Trivy Pack
V3 local filesystem security capability pack. By-value connector composition (service_kind=cli, no separate ingredient): one local trivy CLI ingredient exposes bounded project operations for readiness, dependency/IaC security scanning, and CycloneDX SBOM generation. Operations accept one trusted filesystem target, avoid caller-supplied Trivy flags, avoid shell wrappers, and keep findings or SBOM output as JSON. Security scans use filesystem target mode, vuln+misconfig scanners only, JSON output, and no output file; they expose no container image scan, Kubernetes scan, repo clone, server/client mode, secret scanning, license-policy scan, caller-supplied config/check/template/VEX/ignorefile paths, registry credentials, module/plugin actions, or arbitrary command execution. Approval is ask because Trivy may update vulnerability and check databases before scanning. Requires trivy on PATH. Network egress may occur for Trivy database/check updates.
What this pack installs
- trivy Ingredient
Trust & control
What installing this whole pack would let it do. Recued grants these permissions at install — review them there before approving.