diff --git a/docs/docs/advanced/container/containerd.md b/docs/docs/advanced/container/containerd.md deleted file mode 100644 index 8d408f0750..0000000000 --- a/docs/docs/advanced/container/containerd.md +++ /dev/null @@ -1,29 +0,0 @@ -# containerd - -!!! warning "EXPERIMENTAL" - This feature might change without preserving backwards compatibility. - -Scan your image in [containerd][containerd] running locally. - -```bash -$ nerdctl images -REPOSITORY TAG IMAGE ID CREATED PLATFORM SIZE BLOB SIZE -aquasec/nginx latest 2bcabc23b454 3 hours ago linux/amd64 149.1 MiB 54.1 MiB -$ trivy image aquasec/nginx -``` - -If your containerd socket is not the default path (`//run/containerd/containerd.sock`), you can override it via `CONTAINERD_ADDRESS`. - -```bash -$ export CONTAINERD_ADDRESS=/run/k3s/containerd/containerd.sock -$ trivy image aquasec/nginx -``` - -If your scan targets are images in a namespace other than containerd's default namespace (`default`), you can override it via `CONTAINERD_NAMESPACE`. - -```bash -$ export CONTAINERD_NAMESPACE=k8s.io -$ trivy image aquasec/nginx -``` - -[containerd]: https://containerd.io/ diff --git a/docs/docs/advanced/container/oci.md b/docs/docs/advanced/container/oci.md deleted file mode 100644 index f5499c7da1..0000000000 --- a/docs/docs/advanced/container/oci.md +++ /dev/null @@ -1,17 +0,0 @@ -# OCI Image Layout - -An image directory compliant with [Open Container Image Layout Specification](https://github.com/opencontainers/image-spec/blob/master/spec.md). - -Buildah: - -``` -$ buildah push docker.io/library/alpine:3.11 oci:/path/to/alpine -$ trivy image --input /path/to/alpine -``` - -Skopeo: - -``` -$ skopeo copy docker-daemon:alpine:3.11 oci:/path/to/alpine -$ trivy image --input /path/to/alpine -``` diff --git a/docs/docs/advanced/container/podman.md b/docs/docs/advanced/container/podman.md deleted file mode 100644 index ce4980ccd6..0000000000 --- a/docs/docs/advanced/container/podman.md +++ /dev/null 
@@ -1,28 +0,0 @@ -# Podman - -!!! warning "EXPERIMENTAL" - This feature might change without preserving backwards compatibility. - -Scan your image in Podman (>=2.0) running locally. The remote Podman is not supported. -Before performing Trivy commands, you must enable the podman.sock systemd service on your machine. -For more details, see [here][sock]. - - -```bash -$ systemctl --user enable --now podman.socket -``` - -Then, you can scan your image in Podman. - -```bash -$ cat Dockerfile -FROM alpine:3.12 -RUN apk add --no-cache bash -$ podman build -t test . -$ podman images -REPOSITORY TAG IMAGE ID CREATED SIZE -localhost/test latest efc372d4e0de About a minute ago 7.94 MB -$ trivy image test -``` - -[sock]: https://github.com/containers/podman/blob/master/docs/tutorials/remote_client.md#enable-the-podman-service-on-the-server-machine diff --git a/docs/docs/cloud/aws/compliance.md b/docs/docs/cloud/aws/compliance.md deleted file mode 100644 index bb1c9e6d8c..0000000000 --- a/docs/docs/cloud/aws/compliance.md +++ /dev/null 
@@ -1,39 +0,0 @@ -# AWS Compliance - -!!! warning "EXPERIMENTAL" - This feature might change without preserving backwards compatibility. - -This page describes AWS specific compliance reports. For an overview of Trivy's Compliance feature, including working with custom compliance, check out the [Compliance documentation](../../compliance/compliance.md). - -## Built in reports - -the following reports are available out of the box: - -| Compliance | Name for command | More info ---- | --- | --- -AWS CIS Foundations Benchmark v1.2 | `aws-cis-1.2` | [link](https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf) -AWS CIS Foundations Benchmark v1.4 | `aws-cis-1.4` | [link](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls-1.4.0.html) - -## Examples - -Scan a cloud account and generate a compliance summary report: - -``` -$ trivy aws --compliance= --report=summary -``` - -***Note*** : The `Issues` column represent the total number of failed checks for this control. - - -Get all of the detailed output for checks: - -``` -$ trivy aws --compliance= --report all -``` - -Report result in JSON format: - -``` -$ trivy aws --compliance= --report all --format json -``` - diff --git a/docs/docs/cloud/aws/scanning.md b/docs/docs/cloud/aws/scanning.md deleted file mode 100644 index ae48eb19c6..0000000000 --- a/docs/docs/cloud/aws/scanning.md +++ /dev/null 
@@ -1,66 +0,0 @@ -# Amazon Web Services - -!!! warning "EXPERIMENTAL" - This feature might change without preserving backwards compatibility. - -The Trivy AWS CLI allows you to scan your AWS account for misconfigurations. You can either run the CLI locally or integrate it into your CI/CD pipeline. - -Whilst you can already scan the infrastructure-as-code that defines your AWS resources with `trivy config`, you can now scan your live AWS account(s) directly too. - -The included checks cover all of the aspects of the [AWS CIS 1.2](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-cis.html) automated benchmarks. - -Trivy uses the same [authentication methods](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) as the AWS CLI to configure and authenticate your access to the AWS platform. - -You will need permissions configured to read all AWS resources - we recommend using a group/role with the `ReadOnlyAccess` policy attached. - -Once you've scanned your account, you can run additional commands to filter the results without having to run the entire scan again - infrastructure information is cached locally per AWS account/region. - -## CLI Commands - -Scan a full AWS account (all supported services): - -```shell -trivy aws --region us-east-1 -``` - -You can allow Trivy to determine the AWS region etc. by using the standard AWS configuration files and environment variables. The `--region` flag overrides these. - -![AWS Summary Report](../../../imgs/trivy-aws.png) - -The summary view is the default when scanning multiple services. 
- -Scan a specific service: - -```shell -trivy aws --service s3 -``` - -Scan multiple services: - -```shell -# --service s3,ec2 works too -trivy aws --service s3 --service ec2 -``` - -Show results for a specific AWS resource: - -```shell -trivy aws --service s3 --arn arn:aws:s3:::example-bucket -``` - -All ARNs with detected issues will be displayed when showing results for their associated service. - -## Compliance Spec -Trivy can also run specific checks by spec by specifying the compliance flag: -```shell -trivy aws --compliance=awscis1.2 -``` -Will only target the checks defined under the AWS CIS 1.2 spec. Currently, we support AWS CIS 1.2 and 1.4 specs. More details [here](compliance.md). - -## Cached Results - -By default, Trivy will cache a representation of each AWS service for 24 hours. This means you can filter and view results for a service without having to wait for the entire scan to run again. If you want to force the cache to be refreshed with the latest data, you can use `--update-cache`. Or if you'd like to use cached data for a different timeframe, you can specify `--max-cache-age` (e.g. `--max-cache-age 2h`.). Regardless of whether the cache is used or not, rules will be evaluated again with each run of `trivy aws`. - -## Custom Policies - -You can write custom policies for Trivy to evaluate against your AWS account. These policies are written in [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/), the same language used by [Open Policy Agent](https://www.openpolicyagent.org/). See the [Custom Policies](../../misconfiguration/custom/index.md) page for more information. \ No newline at end of file diff --git a/docs/docs/compliance/compliance.md b/docs/docs/compliance/compliance.md index 8baccdd05e..1d54af24a6 100644 --- a/docs/docs/compliance/compliance.md +++ b/docs/docs/compliance/compliance.md 
@@ -20,12 +20,12 @@ For example: `trivy k8s cluster --compliance k8s-nsa` (see below for built-in an The following flags are compatible with `--compliance` flag and allows customizing it's output: -flag | effect ---- | --- -`--report summary` | shows a summary of the results. for every control shows the number of failed checks. -`--report all` | shows fully detailed results. for every control shows where it failed and why. -`--format table` | shows results in textual table format (good for human readability). -`--format json` | shows results in json format (good for machine readability). +| flag | effect | +|--------------------|--------------------------------------------------------------------------------------| +| `--report summary` | shows a summary of the results. for every control shows the number of failed checks. | +| `--report all` | shows fully detailed results. for every control shows where it failed and why. | +| `--format table` | shows results in textual table format (good for human readability). | +| `--format json` | shows results in json format (good for machine readability). | ## Built-in compliance @@ -34,8 +34,9 @@ to specify a built-in compliance report, select it by ID like `trivy --complianc For the list of built-in compliance reports, please see the relevant section: -- [Kubernetes compliance](../kubernetes/cli/compliance.md) -- [AWS compliance](../cloud/aws/compliance.md) +- [Docker compliance](../target/container_image.md#compliance) +- [Kubernetes compliance](../target/kubernetes.md#compliance) +- [AWS compliance](../target/aws.md#compliance) ## Custom compliance diff --git a/docs/docs/kubernetes/cli/compliance.md b/docs/docs/kubernetes/cli/compliance.md deleted file mode 100644 index ec46fa4a0c..0000000000 --- a/docs/docs/kubernetes/cli/compliance.md +++ /dev/null 
@@ -1,42 +0,0 @@ -# Kubernetes Compliance - -!!! warning "EXPERIMENTAL" - This feature might change without preserving backwards compatibility. - -This page describes Kubernetes specific compliance reports. For an overview of Trivy's Compliance feature, including working with custom compliance, check out the [Compliance documentation](../../compliance/compliance.md). - -## Built in reports - -The following reports are available out of the box: - -| Compliance | Name for command | More info ---- | --- | --- -NSA, CISA Kubernetes Hardening Guidance v1.2 | `k8s-nsa` | [Link](https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF) -CIS Benchmark for Kubernetes v1.23 | `k8s-cis` | [Link](https://www.cisecurity.org/benchmark/kubernetes) - -## Examples - -Scan a full cluster and generate a compliance summary report: - -``` -$ trivy k8s cluster --compliance= --report summary -``` - -***Note*** : The `Issues` column represent the total number of failed checks for this control. - - -Get all of the detailed output for checks: - -``` -trivy k8s cluster --compliance= --report all -``` - -Report result in JSON format: - -``` -trivy k8s cluster --compliance= --report summary --format json -``` - -``` -trivy k8s cluster --compliance= --report all --format json -``` diff --git a/docs/docs/kubernetes/operator/index.md b/docs/docs/kubernetes/operator/index.md deleted file mode 100644 index 60d2e0c64e..0000000000 --- a/docs/docs/kubernetes/operator/index.md +++ /dev/null 
@@ -1,14 +0,0 @@ -# Trivy Operator - -Trivy has a native [Kubernetes Operator][operator] which continuously scans your Kubernetes cluster for security issues, and generates security reports as Kubernetes [Custom Resources][crd]. It does it by watching Kubernetes for state changes and automatically triggering scans in response to changes, for example initiating a vulnerability scan when a new Pod is created. - - -> Kubernetes-native security toolkit. ([Documentation][trivy-operator]). - -
-
Workload reconcilers discover K8s controllers, manage scan jobs, and create VulnerabilityReport and ConfigAuditReport objects.
-
- -[operator]: https://kubernetes.io/docs/concepts/extend-kubernetes/operator/ -[crd]: https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/ -[trivy-operator]: https://aquasecurity.github.io/trivy-operator/latest diff --git a/docs/docs/sbom/cyclonedx.md b/docs/docs/sbom/cyclonedx.md index 43d66ddcae..ecff761dad 100644 --- a/docs/docs/sbom/cyclonedx.md +++ b/docs/docs/sbom/cyclonedx.md @@ -1,6 +1,4 @@ -# CycloneDX - -## Generating +# CycloneDX generation Trivy can generate SBOM in the [CycloneDX][cyclonedx] format. Note that XML format is not supported at the moment. 
@@ -245,34 +243,6 @@ If you want to include vulnerabilities, you can enable vulnerability scanning vi $ trivy image --scanners vuln --format cyclonedx --output result.json alpine:3.15 ``` -## Scanning -Trivy can take CycloneDX as an input and scan for vulnerabilities. -To scan SBOM, you can use the `sbom` subcommand and pass the path to your CycloneDX report. - -```bash -$ trivy sbom /path/to/cyclonedx.json - -cyclonedx.json (alpine 3.7.1) -========================= -Total: 3 (CRITICAL: 3) - -┌─────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐ -│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │ -├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ -│ curl │ CVE-2018-14618 │ CRITICAL │ 7.61.0-r0 │ 7.61.1-r0 │ curl: NTLM password overflow via integer overflow │ -│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-14618 │ -├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ -│ libbz2 │ CVE-2019-12900 │ CRITICAL │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: out-of-bounds write in function BZ2_decompress │ -│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-12900 │ -├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ -│ sqlite-libs │ CVE-2019-8457 │ CRITICAL │ 3.21.0-r1 │ 3.25.3-r1 │ sqlite: heap out-of-bound read in function rtreenode() │ -│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-8457 │ -└─────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘ -``` - -!!! 
note - If you want to generate a CycloneDX report from a CycloneDX input, please be aware that the output stores references to your original CycloneDX report and contains only detected vulnerabilities, not components. - The report is called [BOV][bov]. [cyclonedx]: https://cyclonedx.org/ [sbom]: https://cyclonedx.org/capabilities/sbom/ diff --git a/docs/docs/sbom/index.md b/docs/docs/sbom/index.md index 564d7de2cd..ff268c78c3 100644 --- a/docs/docs/sbom/index.md +++ b/docs/docs/sbom/index.md @@ -1,12 +1,12 @@ -# SBOM +# SBOM generation -## Generating Trivy can generate the following SBOM formats. - [CycloneDX][cyclonedx] - [SPDX][spdx] -To generate SBOM, you can use the `--format` option for each subcommand such as `image` and `fs`. +## CLI commands +To generate SBOM, you can use the `--format` option for each subcommand such as `image`, `fs` and `vm`. ``` $ trivy image --format spdx-json --output result.json alpine:3.15 
@@ -177,56 +177,27 @@ $ trivy fs --format cyclonedx --output result.json /app/myproject -## Scanning -Trivy also can take the following SBOM formats as an input and scan for vulnerabilities. +## Supported packages +Trivy supports the following packages. -- CycloneDX -- SPDX -- SPDX JSON -- CycloneDX-type attestation +- [OS packages][os_packages] +- [Language-specific packages][language_packages] -To scan SBOM, you can use the `sbom` subcommand and pass the path to the SBOM. - -```bash -$ trivy sbom /path/to/cyclonedx.json -``` - -See [here][cyclonedx] for the detail. +In addition to the above packages, Trivy also supports the following packages for generating SBOM. !!! note - CycloneDX XML is not supported at the moment. + These packages are not supported for vulnerability scanning. -```bash -$ trivy sbom /path/to/spdx.json -``` +| Language | File | Dependency location[^1] | +|----------|-------------------|:-----------------------:| +| Python | conda package[^2] | - | +| Swift | Podfile.lock | - | -See [here][spdx] for the detail. - - -You can also scan an SBOM attestation. -In the following example, [Cosign][Cosign] can get an attestation and trivy scan it. You must create CycloneDX-type attestation before trying the example. To learn more about how to create an CycloneDX-Type attestation and attach it to an image, see the [SBOM attestation page][sbom_attestation]. 
-```bash -$ cosign verify-attestation --key /path/to/cosign.pub --type cyclonedx > sbom.cdx.intoto.jsonl -$ trivy sbom ./sbom.cdx.intoto.jsonl - -sbom.cdx.intoto.jsonl (alpine 3.7.3) -========================= -Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2) - -┌────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐ -│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │ -├────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤ -│ musl │ CVE-2019-14697 │ CRITICAL │ 1.1.18-r3 │ 1.1.18-r4 │ musl libc through 1.1.23 has an x87 floating-point stack │ -│ │ │ │ │ │ adjustment im ...... │ -│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-14697 │ -├────────────┤ │ │ │ │ │ -│ musl-utils │ │ │ │ │ │ -│ │ │ │ │ │ │ -│ │ │ │ │ │ │ -└────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘ -``` +[^1]: Use `startline == 1 and endline == 1` for unsupported file types +[^2]: `envs/*/conda-meta/*.json` [cyclonedx]: cyclonedx.md [spdx]: spdx.md -[Cosign]: https://github.com/sigstore/cosign -[sbom_attestation]: ../attestation/sbom.md#sign-with-a-local-key-pair \ No newline at end of file + +[os_packages]: ../vulnerability/detection/os.md +[language_packages]: ../vulnerability/detection/language.md diff --git a/docs/docs/sbom/spdx.md b/docs/docs/sbom/spdx.md index 3616c76278..786bc91af8 100644 --- a/docs/docs/sbom/spdx.md +++ b/docs/docs/sbom/spdx.md @@ -1,6 +1,5 @@ -# SPDX +# SPDX generation -## Generating Trivy can generate SBOM in the [SPDX][spdx] format. You can use the regular subcommands (like `image`, `fs` and `rootfs`) and specify `spdx` with the `--format` option. 
@@ -295,50 +294,5 @@ $ cat result.spdx.json | jq . -## Scanning -Trivy can take the SPDX SBOM as an input and scan for vulnerabilities. -To scan SBOM, you can use the `sbom` subcommand and pass the path to your SPDX report. -The input format is automatically detected. - -The following formats are supported: - -- Tag-value (`--format spdx`) -- JSON (`--format spdx-json`) - -```bash -$ trivy image --format spdx-json --output spdx.json alpine:3.16.0 -$ trivy sbom spdx.json -2022-09-15T21:32:27.168+0300 INFO Vulnerability scanning is enabled -2022-09-15T21:32:27.169+0300 INFO Detected SBOM format: spdx-json -2022-09-15T21:32:27.210+0300 INFO Detected OS: alpine -2022-09-15T21:32:27.210+0300 INFO Detecting Alpine vulnerabilities... -2022-09-15T21:32:27.211+0300 INFO Number of language-specific files: 0 - -spdx.json (alpine 3.16.0) -========================= -Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 2, CRITICAL: 1) - -┌──────────────┬────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐ -│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │ -├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤ -│ busybox │ CVE-2022-30065 │ HIGH │ 1.35.0-r13 │ 1.35.0-r15 │ busybox: A use-after-free in Busybox's awk applet leads to │ -│ │ │ │ │ │ denial of service... 
│ -│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-30065 │ -├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤ -│ libcrypto1.1 │ CVE-2022-2097 │ MEDIUM │ 1.1.1o-r0 │ 1.1.1q-r0 │ openssl: AES OCB fails to encrypt some bytes │ -│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-2097 │ -├──────────────┤ │ │ │ │ │ -│ libssl1.1 │ │ │ │ │ │ -│ │ │ │ │ │ │ -├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤ -│ ssl_client │ CVE-2022-30065 │ HIGH │ 1.35.0-r13 │ 1.35.0-r15 │ busybox: A use-after-free in Busybox's awk applet leads to │ -│ │ │ │ │ │ denial of service... │ -│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-30065 │ -├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤ -│ zlib │ CVE-2022-37434 │ CRITICAL │ 1.2.12-r1 │ 1.2.12-r2 │ zlib: a heap-based buffer over-read or buffer overflow in │ -│ │ │ │ │ │ inflate in inflate.c... │ -│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-37434 │ -└──────────────┴────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘ -``` [spdx]: https://spdx.dev/wp-content/uploads/sites/41/2020/08/SPDX-specification-2-2.pdf diff --git a/docs/docs/sbom/supported.md b/docs/docs/sbom/supported.md deleted file mode 100644 index 6907e3b605..0000000000 --- a/docs/docs/sbom/supported.md +++ /dev/null 
@@ -1,16 +0,0 @@ -## Packages that support vulnerability scanning -- [OS packages][os_packages] -- [Language-specific packages][language_packages] - -## Other language-specific packages - -| Language | File | Dependency location[^1] | -|----------|-------------------|:-----------------------:| -| Python | conda package[^2] | - | -| Swift | Podfile.lock | - | - -[^1]: Use `startline == 1 and endline == 1` for unsupported file types -[^2]: `envs/*/conda-meta/*.json` - -[os_packages]: ../vulnerability/detection/os.md -[language_packages]: ../vulnerability/detection/language.md diff --git a/docs/docs/target/aws.md b/docs/docs/target/aws.md new file mode 100644 index 0000000000..350b51bf93 --- /dev/null +++ b/docs/docs/target/aws.md 
@@ -0,0 +1,107 @@ +# Amazon Web Services + +!!! warning "EXPERIMENTAL" + This feature might change without preserving backwards compatibility. + +The Trivy AWS CLI allows you to scan your AWS account for misconfigurations. +You can either run the CLI locally or integrate it into your CI/CD pipeline. + +Whilst you can already scan the infrastructure-as-code that defines your AWS resources with `trivy config`, you can now scan your live AWS account(s) directly too. + +The included checks cover all of the aspects of the [AWS CIS 1.2](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-cis.html) automated benchmarks. + +Trivy uses the same [authentication methods](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) as the AWS CLI to configure and authenticate your access to the AWS platform. + +You will need permissions configured to read all AWS resources - we recommend using a group/role with the `ReadOnlyAccess` policy attached. + +Once you've scanned your account, you can run additional commands to filter the results without having to run the entire scan again - infrastructure information is cached locally per AWS account/region. + +Trivy currently supports the following scanning for AWS accounts. + +- Misconfigurations + +## CLI Commands + +Scan a full AWS account (all supported services): + +```shell +trivy aws --region us-east-1 +``` + +You can allow Trivy to determine the AWS region etc. by using the standard AWS configuration files and environment variables. The `--region` flag overrides these. + +![AWS Summary Report](../../imgs/trivy-aws.png) + +The summary view is the default when scanning multiple services. 
+ +Scan a specific service: + +```shell +trivy aws --service s3 +``` + +Scan multiple services: + +```shell +# --service s3,ec2 works too +trivy aws --service s3 --service ec2 +``` + +Show results for a specific AWS resource: + +```shell +trivy aws --service s3 --arn arn:aws:s3:::example-bucket +``` + +All ARNs with detected issues will be displayed when showing results for their associated service. + +## Compliance +This section describes AWS specific compliance reports. +For an overview of Trivy's Compliance feature, including working with custom compliance, check out the [Compliance documentation](../compliance/compliance.md). + +### Built in reports + +the following reports are available out of the box: + +| Compliance | Name for command | More info | +|------------------------------------|------------------|------------------------------------------------------------------------------------------------------| +| AWS CIS Foundations Benchmark v1.2 | `aws-cis-1.2` | [link](https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf) | +| AWS CIS Foundations Benchmark v1.4 | `aws-cis-1.4` | [link](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls-1.4.0.html) | + +### Examples + +Scan a cloud account and generate a compliance summary report: + +``` +$ trivy aws --compliance= --report=summary +``` + +***Note*** : The `Issues` column represent the total number of failed checks for this control. + + +Get all of the detailed output for checks: + +``` +$ trivy aws --compliance= --report all +``` + +Report result in JSON format: + +``` +$ trivy aws --compliance= --report all --format json +``` + +## Cached Results + +By default, Trivy will cache a representation of each AWS service for 24 hours. +This means you can filter and view results for a service without having to wait for the entire scan to run again. +If you want to force the cache to be refreshed with the latest data, you can use `--update-cache`. 
+Or if you'd like to use cached data for a different timeframe, you can specify `--max-cache-age` (e.g. `--max-cache-age 2h`.). +Regardless of whether the cache is used or not, rules will be evaluated again with each run of `trivy aws`. + +## Custom Policies + +You can write custom policies for Trivy to evaluate against your AWS account. +These policies are written in [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/), the same language used by [Open Policy Agent](https://www.openpolicyagent.org/). +See the [Custom Policies](../misconfiguration/custom/index.md) page for more information. + diff --git a/docs/docs/target/container_image.md b/docs/docs/target/container_image.md new file mode 100644 index 0000000000..764c8d4a5a --- /dev/null +++ b/docs/docs/target/container_image.md @@ -0,0 +1,450 @@ +# Container Image + +Trivy supports two targets for container images. + +- Files inside container images +- Container image metadata + +## Files inside container images +Container images consist of files. +For instance, new files will be installed if you install a package. + +Trivy scans the files inside container images for + +- Vulnerabilities +- Misconfigurations +- Secrets +- Licenses + +By default, vulnerability and secret scanning are enabled, and you can configure that with `--scanners`. + +### Vulnerabilities +It is enabled by default. +You can simply specify your image name (and a tag). +It detects known vulnerabilities in your container image. +See [here](../vulnerability/scanning.md) for the detail. + +``` +$ trivy image [YOUR_IMAGE_NAME] +``` + +For example: + +``` +$ trivy image python:3.4-alpine +``` + +
+Result + +``` +2019-05-16T01:20:43.180+0900 INFO Updating vulnerability database... +2019-05-16T01:20:53.029+0900 INFO Detecting Alpine vulnerabilities... + +python:3.4-alpine3.9 (alpine 3.9.2) +=================================== +Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0) + ++---------+------------------+----------+-------------------+---------------+--------------------------------+ +| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE | ++---------+------------------+----------+-------------------+---------------+--------------------------------+ +| openssl | CVE-2019-1543 | MEDIUM | 1.1.1a-r1 | 1.1.1b-r1 | openssl: ChaCha20-Poly1305 | +| | | | | | with long nonces | ++---------+------------------+----------+-------------------+---------------+--------------------------------+ +``` + +
+ +To enable only vulnerability scanning, you can specify `--scanners vuln`. + +```shell +$ trivy image --scanners vuln [YOUR_IMAGE_NAME] +``` + +### Misconfigurations +It is supported, but it is not useful in most cases. +As mentioned [here](../misconfiguration/scanning.md), Trivy mainly supports Infrastructure as Code (IaC) files for misconfigurations. +If your container image includes IaC files such as Kubernetes YAML files or Terraform files, you should enable this feature with `--scanners config`. + +``` +$ trivy image --scanners config [YOUR_IMAGE_NAME] +``` + +### Secrets +It is enabled by default. +See [here](../secret/scanning.md) for the detail. + +```shell +$ trivy image [YOUR_IMAGE_NAME] +``` + +### Licenses +It is disabled by default. +See [here](../licenses/scanning.md) for the detail. + +```shell +$ trivy image --scanners license [YOUR_IMAGE_NAME] +``` + +## Container image metadata +Container images have [configuration](https://github.com/opencontainers/image-spec/blob/2fb996805b3734779bf9a3a84dc9a9691ad7efdd/config.md). +`docker inspect` and `docker history` show the information according to the configuration. + +Trivy scans the configuration of container images for + +- Misconfigurations +- Secrets + +They are disabled by default. +You can enable them with `--image-config-scanners`. + +!!! tips + The configuration can be exported as the JSON file by `docker save`. + +### Misconfigurations +Trivy detects misconfigurations on the configuration of container images. +The image config is converted into Dockerfile and Trivy handles it as Dockerfile. +See [here](../misconfiguration/scanning.md) for the detail of Dockerfile scanning. + +It is disabled by default. +You can enable it with `--image-config-scanners config`. + +``` +$ trivy image --image-config-scanners config [YOUR_IMAGE_NAME] +``` + +If you just want to scan the image config, you can disable scanners with `--scanners none`. 
+For example: + +``` +$ trivy image --scanners none --image-config-scanners config alpine:3.17.0 +``` + +
+Result + +``` +alpine:3.17 (dockerfile) +======================== +Tests: 24 (SUCCESSES: 21, FAILURES: 3, EXCEPTIONS: 0) +Failures: 3 (UNKNOWN: 0, LOW: 2, MEDIUM: 0, HIGH: 1, CRITICAL: 0) + +HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument +════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════ +Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile. + +See https://avd.aquasec.com/misconfig/ds002 +──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── + + +LOW: Consider using 'COPY file:e4d600fc4c9c293efe360be7b30ee96579925d1b4634c94332e2ec73f7d8eca1 in /' command instead of 'ADD file:e4d600fc4c9c293efe360be7b30ee96579925d1b4634c94332e2ec73f7d8eca1 in /' +════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════ +You should use COPY instead of ADD unless you want to extract a tar file. Note that an ADD command will extract a tar file, which adds the risk of Zip-based vulnerabilities. Accordingly, it is advised to use a COPY command, which does not extract tar files. 
+ +See https://avd.aquasec.com/misconfig/ds005 +──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── + alpine:3.17:1 +──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── + 1 [ ADD file:e4d600fc4c9c293efe360be7b30ee96579925d1b4634c94332e2ec73f7d8eca1 in / +──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── + + +LOW: Add HEALTHCHECK instruction in your Dockerfile +════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════ +You shoud add HEALTHCHECK instruction in your docker container images to perform the health check on running containers. + +See https://avd.aquasec.com/misconfig/ds026 +──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── +``` +
+ +!!! tip + You can see how each layer is created with `docker history`. + +### Secrets +Trivy detects secrets on the configuration of container images. +The image config is converted into JSON and Trivy scans the file for secrets. +It is especially useful for environment variables that are likely to have credentials by accident. +See [here](../secret/scanning.md) for the detail. + +```shell +$ trivy image --image-config-scanners secret [YOUR_IMAGE_NAME] +``` + +If you just want to scan the image config, you can disable scanners with `--scanners none`. +For example: + +```shell +$ trivy image --scanners none --image-config-scanners secret vuln-image +``` + +
+Result + +``` +vuln-image (alpine 3.17.1) +========================== +Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0) + + +vuln-image (secrets) +==================== +Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2) + +CRITICAL: GitHub (github-pat) +════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════ +GitHub Personal Access Token +──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── + test:16 +──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── + 14 { + 15 "created": "2023-01-09T17:05:20Z", + 16 [ "created_by": "ENV secret=****************************************", + 17 "comment": "buildkit.dockerfile.v0", +──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── + + +CRITICAL: GitHub (github-pat) +════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════ +GitHub Personal Access Token +──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── + test:34 
+──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── + 32 "Env": [ + 33 "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", + 34 [ "secret=****************************************" + 35 ] +──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── + +``` + +
+ +!!! tip + You can see environment variables with `docker inspect`. + +## Supported +### Docker Engine +Trivy tries to looks for the specified image in your local Docker Engine. +It will be skipped if Docker Engine is not running locally. + +If your docker socket is not the default path, you can override it via `DOCKER_HOST`. + +### containerd + +!!! warning "EXPERIMENTAL" + This feature might change without preserving backwards compatibility. + +Trivy tries to looks for the specified image in your local [containerd](https://containerd.io/). +It will be skipped if containerd is not running locally. + +Specify your image name in containerd running locally. + +```bash +$ nerdctl images +REPOSITORY TAG IMAGE ID CREATED PLATFORM SIZE BLOB SIZE +aquasec/nginx latest 2bcabc23b454 3 hours ago linux/amd64 149.1 MiB 54.1 MiB +$ trivy image aquasec/nginx +``` + +If your containerd socket is not the default path (`//run/containerd/containerd.sock`), you can override it via `CONTAINERD_ADDRESS`. + +```bash +$ export CONTAINERD_ADDRESS=/run/k3s/containerd/containerd.sock +$ trivy image aquasec/nginx +``` + +If your scan targets are images in a namespace other than containerd's default namespace (`default`), you can override it via `CONTAINERD_NAMESPACE`. + +```bash +$ export CONTAINERD_NAMESPACE=k8s.io +$ trivy image aquasec/nginx +``` + +### Podman + +!!! warning "EXPERIMENTAL" + This feature might change without preserving backwards compatibility. + +Scan your image in Podman (>=2.0) running locally. The remote Podman is not supported. +Before performing Trivy commands, you must enable the podman.sock systemd service on your machine. +For more details, see [here](https://github.com/containers/podman/blob/master/docs/tutorials/remote_client.md#enable-the-podman-service-on-the-server-machine). + + +```bash +$ systemctl --user enable --now podman.socket +``` + +Then, you can scan your image in Podman. 
+ +```bash +$ cat Dockerfile +FROM alpine:3.12 +RUN apk add --no-cache bash +$ podman build -t test . +$ podman images +REPOSITORY TAG IMAGE ID CREATED SIZE +localhost/test latest efc372d4e0de About a minute ago 7.94 MB +$ trivy image test +``` + +### Container Registry +Trivy supports registries that comply with the following specifications. + +- [Docker Registry HTTP API V2](https://docs.docker.com/registry/spec/api/) +- [OCI Distribution Specification](https://github.com/opencontainers/distribution-spec) + +You can configure credentials with `docker login`. +See [here](../advanced/private-registries/index.md) for the detail. + +### Tar Files +Trivy supports image tar files generated by the following tools. + +- [Docker Image Specification](https://github.com/moby/moby/tree/master/image/spec) + - [Moby Project](https://github.com/moby/moby/) + - [Buildah](https://github.com/containers/buildah) + - [Podman](https://github.com/containers/podman) + - [img](https://github.com/genuinetools/img) +- [Kaniko](https://github.com/GoogleContainerTools/kaniko) + +``` +$ docker pull ruby:3.1-alpine3.15 +$ docker save ruby:3.1-alpine3.15 -o ruby-3.1.tar +$ trivy image --input ruby-3.1.tar +``` + +
+Result + +``` +2022-02-03T10:08:19.127Z INFO Detected OS: alpine +2022-02-03T10:08:19.127Z WARN This OS version is not on the EOL list: alpine 3.15 +2022-02-03T10:08:19.127Z INFO Detecting Alpine vulnerabilities... +2022-02-03T10:08:19.127Z INFO Number of language-specific files: 2 +2022-02-03T10:08:19.127Z INFO Detecting gemspec vulnerabilities... +2022-02-03T10:08:19.128Z INFO Detecting node-pkg vulnerabilities... +2022-02-03T10:08:19.128Z WARN This OS version is no longer supported by the distribution: alpine 3.15.0 +2022-02-03T10:08:19.128Z WARN The vulnerability detection may be insufficient because security updates are not provided + +ruby-3.1.tar (alpine 3.15.0) +============================ +Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 3, CRITICAL: 0) + ++----------+------------------+----------+-------------------+---------------+---------------------------------------+ +| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE | ++----------+------------------+----------+-------------------+---------------+---------------------------------------+ +| gmp | CVE-2021-43618 | HIGH | 6.2.1-r0 | 6.2.1-r1 | gmp: Integer overflow and resultant | +| | | | | | buffer overflow via crafted input | +| | | | | | -->avd.aquasec.com/nvd/cve-2021-43618 | ++----------+ + + + + + +| gmp-dev | | | | | | +| | | | | | | +| | | | | | | ++----------+ + + + + + +| libgmpxx | | | | | | +| | | | | | | +| | | | | | | ++----------+------------------+----------+-------------------+---------------+---------------------------------------+ + +Node.js (node-pkg) +================== +Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0) + + +Ruby (gemspec) +============== +Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0) +``` + +
+ +### OCI Layout +Trivy supports image directories compliant with [Open Container Image Layout Specification](https://github.com/opencontainers/image-spec/blob/master/spec.md). + +Buildah: + +``` +$ buildah push docker.io/library/alpine:3.11 oci:/path/to/alpine +$ trivy image --input /path/to/alpine +``` + +Skopeo: + +``` +$ skopeo copy docker-daemon:alpine:3.11 oci:/path/to/alpine +$ trivy image --input /path/to/alpine +``` + +## SBOM generation +Trivy can generate SBOM for container images. +See [here](../sbom/index.md) for the detail. + +## Compliance + +!!! warning "EXPERIMENTAL" + This feature might change without preserving backwards compatibility. + +This section describes container image specific compliance reports. +For an overview of Trivy's Compliance feature, including working with custom compliance, check out the [Compliance documentation](../compliance/compliance.md). + +### Built in reports + +The following reports are available out of the box: + +| Compliance | Version | Name for command | More info | +|----------------------------------------|---------|------------------|---------------------------------------------------------------------------------------------| +| CIS Docker Community Edition Benchmark | 1.1.0 | `docker-cis` | [Link](https://www.aquasec.com/cloud-native-academy/docker-container/docker-cis-benchmark/) | + +### Examples + +Scan a container image configuration and generate a compliance summary report: + +``` +$ trivy image --compliance docker-cis [YOUR_IMAGE_NAME] +``` + +!!! note + The `Issues` column represent the total number of failed checks for this control. + +## Options +### Scan Image on a specific Architecture and OS +By default, Trivy loads an image on a "linux/amd64" machine. +To customise this, pass a `--platform` argument in the format OS/Architecture for the image: + +``` +$ trivy image --platform=os/architecture [YOUR_IMAGE_NAME] +``` + +For example: + +``` +$ trivy image --platform=linux/arm alpine:3.16.1 +``` + +
+Result + +``` +2022-10-25T21:00:50.972+0300 INFO Vulnerability scanning is enabled +2022-10-25T21:00:50.972+0300 INFO Secret scanning is enabled +2022-10-25T21:00:50.972+0300 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning +2022-10-25T21:00:50.972+0300 INFO Please see also https://aquasecurity.github.io/trivy/dev/docs/secret/scanning/#recommendation for faster secret detection +2022-10-25T21:00:56.190+0300 INFO Detected OS: alpine +2022-10-25T21:00:56.190+0300 INFO Detecting Alpine vulnerabilities... +2022-10-25T21:00:56.191+0300 INFO Number of language-specific files: 0 + +alpine:3.16.1 (alpine 3.16.1) +============================= +Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1) + +┌─────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐ +│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │ +├─────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤ +│ zlib │ CVE-2022-37434 │ CRITICAL │ 1.2.12-r1 │ 1.2.12-r2 │ zlib: heap-based buffer over-read and overflow in inflate() │ +│ │ │ │ │ │ in inflate.c via a... │ +│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-37434 │ +└─────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘ +``` + +
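Review bot: `!!! tips` in the "Container image metadata" section should be `!!! tip`; `tips` is not the admonition type used elsewhere in this file (the two later callouts are `!!! tip`), so it will render as a generic box rather than a tip. Further points in this hunk: the image-config example runs `trivy image --scanners none --image-config-scanners config alpine:3.17.0` but the pasted result is headed `alpine:3.17 (dockerfile)`, so either the command or the output should be updated to match; "Trivy tries to looks for the specified image" appears under both Docker Engine and containerd and should read "tries to look for"; the default containerd socket is written `//run/containerd/containerd.sock` with a doubled leading slash where `/run/containerd/containerd.sock` is presumably meant; and in the Compliance note "The `Issues` column represent" should be "represents", with "Built in reports" hyphenated as "Built-in reports". The code fences in this hunk also alternate between `shell`, `bash` and untagged fences for the same kind of terminal session; picking one tag keeps the highlighting consistent.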
+ diff --git a/docs/docs/target/filesystem.md b/docs/docs/target/filesystem.md new file mode 100644 index 0000000000..7b5b208e8c --- /dev/null +++ b/docs/docs/target/filesystem.md @@ -0,0 +1,93 @@ +# Filesystem + +Scan your local projects for + +- Vulnerabilities +- Misconfigurations +- Secrets +- Licenses + +By default, vulnerability and secret scanning are enabled, and you can configure that with `--scanners`. + +```bash +$ trivy fs /path/to/project +``` + +It's also possible to scan a single file. + +``` +$ trivy fs ~/src/github.com/aquasecurity/trivy-ci-test/Pipfile.lock +``` + +## Scanners +### Vulnerabilities +It is enabled by default. +Trivy will look for vulnerabilities based on lock files such as Gemfile.lock and package-lock.json. +See [here](../vulnerability/scanning.md) for the detail. + +``` +$ trivy fs ~/src/github.com/aquasecurity/trivy-ci-test +``` + +
+Result + +``` +2020-06-01T17:06:58.652+0300 WARN OS is not detected and vulnerabilities in OS packages are not detected. +2020-06-01T17:06:58.652+0300 INFO Detecting pipenv vulnerabilities... +2020-06-01T17:06:58.691+0300 INFO Detecting cargo vulnerabilities... + +Pipfile.lock +============ +Total: 10 (UNKNOWN: 2, LOW: 0, MEDIUM: 6, HIGH: 2, CRITICAL: 0) + ++---------------------+------------------+----------+-------------------+------------------------+------------------------------------+ +| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE | ++---------------------+------------------+----------+-------------------+------------------------+------------------------------------+ +| django | CVE-2020-7471 | HIGH | 2.0.9 | 3.0.3, 2.2.10, 1.11.28 | django: potential | +| | | | | | SQL injection via | +| | | | | | StringAgg(delimiter) | ++ +------------------+----------+ +------------------------+------------------------------------+ +| | CVE-2019-19844 | MEDIUM | | 3.0.1, 2.2.9, 1.11.27 | Django: crafted email address | +| | | | | | allows account takeover | ++ +------------------+ + +------------------------+------------------------------------+ +| | CVE-2019-3498 | | | 2.1.5, 2.0.10, 1.11.18 | python-django: Content | +| | | | | | spoofing via URL path in | +| | | | | | default 404 page | ++ +------------------+ + +------------------------+------------------------------------+ +| | CVE-2019-6975 | | | 2.1.6, 2.0.11, 1.11.19 | python-django: | +| | | | | | memory exhaustion in | +| | | | | | django.utils.numberformat.format() | ++---------------------+------------------+----------+-------------------+------------------------+------------------------------------+ +... +``` + +
+ +### Misconfigurations +It is disabled by default and can be enabled with `--scanners config`. +See [here](../misconfiguration/scanning.md) for the detail. + +```shell +$ trivy fs --scanners config /path/to/project +``` + +### Secrets +It is enabled by default. +See [here](../secret/scanning.md) for the detail. + +```shell +$ trivy fs /path/to/project +``` + +### Licenses +It is disabled by default. +See [here](../licenses/scanning.md) for the detail. + +```shell +$ trivy fs --scanners license /path/to/project +``` + +## SBOM generation +Trivy can generate SBOM for local projects. +See [here](../sbom/index.md) for the detail. diff --git a/docs/docs/vulnerability/scanning/git-repository.md b/docs/docs/target/git-repository.md similarity index 67% rename from docs/docs/vulnerability/scanning/git-repository.md rename to docs/docs/target/git-repository.md index 6c815363f4..4cccfb2b15 100644 --- a/docs/docs/vulnerability/scanning/git-repository.md +++ b/docs/docs/target/git-repository.md @@ -1,6 +1,23 @@ # Git Repository -Scan your remote git repository +Scan your remote git repositories for + +- Vulnerabilities +- Misconfigurations +- Secrets +- Licenses + +By default, vulnerability and secret scanning are enabled, and you can configure that with `--scanners`. + +```bash +$ trivy repo [YOUR_REPO_URL] +``` + +## Scanners +### Vulnerabilities +It is enabled by default. +Trivy will look for vulnerabilities based on lock files such as Gemfile.lock and package-lock.json. +See [here](../vulnerability/scanning.md) for the detail. ``` $ trivy repo https://github.com/knqyf263/trivy-ci-test 
@@ -147,7 +164,36 @@ Total: 20 (UNKNOWN: 3, LOW: 0, MEDIUM: 7, HIGH: 5, CRITICAL: 5) -## Scanning a Branch +### Misconfigurations +It is disabled by default and can be enabled with `--scanners config`. +See [here](../misconfiguration/scanning.md) for the detail. + +```shell +$ trivy repo --scanners config [YOUR_REPO_URL] +``` + +### Secrets +It is enabled by default. +See [here](../secret/scanning.md) for the detail. + +```shell +$ trivy repo [YOUR_REPO_URL] +``` + +### Licenses +It is disabled by default. +See [here](../licenses/scanning.md) for the detail. + +```shell +$ trivy repo --scanners license [YOUR_REPO_URL] +``` + +## SBOM generation +Trivy can generate SBOM for git repositories. +See [here](../sbom/index.md) for the detail. + +## References +### Scanning a Branch Pass a `--branch` argument with a valid branch name on the remote repository provided: @@ -155,7 +201,7 @@ Pass a `--branch` argument with a valid branch name on the remote repository pro $ trivy repo --branch ``` -## Scanning upto a Commit +### Scanning upto a Commit Pass a `--commit` argument with a valid commit hash on the remote repository provided: @@ -163,7 +209,7 @@ Pass a `--commit` argument with a valid commit hash on the remote repository pro $ trivy repo --commit ``` -## Scanning a Tag +### Scanning a Tag Pass a `--tag` argument with a valid tag on the remote repository provided: @@ -171,8 +217,7 @@ Pass a `--tag` argument with a valid tag on the remote repository provided: $ trivy repo --tag ``` -## Scanning Private Repositories - +### Scanning Private Repositories In order to scan private GitHub or GitLab repositories, the environment variable `GITHUB_TOKEN` or `GITLAB_TOKEN` must be set, respectively, with a valid token that has access to the private repository being scanned. The `GITHUB_TOKEN` environment variable will take precedence over `GITLAB_TOKEN`, so if a private GitLab repository will be scanned, then `GITHUB_TOKEN` must be unset. 
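Review bot: "### Scanning upto a Commit" keeps the misspelling "upto" even though the heading line is being rewritten; make it "Scanning up to a Commit". Grouping the `--branch`, `--commit`, `--tag` and private-repository sections under "## References" is also misleading, since they document command options rather than external references; image.md in this same change uses "## Options" for material of this kind, and the same heading would fit here.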
@@ -187,65 +232,3 @@ $ # or $ export GITLAB_TOKEN="your_private_gitlab_token" $ trivy repo ``` - -## Client/Server mode -You must launch Trivy server in advance. - -```sh -$ trivy server -``` - -Then, Trivy works as a client if you specify the `--server` option. - -```sh -$ trivy repo https://github.com/knqyf263/trivy-ci-test --server http://localhost:4954 -``` - -
-Result - -``` -Cargo.lock (cargo) -================== -Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 1) - -┌───────────┬─────────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐ -│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │ -├───────────┼─────────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤ -│ openssl │ CVE-2018-20997 │ CRITICAL │ 0.8.3 │ 0.10.9 │ Use after free in openssl │ -│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-20997 │ -│ ├─────────────────────┼──────────┤ ├───────────────┼─────────────────────────────────────────────────────────────┤ -│ │ CVE-2016-10931 │ HIGH │ │ 0.9.0 │ Improper Certificate Validation in openssl │ -│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2016-10931 │ -└───────────┴─────────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘ - -Pipfile.lock (pipenv) -===================== -Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 3, CRITICAL: 2) - -┌─────────────────────┬────────────────┬──────────┬───────────────────┬────────────────────────┬──────────────────────────────────────────────────────────────┐ -│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │ -├─────────────────────┼────────────────┼──────────┼───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤ -│ py │ CVE-2020-29651 │ HIGH │ 1.8.0 │ 1.10.0 │ python-py: ReDoS in the py.path.svnwc component via │ -│ │ │ │ │ │ mailicious input to blame functionality... 
│ -│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-29651 │ -│ ├────────────────┤ │ ├────────────────────────┼──────────────────────────────────────────────────────────────┤ -│ │ CVE-2022-42969 │ │ │ │ The py library through 1.11.0 for Python allows remote │ -│ │ │ │ │ │ attackers to co... │ -│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-42969 │ -├─────────────────────┼────────────────┤ ├───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤ -│ pyjwt │ CVE-2022-29217 │ │ 1.7.1 │ 2.4.0 │ python-jwt: Key confusion through non-blocklisted public key │ -│ │ │ │ │ │ formats │ -│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-29217 │ -├─────────────────────┼────────────────┼──────────┼───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤ -│ pyyaml │ CVE-2019-20477 │ CRITICAL │ 5.1 │ 5.2b1 │ PyYAML: command execution through python/object/apply │ -│ │ │ │ │ │ constructor in FullLoader │ -│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-20477 │ -│ ├────────────────┤ │ ├────────────────────────┼──────────────────────────────────────────────────────────────┤ -│ │ CVE-2020-1747 │ │ │ 5.3.1 │ PyYAML: arbitrary command execution through │ -│ │ │ │ │ │ python/object/new when FullLoader is used │ -│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-1747 │ -└─────────────────────┴────────────────┴──────────┴───────────────────┴────────────────────────┴──────────────────────────────────────────────────────────────┘ - -``` -
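Review bot: the removed "Client/Server mode" section was the only place in git-repository.md showing `trivy repo ... --server http://localhost:4954`, so after this hunk the page no longer mentions that `repo` works against a Trivy server. If client/server usage is now documented on a dedicated page, add a one-line pointer to it from this file; otherwise the removal drops documented behaviour without a replacement.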
\ No newline at end of file diff --git a/docs/docs/kubernetes/cli/scanning.md b/docs/docs/target/kubernetes.md similarity index 80% rename from docs/docs/kubernetes/cli/scanning.md rename to docs/docs/target/kubernetes.md index 421b2eba67..875de7d74c 100644 --- a/docs/docs/kubernetes/cli/scanning.md +++ b/docs/docs/target/kubernetes.md @@ -3,13 +3,21 @@ !!! warning "EXPERIMENTAL" This feature might change without preserving backwards compatibility. -The Trivy K8s CLI allows you to scan your Kubernetes cluster for Vulnerabilities, Secrets and Misconfigurations. You can either run the CLI locally or integrate it into your CI/CD pipeline. The difference to the Trivy CLI is that the Trivy K8s CLI allows you to scan running workloads directly within your cluster. +## CLI +The Trivy K8s CLI allows you to scan your Kubernetes cluster for -If you are looking for continuous cluster audit scanning, have a look at the [Trivy K8s operator.](../operator/index.md) +- Vulnerabilities +- Misconfigurations +- Secrets + +You can either run the CLI locally or integrate it into your CI/CD pipeline. +The difference to the Trivy CLI is that the Trivy K8s CLI allows you to scan running workloads directly within your cluster. + +If you are looking for continuous cluster audit scanning, have a look at the Trivy K8s operator below. Trivy uses your local kubectl configuration to access the API server to list artifacts. -## CLI Commands +### Commands Scan a full cluster and generate a simple summary report: @@ -17,7 +25,7 @@ Scan a full cluster and generate a simple summary report: $ trivy k8s --report=summary cluster ``` -![k8s Summary Report](../../../imgs/trivy-k8s.png) +![k8s Summary Report](../../imgs/trivy-k8s.png) The summary report is the default. To get all of the detail the output contains, use `--report all`. 
@@ -233,7 +241,7 @@ $ trivy k8s --format json -o results.json cluster -## Infra checks +### Infra checks Trivy by default scans kubernetes infra components (apiserver, controller-manager, scheduler and etcd) if they exist under the `kube-system` namespace. For example, if you run a full cluster scan, or scan all 
@@ -275,5 +283,55 @@ Or, to filter for all other checks besides the infra checks, you can: $ trivy k8s cluster --report summary --components=workload --scanners=config # scan all components besides infra ``` - +### Compliance +This section describes Kubernetes specific compliance reports. +For an overview of Trivy's Compliance feature, including working with custom compliance, check out the [Compliance documentation](../compliance/compliance.md). +#### Built in reports + +The following reports are available out of the box: + +| Compliance | Name for command | More info +--- | --- | --- +NSA, CISA Kubernetes Hardening Guidance v1.2 | `k8s-nsa` | [Link](https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF) +CIS Benchmark for Kubernetes v1.23 | `k8s-cis` | [Link](https://www.cisecurity.org/benchmark/kubernetes) + +#### Examples + +Scan a full cluster and generate a compliance summary report: + +``` +$ trivy k8s cluster --compliance= --report summary +``` + +***Note*** : The `Issues` column represent the total number of failed checks for this control. + + +Get all of the detailed output for checks: + +``` +trivy k8s cluster --compliance= --report all +``` + +Report result in JSON format: + +``` +trivy k8s cluster --compliance= --report summary --format json +``` + +``` +trivy k8s cluster --compliance= --report all --format json +``` + +## Operator +Trivy has a native [Kubernetes Operator][operator] which continuously scans your Kubernetes cluster for security issues, and generates security reports as Kubernetes [Custom Resources][crd]. It does it by watching Kubernetes for state changes and automatically triggering scans in response to changes, for example initiating a vulnerability scan when a new Pod is created. + +> Kubernetes-native security toolkit. ([Documentation][trivy-operator]). + +
+
Workload reconcilers discover K8s controllers, manage scan jobs, and create VulnerabilityReport and ConfigAuditReport objects.
+
+ +[operator]: https://kubernetes.io/docs/concepts/extend-kubernetes/operator/ +[crd]: https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/ +[trivy-operator]: https://aquasecurity.github.io/trivy-operator/latest diff --git a/docs/docs/target/rootfs.md b/docs/docs/target/rootfs.md new file mode 100644 index 0000000000..a18e35341e --- /dev/null +++ b/docs/docs/target/rootfs.md @@ -0,0 +1,15 @@ +# Rootfs +Rootfs scanning is for special use cases such as + +- Host machine +- [Root filesystem](../advanced/container/embed-in-dockerfile.md) +- [Unpacked filesystem](../advanced/container/unpacked-filesystem.md) + +```bash +$ trivy rootfs /path/to/rootfs +``` + +!!! note + Rootfs scanning works differently from the Filesystem scanning. + You should use `trivy fs` to scan your local projects in CI/CD. + See [here](../vulnerability/detection/language.md) for the differences. diff --git a/docs/docs/target/sbom.md b/docs/docs/target/sbom.md new file mode 100644 index 0000000000..74d4f4b0cf --- /dev/null +++ b/docs/docs/target/sbom.md 
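Review bot: the compliance table under "#### Built in reports" uses a different Markdown table form (no leading or trailing pipes, a bare `--- | --- | ---` separator) from the compliance table added to image.md in this same change; using the fully piped form in both keeps them rendering identically. Also in this region: "#### Built in reports" follows the preceding paragraph with no blank line, which some Markdown renderers require before a heading, and "Built in" should be "Built-in"; the `***Note*** :` line should be a `!!! note` admonition as in image.md and "represent" should be "represents"; and the two JSON-format examples omit the `$` prompt that every other example in this file uses.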
@@ -0,0 +1,113 @@ +# SBOM scanning +Trivy can take the following SBOM formats as an input and scan for vulnerabilities. + +- CycloneDX +- SPDX +- SPDX JSON +- CycloneDX-type attestation + +To scan SBOM, you can use the `sbom` subcommand and pass the path to the SBOM. +The input format is automatically detected. + +```bash +$ trivy sbom /path/to/sbom_file +``` + +!!! note + Passing SBOMs generated by tool other than Trivy may result in inaccurate detection + because Trivy relies on custom properties in SBOM for accurate scanning. + +## CycloneDX +Trivy supports CycloneDX as an input. + +!!! note + CycloneDX XML is not supported at the moment. + + +```bash +$ trivy sbom /path/to/cyclonedx.json +``` + +!!! note + If you want to generate a CycloneDX report from a CycloneDX input, please be aware that the output stores references to your original CycloneDX report and contains only detected vulnerabilities, not components. + The report is called [BOV](https://cyclonedx.org/capabilities/sbom/). + +## SPDX +Trivy supports the SPDX SBOM as an input. + +The following SPDX formats are supported: + +- Tag-value (`--format spdx`) +- JSON (`--format spdx-json`) + +```bash +$ trivy image --format spdx-json --output spdx.json alpine:3.16.0 +$ trivy sbom spdx.json +``` + +
+Result + +``` +2022-09-15T21:32:27.168+0300 INFO Vulnerability scanning is enabled +2022-09-15T21:32:27.169+0300 INFO Detected SBOM format: spdx-json +2022-09-15T21:32:27.210+0300 INFO Detected OS: alpine +2022-09-15T21:32:27.210+0300 INFO Detecting Alpine vulnerabilities... +2022-09-15T21:32:27.211+0300 INFO Number of language-specific files: 0 + +spdx.json (alpine 3.16.0) +========================= +Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 2, CRITICAL: 1) + +┌──────────────┬────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐ +│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │ +├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤ +│ busybox │ CVE-2022-30065 │ HIGH │ 1.35.0-r13 │ 1.35.0-r15 │ busybox: A use-after-free in Busybox's awk applet leads to │ +│ │ │ │ │ │ denial of service... │ +│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-30065 │ +├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤ +│ libcrypto1.1 │ CVE-2022-2097 │ MEDIUM │ 1.1.1o-r0 │ 1.1.1q-r0 │ openssl: AES OCB fails to encrypt some bytes │ +│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-2097 │ +├──────────────┤ │ │ │ │ │ +│ libssl1.1 │ │ │ │ │ │ +│ │ │ │ │ │ │ +├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤ +│ ssl_client │ CVE-2022-30065 │ HIGH │ 1.35.0-r13 │ 1.35.0-r15 │ busybox: A use-after-free in Busybox's awk applet leads to │ +│ │ │ │ │ │ denial of service... 
│ +│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-30065 │ +├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤ +│ zlib │ CVE-2022-37434 │ CRITICAL │ 1.2.12-r1 │ 1.2.12-r2 │ zlib: a heap-based buffer over-read or buffer overflow in │ +│ │ │ │ │ │ inflate in inflate.c... │ +│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-37434 │ +└──────────────┴────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘ +``` + +
+ +## SBOM attestation + +You can also scan an SBOM attestation. +In the following example, [Cosign](https://github.com/sigstore/cosign) gets an attestation and Trivy scans it. +You must create CycloneDX-type attestation before trying the example. +To learn more about how to create an CycloneDX-Type attestation and attach it to an image, see the [SBOM attestation page](../attestation/sbom.md#sign-with-a-local-key-pair). + +```bash +$ cosign verify-attestation --key /path/to/cosign.pub --type cyclonedx > sbom.cdx.intoto.jsonl +$ trivy sbom ./sbom.cdx.intoto.jsonl + +sbom.cdx.intoto.jsonl (alpine 3.7.3) +========================= +Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2) + +┌────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐ +│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │ +├────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤ +│ musl │ CVE-2019-14697 │ CRITICAL │ 1.1.18-r3 │ 1.1.18-r4 │ musl libc through 1.1.23 has an x87 floating-point stack │ +│ │ │ │ │ │ adjustment im ...... │ +│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-14697 │ +├────────────┤ │ │ │ │ │ +│ musl-utils │ │ │ │ │ │ +│ │ │ │ │ │ │ +│ │ │ │ │ │ │ +└────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘ +``` diff --git a/docs/docs/vm/index.md b/docs/docs/target/vm.md similarity index 74% rename from docs/docs/vm/index.md rename to docs/docs/target/vm.md index 8152f2d870..8be08d74ca 100644 --- a/docs/docs/vm/index.md +++ b/docs/docs/target/vm.md 
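Review bot: in the SPDX section, "Tag-value (`--format spdx`)" and "JSON (`--format spdx-json`)" list output flags of `trivy image` while the section is about SBOM input, whose format is auto-detected; say that both tag-value and JSON SPDX are accepted as input and that the flags are how the example generates them, so they are not mistaken for input-format selectors. Smaller wording fixes in this hunk: "generated by tool other than Trivy" should be "tools", "To scan SBOM" should be "To scan an SBOM", and "create an CycloneDX-Type attestation" should be "a CycloneDX-type attestation".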
@@ -3,15 +3,16 @@ !!! warning "EXPERIMENTAL" This feature might change without preserving backwards compatibility. -## Scanning -Trivy supports VM image scanning for vulnerabilities, secrets, etc. +To scan virtual machine (VM) images, you can use the `vm` subcommand. + +## Targets The following targets are currently supported: - Local file -- [AWS EC2][aws] - -To scan VM images, you can use the `vm` subcommand. - +- AWS EC2 + - Amazon Machine Image (AMI) + - Amazon Elastic Block Store (EBS) Snapshot + ### Local file Pass the path to your local VM image file. 
@@ -62,11 +63,126 @@ Total: 802 (UNKNOWN: 0, LOW: 17, MEDIUM: 554, HIGH: 221, CRITICAL: 10) -### AWS EC2 +### Amazon Machine Image (AMI) +You can specify your AMI ID with the `ami:` prefix. -See [here][aws] for the detail. +```shell +$ trivy vm ami:${your_ami_id} +``` -## Supported architectures +!!! note + AMIs in the marketplace are not supported because the EBS direct APIs don't support that. + See [the AWS documentation][ebsapi-elements] for the detail. + +#### Example + +```shell +$ trivy vm --scanners vuln ami:ami-0123456789abcdefg +``` + +If you want to scan a AMI of non-default setting region, you can set any region via `--aws-region` option. + +```shell +$ trivy vm --aws-region ap-northeast-1 ami:ami-0123456789abcdefg +``` + + +#### Required Actions +Some actions on EBS are also necessary since Trivy scans an EBS snapshot tied to the specified AMI under the hood. + +- ec2:DescribeImages +- ebs:ListSnapshotBlocks +- ebs:GetSnapshotBlock + +### Amazon Elastic Block Store (EBS) Snapshot +You can specify your EBS snapshot ID with the `ebs:` prefix. + +```shell +$ trivy vm ebs:${your_ebs_snapshot_id} +``` + +!!! note + Public snapshots are not supported because the EBS direct APIs don't support that. + See [the AWS documentation][ebsapi-elements] for the detail. + +#### Example + +```shell +$ trivy vm --scanners vuln ebs:snap-0123456789abcdefg +``` + + +If you want to scan an EBS Snapshot of non-default setting region, you can set any region via `--aws-region` option. + +```shell +$ trivy vm --aws-region ap-northeast-1 ebs:ebs-0123456789abcdefg +``` + +The above command takes a while as it calls EBS API and fetches the EBS blocks. +If you want to scan the same snapshot several times, you can download the snapshot locally by using [coldsnap][coldsnap] maintained by AWS. +Then, Trivy can scan the local VM image file. 
+ +```shell +$ coldsnap download snap-0123456789abcdefg disk.img +$ trivy vm ./disk.img +``` + +#### Required Actions + +- ebs:ListSnapshotBlocks +- ebs:GetSnapshotBlock + +## Scanners +Trivy supports VM image scanning for + +- Vulnerabilities +- Misconfigurations +- Secrets +- Licenses + +### Vulnerabilities +It is enabled by default. +You can simply specify your VM image location. +It detects known vulnerabilities in your VM image. +See [here](../vulnerability/scanning.md) for the detail. + +``` +$ trivy vm [YOUR_VM_IMAGE] +``` + +### Misconfigurations +It is supported, but it is not useful in most cases. +As mentioned [here](../misconfiguration/scanning.md), Trivy mainly supports Infrastructure as Code (IaC) files for misconfigurations. +If your VM image includes IaC files such as Kubernetes YAML files or Terraform files, you should enable this feature with `--scanners config`. + +``` +$ trivy vm --scanners config [YOUR_VM_IMAGE] +``` + +### Secrets +It is enabled by default. +See [here](../secret/scanning.md) for the detail. + +```shell +$ trivy vm [YOUR_VM_IMAGE] +``` + +!!! tip + The scanning could be faster if you enable only vulnerability scanning (`--scanners vuln`) because Trivy tries to download only necessary blocks for vulnerability detection. + +### Licenses +It is disabled by default. +See [here](../licenses/scanning.md) for the detail. + +```shell +$ trivy vm --scanners license [YOUR_VM_IMAGE] +``` + +## SBOM generation +Trivy can generate SBOM for VM images. +See [here](../sbom/index.md) for the detail. + +## Supported Architectures ### Virtual machine images 
@@ -117,5 +233,9 @@ Reference: [VMware Virtual Disk Format 1.1.pdf][vmdk] | EXT2/3 | | | ZFS | | -[aws]: ./aws.md -[vmdk]: https://www.vmware.com/app/vmdk/?src=vmdk \ No newline at end of file + +[aws]: ../vm/aws.md +[vmdk]: https://www.vmware.com/app/vmdk/?src=vmdk +[ebsapi-elements]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-accessing-snapshot.html#ebsapi-elements +[coldsnap]: https://github.com/awslabs/coldsnap + diff --git a/docs/docs/vm/aws.md b/docs/docs/vm/aws.md deleted file mode 100644 index 1c0c43e40c..0000000000 --- a/docs/docs/vm/aws.md +++ /dev/null 
@@ -1,83 +0,0 @@ -# AWS EC2 - -Trivy can scan the following targets in AWS EC2. - -- Amazon Machine Image (AMI) -- Elastic Block Store (EBS) Snapshot - -## Amazon Machine Image (AMI) -You can specify your AMI ID with the `ami:` prefix. - -```shell -$ trivy vm ami:${your_ami_id} -``` - -!!! note - AMIs in the marketplace are not supported because the EBS direct APIs don't support that. - See [the AWS documentation][ebsapi-elements] for the detail. - -### Example - -```shell -$ trivy vm --scanners vuln ami:ami-0123456789abcdefg -``` - -!!! tip - The scanning could be faster if you enable only vulnerability scanning (`--scanners vuln`) because Trivy tries to download only necessary blocks for vulnerability detection. - -If you want to scan a AMI of non-default setting region, you can set any region via `--aws-region` option. - -```shell -$ trivy vm --aws-region ap-northeast-1 ami:ami-0123456789abcdefg -``` - - -### Required Actions -Some actions on EBS are also necessary since Trivy scans an EBS snapshot tied to the specified AMI under the hood. - -- ec2:DescribeImages -- ebs:ListSnapshotBlocks -- ebs:GetSnapshotBlock - -## Elastic Block Store (EBS) Snapshot -You can specify your EBS snapshot ID with the `ebs:` prefix. - -```shell -$ trivy vm ebs:${your_ebs_snapshot_id} -``` - -!!! note - Public snapshots are not supported because the EBS direct APIs don't support that. - See [the AWS documentation][ebsapi-elements] for the detail. - -### Example -```shell -$ trivy vm --scanners vuln ebs:snap-0123456789abcdefg -``` - -!!! tip -The scanning could be faster if you enable only vulnerability scanning (`--scanners vuln`) because Trivy tries to download only necessary blocks for vulnerability detection. - -If you want to scan an EBS Snapshot of non-default setting region, you can set any region via `--aws-region` option. 
- -```shell -$ trivy vm --aws-region ap-northeast-1 ebs:ebs-0123456789abcdefg -``` - - -The above command takes a while as it calls EBS API and fetches the EBS blocks. -If you want to scan the same snapshot several times, you can download the snapshot locally by using [coldsnap][coldsnap] maintained by AWS. -Then, Trivy can scan the local VM image file. - -```shell -$ coldsnap download snap-0123456789abcdefg disk.img -$ trivy vm ./disk.img -``` - -### Required Actions - -- ebs:ListSnapshotBlocks -- ebs:GetSnapshotBlock - -[ebsapi-elements]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-accessing-snapshot.html#ebsapi-elements -[coldsnap]: https://github.com/awslabs/coldsnap \ No newline at end of file diff --git a/docs/docs/vulnerability/detection/os.md b/docs/docs/vulnerability/detection/os.md index 6d6ad1756b..474001a6ef 100644 --- a/docs/docs/vulnerability/detection/os.md +++ b/docs/docs/vulnerability/detection/os.md 
@@ -21,5 +21,60 @@ The unfixed/unfixable vulnerabilities mean that the patch has not yet been provi | Ubuntu | All versions supported by Canonical | Installed by apt/apt-get/dpkg | YES | | Distroless[^2] | Any | Installed by apt/apt-get/dpkg | YES | +## Distributions +### CBL-Mariner +Trivy scans [CBL-Mariner][mariner]. + +#### Support +The following table provides an outline of the features Trivy offers. + +| Version | Container image | Virtual machine | Distroless | Multi-arch | Unfixed support | +|---------|:---------------:|:---------------:|:----------:|:------------:|:---------------:| +| 1.0 | ✔ | ✔ | ✔ | amd64, arm64 | ✔ | +| 2.0 | ✔ | ✔ | ✔ | amd64, arm64 | ✔ | + +### Examples + +=== "image" + ``` + ➜ trivy image mcr.microsoft.com/cbl-mariner/base/core:2.0 + 2022-07-27T14:48:20.355+0600 INFO Detected OS: cbl-mariner + 2022-07-27T14:48:20.355+0600 INFO Detecting CBL-Mariner vulnerabilities... + 2022-07-27T14:48:20.356+0600 INFO Number of language-specific files: 0 + + mcr.microsoft.com/cbl-mariner/base/core:2.0 (cbl-mariner 2.0.20220527) + + Total: 33 (UNKNOWN: 0, LOW: 0, MEDIUM: 15, HIGH: 13, CRITICAL: 5) + ``` + +=== "rootfs" + ``` + ➜ docker run -it --rm --entrypoint bin/bash mcr.microsoft.com/cbl-mariner/base/core:2.0 + root [ / ]# tdnf -y install ca-certificates + root [ / ]# # Install the latest Trivy + root [ / ]# trivy rootfs / + 2022-07-27T09:30:06.815Z INFO Need to update DB + 2022-07-27T09:30:06.815Z INFO DB Repository: ghcr.io/aquasecurity/trivy-db + 2022-07-27T09:30:06.815Z INFO Downloading DB... 
+ 33.25 MiB / 33.25 MiB [------------------------------] 100.00% 4.20 MiB p/s 8.1s + 2022-07-27T09:30:21.756Z INFO Vulnerability scanning is enabled + 2022-07-27T09:30:21.756Z INFO Secret scanning is enabled + 2022-07-27T09:30:21.756Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning + 2022-07-27T09:30:21.756Z INFO Please see also https://aquasecurity.github.io/trivy/v0.30.4/docs/secret/scanning/#recommendation for faster secret detection + 2022-07-27T09:30:22.205Z INFO Detected OS: cbl-mariner + 2022-07-27T09:30:22.205Z INFO Detecting CBL-Mariner vulnerabilities... + 2022-07-27T09:30:22.205Z INFO Number of language-specific files: 0 + + 40ba9a55397c (cbl-mariner 2.0.20220527) + ======================================= + Total: 33 (UNKNOWN: 0, LOW: 0, MEDIUM: 15, HIGH: 13, CRITICAL: 5) + ``` + [^1]: https://developers.redhat.com/products/rhel/ubi [^2]: https://github.com/GoogleContainerTools/distroless + +### Data source +See [here][source]. + +[mariner]: https://github.com/microsoft/CBL-Mariner +[source]: data-source.md diff --git a/docs/docs/vulnerability/detection/supported.md b/docs/docs/vulnerability/detection/supported.md deleted file mode 100644 index 316434319a..0000000000 --- a/docs/docs/vulnerability/detection/supported.md +++ /dev/null 
@@ -1,23 +0,0 @@ -# Supported - -## Container Runtime -- [Docker Engine](https://docs.docker.com/engine/) -- [Podman](../../advanced/container/podman.md) -- [containerd](../../advanced/container/containerd.md) - -## Container Registry -- [Docker Registry HTTP API V2](https://docs.docker.com/registry/spec/api/) -- [OCI Distribution Specification](https://github.com/opencontainers/distribution-spec) - -## Image Tar Formats -Trivy scans a tar image with the following format. - -- [Docker Image Specification](https://github.com/moby/moby/tree/master/image/spec) - - [Moby Project](https://github.com/moby/moby/) - - [Buildah](https://github.com/containers/buildah) - - [Podman](https://github.com/containers/podman) - - [img](https://github.com/genuinetools/img) -- [Kaniko](https://github.com/GoogleContainerTools/kaniko) - -## Image Layout -- [OCI Image Format Specification](https://github.com/opencontainers/image-spec) \ No newline at end of file diff --git a/docs/docs/vulnerability/distributions.md b/docs/docs/vulnerability/distributions.md deleted file mode 100644 index f1b2ddf292..0000000000 --- a/docs/docs/vulnerability/distributions.md +++ /dev/null 
@@ -1,58 +0,0 @@ -## CBL-Mariner -Trivy scans [CBL-Mariner][mariner]. - -### Support -The following table provides an outline of the features Trivy offers. - -| Version | Container image | Virtual machine | Distroless | Multi-arch | Unfixed support | -|---------|:---------------:|:---------------:|:----------:|:------------:|:---------------:| -| 1.0 | ✔ | ✔ | ✔ | amd64, arm64 | ✔ | -| 2.0 | ✔ | ✔ | ✔ | amd64, arm64 | ✔ | - -### Examples - -=== "image" - ``` - ➜ trivy image mcr.microsoft.com/cbl-mariner/base/core:2.0 - 2022-07-27T14:48:20.355+0600 INFO Detected OS: cbl-mariner - 2022-07-27T14:48:20.355+0600 INFO Detecting CBL-Mariner vulnerabilities... - 2022-07-27T14:48:20.356+0600 INFO Number of language-specific files: 0 - - mcr.microsoft.com/cbl-mariner/base/core:2.0 (cbl-mariner 2.0.20220527) - - Total: 33 (UNKNOWN: 0, LOW: 0, MEDIUM: 15, HIGH: 13, CRITICAL: 5) - ``` - -=== "fs" - ``` - ➜ docker run -it --rm --entrypoint bin/bash mcr.microsoft.com/cbl-mariner/base/core:2.0 - - root [ / ]# tdnf -y install ca-certificates - ... - - root [ / ]# rpm -ivh https://github.com/aquasecurity/trivy/releases/download/v0.30.4/trivy_0.30.4_Linux-64bit.rpm - ... - - root [ / ]# trivy fs / - 2022-07-27T09:30:06.815Z INFO Need to update DB - 2022-07-27T09:30:06.815Z INFO DB Repository: ghcr.io/aquasecurity/trivy-db - 2022-07-27T09:30:06.815Z INFO Downloading DB... - 33.25 MiB / 33.25 MiB [------------------------------] 100.00% 4.20 MiB p/s 8.1s - 2022-07-27T09:30:21.756Z INFO Vulnerability scanning is enabled - 2022-07-27T09:30:21.756Z INFO Secret scanning is enabled - 2022-07-27T09:30:21.756Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning - 2022-07-27T09:30:21.756Z INFO Please see also https://aquasecurity.github.io/trivy/v0.30.4/docs/secret/scanning/#recommendation for faster secret detection - 2022-07-27T09:30:22.205Z INFO Detected OS: cbl-mariner - 2022-07-27T09:30:22.205Z INFO Detecting CBL-Mariner vulnerabilities... 
- 2022-07-27T09:30:22.205Z INFO Number of language-specific files: 0 - - 40ba9a55397c (cbl-mariner 2.0.20220527) - - Total: 33 (UNKNOWN: 0, LOW: 0, MEDIUM: 15, HIGH: 13, CRITICAL: 5) - ``` - -### Data source -See [here][source]. - -[mariner]: https://github.com/microsoft/CBL-Mariner -[source]: detection/data-source.md diff --git a/docs/docs/vulnerability/examples/others.md b/docs/docs/vulnerability/examples/others.md index 9a465696bd..d63bced8b0 100644 --- a/docs/docs/vulnerability/examples/others.md +++ b/docs/docs/vulnerability/examples/others.md @@ -16,48 +16,6 @@ If your image contains lock files which are not maintained by you, you can skip $ trivy image --skip-dirs /var/lib/gems/2.5.0/gems/fluent-plugin-detect-exceptions-0.0.13 --skip-dirs "/var/lib/gems/2.5.0/gems/http_parser.rb-0.6.0" quay.io/fluentd_elasticsearch/fluentd:v2.9.0 ``` -## Scan Image on a specific Architecture and OS - -By default, Trivy loads an image on a "linux/amd64" machine. -To customise this, pass a `--platform` argument in the format OS/Architecture for the image: - -``` -$ trivy image --platform=os/architecture [YOUR_IMAGE_NAME] -``` - -For example: - -``` -$ trivy image --platform=linux/arm alpine:3.16.1 -``` - -
-Result - -``` -2022-10-25T21:00:50.972+0300 INFO Vulnerability scanning is enabled -2022-10-25T21:00:50.972+0300 INFO Secret scanning is enabled -2022-10-25T21:00:50.972+0300 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning -2022-10-25T21:00:50.972+0300 INFO Please see also https://aquasecurity.github.io/trivy/dev/docs/secret/scanning/#recommendation for faster secret detection -2022-10-25T21:00:56.190+0300 INFO Detected OS: alpine -2022-10-25T21:00:56.190+0300 INFO Detecting Alpine vulnerabilities... -2022-10-25T21:00:56.191+0300 INFO Number of language-specific files: 0 - -alpine:3.16.1 (alpine 3.16.1) -============================= -Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1) - -┌─────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐ -│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │ -├─────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤ -│ zlib │ CVE-2022-37434 │ CRITICAL │ 1.2.12-r1 │ 1.2.12-r2 │ zlib: heap-based buffer over-read and overflow in inflate() │ -│ │ │ │ │ │ in inflate.c via a... │ -│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-37434 │ -└─────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘ -``` - -
- ## File patterns When a directory is given as an input, Trivy will recursively look for and test all files based on file patterns. The default file patterns are [here](../../misconfiguration/custom/index.md). diff --git a/docs/docs/vulnerability/scanning.md b/docs/docs/vulnerability/scanning.md new file mode 100644 index 0000000000..f03c3ace77 --- /dev/null +++ b/docs/docs/vulnerability/scanning.md @@ -0,0 +1,12 @@ +# Vulnerability Scanning + +This section describes the details of vulnerability scanning. +Trivy detects known vulnerabilities according to the versions of installed packages. + +The following packages are supported. + +- [OS packages](detection/os.md) +- [Language-specific packages](detection/language.md) + +Trivy downloads [the vulnerabillity database](https://github.com/aquasecurity/trivy-db) every 6 hours. +The data source is listed [here](detection/data-source.md). \ No newline at end of file diff --git a/docs/docs/vulnerability/scanning/filesystem.md b/docs/docs/vulnerability/scanning/filesystem.md deleted file mode 100644 index ee63d96e4a..0000000000 --- a/docs/docs/vulnerability/scanning/filesystem.md +++ /dev/null @@ -1,103 +0,0 @@ -# Filesystem - -Scan a local project including language-specific files. - -```bash -$ trivy fs /path/to/project -``` - -## Standalone mode -### Local Project -Trivy will look for vulnerabilities based on lock files such as Gemfile.lock and package-lock.json. - -``` -$ trivy fs ~/src/github.com/aquasecurity/trivy-ci-test -``` - -
-Result - -``` -2020-06-01T17:06:58.652+0300 WARN OS is not detected and vulnerabilities in OS packages are not detected. -2020-06-01T17:06:58.652+0300 INFO Detecting pipenv vulnerabilities... -2020-06-01T17:06:58.691+0300 INFO Detecting cargo vulnerabilities... - -Pipfile.lock -============ -Total: 10 (UNKNOWN: 2, LOW: 0, MEDIUM: 6, HIGH: 2, CRITICAL: 0) - -+---------------------+------------------+----------+-------------------+------------------------+------------------------------------+ -| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE | -+---------------------+------------------+----------+-------------------+------------------------+------------------------------------+ -| django | CVE-2020-7471 | HIGH | 2.0.9 | 3.0.3, 2.2.10, 1.11.28 | django: potential | -| | | | | | SQL injection via | -| | | | | | StringAgg(delimiter) | -+ +------------------+----------+ +------------------------+------------------------------------+ -| | CVE-2019-19844 | MEDIUM | | 3.0.1, 2.2.9, 1.11.27 | Django: crafted email address | -| | | | | | allows account takeover | -+ +------------------+ + +------------------------+------------------------------------+ -| | CVE-2019-3498 | | | 2.1.5, 2.0.10, 1.11.18 | python-django: Content | -| | | | | | spoofing via URL path in | -| | | | | | default 404 page | -+ +------------------+ + +------------------------+------------------------------------+ -| | CVE-2019-6975 | | | 2.1.6, 2.0.11, 1.11.19 | python-django: | -| | | | | | memory exhaustion in | -| | | | | | django.utils.numberformat.format() | -+---------------------+------------------+----------+-------------------+------------------------+------------------------------------+ -... -``` - -
- -### Single file -It's also possible to scan a single file. - -``` -$ trivy fs ~/src/github.com/aquasecurity/trivy-ci-test/Pipfile.lock -``` - -## Client/Server mode -You must launch Trivy server in advance. - -```sh -$ trivy server -``` - -Then, Trivy works as a client if you specify the `--server` option. - -```sh -$ trivy fs --server http://localhost:4954 --severity CRITICAL ./integration/testdata/fixtures/fs/pom/ -``` - -
-Result - -``` -pom.xml (pom) -============= -Total: 4 (CRITICAL: 4) - -+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+ -| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE | -+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+ -| com.fasterxml.jackson.core:jackson-databind | CVE-2017-17485 | CRITICAL | 2.9.1 | 2.8.11, 2.9.4 | jackson-databind: Unsafe | -| | | | | | deserialization due to | -| | | | | | incomplete black list (incomplete | -| | | | | | fix for CVE-2017-15095)... | -| | | | | | -->avd.aquasec.com/nvd/cve-2017-17485 | -+ +------------------+ + +--------------------------------+---------------------------------------+ -| | CVE-2020-9546 | | | 2.7.9.7, 2.8.11.6, 2.9.10.4 | jackson-databind: Serialization | -| | | | | | gadgets in shaded-hikari-config | -| | | | | | -->avd.aquasec.com/nvd/cve-2020-9546 | -+ +------------------+ + + +---------------------------------------+ -| | CVE-2020-9547 | | | | jackson-databind: Serialization | -| | | | | | gadgets in ibatis-sqlmap | -| | | | | | -->avd.aquasec.com/nvd/cve-2020-9547 | -+ +------------------+ + + +---------------------------------------+ -| | CVE-2020-9548 | | | | jackson-databind: Serialization | -| | | | | | gadgets in anteros-core | -| | | | | | -->avd.aquasec.com/nvd/cve-2020-9548 | -+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+ -``` -
- diff --git a/docs/docs/vulnerability/scanning/image.md b/docs/docs/vulnerability/scanning/image.md deleted file mode 100644 index 91e1681b79..0000000000 --- a/docs/docs/vulnerability/scanning/image.md +++ /dev/null @@ -1,90 +0,0 @@ -# Image - -## Container Images - -Simply specify an image name (and a tag). - -``` -$ trivy image [YOUR_IMAGE_NAME] -``` - -For example: - -``` -$ trivy image python:3.4-alpine -``` - -
-Result - -``` -2019-05-16T01:20:43.180+0900 INFO Updating vulnerability database... -2019-05-16T01:20:53.029+0900 INFO Detecting Alpine vulnerabilities... - -python:3.4-alpine3.9 (alpine 3.9.2) -=================================== -Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0) - -+---------+------------------+----------+-------------------+---------------+--------------------------------+ -| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE | -+---------+------------------+----------+-------------------+---------------+--------------------------------+ -| openssl | CVE-2019-1543 | MEDIUM | 1.1.1a-r1 | 1.1.1b-r1 | openssl: ChaCha20-Poly1305 | -| | | | | | with long nonces | -+---------+------------------+----------+-------------------+---------------+--------------------------------+ -``` - -
- -## Tar Files - -``` -$ docker pull ruby:3.1-alpine3.15 -$ docker save ruby:3.1-alpine3.15 -o ruby-3.1.tar -$ trivy image --input ruby-3.1.tar -``` - -
-Result - -``` -2022-02-03T10:08:19.127Z INFO Detected OS: alpine -2022-02-03T10:08:19.127Z WARN This OS version is not on the EOL list: alpine 3.15 -2022-02-03T10:08:19.127Z INFO Detecting Alpine vulnerabilities... -2022-02-03T10:08:19.127Z INFO Number of language-specific files: 2 -2022-02-03T10:08:19.127Z INFO Detecting gemspec vulnerabilities... -2022-02-03T10:08:19.128Z INFO Detecting node-pkg vulnerabilities... -2022-02-03T10:08:19.128Z WARN This OS version is no longer supported by the distribution: alpine 3.15.0 -2022-02-03T10:08:19.128Z WARN The vulnerability detection may be insufficient because security updates are not provided - -ruby-3.1.tar (alpine 3.15.0) -============================ -Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 3, CRITICAL: 0) - -+----------+------------------+----------+-------------------+---------------+---------------------------------------+ -| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE | -+----------+------------------+----------+-------------------+---------------+---------------------------------------+ -| gmp | CVE-2021-43618 | HIGH | 6.2.1-r0 | 6.2.1-r1 | gmp: Integer overflow and resultant | -| | | | | | buffer overflow via crafted input | -| | | | | | -->avd.aquasec.com/nvd/cve-2021-43618 | -+----------+ + + + + + -| gmp-dev | | | | | | -| | | | | | | -| | | | | | | -+----------+ + + + + + -| libgmpxx | | | | | | -| | | | | | | -| | | | | | | -+----------+------------------+----------+-------------------+---------------+---------------------------------------+ - -Node.js (node-pkg) -================== -Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0) - - -Ruby (gemspec) -============== -Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0) -``` - -
- diff --git a/docs/docs/vulnerability/scanning/index.md b/docs/docs/vulnerability/scanning/index.md deleted file mode 100644 index 416df44689..0000000000 --- a/docs/docs/vulnerability/scanning/index.md +++ /dev/null @@ -1,9 +0,0 @@ -# Vulnerability Scanning - -Trivy scans [Container Images][image], [Rootfs][rootfs], [Filesystem][fs], [Virtual Machine Image][vm] and [Git Repositories][repo] to detect vulnerabilities. - -[image]: image.md -[rootfs]: rootfs.md -[fs]: filesystem.md -[repo]: git-repository.md -[vm]: ../../vm/index.md diff --git a/docs/docs/vulnerability/scanning/rootfs.md b/docs/docs/vulnerability/scanning/rootfs.md deleted file mode 100644 index 6d37b155ee..0000000000 --- a/docs/docs/vulnerability/scanning/rootfs.md +++ /dev/null @@ -1,103 +0,0 @@ -# Rootfs - -Scan a root filesystem (such as a host machine, a virtual machine image, or an unpacked container image filesystem). - -```bash -$ trivy rootfs /path/to/rootfs -``` - -## Standalone mode -### From Inside Containers -Scan your container from inside the container. - -```bash -$ docker run --rm -it alpine:3.11 -/ # curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin -/ # trivy rootfs / -``` - -
-Result - -``` -2021-03-08T05:22:26.378Z INFO Need to update DB -2021-03-08T05:22:26.380Z INFO Downloading DB... -20.37 MiB / 20.37 MiB [-------------------------------------------------------------------------------------------------------------------------------------] 100.00% 8.24 MiB p/s 2s -2021-03-08T05:22:30.134Z INFO Detecting Alpine vulnerabilities... -2021-03-08T05:22:30.138Z INFO Trivy skips scanning programming language libraries because no supported file was detected - -313430f09696 (alpine 3.11.7) -============================ -Total: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 6, CRITICAL: 0) - -+--------------+------------------+----------+-------------------+---------------+---------------------------------------+ -| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE | -+--------------+------------------+----------+-------------------+---------------+---------------------------------------+ -| libcrypto1.1 | CVE-2021-23839 | HIGH | 1.1.1i-r0 | 1.1.1j-r0 | openssl: incorrect SSLv2 | -| | | | | | rollback protection | -| | | | | | -->avd.aquasec.com/nvd/cve-2021-23839 | -+ +------------------+ + + +---------------------------------------+ -| | CVE-2021-23840 | | | | openssl: integer | -| | | | | | overflow in CipherUpdate | -| | | | | | -->avd.aquasec.com/nvd/cve-2021-23840 | -+ +------------------+ + + +---------------------------------------+ -| | CVE-2021-23841 | | | | openssl: NULL pointer dereference | -| | | | | | in X509_issuer_and_serial_hash() | -| | | | | | -->avd.aquasec.com/nvd/cve-2021-23841 | -+--------------+------------------+ + + +---------------------------------------+ -| libssl1.1 | CVE-2021-23839 | | | | openssl: incorrect SSLv2 | -| | | | | | rollback protection | -| | | | | | -->avd.aquasec.com/nvd/cve-2021-23839 | -+ +------------------+ + + +---------------------------------------+ -| | CVE-2021-23840 | | | | openssl: integer | -| | | | | | overflow in CipherUpdate | -| | | | | | 
-->avd.aquasec.com/nvd/cve-2021-23840 | -+ +------------------+ + + +---------------------------------------+ -| | CVE-2021-23841 | | | | openssl: NULL pointer dereference | -| | | | | | in X509_issuer_and_serial_hash() | -| | | | | | -->avd.aquasec.com/nvd/cve-2021-23841 | -+--------------+------------------+----------+-------------------+---------------+---------------------------------------+ -``` - -
- -## Client/Server mode -You must launch Trivy server in advance. - -```sh -$ trivy server -``` - -Then, Trivy works as a client if you specify the `--server` option. - -```sh -$ trivy rootfs --server http://localhost:4954 --severity CRITICAL /tmp/rootfs -``` - -
-Result - -``` -/tmp/rootfs (alpine 3.10.2) - -Total: 1 (CRITICAL: 1) - -┌───────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐ -│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │ -├───────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤ -│ apk-tools │ CVE-2021-36159 │ CRITICAL │ 2.10.4-r2 │ 2.10.7-r0 │ libfetch before 2021-07-26, as used in apk-tools, xbps, and │ -│ │ │ │ │ │ other products, mishandles... │ -│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-36159 │ -└───────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘ - -``` -
- - - -## Other Examples -- [Embed in Dockerfile][embedding] -- [Unpacked container image filesystem][unpacked] - -[embedding]: ../../advanced/container/embed-in-dockerfile.md -[unpacked]: ../../advanced/container/unpacked-filesystem.md diff --git a/docs/tutorials/kubernetes/cluster-scanning.md b/docs/tutorials/kubernetes/cluster-scanning.md index fc9f42db45..5a005a103d 100644 --- a/docs/tutorials/kubernetes/cluster-scanning.md +++ b/docs/tutorials/kubernetes/cluster-scanning.md @@ -68,7 +68,7 @@ This has several benefits: - The CRDs can be both machine and human-readable depending on which applications consume the CRDs. This allows for more versatile applications of the Trivy operator. -There are several ways that you can install the Trivy Operator in your cluster. In this guide, we’re going to use the Helm installation based on the [following documentation.](../../docs/kubernetes/operator/index.md) +There are several ways that you can install the Trivy Operator in your cluster. In this guide, we’re going to use the Helm installation based on the [following documentation.](../../docs/target/kubernetes.md#trivy-operator) Make sure that you have the [Helm CLI installed.](https://helm.sh/docs/intro/install/) Next, run the following commands. diff --git a/mkdocs.yml b/mkdocs.yml index 2ebe11f73b..0bc430c499 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -34,25 +34,27 @@ nav: - CKS Reference: tutorials/additional-resources/cks.md - Docs: - Overview: docs/index.md + - Target: + Container Image: docs/target/container_image.md + Filesystem: docs/target/filesystem.md + Rootfs: docs/target/rootfs.md + Git Repository: docs/target/git-repository.md + Virtual Machine Image: docs/target/vm.md + Kubernetes: docs/target/kubernetes.md + AWS: docs/target/aws.md + SBOM: docs/target/sbom.md - Vulnerability: - - Scanning: - - Overview: docs/vulnerability/scanning/index.md - - Container Image: docs/vulnerability/scanning/image.md - - Filesystem: docs/vulnerability/scanning/filesystem.md - - Rootfs: docs/vulnerability/scanning/rootfs.md - - Git Repository: docs/vulnerability/scanning/git-repository.md + - Scanning: docs/vulnerability/scanning.md - Detection: - OS Packages: docs/vulnerability/detection/os.md - Language-specific Packages: docs/vulnerability/detection/language.md - Data Sources: docs/vulnerability/detection/data-source.md - - Supported: docs/vulnerability/detection/supported.md - Examples: - Vulnerability Filtering: docs/vulnerability/examples/filter.md - Report Formats: docs/vulnerability/examples/report.md - Vulnerability DB: docs/vulnerability/examples/db.md - Cache: docs/vulnerability/examples/cache.md - Others: docs/vulnerability/examples/others.md - - Distributions: docs/vulnerability/distributions.md - Languages: - Go: docs/vulnerability/languages/golang.md - Java: docs/vulnerability/languages/java.md 
@@ -80,24 +82,10 @@ nav: - Examples: docs/secret/examples.md - License: - Scanning: docs/licenses/scanning.md - - Kubernetes: - - CLI: - - Scanning: docs/kubernetes/cli/scanning.md - - Compliance: docs/kubernetes/cli/compliance.md - - Operator: - - Overview: docs/kubernetes/operator/index.md - - Cloud: - - AWS: - - Scanning: docs/cloud/aws/scanning.md - - Compliance: docs/cloud/aws/compliance.md - - Virtual Machine Image: - - Overview: docs/vm/index.md - - AWS EC2: docs/vm/aws.md - Compliance: - Reports: docs/compliance/compliance.md - SBOM: - Overview: docs/sbom/index.md - - Supported: docs/sbom/supported.md - CycloneDX: docs/sbom/cyclonedx.md - SPDX: docs/sbom/spdx.md - Attestation: @@ -111,9 +99,6 @@ nav: - Container Image: - Embed in Dockerfile: docs/advanced/container/embed-in-dockerfile.md - Unpacked container image filesystem: docs/advanced/container/unpacked-filesystem.md - - OCI Image: docs/advanced/container/oci.md - - Podman: docs/advanced/container/podman.md - - containerd: docs/advanced/container/containerd.md - Private Docker Registries: - Overview: docs/advanced/private-registries/index.md - Docker Hub: docs/advanced/private-registries/docker-hub.md
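Review bot: in the SBOM attestation hunk of docs/docs/target/sbom.md, `cosign verify-attestation --key /path/to/cosign.pub --type cyclonedx > sbom.cdx.intoto.jsonl` is missing the image reference that `verify-attestation` operates on, so as written the command has nothing to verify; add the image, e.g. `cosign verify-attestation --key /path/to/cosign.pub --type cyclonedx <IMAGE> > sbom.cdx.intoto.jsonl`. Two smaller points in the same hunk: "how to create an CycloneDX-Type attestation" should read "a CycloneDX-type attestation" (the previous sentence already uses "CycloneDX-type"), and the `=========================` underline is shorter than the `sbom.cdx.intoto.jsonl (alpine 3.7.3)` header above it, unlike the other report samples in this patch.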
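Review bot: in the large docs/docs/target/vm.md hunk, the region example under "Amazon Elastic Block Store (EBS) Snapshot" uses `ebs:ebs-0123456789abcdefg`, but EBS snapshot IDs carry the `snap-` prefix, as the hunk's own `ebs:snap-0123456789abcdefg` and `coldsnap download snap-0123456789abcdefg disk.img` examples show; change it to `$ trivy vm --aws-region ap-northeast-1 ebs:snap-0123456789abcdefg` instead of carrying the typo over from the deleted docs/docs/vm/aws.md. Also in this hunk: "scan a AMI of non-default setting region" should read "scan an AMI in a region other than your default region", the `trivy vm [YOUR_VM_IMAGE]` and `trivy vm --scanners config [YOUR_VM_IMAGE]` fences lack the `shell` tag the neighbouring fences use, and the two "Required Actions" lists would serve operators better if the text stated that these are the minimum IAM permissions the scanning principal needs (`ec2:DescribeImages` plus the two read-only `ebs:` actions for AMIs, the two `ebs:` actions alone for snapshots), so nobody grants broader EC2 or EBS rights than the scan requires.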
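Review bot: the vm.md reference hunk adds `[aws]: ../vm/aws.md`, which from docs/docs/target/vm.md resolves to docs/docs/vm/aws.md, a file this same patch deletes, and no `[aws]` link remains in the new text (the Targets list now reads plain `- AWS EC2`); drop the dead definition rather than leaving a reference to a removed page in the file.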
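Review bot: in the docs/docs/vulnerability/detection/os.md hunk the heading levels are inconsistent: `## Distributions` > `### CBL-Mariner` > `#### Support` is right, but the following `### Examples` and `### Data source` sit at the same level as `### CBL-Mariner`, so they render as sibling distributions rather than subsections of it (in the deleted distributions.md they were `###` under a `##` CBL-Mariner heading and were not re-leveled when moved); make them `#### Examples` and `#### Data source`. Separately, the rootfs tab replaces the install step with `root [ / ]# # Install the latest Trivy`, so the transcript jumps to `trivy rootfs /` without showing how the binary got into the container; a link to the installation page at that point keeps the example reproducible.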
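Review bot: the deletion of docs/docs/vulnerability/detection/supported.md removes the only page in this excerpt that lists the supported image tar formats (Docker Image Specification as produced by Moby, Buildah, Podman and img, plus Kaniko) and the supported registry APIs, and no hunk shown here adds that list to docs/target/container_image.md, which the mkdocs.yml hunk now points the "Container Image" nav entry at; please confirm the list was carried over, otherwise users lose the answer to which tar formats `trivy image --input` accepts.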
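Review bot: the docs/docs/vulnerability/examples/others.md hunk removes the "Scan Image on a specific Architecture and OS" section, which is the documentation of `--platform=os/architecture`, and no hunk in this diff adds it anywhere else; confirm it was moved into docs/target/container_image.md (not shown here), otherwise the `--platform` flag becomes undocumented.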
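Review bot: in the new docs/docs/vulnerability/scanning.md, "the vulnerabillity database" is misspelled (should be "vulnerability"), and the file ends without a trailing newline (`\ No newline at end of file`), which the rest of the docs tree avoids. "Trivy downloads the vulnerability database every 6 hours" would also be more accurate as "checks for an updated vulnerability database every 6 hours", since the sample output elsewhere in this patch shows a `Need to update DB` check preceding `Downloading DB...`.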
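Review bot: in the docs/tutorials/kubernetes/cluster-scanning.md hunk the new link target `../../docs/target/kubernetes.md#trivy-operator` depends on a "Trivy Operator" heading existing in docs/target/kubernetes.md, which is not part of this diff; MkDocs does not validate fragment identifiers, so please verify the anchor by hand (the previous target, docs/kubernetes/operator/index.md, was a whole page and needed none).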
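Review bot: in the first mkdocs.yml hunk the new `- Target:` section lists its pages as keys of a single mapping (`Container Image: docs/target/container_image.md`, `Filesystem: docs/target/filesystem.md`, ...) rather than the `- Title: path` list items every other nested section in this file uses, e.g. `- Scanning: docs/vulnerability/scanning.md` a few lines below; even if MkDocs accepts a mapping here, use the list form so the ordering is explicit and the file stays consistent.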
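Review bot: the second mkdocs.yml hunk drops the nav entries for docs/kubernetes/cli/scanning.md, docs/kubernetes/cli/compliance.md, docs/kubernetes/operator/index.md, docs/cloud/aws/scanning.md, docs/cloud/aws/compliance.md, docs/vm/index.md, docs/vm/aws.md and docs/sbom/supported.md; of these, only docs/vm/index.md (renamed to docs/target/vm.md) and docs/vm/aws.md (deleted) are accounted for in the hunks shown here, so check that the remaining files are deleted or redirected too, otherwise MkDocs still builds them as orphan pages that are reachable at their old URLs but absent from navigation.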