A Simple and Comprehensive Vulnerability Scanner for Container Images, Git Repositories and Filesystems. Suitable for CI

Overview

A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifacts, Suitable for CI.

Abstract

Trivy (tri pronounced like trigger, vy pronounced like envy) is a simple and comprehensive vulnerability scanner for containers and other artifacts. A software vulnerability is a glitch, flaw, or weakness present in the software or in an Operating System. Trivy detects vulnerabilities of OS packages (Alpine, RHEL, CentOS, etc.) and application dependencies (Bundler, Composer, npm, yarn, etc.). Trivy is easy to use. Just install the binary and you're ready to scan. All you need to do for scanning is to specify a target such as an image name of the container.

It is designed to be used in CI. Before pushing to a container registry or deploying your application, you can easily scan your local container image and other artifacts. See here for details.

Features

  • Detect comprehensive vulnerabilities
    • OS packages (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
    • Application dependencies (Bundler, Composer, Pipenv, Poetry, npm, yarn, Cargo, NuGet, and Maven)
  • Simple
  • Fast
    • The first scan will finish within 10 seconds (depending on your network). Subsequent scans will finish in single seconds.
    • Unlike other scanners that take long to fetch vulnerability information (~10 minutes) on the first run, and encourage you to maintain a durable vulnerability database, Trivy is stateless and requires no maintenance or preparation.
  • Easy installation
    • apt-get install, yum install and brew install are possible (See Installation)
    • No pre-requisites such as installation of DB, libraries, etc.
  • High accuracy
    • Especially Alpine Linux and RHEL/CentOS
    • Other OSes are also scanned with high accuracy
  • DevSecOps
    • Suitable for CI such as Travis CI, CircleCI, Jenkins, GitLab CI, etc.
    • See CI Example
  • Support multiple formats
    • container image
      • A local image in Docker Engine which is running as a daemon
      • A local image in Podman (>=2.0) which is exposing a socket
      • A remote image in Docker Registry such as Docker Hub, ECR, GCR and ACR
      • A tar archive stored in the docker save / podman save formatted file
      • An image directory compliant with OCI Image Format
    • local filesystem
    • remote git repository

Please see LICENSE for Trivy licensing information. Note that Trivy uses vulnerability information from a variety of sources, some of which are licensed for non-commercial use only.

Installation

Replace {TRIVY_VERSION} with the latest released version of Trivy. You can find the latest releases on this page: https://github.com/aquasecurity/trivy/releases

RHEL/CentOS

Add repository setting to /etc/yum.repos.d.

$ sudo vim /etc/yum.repos.d/trivy.repo
[trivy]
name=Trivy repository
baseurl=https://aquasecurity.github.io/trivy-repo/rpm/releases/$releasever/$basearch/
gpgcheck=0
enabled=1
$ sudo yum -y update
$ sudo yum -y install trivy

or

$ rpm -ivh https://github.com/aquasecurity/trivy/releases/download/{TRIVY_VERSION}/trivy_{TRIVY_VERSION}_Linux-64bit.rpm

Debian/Ubuntu

Add repository to /etc/apt/sources.list.d.

$ sudo apt-get install wget apt-transport-https gnupg lsb-release
$ wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
$ echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
$ sudo apt-get update
$ sudo apt-get install trivy

or

$ wget https://github.com/aquasecurity/trivy/releases/download/{TRIVY_VERSION}/trivy_{TRIVY_VERSION}_Linux-64bit.deb
$ sudo dpkg -i trivy_{TRIVY_VERSION}_Linux-64bit.deb

Arch Linux

Package trivy-bin can be installed from the Arch User Repository. Examples:

pikaur -Sy trivy-bin

or

yay -Sy trivy-bin

Homebrew

You can use homebrew on macOS and Linux.

$ brew install aquasecurity/trivy/trivy

Nix/NixOS

You can use nix on Linux or macOS and on others unofficially.

Note that trivy is currently only in the unstable channels.

$ nix-env --install trivy

Or through your configuration on NixOS or with home-manager as usual.

Install Script

This script downloads the Trivy binary for your OS and architecture.

$ curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin

Binary

Get the latest version from this page, and download the archive file for your operating system/architecture. Unpack the archive, and put the binary somewhere in your $PATH (on UNIX-y systems, /usr/local/bin or the like). Make sure it has execution bits turned on.

From source

$ mkdir -p $GOPATH/src/github.com/aquasecurity
$ cd $GOPATH/src/github.com/aquasecurity
$ git clone https://github.com/aquasecurity/trivy
$ cd trivy/cmd/trivy/
$ export GO111MODULE=on
$ go install

Quick Start

Image

Simply specify an image name (and a tag).

Basic

$ trivy image [YOUR_IMAGE_NAME]

For example:

$ trivy image python:3.4-alpine
Result
2019-05-16T01:20:43.180+0900    INFO    Updating vulnerability database...
2019-05-16T01:20:53.029+0900    INFO    Detecting Alpine vulnerabilities...

python:3.4-alpine3.9 (alpine 3.9.2)
===================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

+---------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| openssl | CVE-2019-1543    | MEDIUM   | 1.1.1a-r1         | 1.1.1b-r1     | openssl: ChaCha20-Poly1305     |
|         |                  |          |                   |               | with long nonces               |
+---------+------------------+----------+-------------------+---------------+--------------------------------+

Docker

Docker Hub

Replace [YOUR_CACHE_DIR] with the cache directory on your machine.

$ docker run --rm -v [YOUR_CACHE_DIR]:/root/.cache/ aquasec/trivy [YOUR_IMAGE_NAME]

Example for macOS:

$ docker run --rm -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy python:3.4-alpine

If you would like to scan the image on your host machine, you need to mount docker.sock.

$ docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
    -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy python:3.4-alpine

Please re-pull the latest aquasec/trivy if an error occurs.

Result
2019-05-16T01:20:43.180+0900    INFO    Updating vulnerability database...
2019-05-16T01:20:53.029+0900    INFO    Detecting Alpine vulnerabilities...

python:3.4-alpine3.9 (alpine 3.9.2)
===================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

+---------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| openssl | CVE-2019-1543    | MEDIUM   | 1.1.1a-r1         | 1.1.1b-r1     | openssl: ChaCha20-Poly1305     |
|         |                  |          |                   |               | with long nonces               |
+---------+------------------+----------+-------------------+---------------+--------------------------------+

GitHub Container Registry

The same image is hosted on GitHub Container Registry as well.
https://github.com/orgs/aquasecurity/packages/container/package/trivy

$ docker pull ghcr.io/aquasecurity/trivy:latest

Filesystem

Scan a filesystem (such as a host machine, a virtual machine image, or an unpacked container image filesystem).

Trivy will look for vulnerabilities based on lock files such as Gemfile.lock and package-lock.json.

$ trivy fs /path/to/project

Scan your container from inside the container.

$ docker run --rm -it alpine:3.11
/ # curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
/ # trivy fs /

Embed in Dockerfile

Scan your image as part of the build process by embedding Trivy in the Dockerfile. This approach can be used to update Dockerfiles currently using Aqua’s Microscanner.

$ cat Dockerfile
FROM alpine:3.7

RUN apk add curl \
    && curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin \
    && trivy filesystem --exit-code 1 --no-progress /

$ docker build -t vulnerable-image .

Alternatively, you can use Trivy in a multi-stage build. This avoids the insecure curl | sh pattern, and the scanned image itself is left unchanged.

[...]
# Run vulnerability scan on build image
FROM build AS vulnscan
COPY --from=aquasec/trivy:latest /usr/local/bin/trivy /usr/local/bin/trivy
RUN trivy filesystem --exit-code 1 --no-progress /
[...]
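The --exit-code 1 gate above fails the build on any finding. As an added example (not Trivy's own code), the following Python reads a plain-text Trivy report like the ones shown on this page and fails a pipeline only when findings at or above a chosen severity are present. It assumes the report format shown above (a target line underlined with '=' followed by a 'Total: N (UNKNOWN: a, LOW: b, MEDIUM: c, HIGH: d, CRITICAL: e)' summary) and uses a constructed sample built from the output on this page.

```python
"""Severity gate over Trivy's plain-text report format.

Added example, not part of Trivy. Assumes the table report shown on this
page: each scanned target is a header line underlined with '=' characters,
followed by a 'Total: ...' line with per-severity counts.
"""
import re
import sys
from typing import Dict, List, Tuple

# Trivy's severity names, lowest first. UNKNOWN is ranked lowest here on
# purpose; a stricter pipeline may want to treat it like HIGH instead.
SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")

# Matches e.g. "Total: 26 (UNKNOWN: 0, LOW: 3, MEDIUM: 16, HIGH: 5, CRITICAL: 2)"
TOTAL_RE = re.compile(
    r"^Total:\s*(\d+)\s*\("
    + r",\s*".join(rf"{s}:\s*(\d+)" for s in SEVERITIES)
    + r"\)\s*$"
)

# Constructed sample: the target headers and Total lines from the
# knqyf263/vuln-image:1.2.3 scan shown above (tables omitted).
SAMPLE_REPORT = """\
2019-05-16T12:59:03.150+0900    INFO    Detecting Alpine vulnerabilities...

knqyf263/vuln-image:1.2.3 (alpine 3.7.1)
========================================
Total: 26 (UNKNOWN: 0, LOW: 3, MEDIUM: 16, HIGH: 5, CRITICAL: 2)

+---------+------------------+----------+
| LIBRARY | VULNERABILITY ID | SEVERITY |
+---------+------------------+----------+

ruby-app/Gemfile.lock
=====================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

rust-app/Cargo.lock
===================
Total: 3 (UNKNOWN: 3, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
"""


def parse_report(text: str) -> Dict[str, Dict[str, int]]:
    """Return {target: {severity: count}} for every target in the report."""
    lines = text.splitlines()
    results: Dict[str, Dict[str, int]] = {}
    target = None
    for i, line in enumerate(lines):
        stripped = line.strip()
        # A run of '=' alone on a line underlines the target named just above it.
        if stripped and set(stripped) == {"="} and i > 0:
            target = lines[i - 1].strip()
            continue
        m = TOTAL_RE.match(stripped)
        if m and target is not None:
            counts = dict(zip(SEVERITIES, map(int, m.groups()[1:])))
            # Sanity check: the per-severity counts must sum to the reported total.
            if sum(counts.values()) != int(m.group(1)):
                raise ValueError(f"severity counts do not add up for {target}")
            results[target] = counts
            target = None
    return results


def exceeds_threshold(results: Dict[str, Dict[str, int]],
                      min_severity: str = "HIGH") -> List[Tuple[str, str, int]]:
    """List (target, severity, count) for non-zero counts at or above min_severity."""
    floor = SEVERITIES.index(min_severity)
    hits = []
    for target, counts in results.items():
        for sev in SEVERITIES[floor:]:
            if counts[sev] > 0:
                hits.append((target, sev, counts[sev]))
    return hits


def gate_exit_code(results: Dict[str, Dict[str, int]],
                   min_severity: str = "HIGH") -> int:
    """Mirror Trivy's --exit-code behaviour: 1 if anything at/above the floor, else 0."""
    return 1 if exceeds_threshold(results, min_severity) else 0


if __name__ == "__main__":
    # Usage: trivy image IMAGE | python gate.py [MIN_SEVERITY]
    floor = sys.argv[1] if len(sys.argv) > 1 else "HIGH"
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    parsed = parse_report(text)
    for target, sev, count in exceeds_threshold(parsed, floor):
        print(f"{target}: {count} {sev}")
    sys.exit(gate_exit_code(parsed, floor))
```

Trivy's own --exit-code flag (used in the Dockerfile above) remains the simplest gate; this parser is for pipelines that keep the captured text report and want a per-target threshold decision from it.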

Git Repository

Scan your remote git repository.

$ trivy repo https://github.com/knqyf263/trivy-ci-test

Only public repositories are supported.

Podman

[EXPERIMENTAL] This feature might change without preserving backwards compatibility.

Scan your image in Podman (>=2.0) running locally. Remote Podman is not supported. Before running Trivy commands, you must enable the podman.sock systemd service on your machine. For more details, see here.

$ systemctl --user enable --now podman.socket

Then, you can scan your image in Podman.

$ cat Dockerfile
FROM alpine:3.12
RUN apk add --no-cache bash
$ podman build -t test .
$ podman images
REPOSITORY                TAG     IMAGE ID      CREATED      SIZE
localhost/test            latest  efc372d4e0de  About a minute ago  7.94 MB
$ trivy image test

Examples

Standalone

Scan an image

Simply specify an image name (and a tag).

$ trivy image knqyf263/vuln-image:1.2.3
Result
2019-05-16T12:59:03.150+0900    INFO    Detecting Alpine vulnerabilities...
2019-05-16T12:59:04.941+0900    INFO    Detecting bundler vulnerabilities...
2019-05-16T12:59:05.967+0900    INFO    Detecting cargo vulnerabilities...
2019-05-16T12:59:07.834+0900    INFO    Detecting composer vulnerabilities...
2019-05-16T12:59:10.285+0900    INFO    Detecting npm vulnerabilities...
2019-05-16T12:59:11.487+0900    INFO    Detecting pipenv vulnerabilities...

knqyf263/vuln-image:1.2.3 (alpine 3.7.1)
========================================
Total: 26 (UNKNOWN: 0, LOW: 3, MEDIUM: 16, HIGH: 5, CRITICAL: 2)

+---------+------------------+----------+-------------------+---------------+----------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |              TITLE               |
+---------+------------------+----------+-------------------+---------------+----------------------------------+
| curl    | CVE-2018-14618   | CRITICAL | 7.61.0-r0         | 7.61.1-r0     | curl: NTLM password overflow     |
|         |                  |          |                   |               | via integer overflow             |
+         +------------------+----------+                   +---------------+----------------------------------+
|         | CVE-2018-16839   | HIGH     |                   | 7.61.1-r1     | curl: Integer overflow leading   |
|         |                  |          |                   |               | to heap-based buffer overflow in |
|         |                  |          |                   |               | Curl_sasl_create_plain_message() |
+         +------------------+          +                   +---------------+----------------------------------+
|         | CVE-2019-3822    |          |                   | 7.61.1-r2     | curl: NTLMv2 type-3 header       |
|         |                  |          |                   |               | stack buffer overflow            |
+         +------------------+          +                   +---------------+----------------------------------+
|         | CVE-2018-16840   |          |                   | 7.61.1-r1     | curl: Use-after-free when        |
|         |                  |          |                   |               | closing "easy" handle in         |
|         |                  |          |                   |               | Curl_close()                     |
+         +------------------+----------+                   +               +----------------------------------+
|         | CVE-2018-16842   | MEDIUM   |                   |               | curl: Heap-based buffer          |
|         |                  |          |                   |               | over-read in the curl tool       |
|         |                  |          |                   |               | warning formatting               |
+         +------------------+          +                   +---------------+----------------------------------+
|         | CVE-2018-16890   |          |                   | 7.61.1-r2     | curl: NTLM type-2 heap           |
|         |                  |          |                   |               | out-of-bounds buffer read        |
+         +------------------+          +                   +               +----------------------------------+
|         | CVE-2019-3823    |          |                   |               | curl: SMTP end-of-response       |
|         |                  |          |                   |               | out-of-bounds read               |
+---------+------------------+----------+-------------------+---------------+----------------------------------+
| git     | CVE-2018-17456   | HIGH     | 2.15.2-r0         | 2.15.3-r0     | git: arbitrary code execution    |
|         |                  |          |                   |               | via .gitmodules                  |
+         +------------------+          +                   +               +----------------------------------+
|         | CVE-2018-19486   |          |                   |               | git: Improper handling of        |
|         |                  |          |                   |               | PATH allows for commands to be   |
|         |                  |          |                   |               | executed from...                 |
+---------+------------------+----------+-------------------+---------------+----------------------------------+
| libssh2 | CVE-2019-3855    | CRITICAL | 1.8.0-r2          | 1.8.1-r0      | libssh2: Integer overflow in     |
|         |                  |          |                   |               | transport read resulting in      |
|         |                  |          |                   |               | out of bounds write...           |
+         +------------------+----------+                   +               +----------------------------------+
|         | CVE-2019-3859    | MEDIUM   |                   |               | libssh2: Unchecked use of        |
|         |                  |          |                   |               | _libssh2_packet_require and      |
|         |                  |          |                   |               | _libssh2_packet_requirev         |
|         |                  |          |                   |               | resulting in out-of-bounds       |
|         |                  |          |                   |               | read                             |
+         +------------------+          +                   +               +----------------------------------+
|         | CVE-2019-3858    |          |                   |               | libssh2: Zero-byte allocation    |
|         |                  |          |                   |               | with a specially crafted SFTP    |
|         |                  |          |                   |               | packed leading to an...          |
+         +------------------+          +                   +               +----------------------------------+
|         | CVE-2019-3863    |          |                   |               | libssh2: Integer overflow        |
|         |                  |          |                   |               | in user authenticate             |
|         |                  |          |                   |               | keyboard interactive allows      |
|         |                  |          |                   |               | out-of-bounds writes             |
+         +------------------+          +                   +               +----------------------------------+
|         | CVE-2019-3862    |          |                   |               | libssh2: Out-of-bounds memory    |
|         |                  |          |                   |               | comparison with specially        |
|         |                  |          |                   |               | crafted message channel          |
|         |                  |          |                   |               | request                          |
+         +------------------+          +                   +               +----------------------------------+
|         | CVE-2019-3860    |          |                   |               | libssh2: Out-of-bounds reads     |
|         |                  |          |                   |               | with specially crafted SFTP      |
|         |                  |          |                   |               | packets                          |
+         +------------------+          +                   +               +----------------------------------+
|         | CVE-2019-3857    |          |                   |               | libssh2: Integer overflow in     |
|         |                  |          |                   |               | SSH packet processing channel    |
|         |                  |          |                   |               | resulting in out of...           |
+         +------------------+          +                   +               +----------------------------------+
|         | CVE-2019-3861    |          |                   |               | libssh2: Out-of-bounds reads     |
|         |                  |          |                   |               | with specially crafted SSH       |
|         |                  |          |                   |               | packets                          |
+         +------------------+          +                   +               +----------------------------------+
|         | CVE-2019-3856    |          |                   |               | libssh2: Integer overflow in     |
|         |                  |          |                   |               | keyboard interactive handling    |
|         |                  |          |                   |               | resulting in out of bounds...    |
+---------+------------------+          +-------------------+---------------+----------------------------------+
| libxml2 | CVE-2018-14567   |          | 2.9.7-r0          | 2.9.8-r1      | libxml2: Infinite loop when      |
|         |                  |          |                   |               | --with-lzma is used allows for   |
|         |                  |          |                   |               | denial of service...             |
+         +------------------+          +                   +               +----------------------------------+
|         | CVE-2018-14404   |          |                   |               | libxml2: NULL pointer            |
|         |                  |          |                   |               | dereference in                   |
|         |                  |          |                   |               | xpath.c:xmlXPathCompOpEval()     |
|         |                  |          |                   |               | can allow attackers to cause     |
|         |                  |          |                   |               | a...                             |
+         +------------------+----------+                   +               +----------------------------------+
|         | CVE-2018-9251    | LOW      |                   |               | libxml2: infinite loop in        |
|         |                  |          |                   |               | xz_decomp function in xzlib.c    |
+---------+------------------+----------+-------------------+---------------+----------------------------------+
| openssh | CVE-2019-6109    | MEDIUM   | 7.5_p1-r9         | 7.5_p1-r10    | openssh: Missing character       |
|         |                  |          |                   |               | encoding in progress display     |
|         |                  |          |                   |               | allows for spoofing of scp...    |
+         +------------------+          +                   +               +----------------------------------+
|         | CVE-2019-6111    |          |                   |               | openssh: Improper validation     |
|         |                  |          |                   |               | of object names allows           |
|         |                  |          |                   |               | malicious server to overwrite    |
|         |                  |          |                   |               | files...                         |
+         +------------------+----------+                   +               +----------------------------------+
|         | CVE-2018-20685   | LOW      |                   |               | openssh: scp client improper     |
|         |                  |          |                   |               | directory name validation        |
+---------+------------------+----------+-------------------+---------------+----------------------------------+
| sqlite  | CVE-2018-20346   | MEDIUM   | 3.21.0-r1         | 3.25.3-r0     | sqlite: Multiple flaws in        |
|         |                  |          |                   |               | sqlite which can be triggered    |
|         |                  |          |                   |               | via corrupted internal...        |
+---------+------------------+----------+-------------------+---------------+----------------------------------+
| tar     | CVE-2018-20482   | LOW      | 1.29-r1           | 1.31-r0       | tar: Infinite read loop in       |
|         |                  |          |                   |               | sparse_dump_region function in   |
|         |                  |          |                   |               | sparse.c                         |
+---------+------------------+----------+-------------------+---------------+----------------------------------+

ruby-app/Gemfile.lock
=====================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

+----------------------+------------------+----------+-------------------+---------------+--------------------------------+
|       LIBRARY        | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
+----------------------+------------------+----------+-------------------+---------------+--------------------------------+
| rails-html-sanitizer | CVE-2018-3741    | MEDIUM   | 1.0.3             | >= 1.0.4      | rubygem-rails-html-sanitizer:  |
|                      |                  |          |                   |               | non-whitelisted attributes     |
|                      |                  |          |                   |               | are present in sanitized       |
|                      |                  |          |                   |               | output when input with         |
|                      |                  |          |                   |               | specially-crafted...           |
+----------------------+------------------+----------+-------------------+---------------+--------------------------------+

rust-app/Cargo.lock
===================
Total: 3 (UNKNOWN: 3, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

+---------+-------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY | VULNERABILITY ID  | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
+---------+-------------------+----------+-------------------+---------------+--------------------------------+
| ammonia | RUSTSEC-2019-0001 | UNKNOWN  | 1.9.0             | >= 2.1.0      | Uncontrolled recursion leads   |
|         |                   |          |                   |               | to abort in HTML serialization |
+---------+-------------------+          +-------------------+---------------+--------------------------------+
| openssl | RUSTSEC-2016-0001 |          | 0.8.3             | >= 0.9.0      | SSL/TLS MitM vulnerability due |
|         |                   |          |                   |               | to insecure defaults           |
+         +-------------------+          +                   +---------------+--------------------------------+
|         | RUSTSEC-2018-0010 |          |                   | >= 0.10.9     | Use after free in CMS Signing  |
+---------+-------------------+----------+-------------------+---------------+--------------------------------+

php-app/composer.lock
=====================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

+-------------------+------------------+----------+-------------------+---------------------+--------------------------------+
|      LIBRARY      | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |    FIXED VERSION    |             TITLE              |
+-------------------+------------------+----------+-------------------+---------------------+--------------------------------+
| guzzlehttp/guzzle | CVE-2016-5385    | MEDIUM   | 6.2.0             | 6.2.1, 4.2.4, 5.3.1 | PHP: sets environmental        |
|                   |                  |          |                   |                     | variable based on user         |
|                   |                  |          |                   |                     | supplied Proxy request header  |
+-------------------+------------------+----------+-------------------+---------------------+--------------------------------+

node-app/package-lock.json
==========================
Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 1, CRITICAL: 0)

+---------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| jquery  | CVE-2019-5428    | MEDIUM   | 3.3.9             | >=3.4.0       | Modification of                |
|         |                  |          |                   |               | Assumed-Immutable Data (MAID)  |
+         +------------------+          +                   +               +--------------------------------+
|         | CVE-2019-11358   |          |                   |               | js-jquery: prototype pollution |
|         |                  |          |                   |               | in object's prototype leading  |
|         |                  |          |                   |               | to denial of service or...     |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| lodash  | CVE-2018-16487   | HIGH     | 4.17.4            | >=4.17.11     | lodash: Prototype pollution in |
|         |                  |          |                   |               | utilities function             |
+         +------------------+----------+                   +---------------+                                +
|         | CVE-2018-3721    | MEDIUM   |                   | >=4.17.5      |                                |
|         |                  |          |                   |               |                                |
+---------+------------------+----------+-------------------+---------------+--------------------------------+

python-app/Pipfile.lock
=======================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

+---------+------------------+----------+-------------------+---------------+------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |               TITLE                |
+---------+------------------+----------+-------------------+---------------+------------------------------------+
| django  | CVE-2019-6975    | MEDIUM   | 2.0.9             | 2.0.11        | python-django:                     |
|         |                  |          |                   |               | memory exhaustion in               |
|         |                  |          |                   |               | django.utils.numberformat.format() |
+---------+------------------+----------+-------------------+---------------+------------------------------------+

Scan an image file

$ docker save ruby:2.3.0-alpine3.9 -o ruby-2.3.0.tar
$ trivy image --input ruby-2.3.0.tar
Result
2019-05-16T12:45:57.332+0900    INFO    Updating vulnerability database...
2019-05-16T12:45:59.119+0900    INFO    Detecting Debian vulnerabilities...

ruby-2.3.0.tar (debian 8.4)
===========================
Total: 7447 (UNKNOWN: 5, LOW: 326, MEDIUM: 5695, HIGH: 1316, CRITICAL: 105)

+------------------------------+---------------------+----------+----------------------------+----------------------------------+-----------------------------------------------------+
|           LIBRARY            |  VULNERABILITY ID   | SEVERITY |     INSTALLED VERSION      |          FIXED VERSION           |                        TITLE                        |
+------------------------------+---------------------+----------+----------------------------+----------------------------------+-----------------------------------------------------+
| apt                          | CVE-2019-3462       | CRITICAL | 1.0.9.8.3                  | 1.0.9.8.5                        | Incorrect sanitation of the                         |
|                              |                     |          |                            |                                  | 302 redirect field in HTTP                          |
|                              |                     |          |                            |                                  | transport method of...                              |
+                              +---------------------+----------+                            +----------------------------------+-----------------------------------------------------+
|                              | CVE-2016-1252       | MEDIUM   |                            | 1.0.9.8.4                        | The apt package in Debian                           |
|                              |                     |          |                            |                                  | jessie before 1.0.9.8.4, in                         |
|                              |                     |          |                            |                                  | Debian unstable before...                           |
+                              +---------------------+----------+                            +----------------------------------+-----------------------------------------------------+
|                              | CVE-2011-3374       | LOW      |                            |                                  |                                                     |
+------------------------------+---------------------+----------+----------------------------+----------------------------------+-----------------------------------------------------+
| bash                         | CVE-2016-7543       | HIGH     | 4.3-11                     | 4.3-11+deb8u1                    | bash: Specially crafted                             |
|                              |                     |          |                            |                                  | SHELLOPTS+PS4 variables allows                      |
|                              |                     |          |                            |                                  | command substitution                                |
+                              +---------------------+          +                            +----------------------------------+-----------------------------------------------------+
|                              | CVE-2019-9924       |          |                            | 4.3-11+deb8u2                    | bash: BASH_CMD is writable in                       |
|                              |                     |          |                            |                                  | restricted bash shells                              |
+                              +---------------------+----------+                            +----------------------------------+-----------------------------------------------------+
|                              | CVE-2016-0634       | MEDIUM   |                            | 4.3-11+deb8u1                    | bash: Arbitrary code execution                      |
|                              |                     |          |                            |                                  | via malicious hostname                              |
+                              +---------------------+----------+                            +----------------------------------+-----------------------------------------------------+
|                              | CVE-2016-9401       | LOW      |                            | 4.3-11+deb8u2                    | bash: popd controlled free                          |
+                              +---------------------+          +                            +----------------------------------+-----------------------------------------------------+
|                              | TEMP-0841856-B18BAF |          |                            |                                  |                                                     |
+------------------------------+---------------------+----------+----------------------------+----------------------------------+-----------------------------------------------------+
...

Scan an OCI image

Trivy can scan an image directory that complies with the Open Container Image Layout Specification; pass the directory with --input.

Buildah:

$ buildah push docker.io/library/alpine:3.11 oci:/path/to/alpine
$ trivy image --input /path/to/alpine

Skopeo:

$ skopeo copy docker-daemon:alpine:3.11 oci:/path/to/alpine
$ trivy image --input /path/to/alpine

Scan a container from inside the container

$ docker run --rm -it alpine:3.10.2
/ # curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
/ # trivy fs /
Result
adb3b9abab80 (alpine 3.10.2)
============================
Total: 5 (UNKNOWN: 0, LOW: 1, MEDIUM: 4, HIGH: 0, CRITICAL: 0)

+---------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| openssl | CVE-2019-1549    | MEDIUM   | 1.1.1c-r0         | 1.1.1d-r0     | openssl: information           |
|         |                  |          |                   |               | disclosure in fork()           |
+         +------------------+          +                   +---------------+--------------------------------+
|         | CVE-2019-1551    |          |                   | 1.1.1d-r2     | openssl: Integer overflow in   |
|         |                  |          |                   |               | RSAZ modular exponentiation on |
|         |                  |          |                   |               | x86_64                         |
+         +------------------+          +                   +---------------+--------------------------------+
|         | CVE-2019-1563    |          |                   | 1.1.1d-r0     | openssl: information           |
|         |                  |          |                   |               | disclosure in PKCS7_dataDecode |
|         |                  |          |                   |               | and CMS_decrypt_set1_pkey      |
+         +------------------+          +                   +---------------+--------------------------------+
|         | CVE-2020-1967    |          |                   | 1.1.1g-r0     | openssl: Segmentation fault in |
|         |                  |          |                   |               | SSL_check_chain causes denial  |
|         |                  |          |                   |               | of service                     |
+         +------------------+----------+                   +---------------+--------------------------------+
|         | CVE-2019-1547    | LOW      |                   | 1.1.1d-r0     | openssl: side-channel weak     |
|         |                  |          |                   |               | encryption vulnerability       |
+---------+------------------+----------+-------------------+---------------+--------------------------------+

Scan a project including a lock file

$ trivy fs ~/src/github.com/aquasecurity/trivy-ci-test
Result
2020-06-01T17:06:58.652+0300    WARN    OS is not detected and vulnerabilities in OS packages are not detected.
2020-06-01T17:06:58.652+0300    INFO    Detecting pipenv vulnerabilities...
2020-06-01T17:06:58.691+0300    INFO    Detecting cargo vulnerabilities...

Pipfile.lock
============
Total: 10 (UNKNOWN: 2, LOW: 0, MEDIUM: 6, HIGH: 2, CRITICAL: 0)

+---------------------+------------------+----------+-------------------+------------------------+------------------------------------+
|       LIBRARY       | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |     FIXED VERSION      |               TITLE                |
+---------------------+------------------+----------+-------------------+------------------------+------------------------------------+
| django              | CVE-2020-7471    | HIGH     | 2.0.9             | 3.0.3, 2.2.10, 1.11.28 | django: potential                  |
|                     |                  |          |                   |                        | SQL injection via                  |
|                     |                  |          |                   |                        | StringAgg(delimiter)               |
+                     +------------------+----------+                   +------------------------+------------------------------------+
|                     | CVE-2019-19844   | MEDIUM   |                   | 3.0.1, 2.2.9, 1.11.27  | Django: crafted email address      |
|                     |                  |          |                   |                        | allows account takeover            |
+                     +------------------+          +                   +------------------------+------------------------------------+
|                     | CVE-2019-3498    |          |                   | 2.1.5, 2.0.10, 1.11.18 | python-django: Content             |
|                     |                  |          |                   |                        | spoofing via URL path in           |
|                     |                  |          |                   |                        | default 404 page                   |
+                     +------------------+          +                   +------------------------+------------------------------------+
|                     | CVE-2019-6975    |          |                   | 2.1.6, 2.0.11, 1.11.19 | python-django:                     |
|                     |                  |          |                   |                        | memory exhaustion in               |
|                     |                  |          |                   |                        | django.utils.numberformat.format() |
+---------------------+------------------+----------+-------------------+------------------------+------------------------------------+
...

Embed in Dockerfile

$ cat Dockerfile
FROM alpine:3.7

RUN apk add curl \
    && curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin \
    && trivy filesystem --exit-code 1 --no-progress /

$ docker build -t vulnerable-image .
Result
Sending build context to Docker daemon  31.14MB
Step 1/2 : FROM alpine:3.7
 ---> 6d1ef012b567
Step 2/2 : RUN curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin && trivy filesystem --exit-code 1 --no-progress /
 ---> Running in 27b004205da0
2020-06-01T14:10:41.261Z        INFO    Need to update DB
2020-06-01T14:10:41.262Z        INFO    Downloading DB...
2020-06-01T14:10:56.188Z        INFO    Detecting Alpine vulnerabilities...
2020-06-01T14:10:56.188Z        WARN    This OS version is no longer supported by the distribution: alpine 3.7.3
2020-06-01T14:10:56.188Z        WARN    The vulnerability detection may be insufficient because security updates are not provided

27b004205da0 (alpine 3.7.3)
===========================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

+---------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| musl    | CVE-2019-14697   | HIGH     | 1.1.18-r3         | 1.1.18-r4     | musl libc through 1.1.23       |
|         |                  |          |                   |               | has an x87 floating-point      |
|         |                  |          |                   |               | stack adjustment imbalance,    |
|         |                  |          |                   |               | related...                     |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
The command '/bin/sh -c trivy filesystem --exit-code 1 --no-progress /' returned a non-zero code: 1

Save the results as JSON

$ trivy image -f json -o results.json golang:1.12-alpine
Result
2019-05-16T01:46:31.777+0900    INFO    Updating vulnerability database...
2019-05-16T01:47:03.007+0900    INFO    Detecting Alpine vulnerabilities...
JSON
[
  {
    "Target": "php-app/composer.lock",
    "Vulnerabilities": null
  },
  {
    "Target": "node-app/package-lock.json",
    "Vulnerabilities": [
      {
        "VulnerabilityID": "CVE-2018-16487",
        "PkgName": "lodash",
        "InstalledVersion": "4.17.4",
        "FixedVersion": "\u003e=4.17.11",
        "Title": "lodash: Prototype pollution in utilities function",
        "Description": "A prototype pollution vulnerability was found in lodash \u003c4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.",
        "Severity": "HIGH",
        "References": [
          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16487"
        ]
      }
    ]
  },
  {
    "Target": "trivy-ci-test (alpine 3.7.1)",
    "Vulnerabilities": [
      {
        "VulnerabilityID": "CVE-2018-16840",
        "PkgName": "curl",
        "InstalledVersion": "7.61.0-r0",
        "FixedVersion": "7.61.1-r1",
        "Title": "curl: Use-after-free when closing \"easy\" handle in Curl_close()",
        "Description": "A heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. ",
        "Severity": "HIGH",
        "References": [
          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16840"
        ]
      },
      {
        "VulnerabilityID": "CVE-2019-3822",
        "PkgName": "curl",
        "InstalledVersion": "7.61.0-r0",
        "FixedVersion": "7.61.1-r2",
        "Title": "curl: NTLMv2 type-3 header stack buffer overflow",
        "Description": "libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. ",
        "Severity": "HIGH",
        "References": [
          "https://curl.haxx.se/docs/CVE-2019-3822.html",
          "https://lists.apache.org/thread.html/[email protected]%3Cdevnull.infra.apache.org%3E"
        ]
      },
      {
        "VulnerabilityID": "CVE-2018-16839",
        "PkgName": "curl",
        "InstalledVersion": "7.61.0-r0",
        "FixedVersion": "7.61.1-r1",
        "Title": "curl: Integer overflow leading to heap-based buffer overflow in Curl_sasl_create_plain_message()",
        "Description": "Curl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service.",
        "Severity": "HIGH",
        "References": [
          "https://github.com/curl/curl/commit/f3a24d7916b9173c69a3e0ee790102993833d6c5"
        ]
      },
      {
        "VulnerabilityID": "CVE-2018-19486",
        "PkgName": "git",
        "InstalledVersion": "2.15.2-r0",
        "FixedVersion": "2.15.3-r0",
        "Title": "git: Improper handling of PATH allows for commands to be executed from the current directory",
        "Description": "Git before 2.19.2 on Linux and UNIX executes commands from the current working directory (as if '.' were at the end of $PATH) in certain cases involving the run_command() API and run-command.c, because there was a dangerous change from execvp to execv during 2017.",
        "Severity": "HIGH",
        "References": [
          "https://usn.ubuntu.com/3829-1/"
        ]
      },
      {
        "VulnerabilityID": "CVE-2018-17456",
        "PkgName": "git",
        "InstalledVersion": "2.15.2-r0",
        "FixedVersion": "2.15.3-r0",
        "Title": "git: arbitrary code execution via .gitmodules",
        "Description": "Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive \"git clone\" of a superproject if a .gitmodules file has a URL field beginning with a '-' character.",
        "Severity": "HIGH",
        "References": [
          "http://www.securitytracker.com/id/1041811"
        ]
      }
    ]
  },
  {
    "Target": "python-app/Pipfile.lock",
    "Vulnerabilities": null
  },
  {
    "Target": "ruby-app/Gemfile.lock",
    "Vulnerabilities": null
  },
  {
    "Target": "rust-app/Cargo.lock",
    "Vulnerabilities": null
  }
]

Vulnerabilities is null for a target with no findings. Within Vulnerabilities, VulnerabilityID, PkgName, InstalledVersion, and Severity are always filled with values, but other fields (such as FixedVersion) might be empty.

Save the results using a template

$ trivy image --format template --template "{{ range . }} {{ .Target }} {{ end }}" golang:1.12-alpine
Result
2020-01-02T18:02:32.856+0100    INFO    Detecting Alpine vulnerabilities...
 golang:1.12-alpine (alpine 3.10.2)

You can compute figures within the template using sprig functions. For example, you can count the issues in each severity class:

$ trivy image --format template --template '{{- $critical := 0 }}{{- $high := 0 }}{{- range . }}{{- range .Vulnerabilities }}{{- if  eq .Severity "CRITICAL" }}{{- $critical = add $critical 1 }}{{- end }}{{- if  eq .Severity "HIGH" }}{{- $high = add $high 1 }}{{- end }}{{- end }}{{- end }}Critical: {{ $critical }}, High: {{ $high }}' golang:1.12-alpine
Result
Critical: 0, High: 2

For other features of sprig, see the official sprig documentation.
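The same Critical/High count as the sprig template above, computed instead from a saved JSON report in the layout shown under "Save the results as JSON", with a severity gate on top like --severity and --exit-code. This is an added example, not Trivy's own code; the report data is constructed and the function names are ours.

```python
"""Parse a Trivy JSON report and apply a CI severity gate (added example)."""
import json
import sys
from collections import Counter
from typing import Iterator, List, Tuple

# Severity names as Trivy prints them in its "Total:" line.
SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")

# Constructed sample in the shape of the report above: one clean target
# (Vulnerabilities is null, not []), a FixedVersion given as a range, and a
# LOW finding with no FixedVersion at all (as for apt CVE-2011-3374 above).
SAMPLE_REPORT = """
[
  {"Target": "php-app/composer.lock", "Vulnerabilities": null},
  {"Target": "node-app/package-lock.json",
   "Vulnerabilities": [
     {"VulnerabilityID": "CVE-2018-16487", "PkgName": "lodash",
      "InstalledVersion": "4.17.4", "FixedVersion": ">=4.17.11",
      "Severity": "HIGH"}
   ]},
  {"Target": "trivy-ci-test (alpine 3.7.1)",
   "Vulnerabilities": [
     {"VulnerabilityID": "CVE-2018-16840", "PkgName": "curl",
      "InstalledVersion": "7.61.0-r0", "FixedVersion": "7.61.1-r1",
      "Severity": "HIGH"}
   ]},
  {"Target": "ruby:2.4.0 (debian 8.7)",
   "Vulnerabilities": [
     {"VulnerabilityID": "CVE-2011-3374", "PkgName": "apt",
      "InstalledVersion": "1.0.9.8.3", "Severity": "LOW"}
   ]}
]
"""


def load_report(text: str) -> list:
    """Parse the report; Trivy writes a JSON array with one entry per target."""
    report = json.loads(text)
    if not isinstance(report, list):
        raise ValueError("expected a JSON array of targets")
    return report


def iter_findings(report: list) -> Iterator[Tuple[str, dict]]:
    """Yield (target, vuln) pairs, treating a null Vulnerabilities as empty."""
    for entry in report:
        for vuln in entry.get("Vulnerabilities") or []:
            yield entry["Target"], vuln


def severity_counts(report: list) -> Counter:
    """Count findings per severity, like the sprig template does for HIGH/CRITICAL."""
    counts = Counter({s: 0 for s in SEVERITIES})
    for _, vuln in iter_findings(report):
        counts[vuln.get("Severity", "UNKNOWN")] += 1
    return counts


def summary_line(report: list) -> str:
    """Same output as the template example: 'Critical: N, High: M'."""
    counts = severity_counts(report)
    return f"Critical: {counts['CRITICAL']}, High: {counts['HIGH']}"


def gate(report: list, fail_on=("HIGH", "CRITICAL"),
         ignore_unfixed: bool = False) -> List[Tuple[str, str, str, str, str]]:
    """Return the findings that should fail the build.

    fail_on mirrors --severity; ignore_unfixed drops findings with no
    FixedVersion, which only the always-present fields let us rely on.
    """
    failing = []
    for target, vuln in iter_findings(report):
        if vuln["Severity"] not in fail_on:
            continue
        fixed = vuln.get("FixedVersion") or ""
        if ignore_unfixed and not fixed:
            continue
        failing.append((target, vuln["VulnerabilityID"], vuln["PkgName"],
                        vuln["InstalledVersion"], fixed or "(no fix available)"))
    return failing


if __name__ == "__main__":
    # Usage: python gate.py results.json  (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    rep = load_report(text)
    print(summary_line(rep))
    failures = gate(rep)
    for target, vid, pkg, installed, fixed in failures:
        print(f"{target}: {vid} {pkg} {installed} -> {fixed}")
    sys.exit(1 if failures else 0)  # non-zero, like trivy --exit-code 1
```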

You can load a template from a file by prefixing the template path with @.

$ trivy image --format template --template "@/path/to/template" golang:1.12-alpine

In the following example, a JUnit XML report is generated using the template junit.tpl.

$ trivy image --format template --template "@contrib/junit.tpl" -o junit-report.xml  golang:1.12-alpine

In the following example, a SARIF report is generated using the template sarif.tpl.

$ trivy image --format template --template "@contrib/sarif.tpl" -o report.sarif  golang:1.12-alpine

This SARIF format can be uploaded to GitHub code scanning results, and there is a Trivy GitHub Action for automating this process.

Trivy also supports an ASFF template for reporting findings to AWS Security Hub.

Filter the vulnerabilities by severities

$ trivy image --severity HIGH,CRITICAL ruby:2.4.0
Result
2019-05-16T01:51:46.255+0900    INFO    Updating vulnerability database...
2019-05-16T01:51:49.213+0900    INFO    Detecting Debian vulnerabilities...

ruby:2.4.0 (debian 8.7)
=======================
Total: 1785 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1680, CRITICAL: 105)

+-----------------------------+------------------+----------+---------------------------+----------------------------------+-------------------------------------------------+
|           LIBRARY           | VULNERABILITY ID | SEVERITY |     INSTALLED VERSION     |          FIXED VERSION           |                      TITLE                      |
+-----------------------------+------------------+----------+---------------------------+----------------------------------+-------------------------------------------------+
| apt                         | CVE-2019-3462    | CRITICAL | 1.0.9.8.3                 | 1.0.9.8.5                        | Incorrect sanitation of the                     |
|                             |                  |          |                           |                                  | 302 redirect field in HTTP                      |
|                             |                  |          |                           |                                  | transport method of...                          |
+-----------------------------+------------------+----------+---------------------------+----------------------------------+-------------------------------------------------+
| bash                        | CVE-2019-9924    | HIGH     | 4.3-11                    | 4.3-11+deb8u2                    | bash: BASH_CMD is writable in                   |
|                             |                  |          |                           |                                  | restricted bash shells                          |
+                             +------------------+          +                           +----------------------------------+-------------------------------------------------+
|                             | CVE-2016-7543    |          |                           | 4.3-11+deb8u1                    | bash: Specially crafted                         |
|                             |                  |          |                           |                                  | SHELLOPTS+PS4 variables allows                  |
|                             |                  |          |                           |                                  | command substitution                            |
+-----------------------------+------------------+          +---------------------------+----------------------------------+-------------------------------------------------+
| binutils                    | CVE-2017-8421    |          | 2.25-5                    |                                  | binutils: Memory exhaustion in                  |
|                             |                  |          |                           |                                  | objdump via a crafted PE file                   |
+                             +------------------+          +                           +----------------------------------+-------------------------------------------------+
|                             | CVE-2017-14930   |          |                           |                                  | binutils: Memory leak in                        |
|                             |                  |          |                           |                                  | decode_line_info                                |
+                             +------------------+          +                           +----------------------------------+-------------------------------------------------+
|                             | CVE-2017-7614    |          |                           |                                  | binutils: NULL                                  |
|                             |                  |          |                           |                                  | pointer dereference in                          |
|                             |                  |          |                           |                                  | bfd_elf_final_link function                     |
+                             +------------------+          +                           +----------------------------------+-------------------------------------------------+
|                             | CVE-2014-9939    |          |                           |                                  | binutils: buffer overflow in                    |
|                             |                  |          |                           |                                  | ihex.c                                          |
+                             +------------------+          +                           +----------------------------------+-------------------------------------------------+
|                             | CVE-2017-13716   |          |                           |                                  | binutils: Memory leak with the                  |
|                             |                  |          |                           |                                  | C++ symbol demangler routine                    |
|                             |                  |          |                           |                                  | in libiberty                                    |
+                             +------------------+          +                           +----------------------------------+-------------------------------------------------+
|                             | CVE-2018-12699   |          |                           |                                  | binutils: heap-based buffer                     |
|                             |                  |          |                           |                                  | overflow in finish_stab in                      |
|                             |                  |          |                           |                                  | stabs.c                                         |
+-----------------------------+------------------+          +---------------------------+----------------------------------+-------------------------------------------------+
| bsdutils                    | CVE-2015-5224    |          | 2.25.2-6                  |                                  | util-linux: File name                           |
|                             |                  |          |                           |                                  | collision due to incorrect                      |
|                             |                  |          |                           |                                  | mkstemp use                                     |
+                             +------------------+          +                           +----------------------------------+-------------------------------------------------+
|                             | CVE-2016-2779    |          |                           |                                  | util-linux: runuser tty hijack                  |
|                             |                  |          |                           |                                  | via TIOCSTI ioctl                               |
+-----------------------------+------------------+----------+---------------------------+----------------------------------+-------------------------------------------------+

Filter the vulnerabilities by type

$ trivy image --vuln-type os ruby:2.4.0

Available values:

  • library
  • os
Result
2019-05-22T19:36:50.530+0200    INFO    Updating vulnerability database...
2019-05-22T19:36:51.681+0200    INFO    Detecting Alpine vulnerabilities...
2019-05-22T19:36:51.685+0200    INFO    Updating npm Security DB...
2019-05-22T19:36:52.389+0200    INFO    Detecting npm vulnerabilities...
2019-05-22T19:36:52.390+0200    INFO    Updating pipenv Security DB...
2019-05-22T19:36:53.406+0200    INFO    Detecting pipenv vulnerabilities...

ruby:2.4.0 (debian 8.7)
Total: 4751 (UNKNOWN: 1, LOW: 150, MEDIUM: 3504, HIGH: 1013, CRITICAL: 83)

+---------+------------------+----------+-------------------+---------------+----------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |              TITLE               |
+---------+------------------+----------+-------------------+---------------+----------------------------------+
| curl    | CVE-2018-14618   | CRITICAL | 7.61.0-r0         | 7.61.1-r0     | curl: NTLM password overflow     |
|         |                  |          |                   |               | via integer overflow             |
+         +------------------+----------+                   +---------------+----------------------------------+
|         | CVE-2018-16839   | HIGH     |                   | 7.61.1-r1     | curl: Integer overflow leading   |
|         |                  |          |                   |               | to heap-based buffer overflow in |
|         |                  |          |                   |               | Curl_sasl_create_plain_message() |
+         +------------------+          +                   +---------------+----------------------------------+
|         | CVE-2019-3822    |          |                   | 7.61.1-r2     | curl: NTLMv2 type-3 header       |
|         |                  |          |                   |               | stack buffer overflow            |
+         +------------------+          +                   +---------------+----------------------------------+
|         | CVE-2018-16840   |          |                   | 7.61.1-r1     | curl: Use-after-free when        |
|         |                  |          |                   |               | closing "easy" handle in         |
|         |                  |          |                   |               | Curl_close()                     |
+         +------------------+----------+                   +---------------+----------------------------------+
|         | CVE-2019-3823    | MEDIUM   |                   | 7.61.1-r2     | curl: SMTP end-of-response       |
|         |                  |          |                   |               | out-of-bounds read               |
+         +------------------+          +                   +               +----------------------------------+
|         | CVE-2018-16890   |          |                   |               | curl: NTLM type-2 heap           |
|         |                  |          |                   |               | out-of-bounds buffer read        |
+         +------------------+          +                   +---------------+----------------------------------+
|         | CVE-2018-16842   |          |                   | 7.61.1-r1     | curl: Heap-based buffer          |
|         |                  |          |                   |               | over-read in the curl tool       |
|         |                  |          |                   |               | warning formatting               |
+---------+------------------+----------+-------------------+---------------+----------------------------------+
| git     | CVE-2018-17456   | HIGH     | 2.15.2-r0         | 2.15.3-r0     | git: arbitrary code execution    |
|         |                  |          |                   |               | via .gitmodules                  |
+         +------------------+          +                   +               +----------------------------------+
|         | CVE-2018-19486   |          |                   |               | git: Improper handling of        |
|         |                  |          |                   |               | PATH allows for commands to be   |
|         |                  |          |                   |               | executed from...                 |
+---------+------------------+----------+-------------------+---------------+----------------------------------+
| libssh2 | CVE-2019-3855    | CRITICAL | 1.8.0-r2          | 1.8.1-r0      | libssh2: Integer overflow in     |
|         |                  |          |                   |               | transport read resulting in      |
|         |                  |          |                   |               | out of bounds write...           |
+         +------------------+----------+                   +               +----------------------------------+
|         | CVE-2019-3861    | MEDIUM   |                   |               | libssh2: Out-of-bounds reads     |
|         |                  |          |                   |               | with specially crafted SSH       |
|         |                  |          |                   |               | packets                          |
+         +------------------+          +                   +               +----------------------------------+
|         | CVE-2019-3857    |          |                   |               | libssh2: Integer overflow in     |
|         |                  |          |                   |               | SSH packet processing channel    |
|         |                  |          |                   |               | resulting in out of...           |
+         +------------------+          +                   +               +----------------------------------+
|         | CVE-2019-3856    |          |                   |               | libssh2: Integer overflow in     |
|         |                  |          |                   |               | keyboard interactive handling    |
|         |                  |          |                   |               | resulting in out of bounds...    |
+         +------------------+          +                   +               +----------------------------------+
|         | CVE-2019-3863    |          |                   |               | libssh2: Integer overflow        |
|         |                  |          |                   |               | in user authenticate             |
|         |                  |          |                   |               | keyboard interactive allows      |
|         |                  |          |                   |               | out-of-bounds writes             |
+         +------------------+          +                   +               +----------------------------------+
|         | CVE-2019-3862    |          |                   |               | libssh2: Out-of-bounds memory    |
|         |                  |          |                   |               | comparison with specially        |
|         |                  |          |                   |               | crafted message channel          |
|         |                  |          |                   |               | request                          |
+         +------------------+          +                   +               +----------------------------------+
|         | CVE-2019-3860    |          |                   |               | libssh2: Out-of-bounds reads     |
|         |                  |          |                   |               | with specially crafted SFTP      |
|         |                  |          |                   |               | packets                          |
+         +------------------+          +                   +               +----------------------------------+
|         | CVE-2019-3858    |          |                   |               | libssh2: Zero-byte allocation    |
|         |                  |          |                   |               | with a specially crafted SFTP    |
|         |                  |          |                   |               | packed leading to an...          |
+         +------------------+          +                   +               +----------------------------------+
|         | CVE-2019-3859    |          |                   |               | libssh2: Unchecked use of        |
|         |                  |          |                   |               | _libssh2_packet_require and      |
|         |                  |          |                   |               | _libssh2_packet_requirev         |
|         |                  |          |                   |               | resulting in out-of-bounds       |
|         |                  |          |                   |               | read                             |
+---------+------------------+          +-------------------+---------------+----------------------------------+
| libxml2 | CVE-2018-14404   |          | 2.9.7-r0          | 2.9.8-r1      | libxml2: NULL pointer            |
|         |                  |          |                   |               | dereference in                   |
|         |                  |          |                   |               | xpath.c:xmlXPathCompOpEval()     |
|         |                  |          |                   |               | can allow attackers to cause     |
|         |                  |          |                   |               | a...                             |
+         +------------------+          +                   +               +----------------------------------+
|         | CVE-2018-14567   |          |                   |               | libxml2: Infinite loop when      |
|         |                  |          |                   |               | --with-lzma is used allows for   |
|         |                  |          |                   |               | denial of service...             |
+         +------------------+----------+                   +               +----------------------------------+
|         | CVE-2018-9251    | LOW      |                   |               | libxml2: infinite loop in        |
|         |                  |          |                   |               | xz_decomp function in xzlib.c    |
+---------+------------------+----------+-------------------+---------------+----------------------------------+
| openssh | CVE-2019-6109    | MEDIUM   | 7.5_p1-r9         | 7.5_p1-r10    | openssh: Missing character       |
|         |                  |          |                   |               | encoding in progress display     |
|         |                  |          |                   |               | allows for spoofing of scp...    |
+         +------------------+          +                   +               +----------------------------------+
|         | CVE-2019-6111    |          |                   |               | openssh: Improper validation     |
|         |                  |          |                   |               | of object names allows           |
|         |                  |          |                   |               | malicious server to overwrite    |
|         |                  |          |                   |               | files...                         |
+         +------------------+----------+                   +               +----------------------------------+
|         | CVE-2018-20685   | LOW      |                   |               | openssh: scp client improper     |
|         |                  |          |                   |               | directory name validation        |
+---------+------------------+----------+-------------------+---------------+----------------------------------+
| sqlite  | CVE-2018-20346   | MEDIUM   | 3.21.0-r1         | 3.25.3-r0     | CVE-2018-20505 CVE-2018-20506    |
|         |                  |          |                   |               | sqlite: Multiple flaws in        |
|         |                  |          |                   |               | sqlite which can be triggered    |
|         |                  |          |                   |               | via...                           |
+---------+------------------+----------+-------------------+---------------+----------------------------------+
| tar     | CVE-2018-20482   | LOW      | 1.29-r1           | 1.31-r0       | tar: Infinite read loop in       |
|         |                  |          |                   |               | sparse_dump_region function in   |
|         |                  |          |                   |               | sparse.c                         |
+---------+------------------+----------+-------------------+---------------+----------------------------------+

Filter the vulnerabilities by Open Policy Agent policy

[EXPERIMENTAL] This feature might change without preserving backwards compatibility.

Trivy supports Open Policy Agent (OPA) policies to filter vulnerabilities. You can specify a Rego file with the --ignore-policy option.

The Rego package name must be trivy and it must include a rule called ignore, which determines whether each individual vulnerability is excluded (ignore=true) or kept (ignore=false). In the policy, each vulnerability is available for inspection as the input variable. The structure of each vulnerability input is the same as in the Trivy JSON output.
There is a built-in Rego library of helper functions that you can import into your policy with import data.lib.trivy. For more information about the helper functions, look at the library here.

To get started, see the example policy.

$ trivy image --ignore-policy contrib/example_filter/basic.rego centos:7
Result
centos:7 (centos 7.8.2003)
==========================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

+---------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| glib2   | CVE-2016-3191    | HIGH     | 2.56.1-5.el7      |               | pcre: workspace overflow       |
|         |                  |          |                   |               | for (*ACCEPT) with deeply      |
|         |                  |          |                   |               | nested parentheses (8.39/13,   |
|         |                  |          |                   |               | 10.22/12)                      |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
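As an added illustration (this is not the contrib/example_filter/basic.rego policy run above), the following policy combines three exclusions in one ignore rule: an accepted-risk list equivalent to .trivyignore, dropping findings without a fixed version like --ignore-unfixed, and accepting LOW findings in named packages. The input field names VulnerabilityID, PkgName, Severity and FixedVersion are assumed to match Trivy's JSON output, and the CVE IDs and package names are constructed values for the example; the helper library is not needed for these rules, so it is not imported.

```rego
package trivy

# Trivy evaluates this policy once per vulnerability, with that
# vulnerability bound to `input`. ignore = true drops it from the
# report; anything no rule body matches is kept.
default ignore = false

# Constructed values for this example, not a recommended baseline.
accepted_cves := {"CVE-2019-1543", "CVE-2018-14618"}
low_risk_pkgs := {"tar"}

# Multiple bodies for the same rule are OR-ed together: a finding is
# ignored as soon as any one of them holds.

# 1. Accepted risk, the equivalent of listing the ID in .trivyignore.
ignore {
	accepted_cves[input.VulnerabilityID]
}

# 2. The distribution has not published a fix yet, the equivalent of
#    --ignore-unfixed. object.get covers both a missing FixedVersion
#    key and an empty string (assumed shapes of the JSON input).
ignore {
	object.get(input, "FixedVersion", "") == ""
}

# 3. LOW severity findings in packages considered low risk for this
#    image. Both conditions must hold within one body (AND).
ignore {
	input.Severity == "LOW"
	low_risk_pkgs[input.PkgName]
}
```

Save it as a .rego file and pass it with --ignore-policy; the Total line of the report shows how many findings the policy removed.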

Skip traversal of the specific files

Trivy traverses directories and looks for all lock files by default. If your image contains lock files that you do not maintain, you can skip those files.

$ trivy image --skip-files "/Gemfile.lock,/app/Pipfile.lock" quay.io/fluentd_elasticsearch/fluentd:v2.9.0

Skip traversal in the specific directory

Trivy traverses directories and looks for all lock files by default. If your image contains lock files that you do not maintain, you can skip traversal of the directory containing them.

$ trivy image --skip-dirs "/usr/lib/ruby/gems,/etc" fluent/fluentd:edge

Skip update of vulnerability DB

Trivy updates its vulnerability database every 12 hours when it starts. This is usually fast, as the DB is only 10~30MB. If you want to skip even that update, use the --skip-update option. Note that a scan against a stale database can miss recently published vulnerabilities.

$ trivy image --skip-update python:3.4-alpine3.9
Result
2019-05-16T12:48:08.703+0900    INFO    Detecting Alpine vulnerabilities...

python:3.4-alpine3.9 (alpine 3.9.2)
===================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

+---------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| openssl | CVE-2019-1543    | MEDIUM   | 1.1.1a-r1         | 1.1.1b-r1     | openssl: ChaCha20-Poly1305     |
|         |                  |          |                   |               | with long nonces               |
+---------+------------------+----------+-------------------+---------------+--------------------------------+

Only download vulnerability database

You can also ask Trivy to simply retrieve the vulnerability database. This is useful to initialize workers in Continuous Integration systems.

$ trivy image --download-db-only

Ignore unfixed vulnerabilities

By default, Trivy also reports unpatched/unfixed vulnerabilities, that is, vulnerabilities for which the distribution has not yet published a fix; updating all packages does not remove them. If you would like to ignore them, use the --ignore-unfixed option.

$ trivy image --ignore-unfixed ruby:2.4.0
Result
2019-05-16T12:49:52.656+0900    INFO    Updating vulnerability database...
2019-05-16T12:50:14.786+0900    INFO    Detecting Debian vulnerabilities...

ruby:2.4.0 (debian 8.7)
=======================
Total: 4730 (UNKNOWN: 1, LOW: 145, MEDIUM: 3487, HIGH: 1014, CRITICAL: 83)

+------------------------------+------------------+----------+----------------------------+----------------------------------+-----------------------------------------------------+
|           LIBRARY            | VULNERABILITY ID | SEVERITY |     INSTALLED VERSION      |          FIXED VERSION           |                        TITLE                        |
+------------------------------+------------------+----------+----------------------------+----------------------------------+-----------------------------------------------------+
| apt                          | CVE-2019-3462    | CRITICAL | 1.0.9.8.3                  | 1.0.9.8.5                        | Incorrect sanitation of the                         |
|                              |                  |          |                            |                                  | 302 redirect field in HTTP                          |
|                              |                  |          |                            |                                  | transport method of...                              |
+                              +------------------+----------+                            +----------------------------------+-----------------------------------------------------+
|                              | CVE-2016-1252    | MEDIUM   |                            | 1.0.9.8.4                        | The apt package in Debian                           |
|                              |                  |          |                            |                                  | jessie before 1.0.9.8.4, in                         |
|                              |                  |          |                            |                                  | Debian unstable before...                           |
+------------------------------+------------------+----------+----------------------------+----------------------------------+-----------------------------------------------------+
| bash                         | CVE-2019-9924    | HIGH     | 4.3-11                     | 4.3-11+deb8u2                    | bash: BASH_CMD is writable in                       |
|                              |                  |          |                            |                                  | restricted bash shells                              |
+                              +------------------+          +                            +----------------------------------+-----------------------------------------------------+
|                              | CVE-2016-7543    |          |                            | 4.3-11+deb8u1                    | bash: Specially crafted                             |
|                              |                  |          |                            |                                  | SHELLOPTS+PS4 variables allows                      |
|                              |                  |          |                            |                                  | command substitution                                |
+                              +------------------+----------+                            +                                  +-----------------------------------------------------+
|                              | CVE-2016-0634    | MEDIUM   |                            |                                  | bash: Arbitrary code execution                      |
|                              |                  |          |                            |                                  | via malicious hostname                              |
+                              +------------------+----------+                            +----------------------------------+-----------------------------------------------------+
|                              | CVE-2016-9401    | LOW      |                            | 4.3-11+deb8u2                    | bash: popd controlled free                          |
+------------------------------+------------------+----------+----------------------------+----------------------------------+-----------------------------------------------------+
...

Specify exit code

By default, Trivy exits with code 0 even when vulnerabilities are detected. Use the --exit-code option if you want to exit with a non-zero exit code.

$ trivy image --exit-code 1 python:3.4-alpine3.9
Result
2019-05-16T12:51:43.500+0900    INFO    Updating vulnerability database...
2019-05-16T12:52:00.387+0900    INFO    Detecting Alpine vulnerabilities...

python:3.4-alpine3.9 (alpine 3.9.2)
===================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

+---------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| openssl | CVE-2019-1543    | MEDIUM   | 1.1.1a-r1         | 1.1.1b-r1     | openssl: ChaCha20-Poly1305     |
|         |                  |          |                   |               | with long nonces               |
+---------+------------------+----------+-------------------+---------------+--------------------------------+

This option is useful for CI/CD. In the following example, the test will fail only when a critical vulnerability is found.

$ trivy image --exit-code 0 --severity MEDIUM,HIGH ruby:2.4.0
$ trivy image --exit-code 1 --severity CRITICAL ruby:2.4.0

Ignore the specified vulnerabilities

Use .trivyignore.

$ cat .trivyignore
# Accept the risk
CVE-2018-14618

# No impact in our settings
CVE-2019-1543

$ trivy image python:3.4-alpine3.9
Result
2019-05-16T12:53:10.076+0900    INFO    Updating vulnerability database...
2019-05-16T12:53:28.134+0900    INFO    Detecting Alpine vulnerabilities...

python:3.4-alpine3.9 (alpine 3.9.2)
===================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Specify cache directory

$ trivy --cache-dir /tmp/trivy/ image python:3.4-alpine3.9

Specify cache backend

[EXPERIMENTAL] This feature might change without preserving backwards compatibility.

Trivy supports local filesystem and Redis as the cache backend. This option is useful especially for client/server mode.

Two options:

  • fs
    • the cache path can be specified by --cache-dir
  • redis://
    • redis://[HOST]:[PORT]

$ trivy server --cache-backend redis://localhost:6379

Clear caches

The --clear-cache option removes the image caches; no scan is performed.

$ trivy image --clear-cache
Result
2019-11-15T15:13:26.209+0200    INFO    Reopening vulnerability DB
2019-11-15T15:13:26.209+0200    INFO    Removing image caches...

Reset

The --reset option removes all caches and the database. After this, the next run takes a long time, as the vulnerability database needs to be rebuilt locally.

$ trivy image --reset
Result
2019-05-16T13:05:31.935+0900    INFO    Resetting...

Use lightweight DB

The lightweight DB doesn't contain vulnerability details such as descriptions and references. Because of that, the DB is smaller and the download is faster.

This option is useful when you don't need vulnerability details and is suitable for CI/CD. For the additional information, you can look up vulnerability details on the NVD website: https://nvd.nist.gov/vuln/search

$ trivy image --light alpine:3.10

With the --light option, titles are not displayed, as in the following example.

Result
2019-11-14T10:21:01.553+0200    INFO    Reopening vulnerability DB
2019-11-14T10:21:02.574+0200    INFO    Detecting Alpine vulnerabilities...

alpine:3.10 (alpine 3.10.2)
===========================
Total: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

+---------+------------------+----------+-------------------+---------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |
+---------+------------------+----------+-------------------+---------------+
| openssl | CVE-2019-1549    | MEDIUM   | 1.1.1c-r0         | 1.1.1d-r0     |
+         +------------------+          +                   +               +
|         | CVE-2019-1563    |          |                   |               |
+         +------------------+----------+                   +               +
|         | CVE-2019-1547    | LOW      |                   |               |
+---------+------------------+----------+-------------------+---------------+

Client / Server

Trivy has a client/server mode. The Trivy server holds the vulnerability database, so Trivy clients do not have to download it. This is useful if you want to scan images at multiple locations and do not want to download the database at every location.

Server

First, launch the Trivy server. It downloads the vulnerability database automatically and continues to fetch the latest DB in the background.

$ trivy server --listen localhost:8080
2019-12-12T15:17:06.551+0200    INFO    Need to update DB
2019-12-12T15:17:56.706+0200    INFO    Reopening DB...
2019-12-12T15:17:56.707+0200    INFO    Listening localhost:8080...

If you want to accept connections from other hosts, specify 0.0.0.0 or your IP address instead of localhost. A server listening on all interfaces is reachable by any host that can route to it, so protect it with --token (see Authentication below).

$ trivy server --listen 0.0.0.0:8080

Client

Then, specify the remote address.

$ trivy client --remote http://localhost:8080 alpine:3.10
Result
alpine:3.10 (alpine 3.10.2)
===========================
Total: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

+---------+------------------+----------+-------------------+---------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |
+---------+------------------+----------+-------------------+---------------+
| openssl | CVE-2019-1549    | MEDIUM   | 1.1.1c-r0         | 1.1.1d-r0     |
+         +------------------+          +                   +               +
|         | CVE-2019-1563    |          |                   |               |
+         +------------------+----------+                   +               +
|         | CVE-2019-1547    | LOW      |                   |               |
+---------+------------------+----------+-------------------+---------------+

Authentication

$ trivy server --listen localhost:8080 --token dummy
$ trivy client --remote http://localhost:8080 --token dummy alpine:3.10

Deprecated options

--only-update, --refresh and --auto-refresh are deprecated since they are no longer necessary. These options will be removed in the next version.

Continuous Integration (CI)

Scan your image automatically as part of your CI workflow, failing the workflow if a vulnerability is found. When you don't want to fail the test, specify --exit-code 0.

Since in automated scenarios such as CI/CD you are only interested in the end result, and not the full report, use the --light flag to optimize for this scenario and get fast results.

GitHub Actions

  • Here is the Trivy Github Action
  • The Microsoft Azure team have written a container-scan action that uses Trivy and Dockle
  • For full control over the options specified to Trivy, this blog post describes adding Trivy into your own GitHub action workflows

Travis CI

$ cat .travis.yml
services:
  - docker

env:
  global:
    - COMMIT=${TRAVIS_COMMIT::8}

before_install:
  - docker build -t trivy-ci-test:${COMMIT} .
  - export VERSION=$(curl --silent "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
  - wget https://github.com/aquasecurity/trivy/releases/download/v${VERSION}/trivy_${VERSION}_Linux-64bit.tar.gz
  - tar zxvf trivy_${VERSION}_Linux-64bit.tar.gz
script:
  - ./trivy --exit-code 0 --severity HIGH --no-progress trivy-ci-test:${COMMIT}
  - ./trivy --exit-code 1 --severity CRITICAL --no-progress trivy-ci-test:${COMMIT}
cache:
  directories:
    - $HOME/.cache/trivy

Example: https://travis-ci.org/aquasecurity/trivy-ci-test

Repository: https://github.com/aquasecurity/trivy-ci-test

CircleCI

$ cat .circleci/config.yml
jobs:
  build:
    docker:
      - image: docker:stable-git
    steps:
      - checkout
      - setup_remote_docker
      - run:
          name: Build image
          command: docker build -t trivy-ci-test:${CIRCLE_SHA1} .
      - run:
          name: Install trivy
          command: |
            apk add --update-cache --upgrade curl
            VERSION=$(
                curl --silent "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | \
                grep '"tag_name":' | \
                sed -E 's/.*"v([^"]+)".*/\1/'
            )

            wget https://github.com/aquasecurity/trivy/releases/download/v${VERSION}/trivy_${VERSION}_Linux-64bit.tar.gz
            tar zxvf trivy_${VERSION}_Linux-64bit.tar.gz
            mv trivy /usr/local/bin
      - run:
          name: Scan the local image with trivy
          command: trivy --exit-code 0 --no-progress trivy-ci-test:${CIRCLE_SHA1}
workflows:
  version: 2
  release:
    jobs:
      - build

Example: https://circleci.com/gh/aquasecurity/trivy-ci-test

Repository: https://github.com/aquasecurity/trivy-ci-test

GitLab CI

$ cat .gitlab-ci.yml
stages:
  - test

trivy:
  stage: test
  image: docker:stable
  services:
    - name: docker:dind
      entrypoint: ["env", "-u", "DOCKER_HOST"]
      command: ["dockerd-entrypoint.sh"]
  variables:
    DOCKER_HOST: tcp://docker:2375/
    DOCKER_DRIVER: overlay2
    # See https://github.com/docker-library/docker/pull/166
    DOCKER_TLS_CERTDIR: ""
    IMAGE: trivy-ci-test:$CI_COMMIT_SHA
  before_script:
    - export TRIVY_VERSION=$(wget -qO - "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
    - echo $TRIVY_VERSION
    - wget --no-verbose https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz -O - | tar -zxvf -
  allow_failure: true
  script:
    # Build image
    - docker build -t $IMAGE .
    # Build report
    - ./trivy --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@contrib/gitlab.tpl" -o gl-container-scanning-report.json $IMAGE
    # Print report
    - ./trivy --exit-code 0 --cache-dir .trivycache/ --no-progress --severity HIGH $IMAGE
    # Fail on severe vulnerabilities
    - ./trivy --exit-code 1 --cache-dir .trivycache/ --severity CRITICAL --no-progress $IMAGE
  cache:
    paths:
      - .trivycache/
  # Enables https://docs.gitlab.com/ee/user/application_security/container_scanning/ (Container Scanning report is available on GitLab EE Ultimate or GitLab.com Gold)
  artifacts:
    reports:
      container_scanning: gl-container-scanning-report.json

Example: https://gitlab.com/aquasecurity/trivy-ci-test/pipelines

Repository: https://github.com/aquasecurity/trivy-ci-test

GitLab CI using Trivy container

To scan a previously built image that has already been pushed to the GitLab container registry, the following CI job manifest can be used. Note that the entrypoint needs to be unset for the script section to work. For a non-public GitLab project, Trivy additionally needs to authenticate to the registry to be able to pull your application image. Finally, it is not necessary to clone the project repo, as we only work with the container image.

container_scanning:
  image:
    name: docker.io/aquasec/trivy:latest
    entrypoint: [""]
  variables:
    # No need to clone the repo, we exclusively work on artifacts.  See
    # https://docs.gitlab.com/ee/ci/runners/README.html#git-strategy
    GIT_STRATEGY: none
    TRIVY_USERNAME: "$CI_REGISTRY_USER"
    TRIVY_PASSWORD: "$CI_REGISTRY_PASSWORD"
    TRIVY_AUTH_URL: "$CI_REGISTRY"
    FULL_IMAGE_NAME: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
  script:
    - trivy --version
    # cache cleanup is needed when scanning images with the same tags, it does not remove the database
    - time trivy image --clear-cache
    # update vulnerabilities db
    - time trivy --download-db-only --no-progress --cache-dir .trivycache/
    # Builds report and puts it in the default workdir $CI_PROJECT_DIR, so `artifacts:` can take it from there
    - time trivy --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@/contrib/gitlab.tpl"
        --output "$CI_PROJECT_DIR/gl-container-scanning-report.json" "$FULL_IMAGE_NAME"
    # Prints full report
    - time trivy --exit-code 0 --cache-dir .trivycache/ --no-progress "$FULL_IMAGE_NAME"
    # Fails on high and critical vulnerabilities
    - time trivy --exit-code 1 --cache-dir .trivycache/ --severity CRITICAL --no-progress "$FULL_IMAGE_NAME"
  cache:
    paths:
      - .trivycache/
  # Enables https://docs.gitlab.com/ee/user/application_security/container_scanning/ (Container Scanning report is available on GitLab EE Ultimate or GitLab.com Gold)
  artifacts:
    when:                          always
    reports:
      container_scanning:          gl-container-scanning-report.json
  tags:
    - docker-runner

AWS CodePipeline

See this blog post for an example of using Trivy within AWS CodePipeline.

AWS Security Hub

See here

Authorization for Private Docker Registry

Trivy can download images from a private registry without installing Docker or any other 3rd party tools. That makes it easy to run in a CI process.

All you have to do is install Trivy and set environment variables. Keeping registry credentials in environment variables on your local machine is not recommended, however.

Docker Hub

Docker Hub needs TRIVY_USERNAME and TRIVY_PASSWORD. You don't need to set these variables when downloading from a public repository.

export TRIVY_USERNAME={DOCKERHUB_USERNAME}
export TRIVY_PASSWORD={DOCKERHUB_PASSWORD}

Amazon ECR (Elastic Container Registry)

Trivy uses the AWS SDK, so you don't need to install the aws CLI tool. You can use the AWS CLI's environment variables.

GCR (Google Container Registry)

Trivy uses the Google Cloud SDK, so you don't need to install the gcloud command.

If you want to use the target project's repository, you can configure credentials via GOOGLE_APPLICATION_CREDENTIALS.

# TRIVY_USERNAME must be set to an empty string
export GOOGLE_APPLICATION_CREDENTIALS=/path/to/credential.json

Self Hosted Registry (BasicAuth)

BasicAuth server needs TRIVY_USERNAME and TRIVY_PASSWORD.

export TRIVY_USERNAME={USERNAME}
export TRIVY_PASSWORD={PASSWORD}

# to connect over plain HTTP on port 80, disable SSL
export TRIVY_NON_SSL=true

Vulnerability Detection

OS Packages

Unfixed/unfixable vulnerabilities are those for which the distribution has not yet provided a patch. Trivy does not support self-compiled packages/binaries, only official packages provided by vendors such as Red Hat and Debian.

| OS | Supported Versions | Target Packages | Detection of unfixed vulnerabilities |
|---|---|---|---|
| Alpine Linux | 2.2 - 2.7, 3.0 - 3.13 | Installed by apk | NO |
| Red Hat Universal Base Image | 7, 8 | Installed by yum/rpm | YES |
| Red Hat Enterprise Linux | 6, 7, 8 | Installed by yum/rpm | YES |
| CentOS | 6, 7 | Installed by yum/rpm | YES |
| Oracle Linux | 5, 6, 7, 8 | Installed by yum/rpm | NO |
| Amazon Linux | 1, 2 | Installed by yum/rpm | NO |
| openSUSE Leap | 42, 15 | Installed by zypper/rpm | NO |
| SUSE Enterprise Linux | 11, 12, 15 | Installed by zypper/rpm | NO |
| Photon OS | 1.0, 2.0, 3.0 | Installed by tdnf/yum/rpm | NO |
| Debian GNU/Linux | wheezy, jessie, stretch, buster | Installed by apt/apt-get/dpkg | YES |
| Ubuntu | Supported versions by Canonical *1 | Installed by apt/apt-get/dpkg | YES |
| Distroless | Any | Installed by apt/apt-get/dpkg | YES |

Distroless: https://github.com/GoogleContainerTools/distroless

*1 Trivy no longer detects vulnerabilities in versions that have reached End of Life.

Application Dependencies

Trivy automatically detects the following files in the container and scans the application dependencies they list for vulnerabilities.

  • Ruby
    • Gemfile.lock
  • Python
    • Pipfile.lock
    • poetry.lock
  • PHP
    • composer.lock
  • Node.js
    • package-lock.json
    • yarn.lock
  • Rust
    • Cargo.lock
  • .NET
    • packages.lock.json
  • Java
    • JAR/WAR/EAR files (*.jar, *.war, and *.ear)

The path of these files does not matter.

Example: https://github.com/aquasecurity/trivy-ci-test/blob/main/Dockerfile

Image Tar format

Trivy scans a tar image with the following format.

Data sources

Usage

Trivy has several subcommands: image, fs, repo, client and server.

NAME:
   trivy - A simple and comprehensive vulnerability scanner for containers

USAGE:
   trivy [global options] command [command options] target

VERSION:
   v0.15.0

COMMANDS:
   image, i          scan an image
   filesystem, fs    scan local filesystem
   repository, repo  scan remote repository
   client, c         client mode
   server, s         server mode
   help, h           Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --quiet, -q        suppress progress bar and log output (default: false) [$TRIVY_QUIET]
   --debug, -d        debug mode (default: false) [$TRIVY_DEBUG]
   --cache-dir value  cache directory (default: "/Users/teppei/Library/Caches/trivy") [$TRIVY_CACHE_DIR]
   --help, -h         show help (default: false)
   --version, -v      print the version (default: false)

Image

fs and repo have the same options as image.

NAME:
   trivy image - scan an image

USAGE:
   trivy image [command options] image_name

OPTIONS:
   --template value, -t value  output template [$TRIVY_TEMPLATE]
   --format value, -f value    format (table, json, template) (default: "table") [$TRIVY_FORMAT]
   --input value, -i value     input file path instead of image name [$TRIVY_INPUT]
   --severity value, -s value  severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
   --output value, -o value    output file name [$TRIVY_OUTPUT]
   --exit-code value           Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
   --skip-update               skip db update (default: false) [$TRIVY_SKIP_UPDATE]
   --download-db-only          download/update vulnerability database but don't run a scan (default: false) [$TRIVY_DOWNLOAD_DB_ONLY]
   --reset                     remove all caches and database (default: false) [$TRIVY_RESET]
   --clear-cache, -c           clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE]
   --no-progress               suppress progress bar (default: false) [$TRIVY_NO_PROGRESS]
   --ignore-unfixed            display only fixed vulnerabilities (default: false) [$TRIVY_IGNORE_UNFIXED]
   --removed-pkgs              detect vulnerabilities of removed packages (only for Alpine) (default: false) [$TRIVY_REMOVED_PKGS]
   --vuln-type value           comma-separated list of vulnerability types (os,library) (default: "os,library") [$TRIVY_VULN_TYPE]
   --ignorefile value          specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
   --timeout value             docker timeout (default: 5m0s) [$TRIVY_TIMEOUT]
   --light                     light mode: it's faster, but vulnerability descriptions and references are not displayed (default: false) [$TRIVY_LIGHT]
   --ignore-policy value       specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
   --list-all-pkgs             enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
   --skip-files value          specify the file path to skip traversal [$TRIVY_SKIP_FILES]
   --skip-dirs value           specify the directory where the traversal is skipped [$TRIVY_SKIP_DIRS]
   --cache-backend value       cache backend (e.g. redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND]
   --help, -h                  show help (default: false)
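The --severity, --ignore-unfixed and --exit-code options above are normally applied by trivy at scan time. The same gate can be reproduced afterwards over a report saved with --format json --output, for example when one scan feeds several CI jobs. The block below is an added example, not code from the Trivy project: the sample report is constructed, its field names (Target, Vulnerabilities, VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity) are assumed to follow Trivy's JSON report of the v0.15 line, and the only real identifier in it is CVE-2019-14697 on musl, which appears elsewhere on this page. It also handles the "Vulnerabilities": null that Trivy emits for a clean target (visible in the issues quoted later on this page), which a naive loop would trip over.

```python
"""Post-processing a Trivy JSON report as a CI gate (added example, not Trivy code).

Re-implements, over a report written with
``trivy image --format json --output report.json``, the effect of the
--severity, --ignore-unfixed and --exit-code options. Field names are an
assumption about Trivy's v0.15 JSON report; the sample values are invented
except CVE-2019-14697 on musl, which this README shows in a table.
"""
import json
from typing import Dict, List, Set

# Severity names exactly as the --severity option lists them (lowest first).
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample report. The second target has "Vulnerabilities": null,
# which is what Trivy emits for a target without findings.
SAMPLE_REPORT = json.dumps([
    {
        "Target": "myimage (alpine 3.8.4)",
        "Type": "alpine",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2019-14697", "PkgName": "musl",
             "InstalledVersion": "1.1.19-r10", "FixedVersion": "1.1.19-r11",
             "Severity": "HIGH"},
            # Placeholder identifiers (year 0000): not real CVEs.
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "example-lib",
             "InstalledVersion": "1.0-r0", "FixedVersion": "",
             "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "example-lib",
             "InstalledVersion": "1.0-r0", "FixedVersion": "1.0-r1",
             "Severity": "LOW"},
        ],
    },
    {"Target": "app/Gemfile.lock", "Type": "bundler", "Vulnerabilities": None},
])


def parse_severities(value: str) -> Set[str]:
    """Parse a comma separated --severity value; reject names Trivy does not use."""
    wanted = {s.strip().upper() for s in value.split(",") if s.strip()}
    unknown = wanted - set(SEVERITY_ORDER)
    if unknown:
        raise ValueError(f"unknown severity: {sorted(unknown)}")
    return wanted


def select_findings(report_json: str,
                    severities: str = ",".join(SEVERITY_ORDER),
                    ignore_unfixed: bool = False) -> List[Dict]:
    """Return the findings that --severity / --ignore-unfixed would display."""
    wanted = parse_severities(severities)
    selected = []
    for result in json.loads(report_json):
        # "or []" turns the null of a clean target into an empty list.
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity", "UNKNOWN") not in wanted:
                continue
            # --ignore-unfixed: drop findings for which no fixed version exists.
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            selected.append({"Target": result["Target"], **vuln})
    return selected


def summary_line(findings: List[Dict]) -> str:
    """Render the per-severity count the way Trivy's table output does."""
    counts = {sev: 0 for sev in SEVERITY_ORDER}
    for finding in findings:
        sev = finding.get("Severity", "UNKNOWN")
        counts[sev] = counts.get(sev, 0) + 1
    parts = ", ".join(f"{sev}: {counts[sev]}" for sev in SEVERITY_ORDER)
    return f"Total: {len(findings)} ({parts})"


def exit_code(findings: List[Dict], code_when_found: int = 1) -> int:
    """Mirror --exit-code: 0 when nothing was selected, else the given code."""
    return code_when_found if findings else 0


if __name__ == "__main__":
    # Gate the build on HIGH/CRITICAL findings that already have a fix.
    found = select_findings(SAMPLE_REPORT, "HIGH,CRITICAL", ignore_unfixed=True)
    print(summary_line(found))
    for f in found:
        print(f"{f['Target']}: {f['PkgName']} {f['InstalledVersion']} "
              f"-> {f['FixedVersion']} ({f['VulnerabilityID']}, {f['Severity']})")
    raise SystemExit(exit_code(found))
```

Run as a script it prints the summary of the sample and exits with status 1, which is the behaviour a pipeline step needs; replace SAMPLE_REPORT with the contents of a real report file to use it on an actual scan. Whether to pass ignore_unfixed=True is a policy choice: it keeps the gate from blocking on findings nobody can act on yet, at the cost of hiding them from the summary.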

Client

NAME:
   trivy client - client mode

USAGE:
   trivy client [command options] image_name

OPTIONS:
   --template value, -t value  output template [$TRIVY_TEMPLATE]
   --format value, -f value    format (table, json, template) (default: "table") [$TRIVY_FORMAT]
   --input value, -i value     input file path instead of image name [$TRIVY_INPUT]
   --severity value, -s value  severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
   --output value, -o value    output file name [$TRIVY_OUTPUT]
   --exit-code value           Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
   --clear-cache, -c           clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE]
   --ignore-unfixed            display only fixed vulnerabilities (default: false) [$TRIVY_IGNORE_UNFIXED]
   --removed-pkgs              detect vulnerabilities of removed packages (only for Alpine) (default: false) [$TRIVY_REMOVED_PKGS]
   --vuln-type value           comma-separated list of vulnerability types (os,library) (default: "os,library") [$TRIVY_VULN_TYPE]
   --ignorefile value          specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
   --timeout value             docker timeout (default: 5m0s) [$TRIVY_TIMEOUT]
   --ignore-policy value       specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
   --token value               for authentication [$TRIVY_TOKEN]
   --token-header value        specify a header name for token (default: "Trivy-Token") [$TRIVY_TOKEN_HEADER]
   --remote value              server address (default: "http://localhost:4954") [$TRIVY_REMOTE]
   --custom-headers value      custom headers [$TRIVY_CUSTOM_HEADERS]
   --help, -h                  show help (default: false)

Server

NAME:
   trivy server - server mode

USAGE:
   trivy server [command options] [arguments...]

OPTIONS:
   --skip-update          skip db update (default: false) [$TRIVY_SKIP_UPDATE]
   --download-db-only     download/update vulnerability database but don't run a scan (default: false) [$TRIVY_DOWNLOAD_DB_ONLY]
   --reset                remove all caches and database (default: false) [$TRIVY_RESET]
   --cache-backend value  cache backend (e.g. redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND]
   --token value          for authentication [$TRIVY_TOKEN]
   --token-header value   specify a header name for token (default: "Trivy-Token") [$TRIVY_TOKEN_HEADER]
   --listen value         listen address (default: "localhost:4954") [$TRIVY_LISTEN]
   --help, -h             show help (default: false)

Air-gapped environment

See here

Comparison with other scanners

Overview

Scanner | OS Packages | Application Dependencies | Easy to use | Accuracy | Suitable for CI
Trivy (7 languages)
Clair ×
Anchore Engine (4 languages)
Quay × ×
Docker Hub × ×
GCR × ×

Blogs

vs Clair

Clair uses alpine-secdb. However, the purpose of that database is to make it possible to know which packages have backported fixes. As its README says, it is not a complete database of all security issues in Alpine.

Trivy collects vulnerability information for Alpine Linux from the Alpine Linux aports repository. Those vulnerabilities are then saved in vuln-list.

alpine-secdb has 6959 vulnerabilities (as of 2019/05/12). vuln-list has 11101 vulnerabilities related to Alpine Linux (as of 2019/05/12). Since the number of known vulnerabilities is nearly doubled, there is a corresponding difference in detection accuracy.

In addition, Trivy analyzes the middle layers as well to find out which version of the library was used for static linking.

Clair cannot handle the following case, because it analyzes the image only after all layers have been applied:

RUN apk add --no-cache sqlite-dev \
 && wget https://xxx/yyy.tar.gz \
 && tar zxvf yyy.tar.gz && cd yyy \
 && make && make install \
 && apk del sqlite-dev

As many people know, it is also difficult to choose a Clair client, because many of the clients are deprecated.

Trivy is a stand-alone tool and can scan very fast. This means it's very easy to use in CI/CD.

Finally, Trivy can also detect vulnerabilities in application dependent libraries such as Bundler, Composer, Pipenv, etc.

vs Anchore Engine

Similar to Clair, there is a difference in detection accuracy on Alpine Linux. In addition, as noted above, Anchore Engine does not detect unfixable vulnerabilities on RHEL/CentOS, whereas Trivy does.

Also, Anchore Engine needs some steps to start scanning. Trivy is much easier to use.

vs Quay, Docker Hub, GCR

As Quay uses Clair internally, it has the same accuracy as Clair. Docker Hub can scan only official images. GCR hardly detects vulnerabilities on Alpine Linux. Also, each of them is tied to a specific registry.

Trivy can be used regardless of the registry, and it is easily integrated with CI/CD services.

Migration

On 19 August 2019, Trivy's repositories moved from knqyf263/trivy to aquasecurity/trivy. If you previously installed Trivy you should update any scripts or package manager records as described in this section.

Overview

If you have a script that installs Trivy (for example into your CI pipelines) you should update it to obtain it from the new location by replacing knqyf263/trivy with aquasecurity/trivy.

For example:

# Before
$ wget https://github.com/knqyf263/trivy/releases/download/v${VERSION}/trivy_${VERSION}_Linux-64bit.tar.gz

# After
$ wget https://github.com/aquasecurity/trivy/releases/download/v${VERSION}/trivy_${VERSION}_Linux-64bit.tar.gz

CentOS/RedHat

Use https://aquasecurity.github.io instead of https://knqyf263.github.io.

$ yum remove trivy
$ sed -i s/knqyf263/aquasecurity/g /etc/yum.repos.d/trivy.repo
$ yum update
$ yum install trivy

Debian/Ubuntu

Use https://aquasecurity.github.io instead of https://knqyf263.github.io.

$ apt-get remove --purge trivy
$ sed -i s/knqyf263/aquasecurity/g /etc/apt/sources.list.d/trivy.list
$ apt-get update
$ apt-get install trivy

Homebrew

Tap aquasecurity/trivy

$ brew uninstall --force trivy
$ brew untap knqyf263/trivy
$ brew install aquasecurity/trivy/trivy

Binary

No changes are needed.

Q&A

Homebrew

Error: Your macOS keychain GitHub credentials do not have sufficient scope!

$ brew tap aquasecurity/trivy
Error: Your macOS keychain GitHub credentials do not have sufficient scope!
Scopes they need: none
Scopes they have:
Create a personal access token:
https://github.com/settings/tokens/new?scopes=gist,public_repo&description=Homebrew
echo 'export HOMEBREW_GITHUB_API_TOKEN=your_token_here' >> ~/.zshrc

Try:

$ printf "protocol=https\nhost=github.com\n" | git credential-osxkeychain erase

Error: aquasecurity/trivy/trivy 64 already installed

$ brew upgrade
...
Error: aquasecurity/trivy/trivy 64 already installed

Try:

$ brew unlink trivy && brew uninstall trivy
($ rm -rf /usr/local/Cellar/trivy/64)
$ brew install aquasecurity/trivy/trivy

Error: x509: certificate signed by unknown authority

TRIVY_INSECURE can be used to allow insecure connections to a container registry over TLS. It disables verification of the registry's certificate, so it is meant for registries whose certificate cannot be trusted by other means, not as a default setting.

$ TRIVY_INSECURE=true trivy image [YOUR_IMAGE]

Running in parallel takes the same time as a serial run

When running trivy on multiple images simultaneously, it takes the same time as running trivy on them in series.
This is because of a limitation of boltdb:

Bolt obtains a file lock on the data file so multiple processes cannot open the same database at the same time. Opening an already open Bolt database will cause it to hang until the other process closes it. (Reference: boltdb, "Opening a database".)

Others

GitHub Rate limiting

Specify GITHUB_TOKEN for authentication (see https://developer.github.com/v3/#rate-limiting):

$ GITHUB_TOKEN=XXXXXXXXXX trivy alpine:3.10

Unknown error

Try again with the --reset option:

$ trivy image --reset

Credits

Author

Teppei Fukuda (knqyf263)

Issues
  • Trivy in docker not able to scan local image since version v0.10.0

    Description

    We use Trivy in our CI builds to scan local images. Since v0.10.0, trivy is not able to find the local images and expecting the image to exist in docker hub.

    What did you expect to happen? Expected trivy to scan local images.

    What happened instead? Trivy failed with the following error: Command ran: docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v $PWD:/tmp/.cache/ aquasec/trivy myimage:local Where myimage:local was generated locally before running trivy. Trivy failed with this error

     FATAL   unable to initialize a scanner: unable to initialize a docker scanner: 2 errors occurred:
            * unable to inspect the image (index.docker.io/library/myimage:local): Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.24/images/index.docker.io/library/myimage:local/json: dial unix /var/run/docker.sock: connect: permission denied
            * GET https://index.docker.io/v2/library/myimage/manifests/local: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:library/myimage Type:repository]]
    

    Output of run with -debug:

    docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v $PWD:/tmp/.cache/ aquasec/trivy --debug myimage:local2020-07-30T14:40:12.246Z        DEBUG   Severities: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
    2020-07-30T14:40:12.257Z        DEBUG   cache dir:  /home/appuser/.cache/trivy
    2020-07-30T14:40:12.257Z        DEBUG   There is no valid metadata file: unable to open a file: open /home/appuser/.cache/trivy/db/metadata.json: no such file or directory
    2020-07-30T14:40:12.257Z        INFO    Need to update DB
    2020-07-30T14:40:12.257Z        INFO    Downloading DB...
    2020-07-30T14:40:12.257Z        DEBUG   no metadata file
    2020-07-30T14:40:12.788Z        DEBUG   release name: v1-2020073012
    2020-07-30T14:40:12.788Z        DEBUG   asset name: trivy-light-offline.db.tgz
    2020-07-30T14:40:12.788Z        DEBUG   file name doesn't match
    2020-07-30T14:40:12.788Z        DEBUG   asset name: trivy-light.db.gz
    2020-07-30T14:40:12.788Z        DEBUG   file name doesn't match
    2020-07-30T14:40:12.788Z        DEBUG   asset name: trivy-offline.db.tgz
    2020-07-30T14:40:12.788Z        DEBUG   file name doesn't match
    2020-07-30T14:40:12.788Z        DEBUG   asset name: trivy.db.gz
    2020-07-30T14:40:12.889Z        DEBUG   asset URL: https://github-production-release-asset-2e65be.s3.amazonaws.com/216830441/41262880-d25e-11ea-9f0d-69c6ece1083c?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20200730%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200730T143846Z&X-Amz-Expires=300&X-Amz-Signature=8962d7139933af30f139c0238307e1cefb4f262c886ef8dd8fbcb5f0301a5b97&X-Amz-SignedHeaders=host&actor_id=0&repo_id=216830441&response-content-disposition=attachment%3B%20filename%3Dtrivy.db.gz&response-content-type=application%2Foctet-stream
    92.58 KiB / 17.57 MiB [>_____________________________________________________________] 0.51% ? p/s ?390.58 KiB / 17.57 MiB [->___________________________________________________________] 2.17% ? p/s ?713.58 KiB / 17.57 MiB [-->__________________________________________________________] 3.97% ? p/s ?917.58 KiB / 17.57 MiB [-->_____________________________________________] 5.10% 1.34 MiB p/s ETA 12s1.63 MiB / 17.57 MiB [---->_____________________________________________] 9.26% 1.34 MiB p/s ETA 11s2.06 MiB / 17.57 MiB [----->___________________________________________] 11.71% 1.34 MiB p/s ETA 11s2.46 MiB / 17.57 MiB [------>__________________________________________] 13.98% 1.42 MiB p/s ETA 10s2.85 MiB / 17.57 MiB [------->_________________________________________] 16.22% 1.42 MiB p/s ETA 10s3.24 MiB / 17.57 MiB [--------->_______________________________________] 18.42% 1.42 MiB p/s ETA 10s3.64 MiB / 17.57 MiB [---------->_______________________________________] 20.69% 1.46 MiB p/s ETA 9s4.02 MiB / 17.57 MiB [----------->______________________________________] 22.86% 1.46 MiB p/s ETA 9s4.42 MiB / 17.57 MiB [------------>_____________________________________] 25.13% 1.46 MiB p/s ETA 9s4.81 MiB / 17.57 MiB [------------->____________________________________] 27.40% 1.49 MiB p/s ETA 8s5.21 MiB / 17.57 MiB [-------------->___________________________________] 29.67% 1.49 MiB p/s ETA 8s5.61 MiB / 17.57 MiB [--------------->__________________________________] 31.93% 1.49 MiB p/s ETA 8s6.03 MiB / 17.57 MiB [----------------->________________________________] 34.30% 1.53 MiB p/s ETA 7s6.42 MiB / 17.57 MiB [------------------>_______________________________] 36.56% 1.53 MiB p/s ETA 7s6.87 MiB / 17.57 MiB [------------------->______________________________] 39.11% 1.53 MiB p/s ETA 7s7.29 MiB / 17.57 MiB [-------------------->_____________________________] 41.48% 1.56 MiB p/s ETA 6s7.72 MiB / 17.57 MiB [--------------------->____________________________] 43.93% 1.56 MiB p/s 
ETA 6s8.13 MiB / 17.57 MiB [----------------------->__________________________] 46.30% 1.56 MiB p/s ETA 6s8.55 MiB / 17.57 MiB [------------------------>_________________________] 48.66% 1.60 MiB p/s ETA 5s8.96 MiB / 17.57 MiB [------------------------->________________________] 51.01% 1.60 MiB p/s ETA 5s9.40 MiB / 17.57 MiB [-------------------------->_______________________] 53.48% 1.60 MiB p/s ETA 5s9.81 MiB / 17.57 MiB [--------------------------->______________________] 55.83% 1.63 MiB p/s ETA 4s10.24 MiB / 17.57 MiB [---------------------------->____________________] 58.30% 1.63 MiB p/s ETA 4s10.71 MiB / 17.57 MiB [----------------------------->___________________] 60.94% 1.63 MiB p/s ETA 4s11.12 MiB / 17.57 MiB [------------------------------->_________________] 63.30% 1.67 MiB p/s ETA 3s11.56 MiB / 17.57 MiB [-------------------------------->________________] 65.81% 1.67 MiB p/s ETA 3s12.00 MiB / 17.57 MiB [--------------------------------->_______________] 68.31% 1.67 MiB p/s ETA 3s12.45 MiB / 17.57 MiB [---------------------------------->______________] 70.86% 1.70 MiB p/s ETA 3s12.87 MiB / 17.57 MiB [----------------------------------->_____________] 73.23% 1.70 MiB p/s ETA 2s13.28 MiB / 17.57 MiB [------------------------------------->___________] 75.59% 1.70 MiB p/s ETA 2s13.71 MiB / 17.57 MiB [-------------------------------------->__________] 78.04% 1.73 MiB p/s ETA 2s14.16 MiB / 17.57 MiB [--------------------------------------->_________] 80.60% 1.73 MiB p/s ETA 1s14.64 MiB / 17.57 MiB [---------------------------------------->________] 83.33% 1.73 MiB p/s ETA 1s15.09 MiB / 17.57 MiB [------------------------------------------>______] 85.89% 1.76 MiB p/s ETA 1s15.55 MiB / 17.57 MiB [------------------------------------------->_____] 88.48% 1.76 MiB p/s ETA 1s16.00 MiB / 17.57 MiB [-------------------------------------------->____] 91.08% 1.76 MiB p/s ETA 0s16.47 MiB / 17.57 MiB [--------------------------------------------->___] 93.73% 1.80 MiB p/s 
ETA 0s16.92 MiB / 17.57 MiB [----------------------------------------------->_] 96.28% 1.80 MiB p/s ETA 0s17.38 MiB / 17.57 MiB [------------------------------------------------>] 98.93% 1.80 MiB p/s ETA 0s17.57 MiB / 17.57 MiB [----------------------------------------------------] 100.00% 2.12 MiB p/s 9s2020-07-30T14:40:22.179Z    DEBUG   Updating database metadata...
    2020-07-30T14:40:22.179Z        DEBUG   DB Schema: 1, Type: 1, UpdatedAt: 2020-07-30 12:13:03.860403389 +0000 UTC, NextUpdate: 2020-07-31 00:13:03.860403189 +0000 UTC
    2020-07-30T14:40:24.452Z        FATAL   unable to initialize a scanner:
        github.com/aquasecurity/trivy/internal/artifact.run
            /home/circleci/project/internal/artifact/run.go:72
      - unable to initialize a docker scanner:
        github.com/aquasecurity/trivy/internal/artifact.dockerScanner
            /home/circleci/project/internal/artifact/image.go:28
      - 2 errors occurred:
            * unable to inspect the image (index.docker.io/library/myimage:local): Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.24/images/index.docker.io/library/myimage:local/json: dial unix /var/run/docker.sock: connect: permission denied
            * GET https://index.docker.io/v2/library/myimage/manifests/local: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:library/myimage Type:repository]]
    

    Output of trivy -v:

    Version: 0.10.0
    

    Additional details (base image name, container registry info...): If we revert to trivy v0.9.0, the scan works successfully so something is broken in v0.10.0

    Has there been any change that either affects detecting local images over the docker socket?

    I would really appreciate if this has been paid attention as our builds are currently broken and as a workaround we have reverted to v0.9.0

    Regards,

    Nas

    kind/bug 
    opened by NasAmin 28
  • Use a stable SARIF identifier

    :wave: Hello - I am from the GitHub code scanning team! :bow:

    We have noticed that your tool is currently generating unstable sarif identifiers. 🕵️ This is against the SARIF specification 😱.

    Unstable identifiers result in suboptimal experience for users of GitHub Code Scanning:

    • Users are not able to easily group similar results (for example results for the same CVE in different images)
    • Users find results that have been dismissed reappear if the image name or tag changes
    • We have a hard limit of 500k identifiers per tool, beyond this point it is not possible to enumerate them all

    I've proposed a possible fix that would make your sarif identifier stable. Once you have found something that works for you I can migrate your existing rules. :+1:

    opened by simon-engledew 26
  • FATAL	error in image scan: failed to analyze image: failed to extract files: missing signature key

    BUG REPORT INFORMATION

    I am running trivy installed from debian package (currently 0.1.1) inside a Gitlab CI worker. The worker is a docker container which can build images (docker socket is mounted).

    Description In my pipeline I would like to scan the images before pushing them to the repository. But trivy fails with the error above although the image is currently built.

    $ docker build --pull -t ${IMAGE}:${VERSION} -t ${IMAGE}:latest .
    Sending build context to Docker daemon  84.48kB
    Step 1/2 : FROM postgres:11-alpine
    11-alpine: Pulling from library/postgres
    e7c96db7181b: Already exists
    ddab92d60ba9: Pulling fs layer
    ... snipped ...
    79d684a466de: Pull complete
    1929cdd74131: Pull complete
    Digest: sha256:7507521549968d1506ba9748a1f86d4ac015544b07738da8d25cf670eb2a7279
    Status: Downloaded newer image for postgres:11-alpine
     ---> 0223e4d872f4
    Step 2/2 : LABEL MAINTAINER Oz123 <[email protected]>
     ---> Running in 86c97c84674b
    Removing intermediate container 86c97c84674b
     ---> a4b10056be0e
    Successfully built a4b10056be0e
    Successfully tagged gitlab.xxx.net:5050/tech/postgresql/docker-image:0.0.1
    Successfully tagged gitlab.xxx.net:5050/tech/postgresql/docker-image:latest
    $ trivy -q --auto-refresh ${IMAGE}:${VERSION}
    2019-05-27T15:06:46.237Z	INFO	Updating vulnerability database...
    2019-05-27T15:07:34.298Z	INFO	Updating NVD data...
    2019-05-27T15:08:04.259Z	INFO	Updating Alpine data...
    2019-05-27T15:08:05.058Z	INFO	Updating RedHat data...
    2019-05-27T15:08:08.466Z	INFO	Updating Debian data...
    2019-05-27T15:08:10.155Z	INFO	Updating Debian OVAL data...
    2019-05-27T15:08:15.279Z	INFO	Updating Ubuntu data...
    2019-05-27T15:08:20.303Z	FATAL	error in image scan: failed to analyze image: failed to extract files: missing signature key
    ERROR: Job failed: exit code 1
    

    Output of trivy -v: 0.1.1

    I suspect the docker image should also mount the directory where the image built files are stored, but I can't confirm this.

    opened by oz123 26
  • Trivy 0.2.0, run under docker-dind - gitlabCI - scan always ends with 'null' result

    What did you expect to happen? Conduct a scan

    What happened instead? Trivy does something, reports success and exits after 1 second

    Output of run with -debug:

    2019-11-14T18:51:04.070Z	DEBUG	cache dir:  /root/.cache/trivy
    2019-11-14T18:51:04.074Z	DEBUG	This is the first run
    [                    ] Downloading Lightweight DB file... 
    [=>                  ] Downloading Lightweight DB file... 
    [===>                ] Downloading Lightweight DB file... 2019-11-14T18:51:04.362Z	DEBUG	release name: v1-2019111418
    2019-11-14T18:51:04.362Z	DEBUG	asset name: trivy-light.db.gz
    [=====>              ] Downloading Lightweight DB file... 
    [======>             ] Downloading Lightweight DB file... 2019-11-14T18:51:04.534Z	DEBUG	asset URL: https://github-production-release-asset-2e65be.s3.amazonaws.com/216830441/fa14f900-0709-11ea-9b7f-1f882f72ad9e?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20191114%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20191114T185104Z&X-Amz-Expires=300&X-Amz-Signature=4ae948a4ce0501f0edb9eb5585d397ef276d725f95f8ea2af8ade4659264494d&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3Dtrivy-light.db.gz&response-content-type=application%2Foctet-stream
    [========>           ] 
    Downloading Lightweight DB file... 
    [==========>         ]
    Downloading Lightweight DB file... [============>       ] 
    Downloading Lightweight DB file... [==============>     ] 
    Downloading Lightweight DB file... [================>   ] 
    Downloading Lightweight DB file... ==================> ] 
    Downloading Lightweight DB file... [===================>] 
    Downloading Lightweight DB file... [                    ] 
    Downloading Lightweight DB file... [=>                  ] 
    Downloading Lightweight DB file... [===>                ]
     Downloading Lightweight DB file... [=====>              ] 
    Downloading Lightweight DB file... [======>             ]
     Downloading Lightweight DB file... [========>           ] 
    Downloading Lightweight DB file... 019-11-14T18:51:05.858Z	INFO	Reopening vulnerability DB
    2019-11-14T18:51:05.858Z	DEBUG	Vulnerability type:  [os library]
    2019-11-14T18:51:08.814Z	DEBUG	OS family: alpine, OS version: 3.8.4
    2019-11-14T18:51:08.814Z	DEBUG	the number of packages: 36
    2019-11-14T18:51:09.612Z	DEBUG	the number of packages from commands: 26
    2019-11-14T18:51:09.612Z	DEBUG	the number of packages: 36
    2019-11-14T18:51:09.612Z	INFO	Detecting Alpine vulnerabilities...
    2019-11-14T18:51:09.612Z	DEBUG	alpine: os version: 3.8
    2019-11-14T18:51:09.612Z	DEBUG	alpine: the number of packages: 36
    

    Output of trivy -v:

    trivy version 0.2.0
    

    Additional details (base image name, container registry info...): checked image trivy --light alpine:3.8.4 -debug dind image - docker:19.03-dind

    result:

    [
      {
        "Target": "myimage(alpine 3.8.4)",
        "Vulnerabilities": null
      }
    ]
    

    scan outside gitlabci

    alpine:3.8.4 (alpine 3.8.4)
    ===========================
    Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
    
    +---------+------------------+----------+-------------------+---------------+
    | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |
    +---------+------------------+----------+-------------------+---------------+
    | musl    | CVE-2019-14697   | HIGH     | 1.1.19-r10        | 1.1.19-r11    |
    +---------+------------------+----------+-------------------+---------------+
    
    kind/bug 
    opened by marcinbojko 24
  • GitHub Action - analysis fails after sarif upload

    Description

    I'm scanning a docker image and want to upload the result via the github/codeql-action/[email protected] action.

    name: Trivy Analysis
    
    on:
      push:
    
    jobs:
      trivy_analysis:
        name: Trivy Analysis
        runs-on: "ubuntu-18.04"
        steps:
          - name: Run Trivy on python:3.6-slim-buster
            uses: aquasecurity/[email protected]
            with:
              image-ref: 'python:3.6-slim-buster'
              format: 'template'
              template: '@/contrib/sarif.tpl'
              output: 'trivy-slim-buster.sarif'
              severity: 'CRITICAL,HIGH'
    
          # Upload works fine, but analysis fails
          - name: Upload Trivy slim-buster scan results to GitHub Security tab
            uses: github/codeql-action/[email protected]
            with:
              sarif_file: 'trivy-slim-buster.sarif'
    

    What did you expect to happen?

    sarif file gets analyzed correctly.

    What happened instead?

    The error 'Analysis failed for trivy-workflow' is shown on the Code scanning alerts tab.

    Trivy Analysis Fails

    Output of run with -debug:

    not available
    

    Output of trivy -v:

    Run aquasecurity/[email protected]
      with:
        image-ref: python:3.6-slim-buster
        format: template
        template: @/contrib/sarif.tpl
        output: trivy-slim-buster.sarif
        severity: CRITICAL,HIGH
        scan-type: image
        scan-ref: .
        exit-code: 0
        ignore-unfixed: false
        vuln-type: os,library
    /usr/bin/docker run --name a33c1b243f0bb5ad54f939442448bb6a70f7e_e14d32 --label 8a33c1 --workdir /github/workspace --rm -e INPUT_IMAGE-REF -e INPUT_FORMAT -e INPUT_TEMPLATE -e INPUT_OUTPUT -e INPUT_SEVERITY -e INPUT_SCAN-TYPE -e INPUT_INPUT -e INPUT_SCAN-REF -e INPUT_EXIT-CODE -e INPUT_IGNORE-UNFIXED -e INPUT_VULN-TYPE -e INPUT_SKIP-DIRS -e INPUT_CACHE-DIR -e INPUT_TIMEOUT -e INPUT_IGNORE-POLICY -e HOME -e GITHUB_JOB -e GITHUB_REF -e GITHUB_SHA -e GITHUB_REPOSITORY -e GITHUB_REPOSITORY_OWNER -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RETENTION_DAYS -e GITHUB_ACTOR -e GITHUB_WORKFLOW -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GITHUB_EVENT_NAME -e GITHUB_SERVER_URL -e GITHUB_API_URL -e GITHUB_GRAPHQL_URL -e GITHUB_WORKSPACE -e GITHUB_ACTION -e GITHUB_EVENT_PATH -e GITHUB_ACTION_REPOSITORY -e GITHUB_ACTION_REF -e GITHUB_PATH -e GITHUB_ENV -e RUNNER_OS -e RUNNER_TOOL_CACHE -e RUNNER_TEMP -e RUNNER_WORKSPACE -e ACTIONS_RUNTIME_URL -e ACTIONS_RUNTIME_TOKEN -e ACTIONS_CACHE_URL -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/indy-node-container/indy-node-container":"/github/workspace" 8a33c1:b243f0bb5ad54f939442448bb6a70f7e  "-a image" "-b template" "-c @/contrib/sarif.tpl" "-d 0" "-e false" "-f os,library" "-g CRITICAL,HIGH" "-h trivy-slim-buster.sarif" "-i python:3.6-slim-buster" "-j ." "-k " "-l " "-m " "-n " "-o "
    Running trivy with options:  --no-progress  --format  template --template  @/contrib/sarif.tpl --exit-code  0 --vuln-type  os,library --severity  CRITICAL,HIGH --output  trivy-slim-buster.sarif  python:3.6-slim-buster
    Global options:  
    2021-06-02T06:51:17.428Z	INFO	Need to update DB
    2021-06-02T06:51:17.429Z	INFO	Downloading DB...
    2021-06-02T06:51:20.595Z	INFO	Detecting Debian vulnerabilities...
    2021-06-02T06:51:20.605Z	INFO	Trivy skips scanning programming language libraries because no supported file was detected
    

    Additional details (base image name, container registry info...):

    Uploading the result file to the Microsoft SARIF validator shows these problems:

    • GH1003: runs[0].results[0].locations[0].physicalLocation: The 'region' property is absent. GitHub Advanced Security code scanning can display the correct location only for results that provide a 'region' object with line and optional column information. At minimum, 'region.startLine' is required. 'region' can also provide 'startColumn', 'endLine', and 'endColumn', although all of those have reasonable defaults.
    • GH1005: runs[0].results[0].locations[0].physicalLocation.artifactLocation.uri: 'python:3.6-slim-buster' is not a file path. GitHub Advanced Security code scanning only displays results whose locations are specified by file paths, either as relative URIs or as absolute URIs that use the 'file' scheme.
    • SARIF1004: runs[0].results[0].locations[0].physicalLocation.artifactLocation: This 'artifactLocation' object has a 'uriBaseId' property 'ROOTPATH', but its 'uri' property 'python:3.6-slim-buster' is an absolute URI. Since the purpose of 'uriBaseId' is to resolve a relative reference to an absolute URI, it is not allowed when the 'uri' property is already an absolute URI.
    • SARIF2012: runs[0].tool.driver.rules[0].name: 'OS Package Vulnerability (Debian)' is not a Pascal-case identifier. For uniformity of experience across all tools that produce SARIF, the friendly name should be a single Pascal-case identifier, for example, 'ProvideRuleFriendlyName'.

    I don't know whether these problems are the cause of the error, but maybe they can be fixed by adjusting this block

    https://github.com/aquasecurity/trivy/blob/fb19abd09acc39c06a132fab8d0b9181f1556dcb/contrib/sarif.tpl#L76-L80

    if a Docker image is scanned.

    kind/bug lifecycle/stale 
    opened by mgmgwi 24
  • Add linter check support

    opened by rahul2393 21
  • Offline DB

    Is there a way to download the DB beforehand into a file and pass it as argument when running?

    triage/support kind/feature lifecycle/stale 
    opened by bendanye 20
  • How to scan locally downloaded docker image?

    I've some enterprise docker images downloaded locally in my mac and I want to scan them using trivy. I tried without setting any config and I get this

    trivy docker.artifactory.aws.*****com/****-base-centos7:0.0.7
    2020-04-29T00:34:09.890+0530	FATAL	error in image scan: failed to analyze image: failed to extract files: failed to extract files: failed to extract the archive: unexpected EOF
    

    please suggest.

    triage/support lifecycle/stale triage/needs-information 
    opened by bsushant-athena 20
  • Major Dockerfile redesign with UPX and other best practices

    Major Dockerfile redesign with UPX and other best practices

    This PR is a continuation of https://github.com/knqyf263/trivy/issues/94

    I hope this will help Trivy to have a great Docker traction among the community.

    Cheers!

    opened by pascalandy 19
  • Trivy not working on common images like Centos

    Trivy not working on common images like Centos

    Description

    What did you expect to happen?

    I expected to get the CVE output similar to when I successfully ran the trivy ubuntu scan

    What happened instead?

    $ trivy centos
    2019-09-04T06:00:41.100-0400 INFO Updating vulnerability database...
    2019-09-04T06:00:42.256-0400 WARN You should avoid using the :latest tag as it is cached. You need to specify '--clear-cache' option when :latest image is changed
    2019-09-04T06:00:58.146-0400 FATAL error in image scan: failed to scan image: failed to analyze OS packages: exec: "rpm": executable file not found in $PATH

    Output of run with -debug:

    trivy --clear-cache -debug centos:latest
    2019-09-04T06:06:21.354-0400	DEBUG	cache dir:  /Users/mrvegas/Library/Caches/trivy
    2019-09-04T06:06:21.354-0400	INFO	Removing image caches...
    2019-09-04T06:06:21.478-0400	DEBUG	db path: /Users/mrvegas/Library/Caches/trivy/db/trivy.db
    2019-09-04T06:06:21.482-0400	INFO	Updating vulnerability database...
    2019-09-04T06:06:21.482-0400	DEBUG	git pull
    2019-09-04T06:06:21.897-0400	DEBUG	total updated files: 1
    2019-09-04T06:06:21.907-0400	DEBUG	Vulnerability type:  [os library]
    2019-09-04T06:06:27.952-0400	DEBUG	OS family: centos, OS version: 7.6.1810
    2019-09-04T06:06:27.972-0400	FATAL	error in image scan:
        github.com/aquasecurity/trivy/pkg.Run
            /root/project/pkg/run.go:164
      - failed to scan image:
        github.com/aquasecurity/trivy/pkg/scanner.ScanImage
            /root/project/pkg/scanner/scan.go:54
      - failed to analyze OS packages:
        github.com/aquasecurity/trivy/pkg/scanner/ospkg.Scan
            /root/project/pkg/scanner/ospkg/scan.go:52
      - exec: "rpm": executable file not found in $PATH
    

    Output of trivy -v:

    trivy version 0.1.6
    

    Additional details (base image name, container registry info...): centos (from Dockerhub)

    kind/bug 
    opened by rossayoung 19
  • scan failed: failed to detect vulnerabilities via RPC - unsupported type node-pkg / python-pkg

    scan failed: failed to detect vulnerabilities via RPC - unsupported type node-pkg / python-pkg

    We are using trivy client-server mode; the server is running on a CentOS server. We upgraded from 0.19.1 to 0.21.0 successfully, but scans began to fail due to the errors below:

    2021-11-25T12:47:37.421Z FATAL error in image scan: scan failed: failed to detect vulnerabilities via RPC: twirp error internal: failed scan, some-image:latest: failed to detect vulnerabilities: failed to scan application libraries: failed vulnerability detection of libraries: failed to new driver: unsupported type node-pkg
    
    2021-11-25T13:04:31.359Z FATAL error in image scan: scan failed: failed to detect vulnerabilities via RPC: twirp error internal: failed scan, some-image2:latest: failed to detect vulnerabilities: failed to scan application libraries: failed vulnerability detection of libraries: failed to new driver: unsupported type python-pkg
    

    Conversely, when the same images were scanned using a standalone mode (trivy image ..), it worked perfectly.

    Note that this behavior only occurred when a complex custom image was scanned. Scanning of simple base images from docker hub worked fine (e.g. Ruby) in client-server mode.

    Version: 0.21.0
    Vulnerability DB:
      Type: Full
      Version: 1
      UpdatedAt: 2021-11-29 00:49:32.289418692 +0000 UTC
      NextUpdate: 2021-11-29 06:49:32.289418492 +0000 UTC
      DownloadedAt: 2021-11-29 08:52:22.022664988 +0000 UTC
    
    kind/bug 
    opened by zestam 0
  • fix(sarif): restore missing fields in the sarif template.

    fix(sarif): restore missing fields in the sarif template.

    Two blocks were restored:

    • a detailed description of the vulnerability,
    • a package name tag.

    Fixes #1419

    opened by afdesk 3
  • Unsure of how to fix Trivy errors in GitLab CI

    Unsure of how to fix Trivy errors in GitLab CI

    My GitLab CI/CD pipeline is comprised entirely of containers that run on the Docker executor on my Runner. As such, I presume I'm meant to use Trivy's second block of code here, where the Trivy image is fetched like all the other jobs in my pipeline do. However, when I do this, I get the following error:

    $ time trivy --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@/contrib/gitlab.tpl" --output "$CI_PROJECT_DIR/gl-container-scanning-report.json" "$FULL_IMAGE_NAME"
    2021-11-18T22:24:38.464Z	FATAL	scan error: unable to initialize a scanner: unable to initialize a docker scanner: 3 errors occurred:
    * unable to inspect the image (registry.gitlab.com/my-repo:main): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
    * unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory
    * GET https://registry.gitlab.com/v2/my-repo/manifests/main: MANIFEST_UNKNOWN: manifest unknown; map[Tag:main]
    Command exited with non-zero status 1
    

    I've tried Googling these errors and I'm not finding much. I'm nowhere near a DevOps SME, so if there's something wrong with my GitLab environment, I don't know what it could be... all the other jobs in my pipeline (Terraform, Ansible, SonarQube) work fine. The Docker executor is working fine on the Runner so I'm not sure why it can't connect to Docker. I have no idea what Podman even is or how it applies here. I'm not seeing much on Trivy's site either that would explain other prerequisites that I might have missed. I'm using the example code with no changes, so I'm confused as to why it's not working. Any help is appreciated.

    triage/support 
    opened by joshedgarva 0
  • CloudFormation scan error while running trivy filesystem in v0.21.0

    CloudFormation scan error while running trivy filesystem in v0.21.0

    Description

    Got cloudformation scan error while running trivy filesystem --ignore-unfixed --vuln-type os.

    What did you expect to happen?

    No CloudFormation scan errors, the flag trivy config was not used.

    What happened instead?

    Got cloudformation scan error while running trivy filesystem.

    Output of run with -debug:

    2021-11-22T21:51:52.756Z	DEBUG	Severities: CRITICAL
    2021-11-22T21:51:52.762Z	DEBUG	cache dir:  /root/.cache/trivy
    2021-11-22T21:51:52.762Z	DEBUG	There is no valid metadata file: unable to open a file: open /root/.cache/trivy/db/metadata.json: no such file or directory
    2021-11-22T21:51:52.762Z	INFO	Need to update DB
    2021-11-22T21:51:52.762Z	INFO	Downloading DB...
    2021-11-22T21:51:52.762Z	DEBUG	no metadata file
    2021-11-22T21:51:52.844Z	DEBUG	release name: v1-2021112218
    2021-11-22T21:51:52.844Z	DEBUG	asset name: trivy-light-offline.db.tgz
    2021-11-22T21:51:52.844Z	DEBUG	file name doesn't match
    2021-11-22T21:51:52.844Z	DEBUG	asset name: trivy-light.db.gz
    2021-11-22T21:51:52.844Z	DEBUG	file name doesn't match
    2021-11-22T21:51:52.844Z	DEBUG	asset name: trivy-offline.db.tgz
    2021-11-22T21:51:52.844Z	DEBUG	file name doesn't match
    2021-11-22T21:51:52.844Z	DEBUG	asset name: trivy.db.gz
    2021-11-22T21:51:52.849Z	DEBUG	asset URL: https://github-releases.githubusercontent.com/216830441/6a303dc3-ab9f-416c-b207-efc38988cee1?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20211122%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20211122T215020Z&X-Amz-Expires=300&X-Amz-Signature=be739e49f8be110e088035501d20ecbc47c205be8ca956c8e1e3b8db3c06bd06&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=216830441&response-content-disposition=attachment%3B%20filename%3Dtrivy.db.gz&response-content-type=application%2Foctet-stream
    2021-11-22T21:51:53.946Z	DEBUG	Updating database metadata...
    2021-11-22T21:51:53.946Z	DEBUG	DB Schema: 1, Type: 1, UpdatedAt: 2021-11-22 18:42:13.000396096 +0000 UTC, NextUpdate: 2021-11-23 00:42:13.000395396 +0000 UTC, DownloadedAt: 2021-11-22 21:51:53.946411779 +0000 UTC
    2021-11-22T21:51:53.946Z	DEBUG	Vulnerability type:  [os]
    2021-11-22T21:51:57.402Z	FATAL	scan error:
        github.com/aquasecurity/trivy/pkg/commands/artifact.runWithTimeout
            /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:71
      - image scan failed:
        github.com/aquasecurity/trivy/pkg/commands/artifact.scan
            /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:216
      - failed analysis:
        github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact
            /home/runner/work/trivy/trivy/pkg/scanner/scan.go:98
      - config scan error:
        github.com/aquasecurity/fanal/artifact/local.Artifact.Inspect
            /home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/artifact/local/fs.go:96
      - scan cloudformation error:
        github.com/aquasecurity/fanal/config/scanner.Scanner.ScanConfigs
            /home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/config/scanner/scanner.go:84
      - cloudformation scan error:
        github.com/aquasecurity/fanal/config/scanner.Scanner.scanCloudFormationByCFSec
            /home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/config/scanner/scanner.go:127
      - source '/base-root/usr/local/lib/python3.6/site-packages/cfnlint/data/ExtendedSpecs/all/03_value_types.json' contains invalid JSON: invalid target type
    Removing intermediate container c6d0b7d8bd79
    

    Output of trivy -v:

    (paste your output here)
    

    Additional details (base image name, container registry info...):

    • Dockerfile used for scan with BASE_IMAGE as alpine:3.14, from an AWS ECR Registry:
    ARG REGISTRY
    ARG TRIVY_IMAGE
    ARG BASE_IMAGE
    ARG TARGET_IMAGE
    
    FROM $REGISTRY/$TRIVY_IMAGE as trivy
    FROM $REGISTRY/$BASE_IMAGE as base
    FROM $REGISTRY/$TARGET_IMAGE as target
    
    FROM base as base-stage
    COPY --from=target / ../base-root
    
    FROM base-stage as trivy-stage
    ARG TRIVY_SEVERITY
    ARG TRIVY_IGNORE_URL
    WORKDIR /scans
    RUN curl $TRIVY_IGNORE_URL --output .trivyignore
    COPY --from=trivy /usr/local/bin/trivy /usr/local/bin/trivy
    RUN trivy filesystem --ignore-unfixed --vuln-type os --severity $TRIVY_SEVERITY --exit-code 0 --no-progress /base-root | tee image-vulnerabilities-trivy.txt
    
    FROM base as final-stage
    WORKDIR /scans
    COPY --from=trivy-stage /scans/image-vulnerabilities-trivy.txt ./image-vulnerabilities-trivy.txt
    
    • Happens in https://github.com/aquasecurity/trivy/releases/tag/v0.21.0
    • Does not happen in https://github.com/aquasecurity/trivy/releases/tag/v0.20.2
    • TARGET_IMAGE from a python:3.6-stretch image with some python private application inside.

    Thank you very much for this project.

    kind/bug 
    opened by julianoborba 1
  • Sarif results version in 0.21.1

    Sarif results version in 0.21.1

    Description

    Using the latest sarif template of trivy 0.21.1, I see some differences from the older version. Some fields are missing in the new version of the sarif output.

    Older sarif template

    Screen Shot 2021-11-26 at 17 13 25

    New sarif template

    Screen Shot 2021-11-26 at 17 15 40

    kind/bug 
    opened by krol3 1
  • Include vulnerability filepath with `trivy image` output

    Include vulnerability filepath with `trivy image` output

    When running trivy image, the locations of the offending vulnerabilities are not included:

    $ trivy image --severity CRITICAL --ignore-unfixed node:12.22.7
    ...
    node:12.22.7 (debian 9.13)
    ==========================
    Total: 0 (CRITICAL: 0)
    
    
    Node.js (node-pkg)
    ==================
    Total: 1 (CRITICAL: 1)
    
    +-------------+------------------+----------+-------------------+---------------+--------------------------------------+
    |   LIBRARY   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                TITLE                 |
    +-------------+------------------+----------+-------------------+---------------+--------------------------------------+
    | json-schema | CVE-2021-3918    | CRITICAL | 0.2.3             | 0.4.0         | nodejs-json-schema: prototype        |
    |             |                  |          |                   |               | pollution vulnerability              |
    |             |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3918 |
    +-------------+------------------+----------+-------------------+---------------+--------------------------------------+
    

    It is unclear to me where the vulnerability is included in the image, and therefore, what my options are for remediation. In order to find the vulnerability, I manually search the image:

    $ find / -type d -name json-schema
    /usr/local/lib/node_modules/npm/node_modules/json-schema
    
    $ cat /usr/local/lib/node_modules/npm/node_modules/json-schema/package.json | grep \"version\":
      "version": "0.2.3"
    

    Here I find out that the offender was actually a dependency of the preinstalled npm on the image. If the path was included in the output of trivy image, like the output of trivy fs, I would have known the steps to take immediately.

    kind/feature 
    opened by rliebz 0
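The manual `find` + grep above locates one copy of the flagged library; an image can contain several copies at different versions, and what you need for remediation is which top-level package pulled each one in. The script below is an added example (not Trivy's code and not from the issue) that generalises that search over an unpacked image root: it finds every `node_modules/<name>/package.json`, including scoped names, derives the nesting chain from the path, and marks copies older than the fixed version. The tree built by `demo()` is constructed, version numbers included.

```python
"""Locate where a library flagged by `trivy image` actually lives inside an
image filesystem, and which top-level package pulled it in.

Added example (not Trivy's code): it generalises the manual `find` + grep the
reporter used. Point it at an unpacked image root (e.g. a container's `/`).
The sample tree built by demo() is constructed, including its version numbers.
"""
import json
import os
import sys
import tempfile
from pathlib import Path


def parse_version(v):
    """Leading dotted numeric part of a version string as a tuple of ints
    (enough for the x.y.z versions Trivy prints; pre-release tags are ignored)."""
    nums = []
    for part in v.split("."):
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        nums.append(int(digits))
    return tuple(nums)


def is_affected(installed, fixed_version):
    """True when the installed version is older than the first fixed one."""
    return parse_version(installed) < parse_version(fixed_version)


def find_node_packages(root, name):
    """Yield (package.json path, version) for every node_modules/<name> under root.
    Scoped names such as '@scope/pkg' are matched via the path suffix."""
    suffix = "node_modules/" + name
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        posix = Path(dirpath).as_posix()
        if not (posix == suffix or posix.endswith("/" + suffix)):
            continue
        pj = os.path.join(dirpath, "package.json")
        try:
            with open(pj, encoding="utf-8") as fh:
                meta = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or not JSON: skip rather than abort the walk
        if meta.get("name") == name:
            yield pj, str(meta.get("version", ""))


def dependency_chain(root, pkg_json_path):
    """Package names along the node_modules nesting, outermost first, e.g.
    usr/local/lib/node_modules/npm/node_modules/json-schema -> ['npm', 'json-schema']."""
    parts = Path(pkg_json_path).parent.relative_to(root).as_posix().split("/")
    chain, i = [], 0
    while i < len(parts) - 1:
        if parts[i] == "node_modules":
            nxt = parts[i + 1]
            if nxt.startswith("@") and i + 2 < len(parts):  # scoped package dir
                chain.append(nxt + "/" + parts[i + 2])
                i += 3
            else:
                chain.append(nxt)
                i += 2
        else:
            i += 1
    return chain


def report(root, name, fixed_version):
    """One row per copy of the package: path, version, nesting chain, affected flag."""
    rows = []
    for pj, version in find_node_packages(root, name):
        rows.append({
            "path": pj,
            "version": version,
            "chain": dependency_chain(root, pj),
            "affected": is_affected(version, fixed_version),
        })
    return sorted(rows, key=lambda r: r["path"])


def demo():
    """Build a constructed tree mirroring the layout found in the issue and report on it."""
    root = tempfile.mkdtemp(prefix="trivy-locate-")
    layout = {  # constructed sample data, not taken from a real image
        "usr/local/lib/node_modules/npm/package.json": {"name": "npm", "version": "0.0.0-example"},
        "usr/local/lib/node_modules/npm/node_modules/json-schema/package.json": {"name": "json-schema", "version": "0.2.3"},
        "app/node_modules/json-schema/package.json": {"name": "json-schema", "version": "0.4.0"},
        "app/node_modules/@scope/tool/node_modules/json-schema/package.json": {"name": "json-schema", "version": "0.2.3"},
    }
    for rel, meta in layout.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(json.dumps(meta), encoding="utf-8")
    return report(root, "json-schema", "0.4.0")


if __name__ == "__main__":
    # usage: python locate_pkg.py <image-root> <package-name> <fixed-version>
    rows = report(sys.argv[1], sys.argv[2], sys.argv[3]) if len(sys.argv) == 4 else demo()
    for r in rows:
        flag = "AFFECTED" if r["affected"] else "ok      "
        print(flag, r["version"].ljust(10), " -> ".join(r["chain"]), r["path"])
```

In the constructed tree the two `0.2.3` copies show up with chains `npm -> json-schema` and `@scope/tool -> json-schema`, which is the information the reporter had to dig out by hand: the fix is to update (or replace) the outermost package in the chain, not the flagged library directly.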
  • Getting error while scanning image: error in image scan: scan failed: failed to detect vulnerabilities via RPC: twirp error internal

    Getting error while scanning image: error in image scan: scan failed: failed to detect vulnerabilities via RPC: twirp error internal

    We are using trivy client-server mode. We have installed trivy in Kubernetes using the helm chart present in the git repo. It got installed successfully. But when I am testing it I am getting the below error

    error in image scan: scan failed: failed to detect vulnerabilities via RPC: twirp error internal: failed scan, : failed to apply layers: layer cache missing: sha256:04cca8fe186d808482a04aa0801d04d6c3a29c3788c4488175def47091a301fc

    trivy version:

    Version: 0.21.0
    Vulnerability DB:
      Type: Full
      Version: 1
      UpdatedAt: 2021-11-23 00:49:24.143965458 +0000 UTC
      NextUpdate: 2021-11-23 06:49:24.143965058 +0000 UTC
      DownloadedAt: 2021-11-23 05:47:05.714387405 +0000 UTC

    kind/bug 
    opened by saivenkateshedem 13
  • Scanning Oracle Linux Image

    Scanning Oracle Linux Image

    Discussed in https://github.com/aquasecurity/trivy/discussions/1403

    Originally posted by alexanderkiel, November 19, 2021:

    I question whether Trivy scans Oracle Linux 8.5 correctly. If I do it, I get zero vulnerabilities:

    % trivy image oraclelinux:8.5 | head
    2021-11-19T17:28:16.843+0100	INFO	Detected OS: oracle
    2021-11-19T17:28:16.843+0100	INFO	Detecting Oracle Linux vulnerabilities...
    2021-11-19T17:28:16.849+0100	INFO	Number of language-specific files: 0
    
    oraclelinux:8.5 (oracle 8.5)
    ============================
    Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
    

    However the previous version 8.4 had the following vulnerabilities:

    % trivy image oraclelinux:8.4 | head
    2021-11-19T17:25:23.360+0100	INFO	Detected OS: oracle
    2021-11-19T17:25:23.360+0100	INFO	Detecting Oracle Linux vulnerabilities...
    2021-11-19T17:25:23.371+0100	INFO	Number of language-specific files: 0
    
    oraclelinux:8.4 (oracle 8.4)
    ============================
    Total: 76 (UNKNOWN: 0, LOW: 10, MEDIUM: 33, HIGH: 22, CRITICAL: 11)
    

    Is it possible that Oracle fixed every single vulnerability or does Trivy have issues with the newest version?

    triage/support 
    opened by knqyf263 11
  • False Positive on all cryptography:* versions (Python module)

    False Positive on all cryptography:* versions (Python module)

    Description

    False positive found on python module: cryptography:*. CVE-2020-25659 has been reported for the cryptography:* module versions listed below:

    • cryptography:1.5
    • cryptography:1.5.2
    • cryptography:2.1.4
    • cryptography:2.1.3
    • cryptography:2.8

    But as per the CVE description, CVE-2020-25659 is valid only for python-cryptography 3.2

    What did you expect to happen?

    CVE-2020-25659 should not be reported for cryptography:* modules.

    What happened instead?

    CVE-2020-25659 is reported for all cryptography:* modules which could be false positives.

    kind/bug 
    opened by Anshu2405 1
  • False Positive on all pip:* versions (Python module)

    False Positive on all pip:* versions (Python module)

    Description

    False positive found on python module: pip:*. CVE-2021-28363 has been reported for the pip:* module versions listed below:

    • pip:19.2.3
    • pip:19.0.3
    • pip:10.0.1
    • pip:8.1.2
    • pip:9.0.3
    • pip:9.0.1
    • pip:20.2.4
    • pip:20.2.3
    • pip:20.0.2

    But as per the CVE description, CVE-2021-28363 is valid for the urllib3 library 1.26.x before 1.26.4

    What did you expect to happen?

    CVE-2021-28363 should not be reported for pip:* modules. Instead another CVE-2018-20225 is found in all pip versions in NVD.

    What happened instead?

    CVE-2021-28363 is reported for pip:* modules which could be false positives.

    kind/bug 
    opened by Anshu2405 0
Releases(v0.21.1)
Owner
Aqua Security
Full lifecycle security for containers and cloud-native applications