trivy

Scan a Docker image for vulnerabilities and exposed secrets

$ trivy image [image:tag]

$ trivy image [[-s|--severity]] [HIGH,CRITICAL] [alpine:3.15]

$ trivy image --ignore-unfixed [alpine:3.15]

$ trivy fs --security-checks [vuln,config] [path/to/project_directory]

$ trivy config [path/to/iac_directory]

$ trivy repo [path/to/local_repository_directory|remote_repository_URL]

$ trivy repo --commit [commit_hash] [repository]

$ trivy image [[-f|--format]] [template] [[-t|--template]] "[@sarif.tpl]" [[-o|--output]] [path/to/report.sarif] [image:tag]

trivy [global flags] [command flags]

--cache-backend string
    Cache backend (redis, fs, bolt)

--cache-dir string
    Cache directory

--clear-cache
    Clear the cache

--config-policy string
    Policy file path

--exit-code int
    Exit code when vulnerabilities were found

--exit-code-from string
    Specify when to return exit code [os, repo, config, image]

--format string
    Format of the output (table, json, template, sarif, cyclonedx, spdx, github, cosign-vuln) (default "table")

--ignore-policy string
    Policy file path to ignore vulnerabilities

--input string
    Input file path instead of image name

--no-progress
    Suppress progress bar

--output string
    Output file path

--quiet
    Suppress all log output

--severity string
    Severities of vulnerabilities to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")

--skip-files
    Skip files from scanning

--skip-dirs
    Skip directories from scanning

--template string
    Template file path

--timeout duration
    Timeout for scanning

--version
    Show version

Trivy is a comprehensive security scanner designed to identify vulnerabilities and misconfigurations in container images, file systems, and cloud infrastructure. It's particularly useful in CI/CD pipelines to automate security checks early in the development lifecycle. Trivy supports a wide range of targets, including Docker images, Kubernetes deployments, Infrastructure as Code (IaC) configuration files (like Terraform and CloudFormation), and even Git repositories.

It's known for its simplicity, speed, and comprehensive vulnerability database. Trivy leverages vulnerability information from multiple sources to provide accurate and up-to-date scanning results. It can detect OS package vulnerabilities, language-specific vulnerabilities (e.g., in Ruby gems, Python packages, or Java libraries), and infrastructure misconfigurations. Trivy helps DevOps teams identify and address security risks before they are deployed to production.

Trivy distinguishes itself by being easy to integrate into existing workflows. It's available as a command-line tool and can be integrated into CI/CD pipelines using tools like Jenkins, GitLab CI, and GitHub Actions.

The tool returns reports in various formats like JSON, which are consumable by security tools for vulnerability management.

Trivy's effectiveness depends on regularly updating its vulnerability database. Using an outdated database may result in missed vulnerabilities.

trivy image: Scan container images
trivy fs: Scan local filesystem
trivy repo: Scan git repositories
trivy config: Scan misconfigurations

Trivy can be seamlessly integrated into CI/CD pipelines with tools like Jenkins, GitLab CI, and GitHub Actions for automated security checks.