the same scan as the auto collector (the sibling auto.sh) in the Trivy collector image.
How Collectors Fit into Lunar
Lunar watches your code and CI/CD systems to collect SDLC data from config files, test results, IaC, deployment configurations, security scans, and more.
Collectors are the automatic data-gathering layer. They extract structured metadata from your repositories and pipelines, feeding it into Lunar's centralized database where guardrails evaluate it to enforce your engineering standards.
Learn How Lunar Works →
Example Collected Data
This collector writes structured metadata to the Component JSON. Here's an example of the data it produces:
{
"sca": {
"source": {
"tool": "trivy",
"version": "0.69.3",
"integration": "code"
},
"vulnerabilities": {
"critical": 0,
"high": 2,
"medium": 5,
"low": 3,
"total": 10
},
"findings": [
{
"severity": "high",
"package": "golang.org/x/net",
"version": "0.7.0",
"ecosystem": "gomod",
"cve": "CVE-2023-44487",
"title": "HTTP/2 Rapid Reset Attack",
"fix_version": "0.17.0",
"fixable": true
}
],
"summary": {
"has_critical": false,
"has_high": true,
"all_fixable": true
},
"native": {
"trivy": {
"cicd": {
"cmds": [
{"cmd": "trivy fs --scanners vuln .", "version": "0.69.3"}
]
},
"results": {
"SchemaVersion": 2,
"ArtifactName": ".",
"ArtifactType": "filesystem",
"Results": [
{
"Target": "go.sum",
"Class": "lang-pkgs",
"Type": "gomod",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2023-44487",
"PkgName": "golang.org/x/net",
"InstalledVersion": "0.7.0",
"FixedVersion": "0.17.0",
"Severity": "HIGH",
"Title": "HTTP/2 Rapid Reset Attack",
"Description": "The HTTP/2 protocol allows a denial of service...",
"References": ["https://nvd.nist.gov/vuln/detail/CVE-2023-44487"],
"CVSS": {"nvd": {"V3Score": 7.5}},
"CweIDs": ["CWE-400"],
"PublishedDate": "2023-10-10T14:15:10Z"
}
]
}
]
}
}
}
}
}
Documentation
View on GitHub
Trivy Vulnerability Scanner Collector
Scans source code dependencies for known vulnerabilities using Trivy.
Overview
This collector runs Trivy filesystem scans against repository source code to detect known CVEs in dependencies. It supports all ecosystems Trivy covers (Go, Node.js, Python, Java, Rust, Ruby, PHP, .NET, etc.) and writes normalized vulnerability data to .sca in the Component JSON, making results immediately consumable by the existing SCA policy. A scheduled rescan re-runs the same scan on a cron and overwrites .sca, so a previously-clean commit is re-evaluated against CVEs published after it was first scanned.
No secrets or vendor accounts are required — Trivy's vulnerability database is downloaded at scan time, so results reflect the latest CVE data. The flip side is that the scan host needs outbound network access to fetch that database (Trivy pulls it from an OCI registry, ghcr.io/aquasecurity/trivy-db by default); in an egress-restricted environment, allow that registry or point Trivy at an internal mirror with its --db-repository flag, otherwise the scan fails rather than running against stale data.
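The following is an added example, not the collector's own auto.sh: it normalizes a Trivy JSON report (the output of trivy fs --scanners vuln --format json) into the .sca shape shown in the Component JSON example above, and then shows the gap the rescan closes by diffing a stored .sca against a fresh scan of the same commit. The function names are this example's own; the sample report is constructed inline, with the go.sum finding mirroring the page's example, an npm entry under a placeholder ID (not a real advisory) to show an unfixed vulnerability, and a pip result with no "Vulnerabilities" key, as Trivy emits for a clean target. The treatment of UNKNOWN severity (counted in total only) is an assumption, not documented collector behaviour.

```python
"""Normalize a Trivy JSON report into the `.sca` shape and diff two scans.

Added example, not the Lunar collector's own code. Function and constant
names are this example's own; the sample report below is constructed.
"""
import json
import sys

SEVERITY_BUCKETS = ("critical", "high", "medium", "low")

# Constructed sample of `trivy fs --scanners vuln --format json .` output.
SAMPLE_TRIVY_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": ".",
    "ArtifactType": "filesystem",
    "Results": [
        {"Target": "go.sum", "Class": "lang-pkgs", "Type": "gomod",
         "Vulnerabilities": [{
             "VulnerabilityID": "CVE-2023-44487", "PkgName": "golang.org/x/net",
             "InstalledVersion": "0.7.0", "FixedVersion": "0.17.0",
             "Severity": "HIGH", "Title": "HTTP/2 Rapid Reset Attack"}]},
        # Placeholder ID, not a real advisory: shows a finding with no fix.
        {"Target": "package-lock.json", "Class": "lang-pkgs", "Type": "npm",
         "Vulnerabilities": [{
             "VulnerabilityID": "EXAMPLE-0001", "PkgName": "example-pkg",
             "InstalledVersion": "1.0.0", "Severity": "MEDIUM",
             "Title": "placeholder advisory with no upstream fix"}]},
        # Trivy omits "Vulnerabilities" entirely for a clean target.
        {"Target": "requirements.txt", "Class": "lang-pkgs", "Type": "pip"},
    ],
}


def normalize_trivy_report(report, trivy_version="unknown", integration="code"):
    """Return {"sca": {...}} in the shape of the page's Component JSON example."""
    counts = {bucket: 0 for bucket in SEVERITY_BUCKETS}
    counts["total"] = 0
    findings = []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            severity = str(vuln.get("Severity", "UNKNOWN")).lower()
            # Missing or empty FixedVersion means no fixed release exists yet.
            fix_version = vuln.get("FixedVersion") or None
            findings.append({
                "severity": severity,
                "package": vuln.get("PkgName"),
                "version": vuln.get("InstalledVersion"),
                "ecosystem": result.get("Type", ""),
                "cve": vuln.get("VulnerabilityID"),
                "title": vuln.get("Title", ""),
                "fix_version": fix_version,
                "fixable": fix_version is not None,
            })
            counts["total"] += 1
            if severity in SEVERITY_BUCKETS:  # assumption: UNKNOWN -> total only
                counts[severity] += 1
    return {"sca": {
        "source": {"tool": "trivy", "version": trivy_version,
                   "integration": integration},
        "vulnerabilities": counts,
        "findings": findings,
        "summary": {
            "has_critical": counts["critical"] > 0,
            "has_high": counts["high"] > 0,
            # all() over no findings is True: a clean scan is "all fixable".
            "all_fixable": all(f["fixable"] for f in findings),
        },
        # The cicd collector adds its own .native.trivy.cicd subtree.
        "native": {"trivy": {"results": report}},
    }}


def finding_key(finding):
    """Identity of a finding: same package, version and advisory."""
    return (finding["ecosystem"], finding["package"],
            finding["version"], finding["cve"])


def findings_introduced_by_rescan(stored_sca, fresh_sca):
    """Findings present in a fresh scan but absent from the stored .sca.

    For an unchanged commit these are advisories published after the first
    scan, which is exactly what the cron rescan surfaces by overwriting .sca.
    """
    known = {finding_key(f) for f in stored_sca["sca"]["findings"]}
    return [f for f in fresh_sca["sca"]["findings"]
            if finding_key(f) not in known]


def main():
    # Pipe real output in (trivy fs --format json . | python this.py);
    # with no pipe, fall back to the constructed sample.
    report = SAMPLE_TRIVY_REPORT if sys.stdin.isatty() else json.load(sys.stdin)
    print(json.dumps(normalize_trivy_report(report, trivy_version="0.69.3"),
                     indent=2))


if __name__ == "__main__":
    main()
```

With the stored .sca from a clean first scan and the fresh normalized sample, findings_introduced_by_rescan returns both findings; run against two scans of the same commit it returns exactly the CVEs that appeared in between, which is the set a guardrail re-evaluates after the rescan overwrites .sca.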
Collected Data
This collector writes to the following Component JSON paths:
| Path | Type | Description |
|---|---|---|
| .sca.source | object | Source metadata (tool name, version, integration method) |
| .sca.vulnerabilities | object | Severity counts (critical, high, medium, low, total) |
| .sca.findings[] | array | Individual vulnerability findings with CVE, package, fix info |
| .sca.summary | object | Summary booleans (has_critical, has_high, all_fixable) |
| .sca.native.trivy.cicd | object | CI command detection data (command, version) |
| .sca.native.trivy.results | object | Raw Trivy JSON report (SchemaVersion, ArtifactName, Results[]) from the filesystem scan |
Collectors
This integration provides the following collectors (use include to select a subset):
| Collector | Hook Type | Description |
|---|---|---|
| auto | code | Auto-scans the repository filesystem for dependency vulnerabilities |
| cicd | ci-after-command | Detects Trivy executions in CI and captures command metadata |
| rescan | cron | Re-runs the auto scan on a schedule (daily by default) and overwrites .sca so the SCA policy re-evaluates against newly-published CVEs |
Installation
Add to your lunar-config.yml:
collectors:
  - uses: github://earthly/lunar-lib/collectors/trivy@main
    on: ["domain:your-domain"]
Zero configuration required. Works with any language Trivy supports.
By default this also enables the rescan cron sub-collector, which re-runs the scan daily on each component's default branch and overwrites .sca. To keep the on-push (auto) and CI-detection (cicd) scans but turn the scheduled re-scan off, exclude it:
collectors:
  - uses: github://earthly/lunar-lib/collectors/trivy@main
    on: ["domain:your-domain"]
    exclude: [rescan]
Note: If you already use the snyk collector, the trivy collector will overwrite .sca data since both write to the same paths, and whichever runs last wins. Use one SCA scanner per component, not both.
Open Source
This collector is open source and available on GitHub. Contribute improvements, report issues, or fork it for your own use.
Common Use Cases
Explore guardrails that use data from Trivy Vulnerability Scanner Collector.
Ready to Automate Your Standards?
See how Lunar can turn your AGENTS.md, engineering wiki, compliance docs, or postmortem action items into automated guardrails with our 200+ built-in guardrails.