When developing new software, a key element of improving security is providing security feedback as early and as seamlessly as possible. One way to do this is to embed security tools directly into the development environment. Recently, Aqua’s open source scanner Trivy has added this functionality, integrating with the popular developer tools Visual Studio Code and JetBrains to provide infrastructure-as-code (IaC) scanning as you write your software.
Getting started with Trivy in your development environment is relatively straightforward. The extension has only one prerequisite: Trivy itself must be installed. Everything you need to know for this step is on the Trivy documentation site.
Once you’ve got it installed and working, the next step is to install the Trivy extension. It’s available in the VS Code Marketplace and can be installed from there.
Once installation is complete, a new icon will appear in the left-hand bar in VS Code:
With the extension installed, the next step is to run a scan on the current workspace. Once the scan has completed, results are displayed. In the sample repository, we can see that there are findings related to a Dockerfile and a Kubernetes manifest:
Clicking each of the results shows details about the issue that has been identified, recommendations for remediation, and links to additional information.
As you fix the identified issues, periodically rerunning Trivy will help to show a current list. There’s a handy rescan button in the Trivy pane on the top right:
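The sample repository above is only shown in screenshots, so here is a constructed stand-in: a small workspace containing an insecure and a hardened Dockerfile and Kubernetes manifest, plus the same misconfiguration scan the extension runs, invoked from the Trivy CLI. This is an added example, not code from the original post or from the Trivy project; it assumes the `trivy` binary is on PATH for `scan_workspace`, and the directory layout, image names and resource values are made up for illustration.

```shell
# Builds a constructed workspace (not the post's sample repository).
make_workspace() {
  dir="$1"
  mkdir -p "$dir/insecure" "$dir/hardened"
  # Insecure Dockerfile: floating base tag, image runs as root (no USER).
  printf 'FROM python:latest\nCOPY app.py /app/\nCMD ["python","/app/app.py"]\n' \
    > "$dir/insecure/Dockerfile"
  # Insecure pod: privileged container, floating image tag, no resource limits.
  cat > "$dir/insecure/pod.yaml" <<'EOF'
apiVersion: v1
kind: Pod
metadata: {name: demo}
spec:
  containers:
  - name: app
    image: demo/app:latest
    securityContext: {privileged: true}
EOF
  # Hardened Dockerfile: pinned tag, dedicated non-root user.
  printf 'FROM python:3.12-slim\nRUN useradd -m app\nCOPY app.py /app/\nUSER app\nCMD ["python","/app/app.py"]\n' \
    > "$dir/hardened/Dockerfile"
  # Hardened pod: non-root, no privilege escalation, read-only root fs,
  # all capabilities dropped, pinned image tag, CPU/memory limits.
  cat > "$dir/hardened/pod.yaml" <<'EOF'
apiVersion: v1
kind: Pod
metadata: {name: demo}
spec:
  securityContext: {runAsNonRoot: true, runAsUser: 10001}
  containers:
  - name: app
    image: demo/app:1.4.2
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities: {drop: [ALL]}
    resources:
      limits: {cpu: 500m, memory: 256Mi}
EOF
}

# Runs Trivy's IaC misconfiguration scan on a directory, as the IDE extension
# does for the workspace. Returns 0 when nothing is found, 1 when Trivy
# reports misconfigurations (or fails), and 2 when trivy is not installed.
scan_workspace() {
  command -v trivy >/dev/null 2>&1 || return 2
  trivy config --quiet --exit-code 1 "$1"
}
```

Scanning `insecure/` should list findings such as the privileged container and the missing `USER` instruction, while `hardened/` should come back clean or with far fewer results.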
The Trivy extension is also available in the JetBrains plugin store and will work with all IntelliJ-based IDEs. As you can see from the screenshot below, Trivy integrates nicely into the IDE in a similar way to how it works with VS Code.
Making Trivy accessible in as many places as possible will help developers embed security good practices early in the development lifecycle, improving the quality of the applications that an organization deploys. Throughout this year, we’ll be adding new integrations and features to ensure that Trivy can be used effectively in a wide variety of scenarios. If there’s an integration you’d like to see for Trivy, add an issue to our GitHub page to let us know.
Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and accelerate their digital transformations. The Aqua Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads, wherever they are deployed.
Aqua customers are among the world’s largest enterprises in financial services, software, media, manufacturing and retail, with implementations across a broad range of cloud providers and modern technology stacks spanning containers, serverless functions and cloud VMs.