feat(linters): add trivy_secret
nvim-lint already has a trivy linter, but it only scans for misconfig. This PR adds secret scanner functionality to make the development process safer.
POC:
Would it be possible and make sense to extend the existing trivy linter to check both?
cc @pbnj @bobsrac
> Would it be possible and make sense to extend the existing trivy linter to check both?
It is possible to run multiple scanners in one go, like trivy --scanners vuln,secret,misconfig,license.
The question becomes what if a user only wants to run one or the other scanner?
Update:
According to the trivy config file reference, it is possible to configure --scanners via the trivy.yaml config file, like:
scan:
  scanners:
    - vuln
    - secret
    - misconfig
    - license
I tested this locally and it seems to work as expected:
- Without trivy.yaml; note the Vulnerabilities and Secrets (default scanners) table headings in the Report Summary output:
% trivy fs .
2025-05-21T08:39:35-07:00 INFO [vuln] Vulnerability scanning is enabled
2025-05-21T08:39:35-07:00 INFO [secret] Secret scanning is enabled
2025-05-21T08:39:35-07:00 INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-05-21T08:39:35-07:00 INFO [secret] Please see also https://trivy.dev/v0.62/docs/scanner/secret#recommendation for faster secret detection
2025-05-21T08:39:35-07:00 INFO Number of language-specific files num=0
2025-05-21T08:39:35-07:00 WARN [report] Supported files for scanner(s) not found. scanners=[vuln]
2025-05-21T08:39:35-07:00 INFO [report] No issues detected with scanner(s). scanners=[secret]
Report Summary
┌────────┬──────┬─────────────────┬─────────┐
│ Target │ Type │ Vulnerabilities │ Secrets │
├────────┼──────┼─────────────────┼─────────┤
│   -    │  -   │        -        │    -    │
└────────┴──────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)
- With the above trivy.yaml; note the Licenses, Secrets, Misconfigurations, and Vulnerabilities table headings in the Report Summary output:
% trivy fs .
2025-05-21T08:39:49-07:00 INFO Loaded file_path="trivy.yaml"
2025-05-21T08:39:49-07:00 INFO [vuln] Vulnerability scanning is enabled
2025-05-21T08:39:49-07:00 INFO [misconfig] Misconfiguration scanning is enabled
2025-05-21T08:39:49-07:00 INFO [secret] Secret scanning is enabled
2025-05-21T08:39:49-07:00 INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-05-21T08:39:49-07:00 INFO [secret] Please see also https://trivy.dev/v0.62/docs/scanner/secret#recommendation for faster secret detection
2025-05-21T08:39:49-07:00 INFO [license] License scanning is enabled
2025-05-21T08:39:49-07:00 INFO Number of language-specific files num=0
2025-05-21T08:39:49-07:00 INFO Detected config files num=0
2025-05-21T08:39:49-07:00 WARN [report] Supported files for scanner(s) not found. scanners=[misconfig vuln]
2025-05-21T08:39:49-07:00 INFO [report] No issues detected with scanner(s). scanners=[license secret]
Report Summary
┌────────┬──────┬──────────┬─────────┬───────────────────┬─────────────────┐
│ Target │ Type │ Licenses │ Secrets │ Misconfigurations │ Vulnerabilities │
├────────┼──────┼──────────┼─────────┼───────────────────┼─────────────────┤
│   -    │  -   │    -     │    -    │         -         │        -        │
└────────┴──────┴──────────┴─────────┴───────────────────┴─────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)
This approach gives users the flexibility to configure trivy uniquely for each project.
I can try adding more if conditions for each of the scanners, but I don't write in Lua, so it might not be exactly best practice code :D
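For the "check both" option discussed in this thread, here is an added example (not nvim-lint's existing trivy linter and not code from this PR) of one nvim-lint linter definition that runs trivy with the misconfig and secret scanners together and maps both the Misconfigurations and the Secrets entries of trivy's JSON report to diagnostics. It assumes trivy accepts the buffer's file path as the `fs` target and that nvim-lint appends that path to `args` when `stdin` is false.

```lua
-- Added example: a combined misconfig + secret trivy linter for nvim-lint.
-- Assumes: nvim-lint appends the buffer file name to args (stdin = false).
local severities = {
  CRITICAL = vim.diagnostic.severity.ERROR,
  HIGH = vim.diagnostic.severity.ERROR,
  MEDIUM = vim.diagnostic.severity.WARN,
  LOW = vim.diagnostic.severity.INFO,
  UNKNOWN = vim.diagnostic.severity.INFO,
}

-- JSON null decodes to vim.NIL (userdata), so guard every list access.
local function list(t)
  return type(t) == "table" and t or {}
end

-- Build a diagnostic from trivy's 1-based StartLine/EndLine.
local function diag(start_line, end_line, severity, message)
  local first = tonumber(start_line) or 1
  local last = tonumber(end_line) or first
  return {
    lnum = math.max(first - 1, 0),
    end_lnum = math.max(last - 1, 0),
    col = 0,
    severity = severities[severity] or vim.diagnostic.severity.INFO,
    source = "trivy",
    message = message,
  }
end

return {
  cmd = "trivy",
  stdin = false,
  ignore_exitcode = true, -- a non-zero exit only means findings were reported
  args = { "fs", "--scanners", "misconfig,secret", "--format", "json", "--quiet" },
  parser = function(output, _bufnr)
    if output == nil or output == "" then return {} end
    local ok, report = pcall(vim.json.decode, output)
    if not ok or type(report) ~= "table" then return {} end
    local diagnostics = {}
    for _, result in ipairs(list(report.Results)) do
      for _, m in ipairs(list(result.Misconfigurations)) do
        local cause = list(m.CauseMetadata)
        table.insert(diagnostics, diag(cause.StartLine, cause.EndLine, m.Severity,
          string.format("%s: %s", tostring(m.ID), tostring(m.Title))))
      end
      for _, s in ipairs(list(result.Secrets)) do
        -- Report rule and title only; never copy s.Match into the message,
        -- so the matched value does not end up in diagnostics or quickfix.
        table.insert(diagnostics, diag(s.StartLine, s.EndLine, s.Severity,
          string.format("possible secret: %s (%s)", tostring(s.Title), tostring(s.RuleID))))
      end
    end
    return diagnostics
  end,
}
```

Register it with `require("lint").linters.trivy_all = dofile(path_to_this_file)` (or drop it into `lua/lint/linters/`) and add it to `linters_by_ft` for the file types you want scanned; a per-project trivy.yaml `scan.scanners` list overrides the `--scanners` choice here if you prefer the config-file approach described above.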