trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more

APACHE-2.0 License

Downloads: 10.5K
Stars: 21.6K
Committers: 386


trivy - v0.9.1

Published by knqyf263 over 4 years ago

Bug fixes

  • Debug option doesn't work as expected (#515)
  • Progress logged as stderr (#513)

Changelog

65cbe3c fix(alpine): support 3.12 (#517)
f94e8dc chore(README): prepare for v0.9.0 (#507)
9629303 fix(config): transpose arguments (#516)

Docker images

  • docker pull docker.io/aquasec/trivy:0.9.1
  • docker pull docker.io/aquasec/trivy:latest

trivy - v0.9.0

Published by knqyf263 over 4 years ago

New Features

[IMPORTANT] Support GitHub Advisory Database (#467)

Trivy now supports the GitHub Advisory Database to detect vulnerabilities in programming-language libraries. It uses multiple data sources for each language, as shown below.

https://github.com/aquasecurity/trivy#data-source

This makes Trivy more accurate and affects the number of vulnerabilities it detects.

Thank you for the contribution, @masahiro331!

Filesystem scan

Scan a filesystem (such as a host machine, a virtual machine image, or an unpacked container image filesystem).

When you specify the path to your project, Trivy will look for vulnerabilities based on lock files such as Gemfile.lock and package-lock.json.

$ trivy fs /path/to/project

Also, Trivy can scan your container from inside the container.

$ docker run --rm -it alpine:3.11
/ # apk add curl
/ # curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b /usr/local/bin
/ # trivy fs /

Embed in Dockerfile 🎉

Scan your image as part of the build process by embedding Trivy in the Dockerfile. This approach can also be used to update Dockerfiles that currently use Aqua’s Microscanner.

$ cat Dockerfile
FROM alpine:3.7
RUN apk add --no-cache curl \
    && curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b /usr/local/bin \
    && trivy filesystem --exit-code 1 --no-progress / \
    && trivy --reset && rm -f /usr/local/bin/trivy && apk del curl
$ docker build -t vulnerable-image .

Git Repository scan

Scan your remote git repository.

$ trivy repo https://github.com/aquasecurity/trivy-ci-test

Only public repositories are supported.

Bug fixes

CVE duplication in scanning result

Close https://github.com/aquasecurity/harbor-scanner-trivy/issues/114

When Trivy scans an image containing multiple lock files, regardless of OS and packages, it sometimes reports false positives.

Changelog

020c4a3 fix(app): add ArgsUsage (#508)
2f2d1a9 feat: support repository and filesystem scan (#503)
03ad8a3 Add GHSA support (#467)
1218e11 refactor: define common options and embed them into the option for subcommand (#502)

Docker images

  • docker pull docker.io/aquasec/trivy:0.9.0
  • docker pull docker.io/aquasec/trivy:latest

trivy - v0.8.0

Published by knqyf263 over 4 years ago

New Feature

Add image subcommand (#493)

We deprecated the $ trivy IMAGE_NAME form and introduced the image subcommand.

$ trivy image alpine:3.11

Add CVSS Vectors to JSON output. (#484)

You can see CVSS vectors in a result JSON.

$ trivy image --format=json alpine:3.10.4
[...output snipped...]
        "VendorVectors": {
          "nvd": {
            "v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "redhat": {
            "v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
          }
        },
[...output snipped...]

Support registry token (#482)

To scan a private image, you can pass a registry token instead of a username and password. This is useful when you develop a registry integration such as Harbor or Quay.

$ export TRIVY_REGISTRY_TOKEN=$(curl -u "username:password" "https://auth.docker.io/token?service=registry.docker.io&scope=repository:org/private_image:pull")
$ trivy org/private_image:latest

Changelog

78b7529 Add image subcommand (#493)
e2bcb44 fix: remove help template (#500)
a57c27e vulnerability: Add CVSS Vectors to JSON output. (#484)
926f323 feat: support registry token (#482)
aa20adb chore: bump up urfave/cli to v2 (#499)
3e0779a chore(doc): update README (#490)

Docker images

  • docker pull docker.io/aquasec/trivy:0.8.0
  • docker pull docker.io/aquasec/trivy:latest

trivy - v0.7.0

Published by knqyf263 over 4 years ago

New Feature

Support OCI Image Format

Trivy can now scan an image directory compliant with the "Open Container Image Layout Specification".

Buildah:

$ buildah push docker.io/library/alpine:3.11 oci:/path/to/alpine
$ trivy --input /path/to/alpine

Skopeo:

$ skopeo copy docker-daemon:alpine:3.11 oci:/path/to/alpine
$ trivy --input /path/to/alpine

[BREAKING] Override severity with vendor score if exists

Trivy used to display the severity from NVD, which is generic, but it is more accurate to use the severity from the vendor, such as Red Hat or Debian. The vendor's severity is now preferred over NVD's severity.

NOTE: If you filter vulnerabilities with the --severity option, the result may differ because v0.7.0 uses the vendor severity.

Bugs

rpc: fix output to use templates when in client/server mode. (#469)

A template didn't work in client/server mode.

fix: handle a scratch/busybox/DockerSlim image gracefully (#476)

Trivy cannot detect OS package vulnerabilities in an image based on scratch or busybox, because those images have no package manager such as yum or apt. It should still detect vulnerabilities in library dependencies from lock files such as package-lock.json; this commit enables that.

Changelog

09442d6 chore(ci): move integration tests to GitHub Actions (#485)
415b99d feat: support OCI Image Format (#475)
35b038e chore(github): fix issue templates (#483)
34a95c1 contrib/gitlab.tpl: Add new id field (#468)
b282142 chore(docs): add triage.md (#473)
216a33b fix: handle a scratch/busybox/DockerSlim image gracefully (#476)
ad0bb7c rpc: Fix output to use templates when in client server mode. (#469)
17b84f6 Override with Vendor score if exists (#433)
7629f7f docs: Update installation docs for pointing to Trivy Releases. (#463)

Docker images

  • docker pull docker.io/aquasec/trivy:0.7.0
  • docker pull docker.io/aquasec/trivy:latest

trivy - v0.6.0

Published by knqyf263 over 4 years ago

Changelog

ac5f313 feat(db): store metadata as a file (#464)
329f245 fix: replace containers/image with google/go-containerregistry (#456)
d6595ad add ubuntu 20.04 (#460)
114df7a using STDIN for docker login command (#458)

Docker images

  • docker pull docker.io/aquasec/trivy:0.6.0
  • docker pull docker.io/aquasec/trivy:latest

trivy - v0.5.4

Published by knqyf263 over 4 years ago

Bug fixes

Crash following interrupted DB download (#288)

Changelog

e5ff5ec Fix CircleCI example in README.md (#451)
1bc02f9 fix(db): retry downloading the database if it is broken (#452)
05fa779 chore(release): add all supported versions (#445)

Docker images

  • docker pull docker.io/aquasec/trivy:0.5.4
  • docker pull docker.io/aquasec/trivy:latest

trivy - v0.5.3

Published by knqyf263 over 4 years ago

Changelog

6fbdec6 app: Fix a few edge cases with version flag (#443)
94eb7cc Expose Trivy and VulnDB version through --version (#435)
b847e57 feat: show origin layer for vulnerabilities (#439)
07a731c Fix filepath separators on Windows (#414)
4ee7a1e fix circleci example (#431)
ede778f Merge pull request #434 from aquasecurity/license
64a07da Merge branch 'master' into license
623eb79 Remove outdated license section from README
51b8fd8 Change license to Apache 2.0, continued
6f7776e Change license to Apache 2.0
a70cee9 chore(ci): add cross-compile test (#425)

Docker images

  • docker pull docker.io/aquasec/trivy:0.5.3
  • docker pull docker.io/aquasec/trivy:latest

trivy - v0.5.2

Published by knqyf263 over 4 years ago

Changelog

5e36cb9 fix(rpm): make it possible to scan non-RHEL images without rpm (#429)

Docker images

  • docker pull docker.io/aquasec/trivy:0.5.2
  • docker pull docker.io/aquasec/trivy:latest

trivy - v0.5.1

Published by knqyf263 over 4 years ago

Changelog

74bf99b fix(token): use the credential from environment variable (#427)

Docker images

  • docker pull docker.io/aquasec/trivy:0.5.1
  • docker pull docker.io/aquasec/trivy:latest

trivy - v0.5.0

Published by knqyf263 over 4 years ago

Changelog

3ed0cfb chore(goreleaser): drop BSD support temporarily (#424)
aca31df detector: Add LayerID to detect vulns (#419)
18b80e3 feat(cache): based on JSON (#398)
b83174f chore(README): add explanation for self-compiled binaries/packages (#413)
80bbe47 fix(gitlab): fix json generation on loop (#409)
7726963 fix(scanner): pass docker options as an argument (#408)
db2136b doc: Add Alpine Linux 3.11 to supported OS docs (#407)

Docker images

  • docker pull docker.io/aquasec/trivy:0.5.0
  • docker pull docker.io/aquasec/trivy:latest

trivy - v0.4.4

Published by knqyf263 over 4 years ago

Changelog

42043a0 fix(client): add image name and build time (#402)
246793e fix(redhat): use binary package name for OVAL (#393)
692b0f1 cli: append warning when --template option is ignored (#391)
0629e1d fix(cli): reject multiple images (#392)
9707c7b Initial GitLab CI template to deeply integrated with GitLab Container Scanning (#376)
194fbef feat(): include GitLab template inside the docker container (#388)
f7db00c Modify template for GitLab Container Scanning (#387)
2f4b31e chore(goreleaser): bump up to 0.124.1 (#383)
9289624 doc: Update GitLab CI example documentation (#375)

Docker images

  • docker pull docker.io/aquasec/trivy:0.4.4
  • docker pull docker.io/aquasec/trivy:latest

trivy - v0.4.3

Published by knqyf263 almost 5 years ago

New Feature

Save the results using a template

$ trivy --format template --template "@/path/to/template" golang:1.12-alpine

See here for an example

Changelog

5a8749c chore: add install script (#370)
4a7fb52 fix typo in example of .gitlab-ci.yml (#373)
8888fca chore(goreleaser): change name_template to file_name_template (#369)
63a8c6d Integrate with Gitlab Container Scanning (#367)
fc222be chore: change a licence in goreleaser.yml (#365)
6132ff9 template: Load template from paths (#202)
87556aa Dockerfile: Update to alpine 3.11 (#361)

Docker images

  • docker pull docker.io/aquasec/trivy:0.4.3
  • docker pull docker.io/aquasec/trivy:latest

trivy - v0.4.2

Published by knqyf263 almost 5 years ago

Bug fixes

  • Infinite loop when resolving dependencies of packages in Alpine #363
  • Memory monster #362

Changelog

43362b2 Fix infinite loop when resolving dependencies of packages in Alpine (#364)
db2d0c2 docker_engine_test: Add more OSes (#358)
922d493 Add EOL Date for alpine 3.11 (#359)

Docker images

  • docker pull docker.io/aquasec/trivy:0.4.2
  • docker pull docker.io/aquasec/trivy:latest

trivy - v0.4.1

Published by knqyf263 almost 5 years ago

Bug fixes

Changelog

c4811c3 chore(dep): update (#357)
0ec840b feat(client): retry HTTP request when getting an unavailable error (#350)
0b96d08 fix(integration-test): use a snapshot database for Docker mode (#352)

Docker images

  • docker pull docker.io/aquasec/trivy:0.4.1
  • docker pull docker.io/aquasec/trivy:latest

trivy - v0.4.0

Published by knqyf263 almost 5 years ago

New Features

Support Photon OS (#340)

$ trivy photon:3.0

Thank you, @masahiro331

Support SUSE Enterprise Linux / openSUSE (#337)

$ trivy opensuse/leap:15.0

Thank you, @masahiro331

Specify a directory to store image cache (#341)

Trivy could already be told which directory to store the vulnerability database in, but not where to store the image cache. Now you can specify it with --cache-dir.

$ trivy --cache-dir /path/to/cache alpine:3.10

Add --token-headers option (#326)

Trivy uses Trivy-Token as the default token header. You can specify a custom header with --token-header.

$ trivy server --token foo --token-header x-trivy-token
$ trivy client --token foo --token-header x-trivy-token

Show progress when downloading the DB (#317)

$ trivy alpine:3.10
2019-12-27T14:44:26.345+0200    INFO    Need to update DB
2019-12-27T14:44:26.346+0200    INFO    Downloading DB...
3.04 MiB / 9.26 MiB [---------------------------->__________________________________________________________] 32.82% 1.14 MiB p/s ETA 5s

Bug fixes

Clear cache (#339)

$ trivy client --clear-cache

Changelog

7abd416 Delete requires for release (#345)
fcc193b Support Photon OS (#340)
44d74a7 chore(README): add 0.0.0.0 to the server example (#342)
4189855 fix(cache): specify a directory to store image cache (#341)
77f1abc Integration tests for docker mode (#335)
96d58cc fix(client): clear cache (#339)
823374b feat(client/server): add --token-headers option (#326)
b127c1c Support SUSE (#337)
b1ea09d Merge pull request #272 from aquasecurity/lizrice-patch-1
8c1c3df Merge branch 'master' into lizrice-patch-1
cee08c3 feat(db): show progress when downloading the DB (#317)
bc8f613 fix(writer): Refactor results struct (#327)
b9eddaf Merge branch 'master' into lizrice-patch-1
bdd1266 docs: note that some sources are non-commercial

Docker images

  • docker pull docker.io/aquasec/trivy:0.4.0
  • docker pull docker.io/aquasec/trivy:latest

trivy - v0.3.1

Published by knqyf263 almost 5 years ago

Bug fix

af584a8 Revert "change mod genuinetools/reg to vanilla (#297)" (#321)

Docker images

  • docker pull docker.io/aquasec/trivy:0.3.1
  • docker pull docker.io/aquasec/trivy:latest

trivy - v0.3.0

Published by knqyf263 almost 5 years ago

New Features

  • Client/Server
    • trivy server and trivy client are available
    • See here for details
  • Support Oracle Linux
    • Thank you, @masahiro331

Bug Fixes

  • Possible false-positive on jq library #245
  • fix(reset): reset before initializing DB #275

Changelog

74717b8 feat: support client/server mode (#295)
24fc88c Fix conduct strategy (#308)
1e9dcdb change mod genuinetools/reg to vanilla (#297)
7233b5f Update Gitlab example for Trivy 0.2.0 (#270)
3a53a88 refactor(app): use internal and separate configurations (#291)
6cbbb22 fix(alpine): handle rc version (#289)
b6a8af5 chore(windows): remove (#278)
30c1a00 Update readme (#287)
b345342 Add oracle linux support (#286)
438680f fix(reset): reset before initializing DB (#275)
740c2c4 chore(log): add debug messages (#284)

Docker images

  • docker pull docker.io/aquasec/trivy:0.3.0
  • docker pull docker.io/aquasec/trivy:latest

trivy - v0.2.1

Published by knqyf263 almost 5 years ago

Changes

  • Support GITHUB_TOKEN for rate limiting
  • Ignore files under vendor dir to avoid false positives
  • New logo

Changelog

35429e3 chore(logo): replace with new logo (#269)
fb26541 chore(clear-cache): add an explanation (#276)
15af65b feat(github): add GITHUB_TOKEN for rate limiting (#281)
c2fdfab fix(lockfile): ignore files under vendor dir (#279)

Docker images

  • docker pull docker.io/aquasec/trivy:0.2.1
  • docker pull docker.io/aquasec/trivy:latest

trivy - v0.2.0

Published by knqyf263 almost 5 years ago

Main Features

  • Dramatically improve the scan speed on the first run 🎉🎉 🎉 🎉 🎉🎉 🎉 🎉
    • Previous version: ~ 10 min
    • New version: ~ 10 sec (Depending on the network)

Now you don't need to use a cache in CI/CD. You can see an example here:
https://github.com/aquasecurity/trivy-ci-test/commit/eb4d393a7178aea0118c6e9017269f258d6b3edf/checks?check_suite_id=311236898

New Features

  • --light option
    • The lightweight DB doesn't contain vulnerability detail such as descriptions and references. Because of that, the size of the DB is smaller and the download is faster.
    • This option is useful when you don't need vulnerability details and is suitable for CI/CD. To find the additional information, you can search vulnerability details on the NVD website.
    • e.g. $ trivy --light alpine:3.10
  • --download-db-only option (#172)
    • This option simply retrieves the vulnerability database without scanning.
    • Thanks to @miguelbernadi
  • Enable environment variables (#220)
    • You can specify the options via environment variables
    • e.g. TRIVY_EXIT_CODE=1 trivy alpine:3.10
    • Thanks to @tboerger

Changelog

e371747 doc(README): fix missing Gitlab CI link section in ToC (#263)
514137e Merge pull request #253 from aquasecurity/remote_db
4f92d29 chore(makefile): add Makefile (#256)
8ea2e8c Add env variables for every flag (#220)
d1615bc typo fixed and GitHub Profile link added (#236)
76d920e Grammar (#232)
1f07220 docs: typo correction (#252)
f326beb Fixed broken link and some typos in Readme.md (#228)
e04e90f add new line at eof (#249)
d27eeb2 Add option to only download vulnerability database (#172)
62ea073 Enable shell autocompletion (#234)
187864a Added GitLab YML (#223)
a666c4a massage rubygems version to handle platforms (#230)
bda4ee0 add echo to CI gofmt step (#231)
63ed4eb Fixed Broken README links (#214)

Docker images

  • docker pull docker.io/aquasec/trivy:0.2.0
  • docker pull docker.io/aquasec/trivy:latest

trivy - v0.1.7

Published by knqyf263 about 5 years ago

New feature

  • Support new OSes
    • Amazon Linux
    • Google Distroless
  • Support new build tool
    • Kaniko
  • New options
    • --ignorefile
      • Specify the .trivyignore path
    • --timeout
      • Specify timeout
    • --template
      • The result can be exported to your template

Update

  • Go version
    • 1.13
  • Alpine version
    • 3.10

Changelog

d03a64c Update README (#224)
20babc4 Bump Go 1.13 (#218)
a6141ed CI/CD refactor (#209)
a12bb8d fix(db): introduce db schema version (#221)
5ae10e0 Dockerfile: Update runner base to alpine 3.10 (#199)
ff873a2 Support Amazon Linux (#182)
7ad94c3 Update .gitignore (#215)
f850984 test(integration): add integration tests (#201)
9334e60 Changed to be able to specify IgnoreFile as whitelist (#175)
f198b6e Check errors passed through by filepath.Walk (#208)
cb1870e Update README.md (#206)
384205a Remove extra double quote (#204)
d9e64d2 Updated README.md (#203)
5ccb0af Added Docker image badge & missing punctuation's (#189)
da621c3 Add timeout option (#143)
3a28576 added reference for LICENSE (#195)
dbb7a55 Check returned error before deferring file close (#197)
89f2d48 docs: minor tweak (#183)
f933ab4 Improve ubuntu install (#178)
af78d2f Update README.md - typo fix (#186)
0fff415 Support Kaniko (#171)
987538f Display an error message when rpm not found (#167)
2642020 Support distroless and ignore lock files under vendor dir (#166)
c4a2b76 Add rpm to the trivy image (#165)
339d0db Add template writer (#141)
43568cc Update xerrors version (#158)
fbd73f2 Modify cache-dir usage comment (#148)
4a21ad9 env (#154)
18de7e4 README.md is out of date (#145)
90e4c15 Add the RHEL8 support to rpm repository (#138)
4f57216 use COPY on dockerfile rather than add (#132)
e6b6830 fix typo in readme (#130)
4ce651c fix gofmt (#131)

Docker images

  • docker pull docker.io/aquasec/trivy:0.1.7
  • docker pull docker.io/aquasec/trivy:latest