feat(trivy): add new trivy feature that also installs plugins

Author: JasonTheDeveloper

.github/workflows/test.yaml

@@ -14,6 +14,7 @@ jobs:
       matrix:
         features:
           - sbom
+          - trivy
         baseImage:
           - debian:latest
           - ubuntu:latest

src/trivy/README.md

@@ -0,0 +1,46 @@
+
+# Trivy (trivy)
+
+A feature to install Trivy to scan for vulnerabilities in container images, file systems, and Git repositories.
+
+## Example Usage
+
+```json
+"features": {
+    "ghcr.io/JasonTheDeveloper/features/trivy:1": {}
+}
+```
+
+## Options
+
+| Options Id | Description | Type | Default Value |
+|-----|-----|-----|-----|
+| version | Select or enter Trivy version | string | latest |
+| plugins | Select or enter additional plugins to install with Trivy (e.g., mcp for Model Context Protocol plugin) | string | - |
+
+### version
+
+The version of Trivy to install. Set to `"latest"` (default) to automatically fetch the most recent release, or specify an exact version such as `"0.69.1"`. The installer will validate that the requested version exists before proceeding.
+
+### plugins
+
+A comma or space separated list of Trivy plugins to install after Trivy itself is set up. For example:
+
+```json
+"features": {
+    "ghcr.io/JasonTheDeveloper/features/trivy:1": {
+        "version": "latest",
+        "plugins": "mcp"
+    }
+}
+```
+
+Multiple plugins can be specified:
+
+```json
+"plugins": "plugin1, plugin2"
+```
+
+---
+
+_Note: This file was auto-generated from the [devcontainer-feature.json](https://github.com/JasonTheDeveloper/features/blob/main/src/trivy/devcontainer-feature.json).  Add additional notes to a `NOTES.md`._

src/trivy/devcontainer-feature.json

@@ -0,0 +1,25 @@
+{
+    "name": "Trivy",
+    "id": "trivy",
+    "version": "1.0.0",
+    "description": "A feature to install Trivy to scan for vulnerabilities in container images, file systems, and Git repositories",
+    "options": {
+        "version": {
+            "type": "string",
+            "proposals": [
+                "latest",
+                "0.69.1"
+            ],
+            "default": "latest",
+            "description": "Select or enter Trivy version"
+        },
+        "plugins": {
+            "type": "string",
+            "proposals": [
+                "mcp"
+            ],
+            "default": "",
+            "description": "Select or enter additional plugins to install with Trivy (e.g., mcp for Model Context Protocol plugin)"
+        }
+    }
+}

src/trivy/install.sh

@@ -0,0 +1,97 @@
+#!/bin/bash
+
+TRIVY_VERSION="${VERSION:-"latest"}"
+TRIVY_PLUGINS="${PLUGINS:-""}"
+
+set -e
+
+# Clean up
+rm -rf /var/lib/apt/lists/*
+
+if [ "$(id -u)" -ne 0 ]; then
+	echo -e 'Script must be run as root. Use sudo, su, or add "USER root" to your Dockerfile before running this script.'
+	exit 1
+fi
+
+# Checks if packages are installed and installs them if not
+check_packages() {
+	if ! dpkg -s "$@" >/dev/null 2>&1; then
+		if [ "$(find /var/lib/apt/lists/* | wc -l)" = "0" ]; then
+			echo "Running apt-get update..."
+			apt-get update -y
+		fi
+		apt-get -y install --no-install-recommends "$@"
+	fi
+}
+
+# Resolve "latest" to the actual latest version tag, and validate that the
+# requested version exists in the GitHub releases.
+resolve_and_validate_version() {
+	local requested_version=$1
+
+	if [ "${requested_version}" = "latest" ]; then
+		requested_version=$(curl -sL https://api.github.com/repos/aquasecurity/trivy/releases/latest | jq -r ".tag_name")
+		if [ -z "${requested_version}" ] || [ "${requested_version}" = "null" ]; then
+			echo "Failed to fetch the latest Trivy version." >&2
+			exit 1
+		fi
+	fi
+
+	# Ensure the version starts with "v"
+	if [[ "${requested_version}" != v* ]]; then
+		requested_version="v${requested_version}"
+	fi
+
+	# Validate the version exists
+	local version_list
+	version_list=$(curl -sL https://api.github.com/repos/aquasecurity/trivy/releases | jq -r ".[].tag_name")
+	if ! echo "${version_list}" | grep -qx "${requested_version}"; then
+		echo -e "Invalid Trivy version: ${requested_version}\nValid recent versions:\n${version_list}" >&2
+		exit 1
+	fi
+
+	echo "${requested_version}"
+}
+
+# Install Trivy plugins. Accepts a comma or space separated list of plugin names.
+install_plugins() {
+	local plugins_input=$1
+
+	# Replace commas with spaces to normalize the separator
+	local plugins
+	plugins=$(echo "${plugins_input}" | tr ',' ' ')
+
+	for plugin in ${plugins}; do
+		# Trim whitespace
+		plugin=$(echo "${plugin}" | xargs)
+		if [ -n "${plugin}" ]; then
+			echo "Installing Trivy plugin: ${plugin}..."
+			trivy plugin install "${plugin}"
+		fi
+	done
+}
+
+# Make sure we have required dependencies
+check_packages curl jq ca-certificates
+
+# Resolve and validate the version
+echo "Resolving Trivy version '${TRIVY_VERSION}'..."
+TRIVY_VERSION=$(resolve_and_validate_version "${TRIVY_VERSION}")
+echo "Installing Trivy ${TRIVY_VERSION}..."
+
+# Install Trivy using the official convenience script
+curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin "${TRIVY_VERSION}"
+
+# Verify installation
+trivy --version
+
+# Install plugins if specified
+if [ -n "${TRIVY_PLUGINS}" ]; then
+	echo "Installing Trivy plugins..."
+	install_plugins "${TRIVY_PLUGINS}"
+fi
+
+# Clean up
+rm -rf /var/lib/apt/lists/*
+
+echo "Done!"

test/trivy/install_trivy_latest.sh

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+# Scenario: install_trivy_latest
+# Verifies that trivy installs successfully when version is set to "latest"
+
+set -e
+
+source dev-container-features-test-lib
+
+# Verify trivy is installed
+check "trivy is installed" bash -c "which trivy"
+
+# Verify trivy version output is not empty
+check "trivy version reports output" bash -c "trivy --version | grep -i 'version'"
+
+# Verify trivy binary is in the expected location
+check "trivy in /usr/local/bin" bash -c "ls /usr/local/bin/trivy"
+
+reportResults

test/trivy/install_trivy_specific_version.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+# Scenario: install_trivy_specific_version
+# Verifies that a specific version of trivy (without "v" prefix) installs correctly
+
+set -e
+
+source dev-container-features-test-lib
+
+# Verify trivy is installed
+check "trivy is installed" bash -c "which trivy"
+
+# Verify the exact version is installed (0.69.1)
+check "trivy version is 0.69.1" bash -c "trivy --version | grep '0.69.1'"
+
+reportResults

test/trivy/install_trivy_with_plugin.sh

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+# Scenario: install_trivy_with_plugin
+# Verifies that trivy installs with the mcp plugin
+
+set -e
+
+source dev-container-features-test-lib
+
+# Verify trivy is installed
+check "trivy is installed" bash -c "which trivy"
+
+# Verify trivy version runs
+check "trivy version runs" bash -c "trivy --version"
+
+# Verify the mcp plugin is installed
+check "mcp plugin is installed" bash -c "trivy plugin list | grep -i 'mcp'"
+
+reportResults

test/trivy/install_trivy_with_v_prefix.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+# Scenario: install_trivy_with_v_prefix
+# Verifies that specifying a version with the "v" prefix works correctly
+
+set -e
+
+source dev-container-features-test-lib
+
+# Verify trivy is installed
+check "trivy is installed" bash -c "which trivy"
+
+# Verify the exact version is installed (0.69.1)
+check "trivy version is 0.69.1" bash -c "trivy --version | grep '0.69.1'"
+
+reportResults

test/trivy/invalid_plugin.sh

@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+# Scenario: invalid_plugin
+# Verifies that trivy plugin install fails gracefully when given a
+# non-existent plugin name. Trivy is installed with defaults so the
+# container builds successfully, and we then test the error path.
+
+set -e
+
+source dev-container-features-test-lib
+
+# Trivy should be installed (the scenario uses "latest")
+check "trivy is installed" bash -c "which trivy"
+
+# Attempting to install a non-existent plugin should fail (non-zero exit)
+check "install of non-existent plugin fails" bash -c '
+    if trivy plugin install this-plugin-does-not-exist-xyz 2>&1; then
+        echo "ERROR: expected plugin install to fail but it succeeded"
+        exit 1
+    fi
+    echo "Correctly failed to install non-existent plugin"
+'
+
+# Verify the fake plugin does NOT appear in the plugin list
+check "non-existent plugin is not listed" bash -c \
+    "! trivy plugin list 2>&1 | grep -qi 'this-plugin-does-not-exist-xyz'"
+
+reportResults

test/trivy/invalid_version.sh

@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+
+# Scenario: invalid_version
+# Verifies that the install script's version validation correctly rejects
+# a non-existent version. Since the container must build successfully to
+# run tests, trivy is installed with "latest" and we then exercise the
+# validation logic manually.
+
+set -e
+
+source dev-container-features-test-lib
+
+# Trivy should be installed (the scenario uses "latest")
+check "trivy is installed" bash -c "which trivy"
+
+# Verify that a completely fake version does NOT appear in the releases list
+check "fake version not in releases" bash -c \
+    "! curl -sL https://api.github.com/repos/aquasecurity/trivy/releases | jq -r '.[].tag_name' | grep -qx 'v99.99.99'"
+
+# Simulate the install script's validation: attempt to match a non-existent
+# version against the release list and confirm it fails
+check "validation rejects non-existent version" bash -c '
+    version_list=$(curl -sL https://api.github.com/repos/aquasecurity/trivy/releases | jq -r ".[].tag_name")
+    if echo "${version_list}" | grep -qx "v99.99.99"; then
+        echo "ERROR: fake version was found in release list"
+        exit 1
+    fi
+    echo "Correctly rejected non-existent version v99.99.99"
+'
+
+# Also verify that a valid version IS accepted by the same logic
+check "validation accepts a real version" bash -c '
+    version_list=$(curl -sL https://api.github.com/repos/aquasecurity/trivy/releases | jq -r ".[].tag_name")
+    if ! echo "${version_list}" | grep -qx "v0.69.1"; then
+        echo "ERROR: valid version v0.69.1 was not found in release list"
+        exit 1
+    fi
+    echo "Correctly accepted valid version v0.69.1"
+'
+
+reportResults