LinuxCommandLibrary

trivy

Scan for vulnerabilities in container images

TLDR

Scan a Docker image for vulnerabilities and exposed secrets
$ trivy image [image:tag]

Scan a Docker image filtering the output by severity
$ trivy image [[-s|--severity]] [HIGH,CRITICAL] [alpine:3.15]

Scan a Docker image ignoring any unfixed/unpatched vulnerabilities
$ trivy image --ignore-unfixed [alpine:3.15]

Scan the filesystem for vulnerabilities and misconfigurations
$ trivy fs --security-checks [vuln,config] [path/to/project_directory]

Scan an IaC (Terraform, CloudFormation, ARM, Helm and Dockerfile) directory for misconfigurations
$ trivy config [path/to/iac_directory]

Scan a local or remote Git repository for vulnerabilities
$ trivy repo [path/to/local_repository_directory|remote_repository_URL]

Scan a Git repository up to a specific commit hash
$ trivy repo --commit [commit_hash] [repository]

Generate output with a SARIF template
$ trivy image [[-f|--format]] [template] [[-t|--template]] "[@sarif.tpl]" [[-o|--output]] [path/to/report.sarif] [image:tag]

SYNOPSIS

trivy [global flags] [command flags]

PARAMETERS

--cache-backend string
    Cache backend (redis, fs, bolt)

--cache-dir string
    Cache directory

--clear-cache
    Clear the cache

--config-policy string
    Policy file path

--exit-code int
    Exit code when vulnerabilities were found

--exit-code-from string
    Specify when to return exit code [os, repo, config, image]

--format string
    Format of the output (table, json, template, sarif, cyclonedx, spdx, github, cosign-vuln) (default "table")

--ignore-policy string
    Policy file path to ignore vulnerabilities

--input string
    Input file path instead of image name

--no-progress
    Suppress progress bar

--output string
    Output file path

--quiet
    Suppress all log output

--severity string
    Severities of vulnerabilities to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")

--skip-files
    Skip files from scanning

--skip-dirs
    Skip directories from scanning

--template string
    Template file path

--timeout duration
    Timeout for scanning

--version
    Show version
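The --severity, --ignore-unfixed and --exit-code flags above decide whether a pipeline stage passes or fails. The following is an added example, not code from the Linux Command Library page or from the Trivy project: it reproduces the effect of those three flags on a constructed JSON report of the shape that "trivy image -f json -o report.json image:tag" writes. The field names (Results, Target, Vulnerabilities, VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity) follow Trivy's JSON output; the image name, package versions and CVE ids are constructed placeholders, and the ignored_ids parameter stands in for what an ignore policy or a .trivyignore file would suppress.

```python
"""Post-process a Trivy JSON report the way a CI gate would.

Added example (not part of the page or of Trivy).  On a constructed report it
mirrors three flags from the PARAMETERS list:
  --severity       only the listed levels count
  --ignore-unfixed findings with no FixedVersion are dropped
  --exit-code N    return N when anything survives, else 0
"""
import json

# Constructed sample report, reduced to the fields the gate needs.
# Image name, versions and CVE ids are placeholders, not real data.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "example.invalid/app:1.0",
    "Results": [
        {
            "Target": "example.invalid/app:1.0 (alpine 3.15.0)",
            "Class": "os-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "openssl",
                 "InstalledVersion": "1.1.1k-r0", "FixedVersion": "1.1.1l-r0",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "busybox",
                 "InstalledVersion": "1.34.0-r0", "FixedVersion": "",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "zlib",
                 "InstalledVersion": "1.2.11-r3", "FixedVersion": "1.2.12-r0",
                 "Severity": "LOW"},
            ],
        },
        {
            "Target": "app/requirements.txt",
            "Class": "lang-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-EXAMPLE-0004", "PkgName": "requests",
                 "InstalledVersion": "2.25.0", "FixedVersion": "2.31.0",
                 "Severity": "HIGH"},
            ],
        },
    ],
})

# Same ordering as the --severity default list on the page, lowest first.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def select_findings(report_json, severities=("HIGH", "CRITICAL"),
                    ignore_unfixed=False, ignored_ids=()):
    """Return the findings that survive the filters, worst severity first.

    severities     -> same meaning as --severity HIGH,CRITICAL
    ignore_unfixed -> same meaning as --ignore-unfixed
    ignored_ids    -> ids an ignore policy / .trivyignore would suppress
    """
    report = json.loads(report_json)
    wanted = {s.upper() for s in severities}
    kept = []
    for result in report.get("Results", []):
        # A result with no findings may carry no "Vulnerabilities" key at all.
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity", "UNKNOWN").upper() not in wanted:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            if vuln["VulnerabilityID"] in ignored_ids:
                continue
            kept.append({
                "target": result["Target"],
                "id": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "installed": vuln["InstalledVersion"],
                "fixed": vuln.get("FixedVersion") or "(no fix yet)",
                "severity": vuln["Severity"].upper(),
            })
    # Stable sort, so the top of a CI log shows what blocks the build.
    kept.sort(key=lambda f: SEVERITY_ORDER.index(f["severity"]), reverse=True)
    return kept


def gate_exit_code(report_json, exit_code=1, **filters):
    """Mimic --exit-code N: N if any finding survives the filters, else 0."""
    return exit_code if select_findings(report_json, **filters) else 0


if __name__ == "__main__":
    for f in select_findings(SAMPLE_REPORT, ignore_unfixed=True):
        print(f"{f['severity']:<8} {f['id']:<18} {f['pkg']} "
              f"{f['installed']} -> {f['fixed']}  [{f['target']}]")
    print("exit code:", gate_exit_code(SAMPLE_REPORT, ignore_unfixed=True))
```

Run against a real report by replacing SAMPLE_REPORT with the contents of the file written by -o. Note that --ignore-unfixed silently drops the busybox finding above even though it is HIGH; a gate that uses it should still report unfixed findings somewhere (a non-blocking log or ticket) so they are not forgotten once a fix ships.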

DESCRIPTION

Trivy is a comprehensive security scanner designed to identify vulnerabilities and misconfigurations in container images, file systems, and cloud infrastructure. It's particularly useful in CI/CD pipelines to automate security checks early in the development lifecycle. Trivy supports a wide range of targets, including Docker images, Kubernetes deployments, Infrastructure as Code (IaC) configuration files (like Terraform and CloudFormation), and even Git repositories.

It's known for its simplicity, speed, and comprehensive vulnerability database. Trivy leverages vulnerability information from multiple sources to provide accurate and up-to-date scanning results. It can detect OS package vulnerabilities, language-specific vulnerabilities (e.g., in Ruby gems, Python packages, or Java libraries), and infrastructure misconfigurations. Trivy helps DevOps teams identify and address security risks before they are deployed to production.

Trivy distinguishes itself by being easy to integrate into existing workflows. It's available as a command-line tool and can be integrated into CI/CD pipelines using tools like Jenkins, GitLab CI, and GitHub Actions.

Trivy writes reports in several formats (see --format), such as JSON and SARIF, that vulnerability-management and code-scanning tools can consume.

CAVEATS

Trivy's effectiveness depends on regularly updating its vulnerability database. Using an outdated database may result in missed vulnerabilities.

COMMANDS

trivy image: Scan container images
trivy fs: Scan local filesystem
trivy repo: Scan git repositories
trivy config: Scan misconfigurations

INTEGRATION

Trivy can be seamlessly integrated into CI/CD pipelines with tools like Jenkins, GitLab CI, and GitHub Actions for automated security checks.
