trivy
Scan for vulnerabilities in container images
TLDR
Scan a Docker image for vulnerabilities and exposed secrets
Scan a Docker image filtering the output by severity
Scan a Docker image ignoring any unfixed/unpatched vulnerabilities
Scan the filesystem for vulnerabilities and misconfigurations
Scan an IaC (Terraform, CloudFormation, ARM, Helm and Dockerfile) directory for misconfigurations
Scan a local or remote Git repository for vulnerabilities
Scan a Git repository up to a specific commit hash
Generate output with a SARIF template
SYNOPSIS
trivy [global flags] command [flags] target
PARAMETERS
--cache-backend string
Cache backend (redis, fs, bolt)
--cache-dir string
Cache directory
--clear-cache
Clear the cache
--config-policy string
Policy file path
--exit-code int
Exit code to return when vulnerabilities are found
--exit-code-from string
Specify when to return exit code [os, repo, config, image]
--format string
Format of the output (table, json, template, sarif, cyclonedx, spdx, github, cosign-vuln) (default "table")
--ignore-policy string
Policy file path to ignore vulnerabilities
--input string
Input file path instead of image name
--no-progress
Suppress progress bar
--output string
Output file path
--quiet
Suppress all log output
--severity string
Severities of vulnerabilities to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
--skip-files strings
Skip files from scanning
--skip-dirs strings
Skip directories from scanning
--template string
Template file path
--timeout duration
Timeout for scanning
--version
Show version
DESCRIPTION
Trivy is a comprehensive security scanner designed to identify vulnerabilities and misconfigurations in container images, file systems, and cloud infrastructure. It's particularly useful in CI/CD pipelines to automate security checks early in the development lifecycle. Trivy supports a wide range of targets, including Docker images, Kubernetes deployments, Infrastructure as Code (IaC) configuration files (like Terraform and CloudFormation), and even Git repositories.
It's known for its simplicity, speed, and comprehensive vulnerability database. Trivy leverages vulnerability information from multiple sources to provide accurate and up-to-date scanning results. It can detect OS package vulnerabilities, language-specific vulnerabilities (e.g., in Ruby gems, Python packages, or Java libraries), and infrastructure misconfigurations. Trivy helps DevOps teams identify and address security risks before they are deployed to production.
Trivy distinguishes itself by being easy to integrate into existing workflows. It's available as a command-line tool and can be integrated into CI/CD pipelines using tools like Jenkins, GitLab CI, and GitHub Actions.
The tool returns reports in various formats like JSON, which are consumable by security tools for vulnerability management.
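A gate script that consumes the JSON report described above, as an added example that is not part of trivy or of this page: it parses a constructed report in trivy's JSON layout (a top-level Results list whose entries carry a Vulnerabilities list with Severity and FixedVersion fields) and applies the same policy as `--severity HIGH,CRITICAL --ignore-unfixed --exit-code 1`, so the rule can be re-checked offline or combined with other tooling. The report contents, image name and CVE ids are constructed placeholders.

```python
import json
import sys

# Constructed sample in trivy's JSON report layout (SchemaVersion 2);
# the CVE ids and image name are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2, "ArtifactName": "example.invalid/app:1.0", "ArtifactType": "container_image",
    "Results": [
        {"Target": "example.invalid/app:1.0 (alpine 3.18.0)", "Class": "os-pkgs", "Type": "alpine",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3", "InstalledVersion": "3.1.0-r0",
              "FixedVersion": "3.1.1-r0", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox", "InstalledVersion": "1.36.0-r0",
              "FixedVersion": "", "Severity": "HIGH"},            # no fix yet: dropped when ignore_unfixed
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib", "InstalledVersion": "1.2.13-r0",
              "FixedVersion": "1.2.13-r1", "Severity": "LOW"}]},  # below the severity threshold
        {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Type": "pip",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0004", "PkgName": "requests", "InstalledVersion": "2.25.0",
              "FixedVersion": "2.31.0", "Severity": "HIGH"}]},
        {"Target": "app/Dockerfile", "Class": "config", "Type": "dockerfile"},  # no Vulnerabilities key
    ],
})

# Same ordering trivy uses for --severity, lowest to highest.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

def load_report(text):
    """Parse a trivy JSON report into a dict."""
    return json.loads(text)

def blocking_findings(report, min_severity="HIGH", ignore_unfixed=True):
    """Return (target, id, package, severity) tuples that should fail the build.
    min_severity and above is kept (like --severity); findings with no
    FixedVersion are dropped when ignore_unfixed is set (like --ignore-unfixed)."""
    threshold = SEVERITY_ORDER.index(min_severity)
    hits = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:   # key is absent for config/secret results
            sev = vuln.get("Severity", "UNKNOWN")
            if SEVERITY_ORDER.index(sev) < threshold:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            hits.append((result.get("Target", ""), vuln["VulnerabilityID"], vuln["PkgName"], sev))
    return hits

def gate(report_text, min_severity="HIGH", ignore_unfixed=True):
    """CI exit code: 1 when blocking findings exist, else 0 (like --exit-code 1)."""
    hits = blocking_findings(load_report(report_text), min_severity, ignore_unfixed)
    for target, vuln_id, pkg, sev in hits:
        print(f"{sev:8} {vuln_id} {pkg} ({target})")
    return 1 if hits else 0

if __name__ == "__main__":
    # Usage: trivy image --format json --output report.json IMAGE; python gate.py report.json
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(text))
```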
CAVEATS
Trivy's effectiveness depends on regularly updating its vulnerability database. Using an outdated database may result in missed vulnerabilities.
COMMANDS
trivy image: Scan container images
trivy fs: Scan local filesystem
trivy repo: Scan git repositories
trivy config: Scan misconfigurations
INTEGRATION
Trivy can be seamlessly integrated into CI/CD pipelines with tools like Jenkins, GitLab CI, and GitHub Actions for automated security checks.