trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more

APACHE-2.0 License

Downloads: 10.5K
Stars: 21.6K
Committers: 386

trivy - v0.4.4

Published by knqyf263 over 4 years ago

Changelog

42043a0 fix(client): add image name and build time (#402)
246793e fix(redhat): use binary package name for OVAL (#393)
692b0f1 cli: append warning when --template option is ignored (#391)
0629e1d fix(cli): reject multiple images (#392)
9707c7b Initial GitLab CI template to deeply integrated with GitLab Container Scanning (#376)
194fbef feat(): include GitLab template inside the docker container (#388)
f7db00c Modify template for GitLab Container Scanning (#387)
2f4b31e chore(goreleaser): bump up to 0.124.1 (#383)
9289624 doc: Update GitLab CI example documentation (#375)

Docker images

  • docker pull docker.io/aquasec/trivy:0.4.4
  • docker pull docker.io/aquasec/trivy:latest

trivy - v0.4.3

Published by knqyf263 almost 5 years ago

New Feature

Save the results using a template

$ trivy --format template --template "@/path/to/template" golang:1.12-alpine

See here for an example

Changelog

5a8749c chore: add install script (#370)
4a7fb52 fix typo in example of .gitlab-ci.yml (#373)
8888fca chore(goreleaser): change name_template to file_name_template (#369)
63a8c6d Integrate with Gitlab Container Scanning (#367)
fc222be chore: change a licence in goreleaser.yml (#365)
6132ff9 template: Load template from paths (#202)
87556aa Dockerfile: Update to alpine 3.11 (#361)

Docker images

  • docker pull docker.io/aquasec/trivy:0.4.3
  • docker pull docker.io/aquasec/trivy:latest

trivy - v0.4.2

Published by knqyf263 almost 5 years ago

Bug fixes

  • Infinite loop when resolving dependencies of packages in Alpine #363
  • Memory monster #362

Changelog

43362b2 Fix infinite loop when resolving dependencies of packages in Alpine (#364)
db2d0c2 docker_engine_test: Add more OSes (#358)
922d493 Add EOL Date for alpine 3.11 (#359)

Docker images

  • docker pull docker.io/aquasec/trivy:0.4.2
  • docker pull docker.io/aquasec/trivy:latest

trivy - v0.4.1

Published by knqyf263 almost 5 years ago

Bug fixes

Changelog

c4811c3 chore(dep): update (#357)
0ec840b feat(client): retry HTTP request when getting an unavailable error (#350)
0b96d08 fix(integration-test): use a snapshot database for Docker mode (#352)

Docker images

  • docker pull docker.io/aquasec/trivy:0.4.1
  • docker pull docker.io/aquasec/trivy:latest

trivy - v0.4.0

Published by knqyf263 almost 5 years ago

New Features

Support Photon OS (#340)

$ trivy photon:3.0

Thank you, @masahiro331

Support SUSE Enterprise Linux / openSUSE (#337)

$ trivy opensuse/leap:15.0

Thank you, @masahiro331

Specify a directory to store image cache (#341)

Previously, Trivy let you specify a directory to store the vulnerability database, but not a directory to store the image cache. Now you can specify it with --cache-dir.

$ trivy --cache-dir /path/to/cache alpine:3.10

Add --token-header option (#326)

Trivy uses Trivy-Token as the default token header. You can specify a custom header with --token-header.

$ trivy server --token foo --token-header x-trivy-token
$ trivy client --token foo --token-header x-trivy-token

Show progress when downloading the DB (#317)

$ trivy alpine:3.10
2019-12-27T14:44:26.345+0200    INFO    Need to update DB
2019-12-27T14:44:26.346+0200    INFO    Downloading DB...
3.04 MiB / 9.26 MiB [---------------------------->__________________________________________________________] 32.82% 1.14 MiB p/s ETA 5s

Bug fixes

Clear cache (#339)

$ trivy client --clear-cache

Changelog

7abd416 Delete requires for release (#345)
fcc193b Support Photon OS (#340)
44d74a7 chore(README): add 0.0.0.0 to the server example (#342)
4189855 fix(cache): specify a directory to store image cache (#341)
77f1abc Integration tests for docker mode (#335)
96d58cc fix(client): clear cache (#339)
823374b feat(client/server): add --token-headers option (#326)
b127c1c Support SUSE (#337)
b1ea09d Merge pull request #272 from aquasecurity/lizrice-patch-1
8c1c3df Merge branch 'master' into lizrice-patch-1
cee08c3 feat(db): show progress when downloading the DB (#317)
bc8f613 fix(writer): Refactor results struct (#327)
b9eddaf Merge branch 'master' into lizrice-patch-1
bdd1266 docs: note that some sources are non-commercial

Docker images

  • docker pull docker.io/aquasec/trivy:0.4.0
  • docker pull docker.io/aquasec/trivy:latest

trivy - v0.3.1

Published by knqyf263 almost 5 years ago

Bug fix

af584a8 Revert "change mod genuinetools/reg to vanilla (#297)" (#321)

Docker images

  • docker pull docker.io/aquasec/trivy:0.3.1
  • docker pull docker.io/aquasec/trivy:latest

trivy - v0.3.0

Published by knqyf263 almost 5 years ago

New Features

  • Client/Server
    • trivy server and trivy client are available
    • See here for details
  • Support Oracle Linux
    • Thank you, @masahiro331

Bug Fixes

  • Possible false-positive on jq library #245
  • fix(reset): reset before initializing DB #275

Changelog

74717b8 feat: support client/server mode (#295)
24fc88c Fix conduct strategy (#308)
1e9dcdb change mod genuinetools/reg to vanilla (#297)
7233b5f Update Gitlab example for Trivy 0.2.0 (#270)
3a53a88 refactor(app): use internal and separate configurations (#291)
6cbbb22 fix(alpine): handle rc version (#289)
b6a8af5 chore(windows): remove (#278)
30c1a00 Update readme (#287)
b345342 Add oracle linux support (#286)
438680f fix(reset): reset before initializing DB (#275)
740c2c4 chore(log): add debug messages (#284)

Docker images

  • docker pull docker.io/aquasec/trivy:0.3.0
  • docker pull docker.io/aquasec/trivy:latest

trivy - v0.2.1

Published by knqyf263 almost 5 years ago

Changes

  • Support GITHUB_TOKEN for rate limiting
  • Ignore files under vendor dir to avoid false positives
  • New logo

Changelog

35429e3 chore(logo): replace with new logo (#269)
fb26541 chore(clear-cache): add an explanation (#276)
15af65b feat(github): add GITHUB_TOKEN for rate limiting (#281)
c2fdfab fix(lockfile): ignore files under vendor dir (#279)

Docker images

  • docker pull docker.io/aquasec/trivy:0.2.1
  • docker pull docker.io/aquasec/trivy:latest

trivy - v0.2.0

Published by knqyf263 almost 5 years ago

Main Features

  • Dramatically improve the scan speed on the first run 🎉🎉 🎉 🎉 🎉🎉 🎉 🎉
    • Previous version: ~ 10 min
    • New version: ~ 10 sec (Depending on the network)

You no longer need to use a cache in CI/CD. See an example:
https://github.com/aquasecurity/trivy-ci-test/commit/eb4d393a7178aea0118c6e9017269f258d6b3edf/checks?check_suite_id=311236898

New Features

  • --light option
    • The lightweight DB doesn't contain vulnerability details such as descriptions and references. Because of that, the DB is smaller and the download is faster.
    • This option is useful when you don't need vulnerability details, and it is suitable for CI/CD. To find the additional information, you can look up vulnerability details on the NVD website.
    • e.g. $ trivy --light alpine:3.10
  • --download-db-only option (#172)
    • This option simply retrieves the vulnerability database without scanning.
    • Thanks to @miguelbernadi
  • Enable environment variables (#220)
    • You can specify the options via environment variables
    • e.g. TRIVY_EXIT_CODE=1 trivy alpine:3.10
    • Thanks to @tboerger

Changelog

e371747 doc(README): fix missing Gitlab CI link section in ToC (#263)
514137e Merge pull request #253 from aquasecurity/remote_db
4f92d29 chore(makefile): add Makefile (#256)
8ea2e8c Add env variables for every flag (#220)
d1615bc typo fixed and GitHub Profile link added (#236)
76d920e Grammar (#232)
1f07220 docs: typo correction (#252)
f326beb Fixed broken link and some typos in Readme.md (#228)
e04e90f add new line at eof (#249)
d27eeb2 Add option to only download vulnerability database (#172)
62ea073 Enable shell autocompletion (#234)
187864a Added GitLab YML (#223)
a666c4a massage rubygems version to handle platforms (#230)
bda4ee0 add echo to CI gofmt step (#231)
63ed4eb Fixed Broken README links (#214)

Docker images

  • docker pull docker.io/aquasec/trivy:0.2.0
  • docker pull docker.io/aquasec/trivy:latest

trivy - v0.1.7

Published by knqyf263 about 5 years ago

New feature

  • Support new OSes
    • Amazon Linux
    • Google Distroless
  • Support new build tool
    • Kaniko
  • New options
    • --ignorefile
      • Specify the .trivyignore path
    • --timeout
      • Specify timeout
    • --template
      • The result can be exported to your template

Update

  • Go version
    • 1.13
  • Alpine version
    • 3.10

Changelog

d03a64c Update README (#224)
20babc4 Bump Go 1.13 (#218)
a6141ed CI/CD refactor (#209)
a12bb8d fix(db): introduce db schema version (#221)
5ae10e0 Dockerfile: Update runner base to alpine 3.10 (#199)
ff873a2 Support Amazon Linux (#182)
7ad94c3 Update .gitignore (#215)
f850984 test(integration): add integration tests (#201)
9334e60 Changed to be able to specify IgnoreFile as whitelist (#175)
f198b6e Check errors passed through by filepath.Walk (#208)
cb1870e Update README.md (#206)
384205a Remove extra double quote (#204)
d9e64d2 Updated README.md (#203)
5ccb0af Added Docker image badge & missing punctuation's (#189)
da621c3 Add timeout option (#143)
3a28576 added reference for LICENSE (#195)
dbb7a55 Check returned error before deferring file close (#197)
89f2d48 docs: minor tweak (#183)
f933ab4 Improve ubuntu install (#178)
af78d2f Update README.md - typo fix (#186)
0fff415 Support Kaniko (#171)
987538f Display an error message when rpm not found (#167)
2642020 Support distroless and ignore lock files under vendor dir (#166)
c4a2b76 Add rpm to the trivy image (#165)
339d0db Add template writer (#141)
43568cc Update xerrors version (#158)
fbd73f2 Modify cache-dir usage comment (#148)
4a21ad9 env (#154)
18de7e4 README.md is out of date (#145)
90e4c15 Add the RHEL8 support to rpm repository (#138)
4f57216 use COPY on dockerfile rather than add (#132)
e6b6830 fix typo in readme (#130)
4ce651c fix gofmt (#131)

Docker images

  • docker pull docker.io/aquasec/trivy:0.1.7
  • docker pull docker.io/aquasec/trivy:latest

trivy - v0.1.6

Published by knqyf263 about 5 years ago

Changelog

ab8b73e Fix library cache directory (#129)
a77984a Suppress log output when --quiet flag is on (#125)
31a1f59 Fix cannot found docker image (#123)
4ca73f0 Merge pull request #120 from aquasecurity/readme_migration
0909f94 Clarify migration instructions
d1c01c1 Small wording change
f8cdd60 Slight wording change
2e4b83b Add migration section on README

trivy - v0.1.5

Published by knqyf263 about 5 years ago

Changelog

6fbcbb3 Merge pull request #119 from aquasecurity/transfer
a843682 Transfer repository
0611bf9 Display a warning for OS that has reached EOL (#118)
9a9cb01 Add tests to utils (#116)
74a66fb Add data source (#117)
aedfd3b Fix README
a2e13bd Remove old results (#115)
a7d991f Reimplement --cache-dir option (#114)
11bc00d Revert "Allow user specified cache directory (#12)" (#111)
5005d79 Adding instructions for Install in Arch Linux (#107)
c2a05c7 use multiple ISSUE_TEMPLATE (#98)
51bbc1d [docker] Compress binary using upx (#97)
7b5e340 fix CircleCI link in README (#91)
52ab4e9 Add code snippet reminder on how to print distribution codename (#89)

trivy - v0.1.4

Published by knqyf263 over 5 years ago

Changelog

9bfbff9 Embed trivy version in Docker (#88)
6af2d32 Support unusual YAML (#87)
75b944f update go.mod (#86)
bbb6719 feat: improve nvd update (#81)

trivy - v0.1.3

Published by knqyf263 over 5 years ago

Changelog

6be2ebd Update manual installation
a4f1f25 remove nonsense struct tags (#76)
c29f6f5 Fix --skip-update (#70)
edb899b Update README
a8f7ece Update dependencies
ec1afc2 feat: add vulnerability type filter to get only os or packages vulnerabilities (#50)
f12284a Fix debug log (#65)

trivy - v0.1.2

Published by knqyf263 over 5 years ago

Changelog

a9ff0b5 add -debug to ISSUE_TEMPLATE (#57)
0a271a0 Added alpine into dbnames (#55)
6fa78df auth for private docker registry from ENV vars (#52)
b62536f Added --only-update option (#43)
9741d4a Simpler Homebrew install instructions (#51)
68f326d feat: add --depth option to git clone (#46)

trivy - v0.1.1

Published by knqyf263 over 5 years ago

Changelog

76ee729 Support Poetry (#49)
d31f090 add ISSUE_TEMPLATE.md (#48)
8d7c2e6 Fix yarn parser (#47)
9269a30 update readme (#42)

trivy - v0.1.0

Published by knqyf263 over 5 years ago

Changelog

073b315 No error on unsupported OS (#40)
47c46fb Fix some typos in the README or improve phrasing (#38)
3957296 fixed cache bug (#36)
4383764 fix: unknown format case (#35)
e0ef056 Some code improvements. (#34)
d9cf2c4 Update JSON schema (#33)

trivy - v0.0.16

Published by tomoyamachi over 5 years ago

Changelog

58bf4b2 fix quiet bug (#32)

trivy - v0.0.15

Published by knqyf263 over 5 years ago

Changelog

f82ff5a Change log format (#30)
fa72bef Add auto-refresh option (#29)

trivy - v0.0.14

Published by knqyf263 over 5 years ago

Changelog

2f7f1f8 Change Dockerfile (#28)
90d0834 Enable --clear-cache and --refresh without specifying an image name (#27)
295cd29 Suppress the warning message when specifying --clear-cache option (#25)
1c844aa show scanned os type if unsupported (#24)
e0cd18e [ImgBot] Optimize images (#22)
9f9faf2 Suggest putting the apt source in its own file (#21)
3907a60 Update README
e85e961 Update fanal version (#15)
61cbae2 fixed provided (#14)
2d512c5 Allow user specified cache directory (#12)
936297a Fix License badge
ad0f9e8 Update README