Problem integrating Trivy scan results with SonarQube Dashboard

Hello SonarQube Community,

I’m currently working in a DevSecOps setup and using SonarQube Community Edition along with Trivy for container image and code scanning.

I want to integrate Trivy scan results into the SonarQube dashboard so that vulnerabilities from both static code analysis and container security are visible in one place.

Has anyone successfully implemented this? Is there any custom plugin or script to parse Trivy JSON output and feed it into SonarQube as external issues?

Any guidance, examples, or recommended practices would be highly appreciated.

Best regards,
Delowar Hossain
Security Engineer | Business Automation Ltd

Hey @Delowar_Hossain

If I understand correctly, Trivy allows you to export reports in SARIF format, which SonarQube supports importing. Would that work for you?

That sounds like a good idea. Could you please guide me on how to properly configure the SARIF export from Trivy and import it into SonarQube?

Thank you

Here are some resources to help: the Trivy export formats documentation and the SonarQube SARIF import documentation. You may need to fill in some gaps on your own, or return with specific questions if you need further guidance.
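As an added illustration of the SARIF route discussed above (not code from the thread, from Trivy, or from SonarQube): a small pre-flight script that runs over the file produced by `trivy ... --format sarif --output trivy.sarif` before SonarQube picks it up through the `sonar.sarif.reportPaths` analysis property. It parses the report, counts findings per SARIF level, and lists results whose artifact URI does not resolve to a file in the analysed project. The assumption behind that last check is that SonarQube can only attach a SARIF result to a file it knows about, so image-scan findings that point at container-filesystem paths will not land in the dashboard; the script writes a filtered copy containing only the mappable results. The SARIF sample and the CVE ids in it are constructed placeholders.

```python
"""Pre-flight checks on a Trivy SARIF report before SonarQube imports it.

Added example for this thread; not code from Trivy or SonarQube. Assumptions:
  * the report came from `trivy ... --format sarif --output trivy.sarif`
  * SonarQube reads it via the sonar.sarif.reportPaths analysis property
  * a result is only useful to SonarQube if its artifact URI maps to a file
    inside the analysed project (assumption about the import behaviour)
"""
import json
import tempfile
from collections import Counter
from pathlib import Path

# Constructed sample in the shape of a Trivy SARIF run. The CVE ids are
# placeholders, not real advisories.
SAMPLE_SARIF = json.dumps({
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Trivy", "rules": [
            {"id": "CVE-0000-00001", "shortDescription": {"text": "placeholder high"}},
            {"id": "CVE-0000-00002", "shortDescription": {"text": "placeholder medium"}},
        ]}},
        "results": [
            {"ruleId": "CVE-0000-00001", "level": "error",
             "message": {"text": "Package example-lib 1.0.0 (placeholder finding)"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "package-lock.json"},
                 "region": {"startLine": 1}}}]},
            {"ruleId": "CVE-0000-00002", "level": "warning",
             "message": {"text": "OS package inside image layer (placeholder finding)"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "usr/lib/os-release"},
                 "region": {"startLine": 1}}}]},
        ],
    }],
})


def load_sarif(text):
    """Parse SARIF JSON and reject anything that is not a 2.1.0 document with runs."""
    doc = json.loads(text)
    if doc.get("version") != "2.1.0" or not isinstance(doc.get("runs"), list):
        raise ValueError("not a SARIF 2.1.0 report")
    return doc


def iter_results(doc):
    """Yield every result across all runs in the report."""
    for run in doc["runs"]:
        yield from run.get("results", [])


def count_by_level(doc):
    """Count results per SARIF level; a missing level counts as 'warning' (SARIF default)."""
    return dict(Counter(r.get("level", "warning") for r in iter_results(doc)))


def result_uris(result):
    """Yield the artifact URIs of a result's physical locations."""
    for loc in result.get("locations", []):
        uri = loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri")
        if uri:
            yield uri


def unmapped_results(doc, project_root):
    """Return (ruleId, uri) pairs whose URI is not a file under project_root.

    Image-scan findings point at paths inside the container filesystem, so they
    will not match anything in the source tree SonarQube analyses.
    """
    root = Path(project_root)
    return [(r.get("ruleId"), uri)
            for r in iter_results(doc)
            for uri in result_uris(r)
            if not (root / uri).is_file()]


def filter_mappable(doc, project_root):
    """Return a deep copy keeping only results whose every location resolves to a
    project file; results with no location are dropped as well."""
    root = Path(project_root)
    kept = json.loads(json.dumps(doc))
    for run in kept["runs"]:
        run["results"] = [
            r for r in run.get("results", [])
            if (uris := list(result_uris(r))) and all((root / u).is_file() for u in uris)
        ]
    return kept


def demo_check(sarif_text=SAMPLE_SARIF):
    """Run the checks against a throwaway project that contains only package-lock.json."""
    with tempfile.TemporaryDirectory() as project:
        Path(project, "package-lock.json").write_text("{}")
        doc = load_sarif(sarif_text)
        kept = filter_mappable(doc, project)
        # The filtered copy is what you would hand to sonar.sarif.reportPaths.
        Path(project, "trivy.filtered.sarif").write_text(json.dumps(kept))
        return count_by_level(doc), unmapped_results(doc, project), len(kept["runs"][0]["results"])


if __name__ == "__main__":
    levels, unmapped, kept_count = demo_check()
    print("results by level:", levels)
    print("results SonarQube cannot map to a project file:", unmapped)
    print("results kept for import:", kept_count)
```

Run it once against the real `trivy.sarif` from your pipeline (swap `SAMPLE_SARIF` for the file contents and the temp directory for the scanner's base directory); if most results show up as unmapped, that is the signal that a `trivy image` report will not surface in the project dashboard and a `trivy fs` scan of the repository is the one worth importing.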