Trivy supports the scanners listed in the table below.
It supports the following formats:
Trivy can scan the results of
You can scan by passing the file generated as shown below to Trivy:
$ terraform plan --out tfplan.binary
$ terraform show -json tfplan.binary > tfplan.json
Trivy recursively searches directories and scans all found Terraform files. It also evaluates variables, imports, and other elements within Terraform files to detect misconfigurations.
You can provide
tf-vars files to Trivy to override default values specified in the Terraform HCL code.
trivy conf --tf-vars dev.terraform.tfvars ./infrastructure/tf
Exclude Downloaded Terraform Modules
By default, downloaded modules are also scanned.
If you don't want to scan modules downloaded into the
.terraform directory, you can use the
trivy conf --tf-exclude-downloaded-modules ./configs
The secret scan is performed on plain text files, with no special treatment for Terraform.