Kreate v1.2.3 Help

Trivy Security & Compliance

Trivy is a comprehensive and versatile security scanner deeply integrated into the Kreate ecosystem. This integration enables developers to embed security checks directly into the build process, facilitating a "Shift Left" approach to identify vulnerabilities and compliance issues as early as possible.

In Kreate, the Trivy integration focuses on three core areas:

  • License Compliance: Automatically verify that dependencies comply with your legal requirements and organizational policies.

  • Vulnerability Scanning (CVEs): Identify known security flaws in your third-party libraries.

  • Secret Scanning: Detect hardcoded secrets such as API keys, passwords, and tokens within your source code and configuration files.

Configuration is centralized within the trivy { } block inside kreate { project { } }.

Why Use Trivy in Kreate?

Manual verification of licenses and vulnerabilities is time-consuming and prone to human error. By automating these checks with Trivy, you benefit from:

  • Early Detection: Catch issues on the developer's machine before code is even committed to the repository.

  • Automated Compliance: Ensure that no software with incompatible licenses (e.g., AGPL in proprietary projects) is shipped.

  • Infrastructure Protection: Prevent credential theft by scanning for secrets in configuration files and source code.

Prerequisites

To use the Trivy integration, the Trivy CLI must be installed on the executing system (developer machine or CI runner).

Install via Homebrew:

brew install trivy

Add the repository and install (apt-based distributions):

sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy

Add the repository and install (yum-based distributions):

cat << 'EOF' | sudo tee /etc/yum.repos.d/trivy.repo
[trivy]
name=Trivy repository
baseurl=https://aquasecurity.github.io/trivy-repo/rpm/releases/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://aquasecurity.github.io/trivy-repo/rpm/public.key
EOF
sudo yum -y update
sudo yum -y install trivy

Manual Installation (Official):

  • Download the trivy_x.xx.x_windows-64bit.zip file from the GitHub Releases page.

  • Unzip the file and copy to any folder.

Generic installation script (ideal for CI):

curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin

Dependency Locking

For License Compliance and Vulnerability Scanning (CVEs), Kreate relies on Gradle lockfiles. These files provide a precise snapshot of all transitive dependencies, which is required for Trivy to perform an accurate analysis.

1. Enable Dependency Locking

You must manually enable dependency locking in your project. This is typically done in your build.gradle.kts:

dependencyLocking {
    lockAllConfigurations()
}

2. Generate Lockfiles

After enabling locking or when changing dependencies, you must generate or update the lockfiles using the following command:

./gradlew dependencies --write-locks
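As an added example (not part of Kreate or of the original page), a small Python parser for the gradle.lockfile format that the scans above depend on, with a check that the configurations you care about were actually locked; the lockfile content is constructed for the example and the configuration names checked are an assumption.

```python
"""Parse a Gradle lockfile and check it is usable as a dependency snapshot for scanning."""

# Constructed sample gradle.lockfile content (not from any real project).
SAMPLE_LOCKFILE = """\
# This is a Gradle generated file for dependency locking.
# Manual edits can break the build and are not advised.
# This file is expected to be part of source control.
com.fasterxml.jackson.core:jackson-databind:2.13.2=compileClasspath,runtimeClasspath
org.slf4j:slf4j-api:1.7.36=compileClasspath,runtimeClasspath
ch.qos.logback:logback-classic:1.2.11=runtimeClasspath
empty=annotationProcessor,testRuntimeClasspath
"""


def parse_lockfile(text):
    """Return {configuration: {"group:artifact:version", ...}} for every configuration listed.

    Each non-comment line is "<coordinate>=<config>,<config>,...". The special
    coordinate "empty" marks configurations that were locked with no dependencies.
    """
    locked = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        coordinate, _, configs = line.partition("=")
        for config in configs.split(","):
            locked.setdefault(config, set())
            if coordinate != "empty":
                locked[config].add(coordinate)
    return locked


def lockfile_issues(locked, required=("compileClasspath", "runtimeClasspath")):
    """List problems a scan would hit: required configurations missing entirely, or locked empty."""
    issues = []
    for config in required:
        if config not in locked:
            issues.append(f"{config}: not present in lockfile (run ./gradlew dependencies --write-locks)")
        elif not locked[config]:
            issues.append(f"{config}: locked but empty; nothing for Trivy to scan")
    return issues


def runtime_coordinates(locked):
    """Sorted list of what actually ships: the runtimeClasspath snapshot the scanner analyses."""
    return sorted(locked.get("runtimeClasspath", set()))


if __name__ == "__main__":
    parsed = parse_lockfile(SAMPLE_LOCKFILE)
    for coord in runtime_coordinates(parsed):
        print(coord)
    for issue in lockfile_issues(parsed):
        print("WARNING:", issue)
```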

Quick Start

All Trivy scans are disabled by default. To use the module, it must be globally enabled in the trivy block:

kreate {
    project {
        trivy {
            // Globally enable the Trivy module
            enabled.set(true)
        }
    }
}

Once enabled, Kreate automatically registers the following Gradle tasks for your project:

Task Name               Description
trivyScan               Lifecycle aggregator that runs all enabled Trivy scans.
trivyVulnerabilityScan  Scans lockfiles for known security vulnerabilities (CVEs).
trivyLicenseScan        Verifies dependencies for license compliance.
trivySecretScan         Searches source code for hardcoded secrets.

Running Scans

Kreate provides multiple ways to run Trivy scans, ranging from running all checks at once to executing specific, targeted scans.

Run All Enabled Scans

The most common way to run scans is through the standard Gradle check lifecycle task. Kreate registers a central trivyScan task that aggregates all individual scanners and attaches it to the check task.

To run all security checks:

./gradlew trivyScan

Run Individual Scans

If you want to perform only a specific type of scan, you can call the corresponding task directly. This is useful for faster feedback loops during development.

License Compliance:

./gradlew trivyLicenseScan

Vulnerability (CVE) Scanning:

./gradlew trivyVulnerabilityScan

Secret Detection:

./gradlew trivySecretScan

Further Reading

06 May 2026