Yong Yan 60a4e7e5d4 Update SARIF report template (#935 ) * Update SARIF repot template * Update test data sarif.golden * Fix golangci-lint issue * Add test cases * Address review feedbacks * Inline value in assert statement * Fix location Uri format issue		3 days ago
.github	Docker multi-platform image build with `buildx`, using Goreleaser (#915)	3 weeks ago
ci	chore(ci): migrate CircleCI to GitHub Actions (#850)	2 months ago
cmd/trivy	refactor(internal): export internal packages (#887)	1 month ago
contrib	Update SARIF report template (#935)	3 days ago
docs	Update install docs to make commands consistent (#933)	1 week ago
helm/trivy	feat: publish helm repository (#888)	1 month ago
integration	Update SARIF report template (#935)	3 days ago
misc	chore(triage): add lifecycle/active label (#909)	1 month ago
pkg	Update SARIF report template (#935)	3 days ago
rpc	feat(java): support jar/war/ear (#837)	2 months ago
.clang-format	feat: support client/server mode (#295)	1 year ago
.dockerignore	SARIF: Tweak format for GitHub UI (#571)	9 months ago
.gitignore	feat: publish helm repository (#888)	1 month ago
.golangci.yaml	feat: support plugins (#878)	1 month ago
CONTRIBUTING.md	typo fixed and GitHub Profile link added (#236)	1 year ago
Dockerfile	feat: remove rpm dependency (#753)	5 months ago
LICENSE	Change license to Apache 2.0	1 year ago
Makefile	docs: migrate README to MkDocs (#884)	1 month ago
NOTICE	Change license to Apache 2.0	1 year ago
README.md	docs: migrate README to MkDocs (#884)	1 month ago
codecov.yml	codecov: Move into root directory (#608)	8 months ago
go.mod	feat: support plugins (#878)	1 month ago
go.sum	feat: support plugins (#878)	1 month ago
goreleaser.yml	Docker multi-platform image build with `buildx`, using Goreleaser (#915)	3 weeks ago
mkdocs.yml	docs: add white logo (#914)	4 weeks ago

README.md

A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifacts, Suitable for CI.

Abstract

Trivy (tri pronounced like trigger, vy pronounced like envy) is a simple and comprehensive vulnerability scanner for containers and other artifacts. A software vulnerability is a glitch, flaw, or weakness present in the software or in an Operating System. Trivy detects vulnerabilities of OS packages (Alpine, RHEL, CentOS, etc.) and application dependencies (Bundler, Composer, npm, yarn, etc.). Trivy is easy to use. Just install the binary and you're ready to scan. All you need to do for scanning is to specify a target such as an image name of the container.

Trivy can be run in two different modes:

Trivy can scan three different artifacts:

It is considered to be used in CI. Before pushing to a container registry or deploying your application, you can scan your local container image and other artifacts easily. See here for details.

Features

Detect comprehensive vulnerabilities
- OS packages (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
- Application dependencies (Bundler, Composer, Pipenv, Poetry, npm, yarn, Cargo, NuGet, and Maven)
Simple
- Specify only an image name or artifact name
- See Quick Start and Examples
Fast
- The first scan will finish within 10 seconds (depending on your network). Consequent scans will finish in single seconds.
- Unlike other scanners that take long to fetch vulnerability information (~10 minutes) on the first run, and encourage you to maintain a durable vulnerability database, Trivy is stateless and requires no maintenance or preparation.
Easy installation
- apt-get install, yum install and brew install is possible (See Installation)
- No pre-requisites such as installation of DB, libraries, etc.
High accuracy
- Especially Alpine Linux and RHEL/CentOS
- Other OSes are also high
DevSecOps
- Suitable for CI such as Travis CI, CircleCI, Jenkins, GitLab CI, etc.
- See CI Example
Support multiple formats
- container image
  - A local image in Docker Engine which is running as a daemon
  - A local image in Podman (>=2.0) which is exposing a socket
  - A remote image in Docker Registry such as Docker Hub, ECR, GCR and ACR
  - A tar archive stored in the docker save / podman save formatted file
  - An image directory compliant with OCI Image Format
- local filesystem
- remote git repository

Please see LICENSE for Trivy licensing information. Note that Trivy uses vulnerability information from a variety of sources, some of which are licensed for non-commercial use only.

Documentation

The official documentation, which provides detailed installation, configuration, and quick start guides, is available at https://aquasecurity.github.io/trivy/.

Installation

See here

Quick Start

Simply specify an image name (and a tag).

$ trivy image [YOUR_IMAGE_NAME]

For example:

$ trivy image python:3.4-alpine

Result

2019-05-16T01:20:43.180+0900    INFO    Updating vulnerability database...
2019-05-16T01:20:53.029+0900    INFO    Detecting Alpine vulnerabilities...

python:3.4-alpine3.9 (alpine 3.9.2)
===================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

+---------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| openssl | CVE-2019-1543    | MEDIUM   | 1.1.1a-r1         | 1.1.1b-r1     | openssl: ChaCha20-Poly1305     |
|         |                  |          |                   |               | with long nonces               |
+---------+------------------+----------+-------------------+---------------+--------------------------------+

Examples

See here

Continuous Integration (CI)

See here

Vulnerability Detection

See here

Usage

See here

Author

Teppei Fukuda (knqyf263)