Kreate v1.2.3 Help

Vulnerability Scanning (CVEs)

Vulnerability scanning helps you identify known security flaws (Common Vulnerabilities and Exposures - CVEs) in your project's third-party dependencies. Kreate leverages Trivy to cross-reference your dependencies against a continuously updated vulnerability database.

Overview

The primary focus of vulnerability scanning in Kreate is the analysis of Gradle lockfiles. Lockfiles provide a precise snapshot of all transitive dependencies. This ensures that Trivy scans the exact versions that will be used in your application, rather than just the direct dependencies declared in your build scripts.

Configuration Example

kreate {
    project {
        trivy {
            enabled.set(true)
            vulnerability {
                // Fail the build if vulnerabilities are found
                failOnFindings.set(true)
                // Filter by severity score
                score.set(listOf(Score.CRITICAL, Score.HIGH))
                // Optionally customize which lockfiles are scanned
                lockFiles.from(fileTree(projectDir) { include("*.lockfile") })
            }
        }
    }
}

How it Works

The trivyVulnerabilityScan task follows these steps:

  1. File Discovery: It collects all files configured in the lockFiles collection (defaulting to all .lockfile files in the project directory).

  2. Trivy Analysis: Trivy reads each lockfile and compares the identified libraries and versions against its local vulnerability database.

  3. Evaluation: Findings are evaluated based on their CVSS (Common Vulnerability Scoring System) score.

  4. Reporting: If findings reach the configured score thresholds, they are output to the terminal.

Severity Levels (Scores)

You can control which vulnerabilities trigger a report or build failure using the score property:

  Score     Description                                         Example Risk
  CRITICAL  Highest priority. Immediate action required.        Remote Code Execution (RCE) without authentication.
  HIGH      Significant security risks.                         Data leakage of sensitive information.
  MEDIUM    Moderate risks, often under specific conditions.    Denial of Service (DoS) attacks.
  LOW       Minor issues with minimal impact.                   Information disclosure of non-critical data.
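The following is an added example, not Kreate's or Trivy's own code, that walks through steps 1 to 3 of the task on a constructed Gradle lockfile and applies a severity filter the way the score property does. The lockfile line format (group:artifact:version=configuration,...) is the real Gradle format; the artifact names, CVE identifiers and CVSS values are constructed placeholders, and the CVSS-to-level mapping is the CVSS v3.x qualitative rating scale.

```python
"""Added example: parse a Gradle lockfile and evaluate constructed findings
against a severity threshold, mirroring the score/failOnFindings settings."""

# Constructed Gradle lockfile content (real format, placeholder artifacts).
SAMPLE_LOCKFILE = """\
# This is a Gradle generated file for dependency locking.
# Manual edits can break the build and are not advised.
com.example:widget-core:1.4.2=compileClasspath,runtimeClasspath
com.example:widget-logging:0.9.1=runtimeClasspath
org.example:util-strings:3.0.0=compileClasspath,runtimeClasspath
empty=annotationProcessor
"""

# Constructed findings keyed by coordinate; NOT real CVE data. In a real scan
# these come from Trivy's vulnerability database.
SAMPLE_DB = {
    "com.example:widget-core:1.4.2": [("CVE-EXAMPLE-0001", 9.8)],
    "com.example:widget-logging:0.9.1": [("CVE-EXAMPLE-0002", 5.3)],
}


def cvss_to_score(base: float) -> str:
    """CVSS v3.x qualitative scale: 9.0+ CRITICAL, 7.0-8.9 HIGH, 4.0-6.9 MEDIUM,
    0.1-3.9 LOW, 0.0 NONE."""
    if base >= 9.0:
        return "CRITICAL"
    if base >= 7.0:
        return "HIGH"
    if base >= 4.0:
        return "MEDIUM"
    return "LOW" if base > 0.0 else "NONE"


def parse_lockfile(text: str) -> dict[str, list[str]]:
    """Map each locked coordinate to the configurations that resolve it.
    Comment lines and the 'empty=' marker (configurations with no deps) are skipped."""
    deps: dict[str, list[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        coord, _, confs = line.partition("=")
        if coord == "empty":
            continue
        deps[coord] = confs.split(",") if confs else []
    return deps


def scan(lockfile_text: str, db: dict, scores: set[str]) -> list[tuple[str, str, str]]:
    """Return (coordinate, cve_id, level) for findings whose level is in `scores`."""
    return [(coord, cve_id, lvl) for coord in parse_lockfile(lockfile_text)
            for cve_id, base in db.get(coord, [])
            if (lvl := cvss_to_score(base)) in scores]


def should_fail_build(findings: list, fail_on_findings: bool) -> bool:
    """Equivalent of failOnFindings: fail only when enabled and something matched."""
    return fail_on_findings and bool(findings)
```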

Tips & Best Practices

  • Consistent Lockfiles: Kreate requires Gradle lockfiles for vulnerability scanning. Ensure that dependency locking is enabled and you run ./gradlew dependencies --write-locks regularly to reflect the actual state of your project.

  • CI Integration: Enable failOnFindings.set(true) in your CI/CD pipeline to prevent code with known critical vulnerabilities from reaching production.

  • Remediation: If a vulnerability is found, Trivy usually suggests a version that includes a fix. Update your build.gradle.kts or libs.versions.toml accordingly.

  • Database Updates: Trivy automatically updates its database before each scan (provided an internet connection is available), ensuring that even brand-new CVEs are detected.

How to Run

To execute the vulnerability scan individually, use the following Gradle command:

./gradlew trivyVulnerabilityScan
06 May 2026