
Documentation

Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues


Abstract

Trivy (tri pronounced like trigger, vy pronounced like envy) is a simple and comprehensive scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues. Trivy detects vulnerabilities of OS packages (Alpine, RHEL, CentOS, etc.) and language-specific packages (Bundler, Composer, npm, yarn, etc.). In addition, Trivy scans Infrastructure as Code (IaC) files such as Terraform, Dockerfile and Kubernetes, to detect potential configuration issues that expose your deployments to the risk of attack. Trivy is easy to use. Just install the binary and you're ready to scan.

Trivy Overview

Demo: Vulnerability Detection (Container Image)

Vulnerability Detection

Demo: Misconfiguration Detection (IaC Files)

Misconfiguration Detection

Quick Start

Scan Image for Vulnerabilities

Simply specify an image name (and a tag).

$ trivy image [YOUR_IMAGE_NAME]

For example:

$ trivy image python:3.4-alpine
Result
2019-05-16T01:20:43.180+0900    INFO    Updating vulnerability database...
2019-05-16T01:20:53.029+0900    INFO    Detecting Alpine vulnerabilities...

python:3.4-alpine3.9 (alpine 3.9.2)
===================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

+---------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| openssl | CVE-2019-1543    | MEDIUM   | 1.1.1a-r1         | 1.1.1b-r1     | openssl: ChaCha20-Poly1305     |
|         |                  |          |                   |               | with long nonces               |
+---------+------------------+----------+-------------------+---------------+--------------------------------+

Scan Filesystem for Vulnerabilities and Misconfigurations

Simply specify a directory to scan.

$ trivy fs --security-checks vuln,config [YOUR_PROJECT_DIR]

For example:

$ trivy fs --security-checks vuln,config myproject/
Result
2021-07-09T12:03:27.564+0300    INFO    Number of language-specific files: 1
2021-07-09T12:03:27.564+0300    INFO    Detecting pipenv vulnerabilities...
2021-07-09T12:03:27.566+0300    INFO    Detected config files: 1

Pipfile.lock (pipenv)
=====================
Total: 1 (HIGH: 1, CRITICAL: 0)

+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY  | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| httplib2 | CVE-2021-21240   | HIGH     | 0.12.1            | 0.19.0        | python-httplib2: Regular              |
|          |                  |          |                   |               | expression denial of                  |
|          |                  |          |                   |               | service via malicious header          |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-21240 |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+

Dockerfile (dockerfile)
=======================
Tests: 23 (SUCCESSES: 22, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

+---------------------------+------------+----------------------+----------+------------------------------------------+
|           TYPE            | MISCONF ID |        CHECK         | SEVERITY |                 MESSAGE                  |
+---------------------------+------------+----------------------+----------+------------------------------------------+
| Dockerfile Security Check |   DS002    | Image user is 'root' |   HIGH   | Last USER command in                     |
|                           |            |                      |          | Dockerfile should not be 'root'          |
|                           |            |                      |          | -->avd.aquasec.com/appshield/ds002       |
+---------------------------+------------+----------------------+----------+------------------------------------------+

Scan Directory for Misconfigurations

Simply specify a directory containing IaC files such as Terraform and Dockerfile.

$ trivy config [YOUR_IAC_DIR]

For example:

$ ls build/
Dockerfile
$ trivy config ./build
Result
2021-07-09T10:06:29.188+0300    INFO    Need to update the built-in policies
2021-07-09T10:06:29.188+0300    INFO    Downloading the built-in policies...
2021-07-09T10:06:30.520+0300    INFO    Detected config files: 1

Dockerfile (dockerfile)
=======================
Tests: 23 (SUCCESSES: 22, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

+---------------------------+------------+----------------------+----------+------------------------------------------+
|           TYPE            | MISCONF ID |        CHECK         | SEVERITY |                 MESSAGE                  |
+---------------------------+------------+----------------------+----------+------------------------------------------+
| Dockerfile Security Check |   DS002    | Image user is 'root' |   HIGH   | Last USER command in                     |
|                           |            |                      |          | Dockerfile should not be 'root'          |
|                           |            |                      |          | -->avd.aquasec.com/appshield/ds002       |
+---------------------------+------------+----------------------+----------+------------------------------------------+
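The DS002 finding above flags a Dockerfile whose last USER command is 'root'. The following is an added example, not Trivy's policy code: a simplified shell check for the same condition, run over two constructed Dockerfiles. The function names, the sample files, and the choices to treat UID 0 and a missing USER in the final stage as failures are assumptions of this sketch.

```shell
#!/bin/sh
# Simplified illustration of what a DS002-style check looks for.
# Not Trivy's implementation; names and sample files are constructed.

# last_user FILE: print the argument of the last USER in the final build stage.
last_user() {
    awk '
        /^[ \t]*#/ { next }                    # skip comment lines
        toupper($1) == "FROM" { u = "" }       # a new stage resets the user
        toupper($1) == "USER" { u = $2 }       # instructions are case-insensitive
        END { print u }
    ' "$1"
}

# check_image_user FILE: return 0 if the effective USER is non-root, 1 otherwise.
check_image_user() {
    user=$(last_user "$1")
    user=${user%%:*}   # USER accepts name[:group] or uid[:gid]; keep the user part
    case "$user" in
        "")     echo "FAIL $1: no USER in final stage (assumed root)"; return 1 ;;
        root|0) echo "FAIL $1: last USER is '$user'"; return 1 ;;
        *)      echo "PASS $1: last USER is '$user'"; return 0 ;;
    esac
}

# Constructed sample inputs.
workdir=$(mktemp -d)
cat > "$workdir/Dockerfile.bad" <<'EOF'
FROM alpine:3.14
USER app
RUN echo build
USER root
CMD ["sh"]
EOF
cat > "$workdir/Dockerfile.good" <<'EOF'
FROM alpine:3.14
RUN adduser -D app
USER root
RUN apk add --no-cache curl
user app:app
CMD ["sh"]
EOF

check_image_user "$workdir/Dockerfile.bad" || true
check_image_user "$workdir/Dockerfile.good"
```

Switching to root for package installation is fine as long as a later USER drops privileges before the image's final instruction, which is the pattern the passing file shows.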

Features

  • Comprehensive vulnerability detection
    • OS packages (Alpine Linux, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
    • Language-specific packages (Bundler, Composer, Pipenv, Poetry, npm, yarn, Cargo, NuGet, Maven, and Go)
  • Misconfiguration detection (IaC scanning)
    • A wide variety of built-in policies are provided out of the box
      • Kubernetes, Docker, Terraform, and more coming soon
    • Support custom policies
  • Simple
    • Specify only an image name, a path to config files, or an artifact name
  • Fast
    • The first scan will finish within 10 seconds (depending on your network). Subsequent scans will finish in single seconds.
  • Easy installation
    • apt-get install, yum install and brew install are possible.
    • No pre-requisites such as installation of DB, libraries, etc.
  • High accuracy
    • Especially Alpine Linux and RHEL/CentOS
    • Accuracy is also high for other OSes
  • DevSecOps
    • Suitable for CI such as GitHub Actions, Jenkins, GitLab CI, etc.
  • Support multiple targets
    • container image, local filesystem and remote git repository

Integrations

Documentation

The official documentation, which provides detailed installation, configuration, and quick start guides, is available at https://aquasecurity.github.io/trivy/.