Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
APACHE-2.0 License
Published by knqyf263 over 3 years ago
[EXPERIMENTAL] This feature might change without preserving backwards compatibility.
Scan your image in Podman (>=2.0) running locally. Remote Podman is not supported. Before running Trivy commands, you must enable the podman.socket systemd unit on your machine. For more details, see here
$ systemctl --user enable --now podman.socket
Then, you can scan your image in Podman.
$ cat Dockerfile
FROM alpine:3.12
RUN apk add --no-cache bash
$ podman build -t test .
$ podman images
REPOSITORY      TAG     IMAGE ID      CREATED             SIZE
localhost/test  latest  efc372d4e0de  About a minute ago  7.94 MB
$ trivy image test
Trivy is able to scan RHEL 8/CentOS 8 more accurately now.
Trivy can be deployed to Kubernetes with Redis cache.
Thanks, @czunker!
Trivy is able to scan Python vulnerabilities more accurately now.
Trivy is able to scan Alpine Linux 3.13 now.
cdabe7f Fix compatibility for Jenkins xunit plugin (#820)
b0fe439 README: add Gitlab job that uses a container with trivy (#823)
6685cd4 feat: support Podman (#825)
7a683bd fix(eol): update EOL dates (#824)
6ed03a8 fix(python): follow PEP 440 (#816)
182cb80 Support alpine 3.13 (#819)
2acd1ca Changed the output string to "Using your github token". (#814)
dd35bfd Align comment with code (#812)
1f17e71 Parse redis backend url (#804)
0954f6b Update README.md (#810)
6b29bf1 Added nodeSelector, affinity and tolerations to helm chart (#803)
f6afdf0 Fix readme typo in policy flag (#805)
412847d Fix errors in SARIF format (#801)
5b27862 Fix env variable for github token (#796)
6ed25c1 fix(vulnerability): set unknown severity for empty values (#793)
e2c483f Remove global flags from filesystem command (#772)
5c5e0cb Add imagePullSecrets to helm Chart (#789)
b9b84cd Add redis cache backend configuration options (#784)
e517bcc Update README.md (#735)
7f5a6d4 feat(redhat): support modular packages (#790)
8de09dd Fix formatting of log message (#785)
e08ae8d chore(ci): migrate unit tests to GitHub Actions (#779)
a00d719 shifted: brews.github to brews.tap (#780)
docker pull docker.io/aquasec/trivy:0.16.0
docker pull docker.io/aquasec/trivy:latest
docker pull ghcr.io/aquasecurity/trivy:0.16.0
docker pull ghcr.io/aquasecurity/trivy:latest
Published by knqyf263 almost 4 years ago
Trivy now supports NuGet's lock file, packages.lock.json.
packages.lock.json
==================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
+-------------+------------------+----------+-------------------+----------------+--------------------------------------+
|   LIBRARY   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION  |                TITLE                 |
+-------------+------------------+----------+-------------------+----------------+--------------------------------------+
| MessagePack | CVE-2020-5234    | MEDIUM   | 1.9.10            | 2.1.90, 1.9.11 | Untrusted data can lead to DoS       |
|             |                  |          |                   |                | attack due to hash collisions and... |
|             |                  |          |                   |                | -->avd.aquasec.com/nvd/cve-2020-5234 |
+-------------+------------------+----------+-------------------+----------------+--------------------------------------+
Thanks to @Johannestegner
For the detail, see here
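To show what a scanner has to do with this lock file, here is a minimal parser for the packages.lock.json format together with a lookup against a small advisory table. This is an added example, not Trivy's scanner code: the lock file content, the advisory table (which uses [introduced, fixed) ranges so that both fixed branches of CVE-2020-5234 from the table above are covered) and the simplified pre-release ordering are all assumptions made for the demo. NuGet package ids are case-insensitive, which is why the table is keyed by lower-cased id.

```python
"""packages.lock.json parser with a lookup against a small advisory table.

Added example, not Trivy's own scanner code. A NuGet lock file records, per
target framework, every package with its resolved version and whether it is
a Direct, Transitive or Project reference. The lock file and the advisory
table below are constructed for the demo; the MessagePack entry mirrors the
page's sample result (CVE-2020-5234, fixed in 1.9.11 and 2.1.90).
"""
import json

# Constructed lock file in the packages.lock.json format (version 1).
SAMPLE_LOCK = json.dumps({
    "version": 1,
    "dependencies": {
        "netcoreapp3.1": {
            "MessagePack": {
                "type": "Direct",
                "requested": "[1.9.10, )",
                "resolved": "1.9.10",
                "contentHash": "placeholder-hash",
            },
            "MessagePack.Annotations": {
                "type": "Transitive",
                "resolved": "1.9.10",
                "contentHash": "placeholder-hash",
            },
            # Project references carry no resolved version and are skipped.
            "MyCompany.Shared": {"type": "Project"},
        }
    },
})

# Constructed advisory table keyed by lower-cased package id (NuGet ids are
# case-insensitive). Each range is [introduced, fixed): CVE-2020-5234 has
# two fixed branches, so 2.0.0 <= v < 2.1.90 is vulnerable as well.
ADVISORIES = {
    "messagepack": [{
        "id": "CVE-2020-5234",
        "ranges": [("0.0.0", "1.9.11"), ("2.0.0", "2.1.90")],
        "fixed": "2.1.90, 1.9.11",
    }],
}


def parse_version(v):
    """Turn a NuGet version into a comparable key.

    Numeric parts compare numerically and are padded to four so that
    1.9 == 1.9.0.0; a pre-release tag (1.0.0-beta) sorts before the
    matching release; build metadata after '+' is ignored. Pre-release
    tags are compared as plain strings, a simplification of SemVer.
    """
    v = v.split("+", 1)[0]
    release, _, pre = v.partition("-")
    nums = tuple(int(p) for p in release.split("."))
    nums += (0,) * (4 - len(nums))
    return nums, ((0, pre) if pre else (1, ""))


def parse_lock(text):
    """Yield (framework, name, type, resolved) for every resolved package."""
    doc = json.loads(text)
    if doc.get("version") != 1:
        raise ValueError("unsupported packages.lock.json version")
    for tfm, pkgs in doc.get("dependencies", {}).items():
        for name, meta in pkgs.items():
            if "resolved" not in meta:
                continue
            yield tfm, name, meta.get("type", ""), meta["resolved"]


def is_vulnerable(installed, ranges):
    """True when installed falls inside any [introduced, fixed) range."""
    inst = parse_version(installed)
    return any(parse_version(lo) <= inst < parse_version(hi) for lo, hi in ranges)


def scan_lock(text, advisories=ADVISORIES):
    """Return one finding per (package, advisory) hit, Trivy-table style."""
    findings = []
    for tfm, name, kind, resolved in parse_lock(text):
        for adv in advisories.get(name.lower(), []):
            if is_vulnerable(resolved, adv["ranges"]):
                findings.append({
                    "Framework": tfm, "Library": name, "Type": kind,
                    "VulnerabilityID": adv["id"],
                    "InstalledVersion": resolved, "FixedVersion": adv["fixed"],
                })
    return findings


if __name__ == "__main__":
    for f in scan_lock(SAMPLE_LOCK):
        print(f"{f['Library']} {f['InstalledVersion']} -> {f['VulnerabilityID']} (fixed: {f['FixedVersion']})")
```

Transitive packages are scanned the same way as direct ones, which is the point of reading the lock file rather than the project file: the vulnerable version is whatever was actually resolved, not what the project requested.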
$ docker run -d --name redis -p 6379:6379 redis:5.0
$ trivy server --cache-backend redis://localhost:6379
$ trivy client alpine:3.11
$ trivy image -f template --template "@contrib/html.tpl" -o report.html alpine:3.12
Thanks to @irrandon
For the detail, see here
$ cd helm/trivy
$ helm install my-release .
Thanks to @czunker
Close https://github.com/aquasecurity/trivy/issues/771 and https://github.com/aquasecurity/trivy/issues/741
Thanks to @masahiro331
alpine:3.10 (alpine 3.10.5)
===========================
Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 4, HIGH: 0, CRITICAL: 0)
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
|   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| libcrypto1.1 | CVE-2020-1971    | MEDIUM   | 1.1.1g-r0         | 1.1.1i-r0     | openssl: EDIPARTYNAME                 |
|              |                  |          |                   |               | NULL pointer de-reference             |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-1971  |
+--------------+                  +          +                   +               +                                       +
| libssl1.1    |                  |          |                   |               |                                       |
|              |                  |          |                   |               |                                       |
|              |                  |          |                   |               |                                       |
+--------------+------------------+          +-------------------+---------------+---------------------------------------+
| musl         | CVE-2020-28928   |          | 1.1.22-r3         | 1.1.22-r4     | In musl libc through 1.2.1,           |
|              |                  |          |                   |               | wcsnrtombs mishandles particular      |
|              |                  |          |                   |               | combinations of destination buffer... |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-28928 |
+--------------+                  +          +                   +               +                                       +
| musl-utils   |                  |          |                   |               |                                       |
|              |                  |          |                   |               |                                       |
|              |                  |          |                   |               |                                       |
|              |                  |          |                   |               |                                       |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
08ca1b0 Feat: NuGet Scanner (#686)
7b86f81 feat(cache): support Redis (#770)
8cd4afe fix(redhat): skip module packages (#776)
b606b62 chore: migrate from master to main (#778)
5c2b14b chore(circleci): remove gofmt (#777)
a19a023 chore(README): remove experimental (#775)
e6cef75 NVD: Add timestamps. (#761)
1371f72 (fix): Make the table output less wide. (#763)
8ecaa2f Add gitHubToken to prevent rate limit problems (#769)
8132174 Add helm chart to install trivy in server mode. (#751)
bcc2850 chore(docs): add nix install (#762)
cb36972 HTML template (#567)
docker pull docker.io/aquasec/trivy:0.15.0
docker pull docker.io/aquasec/trivy:latest
docker pull ghcr.io/aquasecurity/trivy:0.15.0
docker pull ghcr.io/aquasecurity/trivy:latest
Published by knqyf263 almost 4 years ago
Trivy shows a primary URL in the result as follows.
alpine:3.10 (alpine 3.10.5)
===========================
Total: 2 (UNKNOWN: 2, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
+------------+------------------+----------+-------------------+---------------+--------------------------------+------------------------------------+
|  LIBRARY   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |                URL                 |
+------------+------------------+----------+-------------------+---------------+--------------------------------+------------------------------------+
| musl       | CVE-2020-28928   | UNKNOWN  | 1.1.22-r3         | 1.1.22-r4     | In musl libc through 1.2.1,    | avd.aquasec.com/nvd/cve-2020-28928 |
|            |                  |          |                   |               | wcsnrtombs mishandles          |                                    |
|            |                  |          |                   |               | particular combinations of     |                                    |
|            |                  |          |                   |               | destination buffer...          |                                    |
+------------+                  +          +                   +               +                                +                                    +
| musl-utils |                  |          |                   |               |                                |                                    |
|            |                  |          |                   |               |                                |                                    |
|            |                  |          |                   |               |                                |                                    |
|            |                  |          |                   |               |                                |                                    |
+------------+------------------+----------+-------------------+---------------+--------------------------------+------------------------------------+
[
  {
    "Target": "alpine:3.10 (alpine 3.10.5)",
    "Type": "alpine",
    "Vulnerabilities": [
      {
        "VulnerabilityID": "CVE-2020-28928",
        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-28928",
        ...
      }
    ]
  }
]
In these cases, you can see https://avd.aquasec.com/nvd/cve-2020-28928 as the primary URL.
Trivy no longer requires the rpm command on the host. You can scan a RHEL-based image without rpm.
$ rpm
bash: rpm: command not found
$ trivy image -o /dev/null centos:7
centos:7 (centos 7.9.2009)
==========================
Total: 601 (UNKNOWN: 0, LOW: 358, MEDIUM: 240, HIGH: 3, CRITICAL: 0)
There was a bug where vulnerabilities with unknown severity did not appear in the result when using the --light option.
9bdbeab feat: remove rpm dependency (#753)
d85cb77 fix(vulnerability): make an empty severity UNKNOWN (#759)
1bee83c chore(README): add TRIVY_INSECURE (#760)
4d18943 feat(vulnerability): add primary URLs (#752)
docker pull docker.io/aquasec/trivy:0.14.0
docker pull docker.io/aquasec/trivy:latest
docker pull ghcr.io/aquasecurity/trivy:0.14.0
docker pull ghcr.io/aquasecurity/trivy:latest
Published by knqyf263 almost 4 years ago
npm and RubyGems have different versioning/constraint semantics from other languages, so we developed libraries for them. In the future, we will probably develop libraries for other languages such as Python.
Once the vulnerability DB is downloaded, Trivy will not check for an update again within one hour, so that it does not download the same DB repeatedly by mistake.
Provide binaries for FreeBSD & OpenBSD
Provide binaries for the ppc64le (Power) architecture.
Skip ksplice advisories when the installed package is not a ksplice package during Oracle Linux scanning. Also, if the package is a ksplice one, we should not use the normal advisories.
Skip scanning RPM packages installed from the remi repository
1391b3b fix(oracle): handle ksplice advisories (#745)
b6d5b82 fix: version comparison (#740)
9dfb0fe updated Readme.md (#737)
4555469 Add suse sles 15.2 to the EOL list as well (#734)
c189aa6 Update README.md (#731)
8442528 Warn when a user attempts to use trivy without a detectable lockfile (#729)
d09787e Add back support for FreeBSD & OpenBSD (#728)
0285a89 Add support for ppc64le architecture (#724)
7d7784f Skip packages from unsupported repository (remi) (#695)
ca6f196 Skip downloading DB if a remote DB is not updated (#717)
e621cf2 Sunsetting VendorVectors (#718)
906ab54 Add GitHub Container Registry to README (#712)
1549c25 update BUG_REPORT.md using H2 instead of bold formatting (#714)
fe1d07e fix(ci/deb): do not remove old packages for EOL versions (#706)
793a1aa Add linter check support (#679)
4a94477 Optimize images (#696)
9bc2b19 Update triage.md (#701)
docker pull docker.io/aquasec/trivy:0.13.0
docker pull docker.io/aquasec/trivy:latest
docker pull ghcr.io/aquasecurity/trivy:0.13.0
docker pull ghcr.io/aquasecurity/trivy:latest
Published by knqyf263 about 4 years ago
Trivy traverses directories and looks for all lock files by default. If your image contains lock files that you do not maintain, you can skip those files with --skip-files.
$ trivy image --skip-files "/Gemfile.lock,/app/Pipfile.lock" quay.io/fluentd_elasticsearch/fluentd:v2.9.0
$ trivy server &
$ curl http://127.0.0.1:4954/healthz
ok
$ trivy fs -h | grep skip-update
--skip-update skip db update (default: false) [$TRIVY_SKIP_UPDATE]
$ docker pull ghcr.io/aquasecurity/trivy:latest
Trivy server now returns CWE-IDs in scan results.
$ trivy image
NAME:
   trivy image - scan an image

USAGE:
   trivy image [command options] image_name

OPTIONS:
   --template value, -t value  output template [$TRIVY_TEMPLATE]
   --format value, -f value    format (table, json, template) (default: "table") [$TRIVY_FORMAT]
   --input value, -i value     input file path instead of image name [$TRIVY_INPUT]
   ...
49691ba ci(circle): update remote docker version (#683)
87ff0c1 suse: update end of life dates for SLES service packs (#676)
de30c3f update readme for parallel run issue (#660)
4c3bfb8 fix link for Clear images section in README (#659)
8b21cfe add link to Gitlab CI pipeline in README (#658)
46700f7 test: add tests for mux (#645)
014be7e chore: bump up Go to 1.15 (#646)
b3ff2c3 Add contrib/ to the release chain for Docker (#638)
9c786de Add health check endpoint to trivy server (#644)
188e108 fix(cli): show help for subcommands (#629)
7d7842f Add --skip-update option to fs and repo subcommand (#641)
901a371 goreleaser.yml: Add all templates to archive (#636)
095b5ce fix(cli): show help when no argument is passed (#628)
1d3f70e chore(image): push the official image to GitHub Container Registry as well (#627)
5e308da feat(cli): add --skip-files option (#624)
2231e40 chore(docs): update comparison table (#623)
b3680f0 logo: Add new Trivy logo (#615)
8952779 fix(Readme) - Results using a template (#622)
165d593 Improve Gitlab CI installation step in README (#621)
d8b0962 feat(rpc): add CWE-ID (#614)
d35e8ec Add all templates to the docker image (#619)
docker pull docker.io/aquasec/trivy:0.12.0
docker pull docker.io/aquasec/trivy:latest
docker pull ghcr.io/aquasecurity/trivy:0.12.0
docker pull ghcr.io/aquasecurity/trivy:latest
Published by knqyf263 about 4 years ago
See here for the detail.
Specify directories that should be skipped during traversal with --skip-dirs.
$ trivy image --skip-dirs "/usr/lib/ruby/gems,/etc" fluent/fluentd:edge
Your custom data source can be added into trivy-db. See #613 for details.
IMPORTANT: Trivy now shows the sub packages that are actually installed in the image instead of their origin package. You should clear the cache once after Trivy is updated to v0.11.0.
For example, the origin package of libcrypto1.1 is openssl, and Trivy used to display vulnerabilities of openssl even when openssl itself was not installed. Now, Trivy displays vulnerabilities of libcrypto1.1.
Before:
alpine:3.10.2 (alpine 3.10.2)
=============================
Total: 5 (UNKNOWN: 0, LOW: 1, MEDIUM: 4, HIGH: 0, CRITICAL: 0)
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| openssl | CVE-2019-1549    | MEDIUM   | 1.1.1c-r0         | 1.1.1d-r0     | openssl: information           |
|         |                  |          |                   |               | disclosure in fork()           |
+         +------------------+          +                   +---------------+--------------------------------+
|         | CVE-2019-1551    |          |                   | 1.1.1d-r2     | openssl: Integer overflow in   |
|         |                  |          |                   |               | RSAZ modular exponentiation on |
|         |                  |          |                   |               | x86_64                         |
+         +------------------+          +                   +---------------+--------------------------------+
|         | CVE-2019-1563    |          |                   | 1.1.1d-r0     | openssl: information           |
|         |                  |          |                   |               | disclosure in PKCS7_dataDecode |
|         |                  |          |                   |               | and CMS_decrypt_set1_pkey      |
+         +------------------+          +                   +---------------+--------------------------------+
|         | CVE-2020-1967    |          |                   | 1.1.1g-r0     | openssl: Segmentation fault in |
|         |                  |          |                   |               | SSL_check_chain causes denial  |
|         |                  |          |                   |               | of service                     |
+         +------------------+----------+                   +---------------+--------------------------------+
|         | CVE-2019-1547    | LOW      |                   | 1.1.1d-r0     | openssl: side-channel weak     |
|         |                  |          |                   |               | encryption vulnerability       |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
After:
alpine:3.10.2 (alpine 3.10.2)
=============================
Total: 10 (UNKNOWN: 0, LOW: 2, MEDIUM: 8, HIGH: 0, CRITICAL: 0)
+--------------+------------------+----------+-------------------+---------------+--------------------------------+
|   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
+--------------+------------------+----------+-------------------+---------------+--------------------------------+
| libcrypto1.1 | CVE-2019-1549    | MEDIUM   | 1.1.1c-r0         | 1.1.1d-r0     | openssl: information           |
|              |                  |          |                   |               | disclosure in fork()           |
+              +------------------+          +                   +---------------+--------------------------------+
|              | CVE-2019-1551    |          |                   | 1.1.1d-r2     | openssl: Integer overflow in   |
|              |                  |          |                   |               | RSAZ modular exponentiation on |
|              |                  |          |                   |               | x86_64                         |
+              +------------------+          +                   +---------------+--------------------------------+
|              | CVE-2019-1563    |          |                   | 1.1.1d-r0     | openssl: information           |
|              |                  |          |                   |               | disclosure in PKCS7_dataDecode |
|              |                  |          |                   |               | and CMS_decrypt_set1_pkey      |
+              +------------------+          +                   +---------------+--------------------------------+
|              | CVE-2020-1967    |          |                   | 1.1.1g-r0     | openssl: Segmentation fault in |
|              |                  |          |                   |               | SSL_check_chain causes denial  |
|              |                  |          |                   |               | of service                     |
+              +------------------+----------+                   +---------------+--------------------------------+
|              | CVE-2019-1547    | LOW      |                   | 1.1.1d-r0     | openssl: side-channel weak     |
|              |                  |          |                   |               | encryption vulnerability       |
+--------------+------------------+----------+                   +               +--------------------------------+
| libssl1.1    | CVE-2019-1549    | MEDIUM   |                   |               | openssl: information           |
|              |                  |          |                   |               | disclosure in fork()           |
+              +------------------+          +                   +---------------+--------------------------------+
|              | CVE-2019-1551    |          |                   | 1.1.1d-r2     | openssl: Integer overflow in   |
|              |                  |          |                   |               | RSAZ modular exponentiation on |
|              |                  |          |                   |               | x86_64                         |
+              +------------------+          +                   +---------------+--------------------------------+
|              | CVE-2019-1563    |          |                   | 1.1.1d-r0     | openssl: information           |
|              |                  |          |                   |               | disclosure in PKCS7_dataDecode |
|              |                  |          |                   |               | and CMS_decrypt_set1_pkey      |
+              +------------------+          +                   +---------------+--------------------------------+
|              | CVE-2020-1967    |          |                   | 1.1.1g-r0     | openssl: Segmentation fault in |
|              |                  |          |                   |               | SSL_check_chain causes denial  |
|              |                  |          |                   |               | of service                     |
+              +------------------+----------+                   +---------------+--------------------------------+
|              | CVE-2019-1547    | LOW      |                   | 1.1.1d-r0     | openssl: side-channel weak     |
|              |                  |          |                   |               | encryption vulnerability       |
+--------------+------------------+----------+-------------------+---------------+--------------------------------+
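The origin-versus-sub-package change above is easiest to see on the data Trivy actually reads. The following is an added example, not Trivy's code: it parses a constructed excerpt of Alpine's /lib/apk/db/installed (only the P, V and o keys are used), looks up advisories keyed by origin package the way Alpine's secdb is organised, and produces both the pre-0.11 "by origin" rows and the v0.11.0 "by installed sub package" rows. The DB excerpt, the advisory table and the simplified apk version ordering are assumptions made for the demo; the versions and CVE ids come from the tables above.

```python
"""Alpine installed-package DB parser showing the v0.11.0 change: report
findings against the sub packages that are actually installed (libcrypto1.1,
libssl1.1) instead of their origin source package (openssl).

Added example, not Trivy's own code. /lib/apk/db/installed is a sequence of
blank-line separated records of "K:value" lines; only P (package name),
V (version) and o (origin package) are used here. The DB excerpt and the
advisory table are constructed for the demo, with versions and CVE ids taken
from the page's sample tables.
"""
import re

# Constructed excerpt of /lib/apk/db/installed (real files carry more keys).
SAMPLE_APK_DB = """\
P:libcrypto1.1
V:1.1.1c-r0
o:openssl

P:libssl1.1
V:1.1.1c-r0
o:openssl

P:musl
V:1.1.22-r3
o:musl

P:alpine-baselayout
V:3.1.2-r0
o:alpine-baselayout
"""

# Constructed advisory table keyed by ORIGIN package, which is how Alpine's
# secdb is organised: (vulnerability id, first fixed version).
ADVISORIES = {
    "openssl": [("CVE-2019-1549", "1.1.1d-r0"), ("CVE-2020-1967", "1.1.1g-r0")],
    "musl": [("CVE-2020-28928", "1.1.22-r4")],
}


def parse_installed_db(text):
    """Return [{'name', 'version', 'origin'}] for every record in the DB."""
    pkgs = []
    for record in text.strip().split("\n\n"):
        fields = {}
        for line in record.splitlines():
            if len(line) > 2 and line[1] == ":":
                fields[line[0]] = line[2:]
        if "P" in fields and "V" in fields:
            pkgs.append({"name": fields["P"], "version": fields["V"],
                         "origin": fields.get("o", fields["P"])})
    return pkgs


def apk_version_key(v):
    """Simplified apk version ordering: numeric dot parts, an optional
    letter suffix (1.1.1c < 1.1.1d), then the -rN package release. Enough
    for the versions here; apk's real rules also handle _alpha/_pre/_p
    suffixes, which this helper rejects rather than misorders."""
    base, _, rel = v.partition("-r")
    m = re.fullmatch(r"([0-9.]+)([a-z]?)", base)
    if not m:
        raise ValueError(f"unsupported apk version: {v}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    return nums, m.group(2), int(rel or 0)


def find_vulns(pkgs, advisories, by_origin):
    """by_origin=True reproduces the pre-0.11 output: one row per origin
    package, even when the origin itself is not installed. False reports
    each installed sub package separately, which is what v0.11.0 does."""
    findings, seen = [], set()
    for p in pkgs:
        for vuln_id, fixed in advisories.get(p["origin"], []):
            if apk_version_key(p["version"]) >= apk_version_key(fixed):
                continue  # already at or past the fixed version
            name = p["origin"] if by_origin else p["name"]
            if (name, vuln_id) in seen:
                continue  # origin already reported via another sub package
            seen.add((name, vuln_id))
            findings.append((name, vuln_id, p["version"], fixed))
    return findings


if __name__ == "__main__":
    installed = parse_installed_db(SAMPLE_APK_DB)
    for label, flag in (("Before (by origin)", True), ("After (by sub package)", False)):
        rows = find_vulns(installed, ADVISORIES, by_origin=flag)
        print(f"{label}: {len(rows)} findings")
        for name, vuln_id, ver, fixed in rows:
            print(f"  {name:<14} {vuln_id:<16} {ver} -> {fixed}")
```

The doubled total in the "After" table comes from exactly this: every openssl advisory is attached to each installed sub package, while a package such as musl, which is its own origin, is reported once either way. Reporting by installed name is what lets a reader check the finding against `apk info` or the image's own package list.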
Before:
$ trivy
2020-06-18T10:28:44.983+0100 ERROR trivy requires at least 1 argument or --input option
NAME:
   trivy - A simple and comprehensive vulnerability scanner for containers
...
After:
$ trivy
NAME:
   trivy - A simple and comprehensive vulnerability scanner for containers
...
f50b0ce feat(library): support a custom data source (#613)
ed8607b fix(alpine): use source package (#607)
ea28d3b test(vulnerability): fix usages of new trivy-db refactor changes (#611)
827cea3 refactor(bundler): remove unnecessary code (#610)
b2a0d83 codecov: Move into root directory (#608)
85e0139 fix: fullDescription field in SARIF output is not correctly escaped (#605)
80d5df0 chore(docs): add AWS Security Hub (#598)
3a54e5b refactor(writer): define the constructor for TemplateWriter (#597)
acc6a9b circleci: Allow coverage changes without a failure (#599)
96af6dc feat: add --skip-directories option (#595)
675e1b4 Added test and support of ASFF template (#594)
8ca484f fix: remove error using no options (#539)
docker pull docker.io/aquasec/trivy:0.11.0
docker pull docker.io/aquasec/trivy:latest
Published by knqyf263 about 4 years ago
9a25f4f Fix comparison table to use words instead of symbols (#587)
467ec46 sarif: Remove extra periods from short descriptions (#590)
52feff2 Added template function to escape string before output (#583)
docker pull docker.io/aquasec/trivy:0.10.2
docker pull docker.io/aquasec/trivy:latest
Published by knqyf263 about 4 years ago
add65f2 Revert Dockerfile changes (#581)
docker pull docker.io/aquasec/trivy:0.10.1
docker pull docker.io/aquasec/trivy:latest
Published by knqyf263 about 4 years ago
This change has been reverted in v0.10.1.
Trivy runs as a non-root user in the docker image. If you run Trivy in the docker image and mount the cache directory under root's home as follows, it may fail with a permission-denied error.
$ docker run --rm -v $PWD:/root/.cache/ aquasec/trivy:latest --cache-dir /root/.cache image centos:7
In that case, you can try a different directory like
$ docker run --rm -v $PWD:/tmp/.cache/ aquasec/trivy:latest --cache-dir /tmp/.cache image centos:7
See also: https://github.com/aquasecurity/trivy#others
$ trivy image --severity MEDIUM alpine:3.10.2
2020-07-30T16:16:37.890+0300 INFO Detecting Alpine vulnerabilities...
alpine:3.10.2 (alpine 3.10.2)
=============================
Total: 4 (MEDIUM: 4)
Trivy supports Open Policy Agent (OPA) to filter vulnerabilities. You can specify a Rego file with the --ignore-policy option.
$ trivy image --ignore-policy contrib/example_filter/basic.rego centos:7
For more details: https://github.com/aquasecurity/trivy#filter-the-vulnerabilities-by-open-policy-agent-policy
$ trivy image -f json alpine:3.10.2
[
  {
    "Target": "alpine:3.10.2 (alpine 3.10.2)",
    "Type": "alpine",
    "Vulnerabilities": [
      {
        "VulnerabilityID": "CVE-2019-1549",
        "CweIDs": [
          "CWE-330"
        ],
        ...
The --list-all-pkgs option outputs all installed packages/libraries, even those without vulnerabilities.
$ trivy image -f json --list-all-pkgs alpine:3.10.2
[
  {
    "Target": "alpine:3.10.2 (alpine 3.10.2)",
    "Type": "alpine",
    "Packages": [
      {
        "Name": "alpine-baselayout",
        "Version": "3.1.2-r0",
        "Layer": {
          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
        }
      },
      {
        "Name": "alpine-keys",
        "Version": "2.1-r2",
        "Layer": {
          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
        }
      },
      ...
20f2bae Fix non-root directory permission denied error (#578)
8eb9df8 .circleci: Add code coverage (#572)
88aaffa Added support of list-all-packages (#574)
469c0b4 fix: only show severity total from filter flags (#559)
4a34f72 Update README.md (#575)
4d721e1 SARIF: Tweak format for GitHub UI (#571)
9c91da8 Add non root user (#570)
5b9d942 rpc: Add CVSS information to client/server (#564)
d6b37cb Fix --timeout flag (#569)
9c6f077 feat(report): support OPA to filter vulnerabilities (#562)
0b5d936 Fixed case when pre-release is in suffix (#565)
6eebed3 improve ruby comparison version check. (#552)
43085a8 Added sarif template (#558)
4f90b11 feat(vulnerability): add CWE-ID (#561)
docker pull docker.io/aquasec/trivy:0.10.0
docker pull docker.io/aquasec/trivy:latest
Published by knqyf263 over 4 years ago
You can see the result on the dashboard if your CI service supports JUnit XML. This is an example of CircleCI.
Azure DevOps (Thank you, @lgulliver)
This is implemented by @rahul2393.
{
  "VulnerabilityID": "CVE-2019-1547",
  "PkgName": "openssl",
  "InstalledVersion": "1.1.1c-r0",
  "FixedVersion": "1.1.1d-r0",
  "CVSS": {
    "nvd": {
      "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
      "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "V2Score": 1.9,
      "V3Score": 4.7
    },
    "redhat": {
      "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "V3Score": 5.5
    }
  },
  ...
}
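The CVSS block above, together with the Severity and CweIDs fields shown earlier on this page, is what a pipeline normally consumes from `trivy image -f json`. The script below is an added example, not Trivy's own code: it reads a report in that shape and turns it into a CI exit code, failing on a severity floor or on the best CVSS v3 score across data sources. The sample report is constructed for the demo (the CVE-2019-1547 entry mirrors the page's sample; EXAMPLE-0001 is a placeholder finding), and the thresholds are arbitrary policy choices.

```python
"""CI gate over Trivy's JSON output.

Added example, not Trivy's own code. It reads the result list that
`trivy image -f json` prints in the shape shown on this page (per-target
objects with Target, Type and Vulnerabilities, each finding carrying
Severity, CweIDs and a CVSS map keyed by data source) and fails the build
when a finding reaches a severity floor or a CVSS v3 score ceiling. The
report below is constructed for the demo: the CVE-2019-1547 entry mirrors
the page's sample, the EXAMPLE-0001 entry is a placeholder finding that
exercises the threshold path.
"""
import json
import sys

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed report in the v0.10 JSON shape (a list of per-target results).
SAMPLE_REPORT = json.dumps([{
    "Target": "alpine:3.10.2 (alpine 3.10.2)",
    "Type": "alpine",
    "Vulnerabilities": [
        {
            "VulnerabilityID": "CVE-2019-1547",
            "PkgName": "openssl",
            "InstalledVersion": "1.1.1c-r0",
            "FixedVersion": "1.1.1d-r0",
            "Severity": "LOW",
            "CweIDs": ["CWE-330"],
            "CVSS": {
                "nvd": {"V2Score": 1.9, "V3Score": 4.7},
                "redhat": {"V3Score": 5.5},
            },
        },
        {
            # Placeholder finding, not a real advisory.
            "VulnerabilityID": "EXAMPLE-0001",
            "PkgName": "example-pkg",
            "InstalledVersion": "1.0.0",
            "FixedVersion": "1.0.1",
            "Severity": "HIGH",
            "CVSS": {"nvd": {"V3Score": 8.1}},
        },
    ],
}])


def max_v3_score(vuln):
    """Highest CVSS v3 base score across every data source (NVD, vendor...),
    or None when no source supplies one."""
    scores = [src.get("V3Score") for src in vuln.get("CVSS", {}).values()]
    scores = [s for s in scores if s is not None]
    return max(scores) if scores else None


def failing_findings(report_json, min_severity="HIGH", max_score=7.0):
    """(target, id, package, score) for every finding whose severity is at
    least min_severity or whose best CVSS v3 score is at least max_score."""
    floor = SEVERITY_RANK[min_severity]
    failing = []
    for result in json.loads(report_json):
        # "Vulnerabilities" is null in the JSON when a target is clean.
        for v in result.get("Vulnerabilities") or []:
            score = max_v3_score(v)
            rank = SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0)
            if rank >= floor or (score is not None and score >= max_score):
                failing.append((result["Target"], v["VulnerabilityID"], v["PkgName"], score))
    return failing


def gate(report_json, **policy):
    """Process exit code for CI: 0 when the policy passes, 1 otherwise."""
    return 1 if failing_findings(report_json, **policy) else 0


if __name__ == "__main__":
    # Pipe a real report in (trivy image -f json ... | python gate.py) or run
    # without input to evaluate the constructed sample.
    data = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    for target, vuln_id, pkg, score in failing_findings(data):
        print(f"{target}: {vuln_id} in {pkg} (max CVSS v3 score {score})")
    sys.exit(gate(data))
```

Trivy's own --exit-code flag already fails a build on any finding at the chosen --severity; the point of post-processing the JSON is the second criterion, a score threshold that takes the highest score any source reports, so a vendor score above NVD's (5.5 versus 4.7 in the sample) is not lost.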
Error retrieving template from path when --format is not template but template is provided (#556)
d9fa353 Fixing Error retrieving template from path when --format is not template but template is provided (#556)
9a1d746 Adding contrib/junit.tpl to docker image (#554)
d18d17b db: Update trivy-db to include CVSS score info (#530)
4b57c0d docs: fix markdown (#553)
ccd9b2d Added function to escape string in failure message title and descriptions (#551)
ec770cd Added JUNIT support (#541)
b7ec633 chore(docs): mention air-gapped environment (#544)
7aabff1 chore(README): add programming languages (#543)
9dc1bdf fix(log): write error messages to stderr (#538)
2ac672a Use StoreMetadata from trivy-db (#509)
11ae6b2 docs: add more CI options to README (#535)
f201f59 chore(Dockerfile): bump up alpine to 3.12 (#528)
25d45e1 fix(alpine): replace go-deb-version with go-apk-version (#520)
298ba99 fix: MissingBlobs is implemented different in FS and S3 the method log… (#522)
docker pull docker.io/aquasec/trivy:0.9.2
docker pull docker.io/aquasec/trivy:latest
Published by knqyf263 over 4 years ago
65cbe3c fix(alpine): support 3.12 (#517)
f94e8dc chore(README): prepare for v0.9.0 (#507)
9629303 fix(config): transpose arguments (#516)
docker pull docker.io/aquasec/trivy:0.9.1
docker pull docker.io/aquasec/trivy:latest
Published by knqyf263 over 4 years ago
Trivy supports the GitHub Advisory Database to detect vulnerabilities in programming language libraries. It uses multiple data sources for each language as shown below.
https://github.com/aquasecurity/trivy#data-source
This allows Trivy to be more accurate and affects the number of vulnerabilities Trivy detects.
Thank you for the contribution, @masahiro331!
Scan a filesystem (such as a host machine, a virtual machine image, or an unpacked container image filesystem).
When you specify the path to your project, Trivy will look for vulnerabilities based on lock files such as Gemfile.lock and package-lock.json.
$ trivy fs /path/to/project
Also, Trivy can scan your container from inside the container.
$ docker run --rm -it alpine:3.11
/ # apk add curl
/ # curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b /usr/local/bin
/ # trivy fs /
Scan your image as part of the build process by embedding Trivy in the Dockerfile. This approach can be used to update Dockerfiles currently using Aqua's Microscanner.
$ cat Dockerfile
FROM alpine:3.7
# Install Trivy, scan the image filesystem (fail the build on findings),
# then remove Trivy, its DB and curl so they do not ship in the final image.
RUN apk add --no-cache curl \
    && curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b /usr/local/bin \
    && trivy filesystem --exit-code 1 --no-progress / \
    && trivy --reset && rm -f /usr/local/bin/trivy && apk del curl
$ docker build -t vulnerable-image .
Scan your remote git repository.
$ trivy repo https://github.com/aquasecurity/trivy-ci-test
Only public repositories are supported.
Close https://github.com/aquasecurity/harbor-scanner-trivy/issues/114
When Trivy scans an image containing multiple lock files, it sometimes reports false positives, regardless of the OS and its packages.
020c4a3 fix(app): add ArgsUsage (#508)
2f2d1a9 feat: support repository and filesystem scan (#503)
03ad8a3 Add GHSA support (#467)
1218e11 refactor: define common options and embed them into the option for subcommand (#502)
docker pull docker.io/aquasec/trivy:0.9.0
docker pull docker.io/aquasec/trivy:latest
Published by knqyf263 over 4 years ago
We deprecated `$ trivy IMAGE_NAME` and introduced the image subcommand.
$ trivy image alpine:3.11
You can see CVSS vectors in a result JSON.
$ trivy image --format=json alpine:3.10.4
[...output snipped...]
      "VendorVectors": {
        "nvd": {
          "v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        },
        "redhat": {
          "v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        }
      },
[...output snipped...]
To scan a private image, you can pass a registry token instead of ID/PW. This is useful when you develop a registry integration such as Harbor and Quay.
$ export TRIVY_REGISTRY_TOKEN=$(curl -u "username:password" "https://auth.docker.io/token?service=registry.docker.io&scope=repository:org/private_image:pull")
$ trivy org/private_image:latest
78b7529 Add image subcommand (#493)
e2bcb44 fix: remove help template (#500)
a57c27e vulnerability: Add CVSS Vectors to JSON output. (#484)
926f323 feat: support registry token (#482)
aa20adb chore: bump up urfave/cli to v2 (#499)
3e0779a chore(doc): update README (#490)
docker pull docker.io/aquasec/trivy:0.8.0
docker pull docker.io/aquasec/trivy:latest
Published by knqyf263 over 4 years ago
Trivy can now scan an image directory compliant with the "Open Container Image Layout Specification".
Buildah:
$ buildah push docker.io/library/alpine:3.11 oci:/path/to/alpine
$ trivy --input /path/to/alpine
Skopeo:
$ skopeo copy docker-daemon:alpine:3.11 oci:/path/to/alpine
$ trivy --input /path/to/alpine
Trivy used to display the severity from NVD, which is generic, but it is more accurate to use the severity from the vendor, such as Red Hat or Debian. Now the vendor's severity is preferred over NVD's severity.
NOTE: If you filter vulnerabilities with the --severity option, the result may differ because v0.7.0 uses vendor severity.
A template didn't work in client/server mode.
Trivy can't detect vulnerabilities of OS packages for an image based on scratch/busybox because those images don't have a package manager such as yum or apt. But it should still detect vulnerabilities of library dependencies according to lock files such as package-lock.json. This commit enables that.
09442d6 chore(ci): move integration tests to GitHub Actions (#485)
415b99d feat: support OCI Image Format (#475)
35b038e chore(github): fix issue templates (#483)
34a95c1 contrib/gitlab.tpl: Add new id field (#468)
b282142 chore(docs): add triage.md (#473)
216a33b fix: handle a scratch/busybox/DockerSlim image gracefully (#476)
ad0bb7c rpc: Fix output to use templates when in client server mode. (#469)
17b84f6 Override with Vendor score if exists (#433)
7629f7f docs: Update installation docs for pointing to Trivy Releases. (#463)
docker pull docker.io/aquasec/trivy:0.7.0
docker pull docker.io/aquasec/trivy:latest
Published by knqyf263 over 4 years ago
ac5f313 feat(db): store metadata as a file (#464)
329f245 fix: replace containers/image with google/go-containerregistry (#456)
d6595ad add ubuntu 20.04 (#460)
114df7a using STDIN for docker login command (#458)
docker pull docker.io/aquasec/trivy:0.6.0
docker pull docker.io/aquasec/trivy:latest
Published by knqyf263 over 4 years ago
Crash following interrupted DB download (#288)
e5ff5ec Fix CircleCI example in README.md (#451)
1bc02f9 fix(db): retry downloading the database if it is broken (#452)
05fa779 chore(release): add all supported versions (#445)
docker pull docker.io/aquasec/trivy:0.5.4
docker pull docker.io/aquasec/trivy:latest
Published by knqyf263 over 4 years ago
6fbdec6 app: Fix a few edge cases with version flag (#443)
94eb7cc Expose Trivy and VulnDB version through --version (#435)
b847e57 feat: show origin layer for vulnerabilities (#439)
07a731c Fix filepath separators on Windows (#414)
4ee7a1e fix circleci example (#431)
ede778f Merge pull request #434 from aquasecurity/license
64a07da Merge branch 'master' into license
623eb79 Remove outdated license section from README
51b8fd8 Change license to Apache 2.0, continued
6f7776e Change license to Apache 2.0
a70cee9 chore(ci): add cross-compile test (#425)
docker pull docker.io/aquasec/trivy:0.5.3
docker pull docker.io/aquasec/trivy:latest
Published by knqyf263 over 4 years ago
5e36cb9 fix(rpm): make it possible to scan non-RHEL images without rpm (#429)
docker pull docker.io/aquasec/trivy:0.5.2
docker pull docker.io/aquasec/trivy:latest
Published by knqyf263 over 4 years ago
74bf99b fix(token): use the credential from environment variable (#427)
docker pull docker.io/aquasec/trivy:0.5.1
docker pull docker.io/aquasec/trivy:latest
Published by knqyf263 over 4 years ago
3ed0cfb chore(goreleaser): drop BSD support temporarily (#424)
aca31df detector: Add LayerID to detect vulns (#419)
18b80e3 feat(cache): based on JSON (#398)
b83174f chore(README): add explanation for self-compiled binaries/packages (#413)
80bbe47 fix(gitlab): fix json generation on loop (#409)
7726963 fix(scanner): pass docker options as an argument (#408)
db2136b doc: Add Alpine Linux 3.11 to supported OS docs (#407)
docker pull docker.io/aquasec/trivy:0.5.0
docker pull docker.io/aquasec/trivy:latest