Skip to content

Dependency Scanning

Aptori leverages the industry-leading Trivy tool for finding vulnerabilities in dependencies used by an application. Aptori maintains the aptori/scanners container image, so you can easily incorporate an up-to-date dependency scanner into your CI/CD pipeline. Results from running aptori/scanners dependency scanning on your source code repository are published to the Aptori Platform, alongside any security issues found by other Aptori tools.


  • Asset ID of a Repository

    • To get the asset ID of an Repository, navigate to Projects in the Aptori Platform. On the tile of the Repository asset, open the Settings by click the three dots menu and choosing Settings. The asset ID is displayed inthe popup window.
    • To create a Repository asset, navigate to Projects in the Aptori Platform. At the top of the page, click "Add +" > "Add a Repository". Select the Project to which the Repository belongs and enter a name for the Repository.
  • Platform Key

    • To create a Platform Key, navigate to Keys in the Aptori Platform.

Running on a local repository path

With container runtime CLI tools such as Docker or nerdctl, you can run aptori/scanners on a local copy of your source code repository. For example, from the root directory of the source code, use Docker CLI to run a dependency scan:

docker run --rm -v "${PWD}:/src" \
    aptori/scanners scanners dependency trivy \
        --key {{Your Platform Key}} \
        --asset-id {{Your Asset ID}} \
        --labels "repository={{Your repo URL}}, branch=main"

Alternately, the Platform Key and Asset ID may be specified in environment variables. This is particularly helpful when running in CI/CD.

export APTORI_ACCESS_KEY={{Your Platform Key}}
export APTORI_ASSET_ID={{Your Asset ID}}

docker run --rm -v "${PWD}:/src" \
    aptori/scanners scanners dependency trivy \
        --labels "repository={{Your repo URL}}, branch=main"


Labels allow you to add metadata to a run. There are two labels that have special meaning in the Aptori Platform:

  • repository: The URL of your source code repository will be used to create links from Issues back to the source code. The URL need not be accessible by the Platform, only by users that may follow a link from an Issue.
  • branch: The branch in your source code repository for which the run was performed. For source code links in an Issue, Aptori Platform uses the branch name to reference the appropriate revision of a file in the source code repository.

Running in CI/CD

Performing a dependency scan in a CI/CD pipeline is easy with the aptori/scanners container. We recommend you use CI/CD variables to store details like the Platform Key and Asset ID.

GitLab example

In the following GitLab example, a job named aptori-dependency-scan is defined to run on commits made to the default branch of the repository. The job expects the following CI/CD variables to be defined in the GitLab repository settings.

  - test

  stage: test
  image: aptori/scanners
    - scanners dependency trivy --labels="repository=${CI_PROJECT_URL}, branch=${CI_COMMIT_BRANCH}, job=${CI_JOB_URL}"

CircleCI example

In the following CircleCI example, a job named aptori-dependency-scan is defined to perform a dependency scan on the source code of the repository. The job expects the following Environment Variables to be defined in the Project Settings.

version: 2.1
    # Scan dependencies for known vulnerabilities using Aptori Scanners.
    # Requires variables to be defined: APTORI_ACCESS_KEY, APTORI_ASSET_ID
      - image: aptori/scanners
      - checkout
      - run:
          name: Run Aptori dependency scan
          command: scanners dependency trivy --labels="repository=${CIRCLE_REPOSITORY_URL}, branch=${CIRCLE_BRANCH}, job=${CIRCLE_BUILD_URL}"
      - aptori-dependency-scan

Command Reference

The dependency scan command has the following syntax:

scanners dependency trivy [OPTIONS]

Values for key and asset-id options are required, but they may be supplied by environment variables APTORI_ACCESS_KEY and APTORI_ASSET_ID, respectively. If both the CLI argument and environment variable are present, the CLI argument takes precedence.


Option Description Environment variable
--help, -h ` Show help message and exit
--asset-id, -a Asset ID of a repository defined in Aptori Platform APTORI_ASSET_ID
--command, -c Pass custom command arguments to trivy tool
--environment-id, -e Environment ID where scan is being performed APTORI_ENVIRONMENT_ID
--key, -k ` Aptori Platform key APTORI_ACCESS_KEY
--labels, -l Labels for the run, in format of "key1=value1, key2=value2"
--platform-url, -p Specify the Aptori Platform URL APTORI_PLATFORM_URL