How to Add Trivy and Semgrep to Woodpecker CI on Raspberry Pi
November 11, 2025If you’re running your own Woodpecker CI instance on a Raspberry Pi, you can integrate modern security tools like Trivy and Semgrep. I will walk you through on how to set it all up, fully Dockerized, ARM64-compatible, and tailored for PHP + JavaScript projects.
Why Use These Tools Together?
These three tools work best when combined, each covers a different layer of software security and maintenance.
| Tool | Purpose |
|---|---|
| Trivy | Scans dependencies for known vulnerabilities (SCA) and optionally Docker images |
| Semgrep | Performs static analysis on your source code (SAST) |
In short:
- Trivy finds vulnerable dependencies.
- Semgrep finds vulnerable code.
Together, they form a full security coverage workflow for your CI.
Add .woodpecker.yml to Your Repository
Your Woodpecker configuration file must be located in the root of your repository:
my-project/
├── src/
├── package.json
├── composer.json
└── .woodpecker.ymlThis file tells Woodpecker how to run your pipeline.
Example .woodpecker.yml
Below is a working example that runs all three tools inside Docker containers.
Each job runs independently and can be customized.
yaml
steps:
trivy-deps:
image: aquasec/trivy:latest
commands:
- trivy fs --exit-code 1 --severity HIGH,CRITICAL .
failure: ignore
semgrep:
image: returntocorp/semgrep
commands:
- semgrep ci --config auto
failure: ignoreThis configuration:
- Runs Trivy and Semgrep on every push and pull request (configured in Gitea webhooks).
Trigger Your Pipeline
Push your changes to your repository:
bash
git add .woodpecker.yml
git commit -m "Add security and maintenance pipeline"
git pushWoodpecker will automatically detect the .woodpecker.yml and start running the jobs.
By combining Trivy and Semgrep in your Woodpecker CI pipeline, you’ll gain:
- Vulnerability scanning for dependencies (Trivy)
- Secure code analysis (Semgrep)
All running seamlessly on a Raspberry Pi with Dockerized Woodpecker.