YAML for Security Audit

Scan Docker images or a filesystem for vulnerabilities, secrets, misconfigurations and license issues using Trivy.

YAML parameters for Security Audit

PARAMETERS

scan (required, ScanYaml)
  Configuration of the scan target, enabled scanners, severities and failure policy.

type (required, string)
  Value: SECURITY_AUDIT

action (required, string)
  Unique identifier for the action within the pipeline.

ignore (IgnoreYaml)
  Rules that suppress specific findings from the scan report. Each rule type is keyed by the finding category it applies to.

trigger_time (string enum)
  Specifies when the action should be executed.
  Allowed values: ON_EVERY_EXECUTION, ON_SUCCESS, ON_FAILURE, ON_BACK_TO_SUCCESS, ON_WARNING, ON_WAIT_FOR_APPROVE, ON_TERMINATE

loop (string[])
  The list of variables for dynamic action execution. The action runs once for each value.

run_only_on_first_failure (boolean)
  Defines whether the action should be executed on each failure or only on the first one. Only applies, and is required, when trigger_time is ON_FAILURE.

disabled (boolean)
  When set to true the action is disabled. By default it is set to false.

timeout (integer)
  The timeout in seconds.

ignore_errors (boolean)
  If set to true, the execution proceeds: the action is marked as a warning and the pipeline jumps to the next action. Does not apply to deployment actions.

retry_interval (integer)
  Delay time between auto retries in seconds.

retry_count (integer)
  Number of retries if the action fails.

run_next (string enum)
  Defines whether the action should run in parallel with the next one.
  Allowed values: WAIT_ON_SUCCESS, IN_SOFT_PARALLEL, IN_HARD_PARALLEL

trigger_conditions (TriggerConditionYaml[])
  The list of trigger conditions to meet so that the action can be triggered.

variables (VariableYaml[])
  The list of variables you can use in the action.

Last modified on May 25, 2026

YAML examples for Security Audit

Scan image produced by the previous action

```yaml
- action: "Security audit"
  type: "SECURITY_AUDIT"
  scan:
    type: "IMAGE"
    image:
      image_location: "ACTION"
      from_action: "Build Docker image"
```

Scan a public image from Docker Hub

```yaml
- action: "Security audit"
  type: "SECURITY_AUDIT"
  scan:
    type: "IMAGE"
    image:
      docker_registry: "DOCKER_HUB"
      name: "alpine"
      tag: "3.18"
    scanners:
      - "VULNERABILITY"
    severities:
      - "CRITICAL"
      - "HIGH"
```

Scan the pipeline's filesystem with default path

```yaml
- action: "Security audit"
  type: "SECURITY_AUDIT"
  scan:
    type: "FILESYSTEM"
    scanners:
      - "VULNERABILITY"
      - "MISCONFIGURATION"
      - "SECRET"
    severities:
      - "CRITICAL"
      - "HIGH"
      - "MEDIUM"
```

Scan an image from a private Docker Hub repository

```yaml
- action: "Security audit"
  type: "SECURITY_AUDIT"
  scan:
    type: "IMAGE"
    image:
      image_location: "PRIVATE_REGISTRY"
      docker_registry: "DOCKER_HUB"
      integration: "docker-hub"
      name: "my-org/my-app"
      tag: "v1.2.3"
    scanners:
      - "VULNERABILITY"
      - "SECRET"
      - "MISCONFIGURATION"
    severities:
      - "CRITICAL"
      - "HIGH"
      - "MEDIUM"
      - "LOW"
    fail_only_on_fixable: true
```

Scan filesystem with skipped directories

```yaml
- action: "Security audit"
  type: "SECURITY_AUDIT"
  scan:
    type: "FILESYSTEM"
    path: "/buddy/app"
    skip_paths:
      - "vendor/"
      - "node_modules/"
      - "dist/"
    scanners:
      - "VULNERABILITY"
      - "SECRET"
    severities:
      - "CRITICAL"
      - "HIGH"
```

Scan filesystem with ignore rules for all kinds

```yaml
- action: "Security audit"
  type: "SECURITY_AUDIT"
  scan:
    type: "FILESYSTEM"
    scanners:
      - "VULNERABILITY"
      - "SECRET"
      - "MISCONFIGURATION"
      - "LICENSE"
    severities:
      - "CRITICAL"
      - "HIGH"
  ignore:
    vulnerabilities:
      - id: "CVE-2023-45853"
        paths:
          - "vendor/"
        statement: "No upstream fix available, accepted risk"
        expires_at: "2026-09-21"
    misconfigurations:
      - id: "AVD-DS-0001"
        statement: "Intentional configuration"
    secrets:
      - id: "generic-api-key"
        paths:
          - "tests/fixtures/"
        statement: "Test data, not a real secret"
    licenses:
      - id: "0BSD"
        statement: "Approved by legal"
```
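Ignore rules are the one place where a pipeline can hide findings, so they deserve a review gate. The script below is an added example, not part of the Buddy documentation or product: it lints the parsed ignore block of a SECURITY_AUDIT action (the dict you would get from yaml.safe_load on the pipeline file) for the four documented rule kinds, missing ids or statements, and malformed or already-past expires_at dates. The "expired suppression is an error" policy and the sample actions are assumptions constructed here.

```python
from datetime import date

# Finding categories accepted under ignore:, as documented on this page.
IGNORE_KINDS = ("vulnerabilities", "misconfigurations", "secrets", "licenses")


def lint_ignore_rules(action, today):
    """Return problems in action['ignore']: unknown kinds, rules without an id
    or a statement, malformed or already-past expires_at. Assumed policy: an
    expired suppression is an error so the finding resurfaces in the report."""
    if isinstance(today, str):  # accept "YYYY-MM-DD" or a date object
        today = date.fromisoformat(today)
    problems = []
    for kind, rules in (action.get("ignore") or {}).items():
        if kind not in IGNORE_KINDS:
            problems.append(f"unknown ignore kind '{kind}'")
            continue
        for rule in rules or []:
            rid = rule.get("id")
            if not rid:
                problems.append(f"{kind}: rule without id")
                continue
            if not rule.get("statement"):  # the audit trail for the suppression
                problems.append(f"{kind}/{rid}: missing statement")
            exp = rule.get("expires_at")
            if exp is None:
                continue
            try:  # a YAML loader may hand back a date object; str() keeps ISO form
                when = date.fromisoformat(str(exp))
            except ValueError:
                problems.append(f"{kind}/{rid}: expires_at '{exp}' is not YYYY-MM-DD")
                continue
            if when < today:
                problems.append(f"{kind}/{rid}: suppression expired on {when}")
    return problems


# Constructed sample mirroring the "ignore rules for all kinds" example above.
GOOD_ACTION = {"action": "Security audit", "type": "SECURITY_AUDIT", "ignore": {
    "vulnerabilities": [{"id": "CVE-2023-45853", "paths": ["vendor/"],
                         "statement": "No upstream fix available, accepted risk",
                         "expires_at": "2026-09-21"}],
    "misconfigurations": [{"id": "AVD-DS-0001", "statement": "Intentional configuration"}],
    "secrets": [{"id": "generic-api-key", "paths": ["tests/fixtures/"],
                 "statement": "Test data, not a real secret"}],
    "licenses": [{"id": "0BSD", "statement": "Approved by legal"}]}}

# Constructed sample with defects a reviewer should reject.
BAD_ACTION = {"action": "Security audit", "type": "SECURITY_AUDIT", "ignore": {
    "secrets": [{"id": "generic-api-key"}],
    "vulnerabilities": [{"id": "CVE-2023-45853", "statement": "x", "expires_at": "21/09/2026"}],
    "typos": [{"id": "whatever"}]}}
```

Run it against every SECURITY_AUDIT action in the pipeline file and fail the merge on a non-empty result; with the sample above the same rule set is clean before 2026-09-21 and reported as expired after it.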

Scan image and report every finding regardless of fix availability

```yaml
- action: "Security audit"
  type: "SECURITY_AUDIT"
  scan:
    type: "IMAGE"
    image:
      image_location: "ACTION"
      from_action: "Build Docker image"
    scanners:
      - "VULNERABILITY"
      - "SECRET"
      - "MISCONFIGURATION"
    severities:
      - "CRITICAL"
      - "HIGH"
      - "MEDIUM"
    fail_only_on_fixable: false
```

Scan a public image from a custom registry

```yaml
- action: "Security audit"
  type: "SECURITY_AUDIT"
  scan:
    type: "IMAGE"
    image:
      image_location: "PUBLIC_REGISTRY"
      docker_registry: "OTHER"
      registry: "myregistry.example.com"
      name: "my-app"
      tag: "v1.2.3"
    scanners:
      - "VULNERABILITY"
    severities:
      - "CRITICAL"
      - "HIGH"
```

Scan a private image from a custom registry using basic authentication

```yaml
- action: "Security audit"
  type: "SECURITY_AUDIT"
  scan:
    type: "IMAGE"
    image:
      image_location: "PRIVATE_REGISTRY"
      docker_registry: "OTHER"
      registry: "myregistry.example.com"
      login: "registry-user"
      password: "registry-password"
      name: "my-app"
      tag: "v1.2.3"
    scanners:
      - "VULNERABILITY"
    severities:
      - "CRITICAL"
      - "HIGH"
```