trivy
Scan for vulnerabilities in container images
TLDR
Scan a Docker image for vulnerabilities and exposed secrets
Scan a Docker image filtering the output by severity
Scan a Docker image ignoring any unfixed/unpatched vulnerabilities
Scan the filesystem for vulnerabilities and misconfigurations
Scan an IaC (Terraform, CloudFormation, ARM, Helm and Dockerfile) directory for misconfigurations
Scan a local or remote Git repository for vulnerabilities
Scan a Git repository up to a specific commit hash
Generate output with a SARIF template
SYNOPSIS
trivy <target> [options]
Common targets include: image, fs, repo, config, kubernetes, cloud.
Examples:
trivy image nginx:latest
trivy fs .
trivy repo https://github.com/aquasecurity/trivy-repo-test.git
PARAMETERS
--help, -h
Show help message for the command or a subcommand.
--version, -v
Print the current version of Trivy.
--severity <SEVERITY>
Specify vulnerability severities to report (e.g., UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL). Multiple severities can be comma-separated.
--format <FORMAT>
Choose the output format for the report (e.g., table, json, cyclonedx, spdx, template).
--output <FILEPATH>, -o <FILEPATH>
Write the scan report to a specified file instead of standard output.
--ignore-unfixed
Only display vulnerabilities for which a fix is available.
--vuln-type <TYPE>
Specify the types of vulnerabilities to scan (e.g., os, library). Multiple types can be comma-separated.
--secret
Enable secret scanning to detect hardcoded secrets.
--config-scanners <SCANNERS>
Enable misconfiguration scanners for various targets (e.g., misconfig, rbac).
--timeout <DURATION>
Set a timeout for the scan operation (e.g., 5m, 1h30m).
DESCRIPTION
Trivy is a versatile and user-friendly open-source security scanner designed to identify vulnerabilities, misconfigurations, secrets, and licenses across a wide range of targets. It supports scanning container images, local filesystems, Git repositories, Kubernetes clusters, and cloud environments (AWS, Azure, GCP). Trivy detects vulnerabilities in operating system packages (e.g., Alpine, Debian, Ubuntu, RHEL) and application dependencies (e.g., npm, yarn, pip, Composer, Bundler). Beyond traditional vulnerability scanning, it can also enforce security policies by scanning Infrastructure as Code (IaC) files for misconfigurations and detect sensitive information like API keys or passwords. Its ease of integration into CI/CD pipelines makes it an ideal tool for securing the software supply chain from development to deployment. Maintained by Aqua Security, Trivy provides a crucial layer of security for modern cloud-native applications.
CAVEATS
Trivy requires an active internet connection for the initial download and subsequent updates of its vulnerability databases, which can be quite large. Scanning large targets or numerous files can be resource-intensive and time-consuming. Like any security tool, it can produce false positives and false negatives; results should always be reviewed and understood in context. The effectiveness of Trivy's vulnerability detection is directly tied to the timeliness and comprehensiveness of its vulnerability databases.
COMMON USE CASES
Trivy is widely used for:
1. CI/CD Integration: Automating vulnerability scans in development pipelines before deployment.
2. Container Image Scanning: Identifying vulnerabilities in Docker images and other container artifacts.
3. Filesystem Scanning: Analyzing local directories or build artifacts for security issues.
4. Configuration Auditing: Scanning Infrastructure as Code (IaC) files (e.g., Terraform, Kubernetes manifests, CloudFormation) for misconfigurations.
5. Secret Detection: Finding hardcoded secrets in source code or configuration files.
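As an added example (not part of this page or of the Trivy project), the following Python script shows the CI/CD gate pattern from item 1: it post-processes a report written with --format json and applies the same --severity and --ignore-unfixed filtering described under PARAMETERS, returning a non-zero exit code when a blocking finding remains. The embedded report is constructed for this example; the image name and the CVE identifiers are placeholders, while the keys (SchemaVersion, Results, Target, Class, Vulnerabilities, Severity, FixedVersion) follow the shape of Trivy's JSON output.

```python
"""CI gate over a Trivy JSON report (added example, not Trivy's own code).

Reads the JSON produced by `trivy image --format json -o report.json <image>`
and reproduces two filters in post-processing: --severity (keep only the
listed severities) and --ignore-unfixed (keep only findings with a
FixedVersion). The sample report below is constructed; the CVE IDs are
placeholders, not real advisories.
"""
import json
from collections import Counter

# Constructed sample in the shape of Trivy's JSON report (SchemaVersion 2).
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "example.invalid/app:1.0",  # constructed image name
    "Results": [
        {
            "Target": "example.invalid/app:1.0 (alpine 3.18.0)",
            "Class": "os-pkgs",
            "Type": "alpine",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-PLACEHOLDER-1", "PkgName": "libssl3",
                 "InstalledVersion": "3.1.0-r0", "FixedVersion": "3.1.1-r0",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-PLACEHOLDER-2", "PkgName": "busybox",
                 "InstalledVersion": "1.36.0-r0", "FixedVersion": "",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-PLACEHOLDER-3", "PkgName": "zlib",
                 "InstalledVersion": "1.2.13-r0", "FixedVersion": "1.2.13-r1",
                 "Severity": "LOW"},
            ],
        },
        {
            "Target": "app/package-lock.json",
            "Class": "lang-pkgs",
            "Type": "npm",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-PLACEHOLDER-4", "PkgName": "lodash",
                 "InstalledVersion": "4.17.20", "FixedVersion": "4.17.21",
                 "Severity": "HIGH"},
            ],
        },
        {
            # A result with no findings may omit "Vulnerabilities" entirely.
            "Target": "app/config.yaml",
            "Class": "config",
            "Type": "yaml",
        },
    ],
})

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def iter_findings(report):
    """Yield (target, vulnerability dict) for every finding in the report."""
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", "?"), vuln


def select_findings(report, severities, ignore_unfixed=False):
    """Apply --severity / --ignore-unfixed semantics to a parsed report."""
    wanted = {s.upper() for s in severities}
    selected = []
    for target, vuln in iter_findings(report):
        if vuln.get("Severity", "UNKNOWN").upper() not in wanted:
            continue
        if ignore_unfixed and not vuln.get("FixedVersion"):
            continue
        selected.append((target, vuln))
    return selected


def severity_counts(findings):
    """Count findings per severity, ordered like Trivy's table summary."""
    counts = Counter(v["Severity"].upper() for _, v in findings)
    return {s: counts[s] for s in SEVERITY_ORDER if counts[s]}


def gate(report_text, fail_on=("HIGH", "CRITICAL"), ignore_unfixed=True):
    """Return (exit_code, blocking findings); exit 1 if any finding blocks."""
    report = json.loads(report_text)
    blocking = select_findings(report, fail_on, ignore_unfixed)
    return (1 if blocking else 0), blocking


def main():
    code, blocking = gate(SAMPLE_REPORT)
    for target, v in blocking:
        print(f"{v['Severity']:8} {v['VulnerabilityID']:24} {v['PkgName']} "
              f"{v['InstalledVersion']} -> {v['FixedVersion']}  [{target}]")
    print("severity counts:", severity_counts(blocking))
    print("gate exit code:", code)
    return code


if __name__ == "__main__":
    raise SystemExit(main())
```

To use it on a real scan, replace SAMPLE_REPORT with the contents of the file written by -o. Trivy can also fail the build by itself with its --exit-code option; doing the gate in post-processing lets one archived JSON report feed both the build decision and later review, and the unfixed findings that --ignore-unfixed hides are still present in the stored report.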
VULNERABILITY DATABASES
Trivy aggregates vulnerability data from multiple sources, including NVD (National Vulnerability Database), OS vendor security advisories (e.g., Debian, Ubuntu, Alpine, RHEL), and language-specific package managers (e.g., npm, Yarn, Bundler, Pip). It keeps a local cache of these databases, which is updated regularly, so that subsequent scans run faster.
HISTORY
Trivy was developed by Aqua Security and first released in 2019. It quickly gained popularity within the cloud-native and container security communities due to its lightweight nature, ease of use, and comprehensive scanning capabilities across a variety of targets. As an open-source project, its development is community-driven, with active contributions ensuring it remains a relevant and effective tool for securing modern software supply chains.