bundler-trivy is a Bundler plugin that integrates Aqua Security's Trivy vulnerability scanner into the Ruby dependency management workflow. It scans Gemfile.lock for known vulnerabilities in the project's direct and transitive gems, so a Ruby project can use the same scanner and vulnerability database already used for container images and infrastructure. It adds a security layer on top of Bundler by checking the resolved dependencies against Trivy's vulnerability database during bundle operations.
The plugin hooks into Bundler's lifecycle to run Trivy after dependency resolution and reports each finding with its severity rating, its identifier (CVE or GHSA), and the fixed version when one has been published. Note what a Gemfile.lock scan covers: the gems listed in the lockfile. Native extensions and system libraries are only covered when Trivy scans the container image or filesystem they are installed in, so a lockfile scan complements rather than replaces an image scan. bundler-trivy supports configurable severity thresholds, so a team can fail the build on HIGH and CRITICAL findings while only warning on lower severities. Results can be emitted in several formats for integration with CI/CD pipelines and security dashboards.
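The following is an added example, not bundler-trivy's own code, showing the two pieces the paragraph describes: a severity threshold applied to a Trivy JSON report of a Gemfile.lock scan, and the Bundler hook that would run the scan after `bundle install`. The report keys (`Results`, `Vulnerabilities`, `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`) are Trivy's JSON output format and `Bundler::Plugin.add_hook("after-install-all")` is Bundler's plugin API; the environment variable name, the helper names and the sample report (placeholder identifiers and gem names) are constructed for this example.

```ruby
# Added example (not bundler-trivy's own code): severity-threshold triage of a
# Trivy JSON report for Gemfile.lock, plus the Bundler hook that would run it.
require "json"
require "open3"

# Trivy severity labels in ascending order. UNKNOWN ranks lowest so an unrated
# advisory still surfaces as a warning instead of being dropped.
SEVERITY_RANK = { "UNKNOWN" => 0, "LOW" => 1, "MEDIUM" => 2, "HIGH" => 3, "CRITICAL" => 4 }.freeze

# Command line producing a JSON report for the directory holding the lockfile.
# All severities are requested and no --exit-code is passed: fail/warn is decided here.
def trivy_command(lockfile)
  ["trivy", "fs", "--format", "json", File.dirname(File.expand_path(lockfile))]
end

def run_trivy(lockfile)
  out, err, status = Open3.capture3(*trivy_command(lockfile))
  raise "trivy failed (#{status.exitstatus}): #{err}" unless status.success?
  JSON.parse(out)
end

# Flatten Trivy's Results[].Vulnerabilities[] into plain hashes.
def findings(report)
  Array(report["Results"]).flat_map do |result|
    Array(result["Vulnerabilities"]).map do |v|
      {
        id: v["VulnerabilityID"],
        pkg: v["PkgName"],
        installed: v["InstalledVersion"],
        fixed: v["FixedVersion"],               # nil or "" when no fixed release exists
        severity: (v["Severity"] || "UNKNOWN").upcase,
        target: result["Target"],
      }
    end
  end
end

# Split findings at a threshold: at or above fail_on fails the build, below only warns.
def triage(findings, fail_on: "HIGH")
  threshold = SEVERITY_RANK.fetch(fail_on.upcase) { raise ArgumentError, "unknown severity #{fail_on}" }
  failing, warning = findings.partition { |f| SEVERITY_RANK.fetch(f[:severity], 0) >= threshold }
  { fail: failing, warn: warning, ok: failing.empty? }
end

# One line per finding with the remediation a developer can act on.
def format_finding(f)
  fix = f[:fixed].to_s.empty? ? "no fixed version published" : "upgrade to #{f[:fixed]}"
  "#{f[:severity]} #{f[:id]} #{f[:pkg]} #{f[:installed]} (#{f[:target]}): #{fix}"
end

# Registers the scan as a Bundler plugin hook; a plugin's plugins.rb would call this.
# BUNDLER_TRIVY_FAIL_ON is an assumed variable name for this example.
def install_hook(lockfile: "Gemfile.lock", fail_on: ENV.fetch("BUNDLER_TRIVY_FAIL_ON", "HIGH"))
  require "bundler"
  Bundler::Plugin.add_hook("after-install-all") do |_dependencies|
    result = triage(findings(run_trivy(lockfile)), fail_on: fail_on)
    result[:warn].each { |f| warn "bundler-trivy warning: #{format_finding(f)}" }
    result[:fail].each { |f| warn "bundler-trivy FAIL: #{format_finding(f)}" }
    abort "bundler-trivy: #{result[:fail].size} finding(s) at or above #{fail_on}" unless result[:ok]
  end
end

# Constructed sample in Trivy's JSON shape; identifiers and gem names are placeholders.
SAMPLE_REPORT = JSON.parse(<<~REPORT)
  { "SchemaVersion": 2,
    "Results": [ { "Target": "Gemfile.lock", "Class": "lang-pkgs", "Type": "bundler",
      "Vulnerabilities": [
        { "VulnerabilityID": "EXAMPLE-0001", "PkgName": "example-gem", "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "CRITICAL" },
        { "VulnerabilityID": "EXAMPLE-0002", "PkgName": "example-gem", "InstalledVersion": "1.0.0", "FixedVersion": "1.2.0", "Severity": "HIGH" },
        { "VulnerabilityID": "EXAMPLE-0003", "PkgName": "other-gem", "InstalledVersion": "2.3.0", "FixedVersion": "", "Severity": "MEDIUM" },
        { "VulnerabilityID": "EXAMPLE-0004", "PkgName": "third-gem", "InstalledVersion": "0.1.0" }
      ] } ] }
REPORT

if __FILE__ == $PROGRAM_NAME
  result = triage(findings(SAMPLE_REPORT), fail_on: "HIGH")
  (result[:fail] + result[:warn]).each { |f| puts format_finding(f) }
  puts(result[:ok] ? "build OK" : "build would fail")
end
```

The threshold is applied locally rather than with Trivy's `--severity` filter so that lower-severity findings are still printed as warnings in the same run; a CI job that only wants the verdict can set the variable to CRITICAL and read the exit status.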
bundler-trivy is aimed at security-conscious Ruby applications, particularly those that must meet security compliance requirements or handle sensitive data. Its main use is in CI/CD pipelines, where an automated scan blocks dependencies with known vulnerabilities before they reach production. It complements bundler-audit: both check gems against advisories, but Trivy's database aggregates more sources and the same tool already covers container images and infrastructure. That makes the plugin most attractive to organizations already running Trivy, who get one scanner and one vulnerability database across both infrastructure and application dependencies.
gem install bundler-trivy

Direct dependencies and their transitive dependencies
| Name | Level | Type | Version | Dependencies |
|---|---|---|---|---|
| bundler | Direct | runtime | ~> 2.0 | - |
| minitest | Direct | development | ~> 5.0 | - |
| rake | Direct | development | ~> 13.0 | - |
| rubocop | Direct | development | ~> 1.0 | - |
| standard | Direct | development | >= 1.35.1 | - |
1 version available for installation