Scanner Registry Modules


BoostSecurity supports several scanner modules that are available through the BoostSecurity module registry. Any scanner module can be easily configured as part of your Continuous Integration (CI) pipeline to scan your code or artifact resources for vulnerabilities. The scanners cover different security categories, such as:

The list of supported scanners is growing continuously, so check the What's New page for regular updates.

In the tables below, the column Pull Request Flow indicates whether the scanner module can be configured to scan in a pull request flow. Scanner modules that don't support the pull request flow should be configured to scan in the main branch flow instead.

  • Some scanners require environment variables to be configured, for example in order to scan generated artifacts such as container images.
  • Such a scanner requires the name of the image to scan to be set in an environment variable.
  • The tables below include a Configuration column indicating whether environment variables must be set.

Container Image Scanning


| Scanner | registry_module name | Pull Request Flow | Configuration | Description |
|---|---|---|---|---|
| Trivy Image | boostsecurityio/trivy-image | no | BOOST_IMAGE_NAME | The Trivy module scans container images for vulnerabilities using the Trivy tool's image command. The module reads the environment variable BOOST_IMAGE_NAME to know which image to scan, so the continuous integration (CI) workflow calling it must run after the container image is built and must set that variable to the name of the image to scan. |

Example

GitHub Actions Example

- name: scan-image
  uses: boostsecurityio/boostsec-scanner-github@v4
  with:
      registry_module: boostsecurityio/trivy-image
      api_token: ${{ secrets.BOOST_API_TOKEN }}
  env:
      BOOST_IMAGE_NAME: node:20.17.0-alpine
      BOOST_SCAN_LABEL: node_20_17_0_alpine

GitLab Pipelines Example

include:
  - remote: "https://raw.githubusercontent.com/boostsecurityio/boostsec-scanner-gitlab/main/scanner.yml"

scan-image:
  stage: build
  extends:
    - .boost_scan
  variables:
    BOOST_SCANNER_REGISTRY_MODULE: boostsecurityio/trivy-image
    BOOST_IMAGE_NAME: node:20.17.0-alpine
    BOOST_SCAN_LABEL: node_20_17_0_alpine

Software Bill of Materials


| Scanner | registry_module name | Pull Request Flow | Configuration | Description |
|---|---|---|---|---|
| Trivy SBOM | boostsecurityio/trivy-sbom | no | - | The Trivy module for SBOM collects the component inventory from source code using the trivy CLI tool. |
| Trivy SBOM for container images | boostsecurityio/trivy-sbom-image | no | BOOST_IMAGE_NAME | The Trivy module for SBOM collects the component inventory from container images using the Trivy tool. The environment variable BOOST_IMAGE_NAME must be set to the name of the container image to scan, so the continuous integration (CI) workflow calling the module must run after the container image is built and must set that variable accordingly. |
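The ordering requirement above (build first, then scan the exact image that was built) is easy to get wrong when the build and scan steps use different tags. The following GitHub Actions workflow is an added example, not from the BoostSecurity documentation: it shares one immutable tag between the build step and the trivy-sbom-image module. The image name myapp, the Dockerfile location and the docker build command are assumptions about the repository, not part of the scanner module.

```yaml
# Added example (not BoostSecurity's own code): build an image, then run the
# SBOM-for-images module against exactly that image. The tag, app name and
# build command are assumptions; only the scanner inputs come from the docs.
name: sbom-image
on: [push]

jobs:
  build-and-scan:
    runs-on: ubuntu-latest
    env:
      # One commit-pinned tag shared by the build and scan steps, so the
      # scanner inventories the artifact actually produced rather than a
      # floating tag such as "latest" that may resolve to a different image.
      IMAGE_TAG: myapp:${{ github.sha }}
    steps:
      - uses: actions/checkout@v4

      - name: build-image
        run: docker build -t "$IMAGE_TAG" .

      - name: scan-image-sbom
        # Must come after build-image: the module reads BOOST_IMAGE_NAME from
        # the environment and expects that image to exist when it runs.
        uses: boostsecurityio/boostsec-scanner-github@v4
        with:
          registry_module: boostsecurityio/trivy-sbom-image
          api_token: ${{ secrets.BOOST_API_TOKEN }}
        env:
          BOOST_IMAGE_NAME: ${{ env.IMAGE_TAG }}
          BOOST_SCAN_LABEL: myapp_image
```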