Scan IaC Code in Dev with Trivy’s Extensions for VS Code and JetBrains
When developing new software, a key element of improving security is providing security feedback as early and seamlessly as possible. One way to do this is embed security tools directly into the development environment. Recently, Aqua’s open source scanner Trivy has added this functionality, integrating with popular developer tools Visual Studio Code and JetBrains to provide infrastructure-as-code (IaC) scanning as you write your software.
Setting up Trivy with VS Code
Getting started with Trivy in your development environment is relatively straightforward. To install the extension, only one prerequisite is needed, which is having Trivy installed. For this step, everything you need to know is on the Trivy documentation site.
Once you’ve got it installed and working, the next step is to install the Trivy extension. It’s available in the VS Code Marketplace and can be installed from there.
Once installation is complete, a new icon will appear in the left-hand bar in VS Code:
With the extension installed, the next step is to run a scan on the current workspace. Once the scan has completed, results are displayed. In the sample repository, we can see that there are findings related to a Dockerfile and a Kubernetes manifest:
Clicking each of the results will show details about the issue that’s been identified, recommendations for remediation, and links to where to provide additional information.
As you fix the identified issues, periodically rerunning Trivy will help to show a current list. There’s a handy rescan button in the Trivy pane on the top right:
The Trivy extension is also available in the JetBrains plugin store and will work with all IntelliJ-based IDEs. As you can see from the screenshot below, Trivy integrates nicely into the IDE in a similar way to how it works with VS Code.
Making Trivy accessible in as many places as possible will help developers embed security good practices early in the development lifecycle, improving the quality of the applications that an organization deploys. Throughout this year, we’ll be adding new integrations and features to ensure that Trivy can be used effectively in a wide variety of scenarios. If there’s an integration you’d like to see for Trivy, add an issue to our GitHub page to let us know.