README
¶
Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues
Abstract
Trivy (tri pronounced like trigger, vy pronounced like envy) is a simple and comprehensive scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues.
Trivy detects vulnerabilities of OS packages (Alpine, RHEL, CentOS, etc.) and language-specific packages (Bundler, Composer, npm, yarn, etc.).
In addition, Trivy scans Infrastructure as Code (IaC) files such as Terraform, Dockerfile and Kubernetes, to detect potential configuration issues that expose your deployments to the risk of attack.
Trivy also scans hardcoded secrets like passwords, API keys and tokens.
Trivy is easy to use. Just install the binary and you're ready to scan.
Demo: Vulnerability Detection (Container Image)
Demo: Misconfiguration Detection (IaC Files)
Demo: Secret Detection
Quick Start
Scan Image for Vulnerabilities and Secrets
Simply specify an image name (and a tag).
$ trivy image [YOUR_IMAGE_NAME]
For example:
$ trivy image python:3.4-alpine
Result
2019-05-16T01:20:43.180+0900 INFO Updating vulnerability database...
2019-05-16T01:20:53.029+0900 INFO Detecting Alpine vulnerabilities...
python:3.4-alpine3.9 (alpine 3.9.2)
===================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| openssl | CVE-2019-1543 | MEDIUM | 1.1.1a-r1 | 1.1.1b-r1 | openssl: ChaCha20-Poly1305 |
| | | | | | with long nonces |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
Scan Filesystem for Vulnerabilities, Secrets and Misconfigurations
Simply specify a directory to scan.
$ trivy fs --security-checks vuln,secret,config [YOUR_PROJECT_DIR]
For example:
$ trivy fs --security-checks vuln,secret,config myproject/
Result
2021-07-09T12:03:27.564+0300 INFO Number of language-specific files: 1
2021-07-09T12:03:27.564+0300 INFO Detecting pipenv vulnerabilities...
2021-07-09T12:03:27.566+0300 INFO Detected config files: 1
Pipfile.lock (pipenv)
=====================
Total: 1 (HIGH: 1, CRITICAL: 0)
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| httplib2 | CVE-2021-21240 | HIGH | 0.12.1 | 0.19.0 | python-httplib2: Regular |
| | | | | | expression denial of |
| | | | | | service via malicious header |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-21240 |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
Dockerfile (dockerfile)
=======================
Tests: 23 (SUCCESSES: 22, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)
+---------------------------+------------+----------------------+----------+------------------------------------------+
| TYPE | MISCONF ID | CHECK | SEVERITY | MESSAGE |
+---------------------------+------------+----------------------+----------+------------------------------------------+
| Dockerfile Security Check | DS002 | Image user is 'root' | HIGH | Last USER command in |
| | | | | Dockerfile should not be 'root' |
| | | | | -->avd.aquasec.com/appshield/ds002 |
+---------------------------+------------+----------------------+----------+------------------------------------------+
Scan Directory for Misconfigurations
Simply specify a directory containing IaC files such as Terraform and Dockerfile.
$ trivy config [YOUR_IAC_DIR]
For example:
$ ls build/
Dockerfile
$ trivy config ./build
Result
2021-07-09T10:06:29.188+0300 INFO Need to update the built-in policies
2021-07-09T10:06:29.188+0300 INFO Downloading the built-in policies...
2021-07-09T10:06:30.520+0300 INFO Detected config files: 1
Dockerfile (dockerfile)
=======================
Tests: 23 (SUCCESSES: 22, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
+---------------------------+------------+----------------------+----------+------------------------------------------+
| TYPE | MISCONF ID | CHECK | SEVERITY | MESSAGE |
+---------------------------+------------+----------------------+----------+------------------------------------------+
| Dockerfile Security Check | DS002 | Image user is 'root' | HIGH | Last USER command in |
| | | | | Dockerfile should not be 'root' |
| | | | | -->avd.aquasec.com/appshield/ds002 |
+---------------------------+------------+----------------------+----------+------------------------------------------+
Features
- Comprehensive vulnerability detection
- OS packages (Alpine Linux, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, CBL-Mariner, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
- Language-specific packages (Bundler, Composer, Pipenv, Poetry, npm, yarn, Cargo, NuGet, Maven, and Go)
- Misconfiguration detection (IaC scanning)
- A wide variety of built-in policies are provided out of the box
- Kubernetes, Docker, Terraform, and more coming soon
- Support custom policies
- A wide variety of built-in policies are provided out of the box
- Secret detection
- A wide variety of built-in rules are provided out of the box
- Support custom rules
- Scan container images at high speed
- Simple
- Specify only an image name, a path to config files, or an artifact name
- Fast
- The first scan will finish within 10 seconds (depending on your network). Consequent scans will finish in single seconds.
- Easy installation
apt-get install,yum installandbrew installare possible.- No pre-requisites such as installation of DB, libraries, etc.
- High accuracy
- Especially Alpine Linux and RHEL/CentOS
- Other OSes are also high
- DevSecOps
- Suitable for CI such as GitHub Actions, Jenkins, GitLab CI, etc.
- Support multiple targets
- container image, local filesystem and remote git repository
- Supply chain security (SBOM support)
- Support CycloneDX
Integrations
Documentation
The official documentation, which provides detailed installation, configuration, and quick start guides, is available at https://aquasecurity.github.io/trivy/.
Trivy is an Aqua Security open source project.
Learn about our open source work and portfolio here.
Contact us about any matter by opening a GitHub Discussion here
Directories
Click to show internal directories.
Click to hide internal directories.