Aqua Blog

Scan IaC Code in Dev with Trivy’s Extensions for VS Code and JetBrains

When developing new software, a key element of improving security is providing security feedback as early and as seamlessly as possible. One way to do this is to embed security tools directly into the development environment. Recently, Aqua’s open source scanner Trivy has added this functionality, integrating with the popular developer tools Visual Studio Code and JetBrains to provide infrastructure-as-code (IaC) scanning as you write your software.

Setting up Trivy with VS Code

Getting started with Trivy in your development environment is relatively straightforward. The extension has only one prerequisite: Trivy itself must be installed. Everything you need for that step is on the Trivy documentation site.

Once you’ve got it installed and working, the next step is to install the Trivy extension. It’s available in the VS Code Marketplace and can be installed from there.

[Screenshot: the Trivy extension in the VS Code Marketplace]

Once installation is complete, a new icon will appear in the left-hand bar in VS Code:

[Screenshot: the Trivy icon in the VS Code activity bar]

With the extension installed, the next step is to run a scan on the current workspace. Once the scan has completed, results are displayed. In the sample repository, we can see that there are findings related to a Dockerfile and a Kubernetes manifest:

[Screenshot: Trivy scan results overview]

Clicking each result shows details about the issue that has been identified, recommendations for remediation, and links to additional information.

[Screenshot: Trivy finding for a Docker image that runs as the root user]

As you fix the identified issues, rerunning Trivy periodically keeps the list of findings current. There’s a handy rescan button at the top right of the Trivy pane:

[Screenshot: the Trivy rescan button]

The Trivy extension is also available in the JetBrains plugin store and will work with all IntelliJ-based IDEs. As you can see from the screenshot below, Trivy integrates nicely into the IDE in a similar way to how it works with VS Code.

[Screenshot: the Trivy extension in a JetBrains IDE]

Conclusion

Making Trivy accessible in as many places as possible will help developers embed security good practices early in the development lifecycle, improving the quality of the applications that an organization deploys. Throughout this year, we’ll be adding new integrations and features to ensure that Trivy can be used effectively in a wide variety of scenarios. If there’s an integration you’d like to see for Trivy, add an issue to our GitHub page to let us know.

Rory McCune
Rory was a Cloud Native Security Advocate at Aqua. He has worked in the Information and IT Security arena for the last 20 years in a variety of roles. He is an active member of the container security community having delivered presentations at a variety of IT and Information security conferences. He has also presented at major containerization conferences and is an author of the CIS Benchmarks for Docker and Kubernetes and main author of the Mastering Container Security training course which has been delivered at numerous industry conferences including Blackhat USA.