A pre-commit hook that integrates Trivy security scanning to detect vulnerabilities in your codebase before commits are finalized. This hook helps you catch security issues early in the development process.
- Security First: Automatically scan for vulnerabilities before every commit
- Configurable: Customize severity levels, scanners, and output formats
- Fast: Skip database updates for faster repeated scans
- Flexible: Pass-through support for all Trivy options
- Well-Tested: Comprehensive test suite with >90% coverage
- Modern Python: Built with Python 3.9+ using best practices
- Python 3.9 or higher
- Trivy: Must be installed separately
Choose your preferred installation method:

macOS (Homebrew):

```bash
brew install trivy
```

Linux (apt):

```bash
sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy
```

Binary Download: See the Trivy Installation Guide.

- Install pre-commit:

```bash
pip install pre-commit
```

- Add this to your .pre-commit-config.yaml:

```yaml
repos:
  - repo: https://github.com/cebidhem/pre-commit-trivy
    rev: v0.1.0  # Use the latest version
    hooks:
      - id: trivy-scan
        # Optional: customize arguments
        args: ['--severity', 'HIGH,CRITICAL', '--skip-db-update']
```

- Install the hook:

```bash
pre-commit install
```

To install the package directly with pip:

```bash
pip install pre-commit-trivy
```

Once installed as a pre-commit hook, it will automatically run on every commit:

```bash
git commit -m "Your commit message"
```

You can also run the scanner directly:

```bash
trivy-scan
```

The hook supports extensive configuration through command-line arguments:
| Argument | Default | Description |
|---|---|---|
| --severity | HIGH,CRITICAL | Comma-separated list of severities to check (UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL) |
| --format | table | Output format (table, json, sarif, template, cyclonedx, spdx, github) |
| --exit-code | 1 | Exit code when vulnerabilities are found |
| --scanners | vuln | Comma-separated list of scanners (vuln, misconfig, secret, license) |
| --config | - | Path to custom trivy.yaml configuration file |
| --skip-db-update | false | Skip Trivy database update (faster for repeated scans) |
| --timeout | - | Timeout for the scan (e.g., 5m0s) |
| --ignore-unfixed | false | Ignore unfixed vulnerabilities |
| --trivyignore | - | Path to .trivyignore file |
| --dependency-tree | false | Show dependency tree with vulnerabilities |
Check only CRITICAL vulnerabilities:

```yaml
- id: trivy-scan
  args: ['--severity', 'CRITICAL']
```

Output as JSON:

```yaml
- id: trivy-scan
  args: ['--format', 'json']
```

Use multiple scanners:

```yaml
- id: trivy-scan
  args: ['--scanners', 'vuln,secret,misconfig']
```

Skip database update for faster scans:

```yaml
- id: trivy-scan
  args: ['--skip-db-update']
```

Use custom Trivy configuration:

```yaml
- id: trivy-scan
  args: ['--config', 'trivy.yaml']
```

Ignore specific vulnerabilities:

```yaml
- id: trivy-scan
  args: ['--trivyignore', '.trivyignore']
```

Show dependency tree:

```yaml
- id: trivy-scan
  args: ['--dependency-tree']
```

Comprehensive configuration:

```yaml
- id: trivy-scan
  args:
    - '--severity'
    - 'MEDIUM,HIGH,CRITICAL'
    - '--scanners'
    - 'vuln,secret'
    - '--format'
    - 'table'
    - '--ignore-unfixed'
    - '--skip-db-update'
```

For complex configurations, create a trivy.yaml file (see trivy.yaml.example):

```yaml
severity:
  - HIGH
  - CRITICAL
scan:
  scanners:
    - vuln
    - secret
timeout: 5m0s
ignore-unfixed: false
```

Then use it:

```yaml
- id: trivy-scan
  args: ['--config', 'trivy.yaml']
```

Create a .trivyignore file (see .trivyignore.example):

```
# Ignore this CVE because we use this library in a sandboxed environment
CVE-2023-12345
# False positive - this vulnerability doesn't affect our usage
CVE-2023-67890
```
- Clone the repository:

```bash
git clone https://github.com/cebidhem/pre-commit-trivy.git
cd pre-commit-trivy
```

- Install dependencies using uv:

```bash
pip install uv
uv venv
source .venv/bin/activate  # On Windows: .venv\Scripts\activate
uv pip install -e ".[dev]"
```

Run tests with coverage:

```bash
pytest tests/ --cov=pre_commit_hooks --cov-report=term-missing -v
```

Format code with black:

```bash
black pre_commit_hooks tests
```

Check code quality with pylint:

```bash
pylint pre_commit_hooks
```

Run the full set of checks together:

```bash
# Format check
black --check pre_commit_hooks tests
# Linting
pylint pre_commit_hooks
# Tests with coverage
pytest tests/ --cov=pre_commit_hooks --cov-report=term-missing -v
```

- Installation Check: Verifies that Trivy is installed on your system
- Configuration: Parses command-line arguments and configuration files
- Scanning: Runs a trivy fs scan on your project directory
- Reporting: Displays vulnerabilities in the specified format
- Exit Code: Returns the appropriate exit code (0 = success, 1 = vulnerabilities found, 2 = error)

If vulnerabilities are found matching your severity criteria, the commit will be blocked, allowing you to review and address the issues before committing.

- 0: No vulnerabilities found (or below severity threshold)
- 1: Vulnerabilities found matching severity criteria
- 2: Execution error (e.g., Trivy not installed, configuration error)
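To make the filtering and exit-code behaviour concrete, here is an added example (not the hook's own source) that applies the --severity, --ignore-unfixed and --trivyignore semantics from the argument table to a Trivy JSON report and derives the 0/1 exit code. The report, package names and CVE-2024-00001 are constructed; the Results[].Vulnerabilities[] field names follow the shape of trivy fs --format json output.

```python
import json

# Constructed sample shaped like `trivy fs --format json` output (not a real scan result).
# CVE-2023-12345 and CVE-2023-67890 are the IDs from the .trivyignore example above;
# CVE-2024-00001 and the package names are constructed placeholders.
SAMPLE_REPORT = json.dumps({"Results": [{"Target": "requirements.txt", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-2023-12345", "PkgName": "liba", "InstalledVersion": "1.0",
     "FixedVersion": "1.1", "Severity": "CRITICAL"},
    {"VulnerabilityID": "CVE-2023-67890", "PkgName": "libb", "InstalledVersion": "2.0",
     "FixedVersion": "", "Severity": "HIGH"},  # no fix available yet
    {"VulnerabilityID": "CVE-2024-00001", "PkgName": "libc", "InstalledVersion": "3.0",
     "FixedVersion": "3.1", "Severity": "MEDIUM"},
]}]})

# Constructed .trivyignore body: one ID per line, '#' comments and blank lines ignored.
SAMPLE_TRIVYIGNORE = "# sandboxed usage, not reachable\nCVE-2023-12345\n\n"


def load_trivyignore(text: str) -> set:
    """Return the set of vulnerability IDs listed in a .trivyignore body."""
    return {line.strip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}


def select_findings(report_json: str, severities: str = "HIGH,CRITICAL",
                    ignore_unfixed: bool = False, ignored: set = frozenset()) -> list:
    """Apply the --severity, --ignore-unfixed and --trivyignore semantics to a report."""
    wanted = {s.strip().upper() for s in severities.split(",")}
    findings = []
    for result in json.loads(report_json).get("Results", []):
        # Trivy omits the key (or sets null) for clean targets, hence the `or []`.
        for vuln in result.get("Vulnerabilities") or []:
            if vuln["Severity"] not in wanted:
                continue  # below the configured threshold
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue  # --ignore-unfixed: nothing actionable yet
            if vuln["VulnerabilityID"] in ignored:
                continue  # explicitly accepted in .trivyignore
            findings.append({"target": result["Target"], **vuln})
    return findings


def exit_code_for(findings: list) -> int:
    """Hook exit code: 0 = clean or below threshold, 1 = blocking findings.
    Exit code 2 (Trivy missing, bad config) is raised before scanning, not computed here."""
    return 1 if findings else 0


if __name__ == "__main__":
    hits = select_findings(SAMPLE_REPORT, ignored=load_trivyignore(SAMPLE_TRIVYIGNORE))
    for hit in hits:
        print(f"{hit['Severity']:8} {hit['VulnerabilityID']} {hit['PkgName']} ({hit['target']})")
    raise SystemExit(exit_code_for(hits))
```

Run against a real report by replacing SAMPLE_REPORT with the contents of a file produced by trivy fs --format json; an accepted CVE only drops out of the result when it is listed in the ignore set, so the ignore file is the single place to audit for risk acceptances.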
Contributions are welcome! Please feel free to submit a Pull Request. For major changes, please open an issue first to discuss what you would like to change.
- Follow PEP 8 style guidelines
- Add tests for new features
- Maintain test coverage above 90%
- Update documentation as needed
- Use conventional commits for commit messages
This project is licensed under the MIT License - see the LICENSE file for details.
- Trivy - The comprehensive security scanner
- pre-commit - A framework for managing git hooks
If you encounter any issues or have questions:
- Check the Trivy documentation
- Review existing GitHub issues
- Open a new issue with details about your problem
- Add support for container image scanning
- Implement caching for faster repeated scans
- Add configuration templates for common use cases
- Integration with CI/CD platforms
- Enhanced reporting with HTML output