gitea-mirror/trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2025-12-22 23:26:39 -08:00
Code Issues Packages Projects Releases Wiki Activity

docs: aggregate targets (#3503)

Browse Source
This commit is contained in:
Teppei Fukuda
2023-02-01 08:48:33 +02:00
committed by GitHub
parent 0373e0822d
commit 0fe62a93df
32 changed files with 1131 additions and 1006 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
docs/docs/advanced/container/containerd.md
View File

@@ -1,29 +0,0 @@
# containerd
!!! warning "EXPERIMENTAL"
This feature might change without preserving backwards compatibility.
Scan your image in [containerd][containerd] running locally.
```bash
$ nerdctl images
REPOSITORY TAG IMAGE ID CREATED PLATFORM SIZE BLOB SIZE
aquasec/nginx latest 2bcabc23b454 3 hours ago linux/amd64 149.1 MiB 54.1 MiB
$ trivy image aquasec/nginx
```
If your containerd socket is not the default path (`//run/containerd/containerd.sock`), you can override it via `CONTAINERD_ADDRESS`.
```bash
$ export CONTAINERD_ADDRESS=/run/k3s/containerd/containerd.sock
$ trivy image aquasec/nginx
```
If your scan targets are images in a namespace other than containerd's default namespace (`default`), you can override it via `CONTAINERD_NAMESPACE`.
```bash
$ export CONTAINERD_NAMESPACE=k8s.io
$ trivy image aquasec/nginx
```
[containerd]: https://containerd.io/

17
docs/docs/advanced/container/oci.md
View File

@@ -1,17 +0,0 @@
# OCI Image Layout
An image directory compliant with [Open Container Image Layout Specification](https://github.com/opencontainers/image-spec/blob/master/spec.md).
Buildah:
```
$ buildah push docker.io/library/alpine:3.11 oci:/path/to/alpine
$ trivy image --input /path/to/alpine
```
Skopeo:
```
$ skopeo copy docker-daemon:alpine:3.11 oci:/path/to/alpine
$ trivy image --input /path/to/alpine
```

28
docs/docs/advanced/container/podman.md
View File

@@ -1,28 +0,0 @@
# Podman
!!! warning "EXPERIMENTAL"
This feature might change without preserving backwards compatibility.
Scan your image in Podman (>=2.0) running locally. The remote Podman is not supported.
Before performing Trivy commands, you must enable the podman.sock systemd service on your machine.
For more details, see [here][sock].
```bash
$ systemctl --user enable --now podman.socket
```
Then, you can scan your image in Podman.
```bash
$ cat Dockerfile
FROM alpine:3.12
RUN apk add --no-cache bash
$ podman build -t test .
$ podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
localhost/test latest efc372d4e0de About a minute ago 7.94 MB
$ trivy image test
```
[sock]: https://github.com/containers/podman/blob/master/docs/tutorials/remote_client.md#enable-the-podman-service-on-the-server-machine

39
docs/docs/cloud/aws/compliance.md
View File

@@ -1,39 +0,0 @@
# AWS Compliance
!!! warning "EXPERIMENTAL"
This feature might change without preserving backwards compatibility.
This page describes AWS specific compliance reports. For an overview of Trivy's Compliance feature, including working with custom compliance, check out the [Compliance documentation](../../compliance/compliance.md).
## Built in reports
the following reports are available out of the box:
| Compliance | Name for command | More info
--- | --- | ---
AWS CIS Foundations Benchmark v1.2 | `aws-cis-1.2` | [link](https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf)
AWS CIS Foundations Benchmark v1.4 | `aws-cis-1.4` | [link](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls-1.4.0.html)
## Examples
Scan a cloud account and generate a compliance summary report:
```
$ trivy aws --compliance=<compliance_id> --report=summary
```
***Note*** : The `Issues` column represent the total number of failed checks for this control.
Get all of the detailed output for checks:
```
$ trivy aws --compliance=<compliance_id> --report all
```
Report result in JSON format:
```
$ trivy aws --compliance=<compliance_id> --report all --format json
```

66
docs/docs/cloud/aws/scanning.md
View File

@@ -1,66 +0,0 @@
# Amazon Web Services
!!! warning "EXPERIMENTAL"
This feature might change without preserving backwards compatibility.
The Trivy AWS CLI allows you to scan your AWS account for misconfigurations. You can either run the CLI locally or integrate it into your CI/CD pipeline.
Whilst you can already scan the infrastructure-as-code that defines your AWS resources with `trivy config`, you can now scan your live AWS account(s) directly too.
The included checks cover all of the aspects of the [AWS CIS 1.2](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-cis.html) automated benchmarks.
Trivy uses the same [authentication methods](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) as the AWS CLI to configure and authenticate your access to the AWS platform.
You will need permissions configured to read all AWS resources - we recommend using a group/role with the `ReadOnlyAccess` policy attached.
Once you've scanned your account, you can run additional commands to filter the results without having to run the entire scan again - infrastructure information is cached locally per AWS account/region.
## CLI Commands
Scan a full AWS account (all supported services):
```shell
trivy aws --region us-east-1
```
You can allow Trivy to determine the AWS region etc. by using the standard AWS configuration files and environment variables. The `--region` flag overrides these.
![AWS Summary Report](../../../imgs/trivy-aws.png)
The summary view is the default when scanning multiple services.
Scan a specific service:
```shell
trivy aws --service s3
```
Scan multiple services:
```shell
# --service s3,ec2 works too
trivy aws --service s3 --service ec2
```
Show results for a specific AWS resource:
```shell
trivy aws --service s3 --arn arn:aws:s3:::example-bucket
```
All ARNs with detected issues will be displayed when showing results for their associated service.
## Compliance Spec
Trivy can also run specific checks by spec by specifying the compliance flag:
```shell
trivy aws --compliance=awscis1.2
```
Will only target the checks defined under the AWS CIS 1.2 spec. Currently, we support AWS CIS 1.2 and 1.4 specs. More details [here](compliance.md).
## Cached Results
By default, Trivy will cache a representation of each AWS service for 24 hours. This means you can filter and view results for a service without having to wait for the entire scan to run again. If you want to force the cache to be refreshed with the latest data, you can use `--update-cache`. Or if you'd like to use cached data for a different timeframe, you can specify `--max-cache-age` (e.g. `--max-cache-age 2h`.). Regardless of whether the cache is used or not, rules will be evaluated again with each run of `trivy aws`.
## Custom Policies
You can write custom policies for Trivy to evaluate against your AWS account. These policies are written in [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/), the same language used by [Open Policy Agent](https://www.openpolicyagent.org/). See the [Custom Policies](../../misconfiguration/custom/index.md) page for more information.

17
docs/docs/compliance/compliance.md
View File

@@ -20,12 +20,12 @@ For example: `trivy k8s cluster --compliance k8s-nsa` (see below for built-in an
The following flags are compatible with `--compliance` flag and allows customizing it's output:
flag | effect
--- | ---
`--report summary` | shows a summary of the results. for every control shows the number of failed checks.
`--report all` | shows fully detailed results. for every control shows where it failed and why.
`--format table` | shows results in textual table format (good for human readability).
`--format json` | shows results in json format (good for machine readability).
| flag | effect |
|--------------------|--------------------------------------------------------------------------------------|
| `--report summary` | shows a summary of the results. for every control shows the number of failed checks. |
| `--report all` | shows fully detailed results. for every control shows where it failed and why. |
| `--format table` | shows results in textual table format (good for human readability). |
| `--format json` | shows results in json format (good for machine readability). |
## Built-in compliance
@@ -34,8 +34,9 @@ to specify a built-in compliance report, select it by ID like `trivy --complianc
For the list of built-in compliance reports, please see the relevant section:
- [Kubernetes compliance](../kubernetes/cli/compliance.md)
- [AWS compliance](../cloud/aws/compliance.md)
- [Docker compliance](../target/container_image.md#compliance)
- [Kubernetes compliance](../target/kubernetes.md#compliance)
- [AWS compliance](../target/aws.md#compliance)
## Custom compliance

42
docs/docs/kubernetes/cli/compliance.md
View File

@@ -1,42 +0,0 @@
# Kubernetes Compliance
!!! warning "EXPERIMENTAL"
This feature might change without preserving backwards compatibility.
This page describes Kubernetes specific compliance reports. For an overview of Trivy's Compliance feature, including working with custom compliance, check out the [Compliance documentation](../../compliance/compliance.md).
## Built in reports
The following reports are available out of the box:
| Compliance | Name for command | More info
--- | --- | ---
NSA, CISA Kubernetes Hardening Guidance v1.2 | `k8s-nsa` | [Link](https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF)
CIS Benchmark for Kubernetes v1.23 | `k8s-cis` | [Link](https://www.cisecurity.org/benchmark/kubernetes)
## Examples
Scan a full cluster and generate a compliance summary report:
```
$ trivy k8s cluster --compliance=<compliance_id> --report summary
```
***Note*** : The `Issues` column represent the total number of failed checks for this control.
Get all of the detailed output for checks:
```
trivy k8s cluster --compliance=<compliance_id> --report all
```
Report result in JSON format:
```
trivy k8s cluster --compliance=<compliance_id> --report summary --format json
```
```
trivy k8s cluster --compliance=<compliance_id> --report all --format json
```

14
docs/docs/kubernetes/operator/index.md
View File

@@ -1,14 +0,0 @@
# Trivy Operator
Trivy has a native [Kubernetes Operator][operator] which continuously scans your Kubernetes cluster for security issues, and generates security reports as Kubernetes [Custom Resources][crd]. It does it by watching Kubernetes for state changes and automatically triggering scans in response to changes, for example initiating a vulnerability scan when a new Pod is created.
> Kubernetes-native security toolkit. ([Documentation][trivy-operator]).
<figure>
<figcaption>Workload reconcilers discover K8s controllers, manage scan jobs, and create VulnerabilityReport and ConfigAuditReport objects.</figcaption>
</figure>
[operator]: https://kubernetes.io/docs/concepts/extend-kubernetes/operator/
[crd]: https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/
[trivy-operator]: https://aquasecurity.github.io/trivy-operator/latest

32
docs/docs/sbom/cyclonedx.md
View File

@@ -1,6 +1,4 @@
# CycloneDX
## Generating
# CycloneDX generation
Trivy can generate SBOM in the [CycloneDX][cyclonedx] format.
Note that XML format is not supported at the moment.
@@ -245,34 +243,6 @@ If you want to include vulnerabilities, you can enable vulnerability scanning vi
$ trivy image --scanners vuln --format cyclonedx --output result.json alpine:3.15
```
## Scanning
Trivy can take CycloneDX as an input and scan for vulnerabilities.
To scan SBOM, you can use the `sbom` subcommand and pass the path to your CycloneDX report.
```bash
$ trivy sbom /path/to/cyclonedx.json
cyclonedx.json (alpine 3.7.1)
=========================
Total: 3 (CRITICAL: 3)
┌─────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ curl │ CVE-2018-14618 │ CRITICAL │ 7.61.0-r0 │ 7.61.1-r0 │ curl: NTLM password overflow via integer overflow │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-14618 │
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libbz2 │ CVE-2019-12900 │ CRITICAL │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: out-of-bounds write in function BZ2_decompress │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-12900 │
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ sqlite-libs │ CVE-2019-8457 │ CRITICAL │ 3.21.0-r1 │ 3.25.3-r1 │ sqlite: heap out-of-bound read in function rtreenode()
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-8457 │
└─────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
```
!!! note
If you want to generate a CycloneDX report from a CycloneDX input, please be aware that the output stores references to your original CycloneDX report and contains only detected vulnerabilities, not components.
The report is called [BOV][bov].
[cyclonedx]: https://cyclonedx.org/
[sbom]: https://cyclonedx.org/capabilities/sbom/

65
docs/docs/sbom/index.md
View File

@@ -1,12 +1,12 @@
# SBOM
# SBOM generation
## Generating
Trivy can generate the following SBOM formats.
- [CycloneDX][cyclonedx]
- [SPDX][spdx]
To generate SBOM, you can use the `--format` option for each subcommand such as `image` and `fs`.
## CLI commands
To generate SBOM, you can use the `--format` option for each subcommand such as `image`, `fs` and `vm`.
```
$ trivy image --format spdx-json --output result.json alpine:3.15
@@ -177,56 +177,27 @@ $ trivy fs --format cyclonedx --output result.json /app/myproject
</details>
## Scanning
Trivy also can take the following SBOM formats as an input and scan for vulnerabilities.
## Supported packages
Trivy supports the following packages.
- CycloneDX
- SPDX
- SPDX JSON
- CycloneDX-type attestation
- [OS packages][os_packages]
- [Language-specific packages][language_packages]
To scan SBOM, you can use the `sbom` subcommand and pass the path to the SBOM.
```bash
$ trivy sbom /path/to/cyclonedx.json
```
See [here][cyclonedx] for the detail.
In addition to the above packages, Trivy also supports the following packages for generating SBOM.
!!! note
CycloneDX XML is not supported at the moment.
These packages are not supported for vulnerability scanning.
```bash
$ trivy sbom /path/to/spdx.json
```
| Language | File | Dependency location[^1] |
|----------|-------------------|:-----------------------:|
| Python | conda package[^2] | - |
| Swift | Podfile.lock | - |
See [here][spdx] for the detail.
You can also scan an SBOM attestation.
In the following example, [Cosign][Cosign] can get an attestation and trivy scan it. You must create CycloneDX-type attestation before trying the example. To learn more about how to create an CycloneDX-Type attestation and attach it to an image, see the [SBOM attestation page][sbom_attestation].
```bash
$ cosign verify-attestation --key /path/to/cosign.pub --type cyclonedx <IMAGE> > sbom.cdx.intoto.jsonl
$ trivy sbom ./sbom.cdx.intoto.jsonl
sbom.cdx.intoto.jsonl (alpine 3.7.3)
=========================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)
┌────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ musl │ CVE-2019-14697 │ CRITICAL │ 1.1.18-r3 │ 1.1.18-r4 │ musl libc through 1.1.23 has an x87 floating-point stack │
│ │ │ │ │ │ adjustment im ...... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-14697 │
├────────────┤ │ │ │ │ │
│ musl-utils │ │ │ │ │ │
│ │ │ │ │ │ │
│ │ │ │ │ │ │
└────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘
```
[^1]: Use `startline == 1 and endline == 1` for unsupported file types
[^2]: `envs/*/conda-meta/*.json`
[cyclonedx]: cyclonedx.md
[spdx]: spdx.md
[Cosign]: https://github.com/sigstore/cosign
[sbom_attestation]: ../attestation/sbom.md#sign-with-a-local-key-pair
[os_packages]: ../vulnerability/detection/os.md
[language_packages]: ../vulnerability/detection/language.md

48
docs/docs/sbom/spdx.md
View File

@@ -1,6 +1,5 @@
# SPDX
# SPDX generation
## Generating
Trivy can generate SBOM in the [SPDX][spdx] format.
You can use the regular subcommands (like `image`, `fs` and `rootfs`) and specify `spdx` with the `--format` option.
@@ -295,50 +294,5 @@ $ cat result.spdx.json | jq .
</details>
## Scanning
Trivy can take the SPDX SBOM as an input and scan for vulnerabilities.
To scan SBOM, you can use the `sbom` subcommand and pass the path to your SPDX report.
The input format is automatically detected.
The following formats are supported:
- Tag-value (`--format spdx`)
- JSON (`--format spdx-json`)
```bash
$ trivy image --format spdx-json --output spdx.json alpine:3.16.0
$ trivy sbom spdx.json
2022-09-15T21:32:27.168+0300 INFO Vulnerability scanning is enabled
2022-09-15T21:32:27.169+0300 INFO Detected SBOM format: spdx-json
2022-09-15T21:32:27.210+0300 INFO Detected OS: alpine
2022-09-15T21:32:27.210+0300 INFO Detecting Alpine vulnerabilities...
2022-09-15T21:32:27.211+0300 INFO Number of language-specific files: 0
spdx.json (alpine 3.16.0)
=========================
Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 2, CRITICAL: 1)
┌──────────────┬────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ busybox │ CVE-2022-30065 │ HIGH │ 1.35.0-r13 │ 1.35.0-r15 │ busybox: A use-after-free in Busybox's awk applet leads to │
│ │ │ │ │ │ denial of service... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-30065 │
├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ libcrypto1.1 │ CVE-2022-2097 │ MEDIUM │ 1.1.1o-r0 │ 1.1.1q-r0 │ openssl: AES OCB fails to encrypt some bytes │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-2097 │
├──────────────┤ │ │ │ │ │
│ libssl1.1 │ │ │ │ │ │
│ │ │ │ │ │ │
├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ ssl_client │ CVE-2022-30065 │ HIGH │ 1.35.0-r13 │ 1.35.0-r15 │ busybox: A use-after-free in Busybox's awk applet leads to │
│ │ │ │ │ │ denial of service... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-30065 │
├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ zlib │ CVE-2022-37434 │ CRITICAL │ 1.2.12-r1 │ 1.2.12-r2 │ zlib: a heap-based buffer over-read or buffer overflow in │
│ │ │ │ │ │ inflate in inflate.c... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-37434 │
└──────────────┴────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘
```
[spdx]: https://spdx.dev/wp-content/uploads/sites/41/2020/08/SPDX-specification-2-2.pdf

16
docs/docs/sbom/supported.md
View File

@@ -1,16 +0,0 @@
## Packages that support vulnerability scanning
- [OS packages][os_packages]
- [Language-specific packages][language_packages]
## Other language-specific packages
| Language | File | Dependency location[^1] |
|----------|-------------------|:-----------------------:|
| Python | conda package[^2] | - |
| Swift | Podfile.lock | - |
[^1]: Use `startline == 1 and endline == 1` for unsupported file types
[^2]: `envs/*/conda-meta/*.json`
[os_packages]: ../vulnerability/detection/os.md
[language_packages]: ../vulnerability/detection/language.md

107
docs/docs/target/aws.md Normal file
View File

@@ -0,0 +1,107 @@
# Amazon Web Services
!!! warning "EXPERIMENTAL"
This feature might change without preserving backwards compatibility.
The Trivy AWS CLI allows you to scan your AWS account for misconfigurations.
You can either run the CLI locally or integrate it into your CI/CD pipeline.
Whilst you can already scan the infrastructure-as-code that defines your AWS resources with `trivy config`, you can now scan your live AWS account(s) directly too.
The included checks cover all of the aspects of the [AWS CIS 1.2](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-cis.html) automated benchmarks.
Trivy uses the same [authentication methods](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) as the AWS CLI to configure and authenticate your access to the AWS platform.
You will need permissions configured to read all AWS resources - we recommend using a group/role with the `ReadOnlyAccess` policy attached.
Once you've scanned your account, you can run additional commands to filter the results without having to run the entire scan again - infrastructure information is cached locally per AWS account/region.
Trivy currently supports the following scanning for AWS accounts.
- Misconfigurations
## CLI Commands
Scan a full AWS account (all supported services):
```shell
trivy aws --region us-east-1
```
You can allow Trivy to determine the AWS region etc. by using the standard AWS configuration files and environment variables. The `--region` flag overrides these.
![AWS Summary Report](../../imgs/trivy-aws.png)
The summary view is the default when scanning multiple services.
Scan a specific service:
```shell
trivy aws --service s3
```
Scan multiple services:
```shell
# --service s3,ec2 works too
trivy aws --service s3 --service ec2
```
Show results for a specific AWS resource:
```shell
trivy aws --service s3 --arn arn:aws:s3:::example-bucket
```
All ARNs with detected issues will be displayed when showing results for their associated service.
## Compliance
This section describes AWS specific compliance reports.
For an overview of Trivy's Compliance feature, including working with custom compliance, check out the [Compliance documentation](../compliance/compliance.md).
### Built in reports
the following reports are available out of the box:
| Compliance | Name for command | More info |
|------------------------------------|------------------|------------------------------------------------------------------------------------------------------|
| AWS CIS Foundations Benchmark v1.2 | `aws-cis-1.2` | [link](https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf) |
| AWS CIS Foundations Benchmark v1.4 | `aws-cis-1.4` | [link](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls-1.4.0.html) |
### Examples
Scan a cloud account and generate a compliance summary report:
```
$ trivy aws --compliance=<compliance_id> --report=summary
```
***Note*** : The `Issues` column represent the total number of failed checks for this control.
Get all of the detailed output for checks:
```
$ trivy aws --compliance=<compliance_id> --report all
```
Report result in JSON format:
```
$ trivy aws --compliance=<compliance_id> --report all --format json
```
## Cached Results
By default, Trivy will cache a representation of each AWS service for 24 hours.
This means you can filter and view results for a service without having to wait for the entire scan to run again.
If you want to force the cache to be refreshed with the latest data, you can use `--update-cache`.
Or if you'd like to use cached data for a different timeframe, you can specify `--max-cache-age` (e.g. `--max-cache-age 2h`.).
Regardless of whether the cache is used or not, rules will be evaluated again with each run of `trivy aws`.
## Custom Policies
You can write custom policies for Trivy to evaluate against your AWS account.
These policies are written in [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/), the same language used by [Open Policy Agent](https://www.openpolicyagent.org/).
See the [Custom Policies](../misconfiguration/custom/index.md) page for more information.

450
docs/docs/target/container_image.md Normal file
View File

@@ -0,0 +1,450 @@
# Container Image
Trivy supports two targets for container images.
- Files inside container images
- Container image metadata
## Files inside container images
Container images consist of files.
For instance, new files will be installed if you install a package.
Trivy scans the files inside container images for
- Vulnerabilities
- Misconfigurations
- Secrets
- Licenses
By default, vulnerability and secret scanning are enabled, and you can configure that with `--scanners`.
### Vulnerabilities
It is enabled by default.
You can simply specify your image name (and a tag).
It detects known vulnerabilities in your container image.
See [here](../vulnerability/scanning.md) for the detail.
```
$ trivy image [YOUR_IMAGE_NAME]
```
For example:
```
$ trivy image python:3.4-alpine
```
<details>
<summary>Result</summary>
```
2019-05-16T01:20:43.180+0900 INFO Updating vulnerability database...
2019-05-16T01:20:53.029+0900 INFO Detecting Alpine vulnerabilities...
python:3.4-alpine3.9 (alpine 3.9.2)
===================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| openssl | CVE-2019-1543 | MEDIUM | 1.1.1a-r1 | 1.1.1b-r1 | openssl: ChaCha20-Poly1305 |
| | | | | | with long nonces |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
```
</details>
To enable only vulnerability scanning, you can specify `--scanners vuln`.
```shell
$ trivy image --scanners vuln [YOUR_IMAGE_NAME]
```
### Misconfigurations
It is supported, but it is not useful in most cases.
As mentioned [here](../misconfiguration/scanning.md), Trivy mainly supports Infrastructure as Code (IaC) files for misconfigurations.
If your container image includes IaC files such as Kubernetes YAML files or Terraform files, you should enable this feature with `--scanners config`.
```
$ trivy image --scanners config [YOUR_IMAGE_NAME]
```
### Secrets
It is enabled by default.
See [here](../secret/scanning.md) for the detail.
```shell
$ trivy image [YOUR_IMAGE_NAME]
```
### Licenses
It is disabled by default.
See [here](../licenses/scanning.md) for the detail.
```shell
$ trivy image --scanners license [YOUR_IMAGE_NAME]
```
## Container image metadata
Container images have [configuration](https://github.com/opencontainers/image-spec/blob/2fb996805b3734779bf9a3a84dc9a9691ad7efdd/config.md).
`docker inspect` and `docker history` show the information according to the configuration.
Trivy scans the configuration of container images for
- Misconfigurations
- Secrets
They are disabled by default.
You can enable them with `--image-config-scanners`.
!!! tips
The configuration can be exported as the JSON file by `docker save`.
### Misconfigurations
Trivy detects misconfigurations on the configuration of container images.
The image config is converted into Dockerfile and Trivy handles it as Dockerfile.
See [here](../misconfiguration/scanning.md) for the detail of Dockerfile scanning.
It is disabled by default.
You can enable it with `--image-config-scanners config`.
```
$ trivy image --image-config-scanners config [YOUR_IMAGE_NAME]
```
If you just want to scan the image config, you can disable scanners with `--scanners none`.
For example:
```
$ trivy image --scanners none --image-config-scanners config alpine:3.17.0
```
<details>
<summary>Result</summary>
```
alpine:3.17 (dockerfile)
========================
Tests: 24 (SUCCESSES: 21, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (UNKNOWN: 0, LOW: 2, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
LOW: Consider using 'COPY file:e4d600fc4c9c293efe360be7b30ee96579925d1b4634c94332e2ec73f7d8eca1 in /' command instead of 'ADD file:e4d600fc4c9c293efe360be7b30ee96579925d1b4634c94332e2ec73f7d8eca1 in /'
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
You should use COPY instead of ADD unless you want to extract a tar file. Note that an ADD command will extract a tar file, which adds the risk of Zip-based vulnerabilities. Accordingly, it is advised to use a COPY command, which does not extract tar files.
See https://avd.aquasec.com/misconfig/ds005
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
alpine:3.17:1
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 [ ADD file:e4d600fc4c9c293efe360be7b30ee96579925d1b4634c94332e2ec73f7d8eca1 in /
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
LOW: Add HEALTHCHECK instruction in your Dockerfile
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
You shoud add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.
See https://avd.aquasec.com/misconfig/ds026
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
```
</details>
!!! tip
You can see how each layer is created with `docker history`.
### Secrets
Trivy detects secrets on the configuration of container images.
The image config is converted into JSON and Trivy scans the file for secrets.
It is especially useful for environment variables that are likely to have credentials by accident.
See [here](../secret/scanning.md) for the detail.
```shell
$ trivy image --image-config-scanners secret [YOUR_IMAGE_NAME]
```
If you just want to scan the image config, you can disable scanners with `--scanners none`.
For example:
```shell
$ trivy image --scanners none --image-config-scanners secret vuln-image
```
<details>
<summary>Result</summary>
```
vuln-image (alpine 3.17.1)
==========================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
vuln-image (secrets)
====================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)
CRITICAL: GitHub (github-pat)
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
GitHub Personal Access Token
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
test:16
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
14 {
15 "created": "2023-01-09T17:05:20Z",
16 [ "created_by": "ENV secret=****************************************",
17 "comment": "buildkit.dockerfile.v0",
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
CRITICAL: GitHub (github-pat)
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
GitHub Personal Access Token
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
test:34
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
32 "Env": [
33 "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
34 [ "secret=****************************************"
35 ]
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
```
</details>
!!! tip
You can see environment variables with `docker inspect`.
## Supported
### Docker Engine
Trivy tries to looks for the specified image in your local Docker Engine.
It will be skipped if Docker Engine is not running locally.
If your docker socket is not the default path, you can override it via `DOCKER_HOST`.
### containerd
!!! warning "EXPERIMENTAL"
This feature might change without preserving backwards compatibility.
Trivy tries to looks for the specified image in your local [containerd](https://containerd.io/).
It will be skipped if containerd is not running locally.
Specify your image name in containerd running locally.
```bash
$ nerdctl images
REPOSITORY TAG IMAGE ID CREATED PLATFORM SIZE BLOB SIZE
aquasec/nginx latest 2bcabc23b454 3 hours ago linux/amd64 149.1 MiB 54.1 MiB
$ trivy image aquasec/nginx
```
If your containerd socket is not the default path (`//run/containerd/containerd.sock`), you can override it via `CONTAINERD_ADDRESS`.
```bash
$ export CONTAINERD_ADDRESS=/run/k3s/containerd/containerd.sock
$ trivy image aquasec/nginx
```
If your scan targets are images in a namespace other than containerd's default namespace (`default`), you can override it via `CONTAINERD_NAMESPACE`.
```bash
$ export CONTAINERD_NAMESPACE=k8s.io
$ trivy image aquasec/nginx
```
### Podman
!!! warning "EXPERIMENTAL"
This feature might change without preserving backwards compatibility.
Scan your image in Podman (>=2.0) running locally. The remote Podman is not supported.
Before performing Trivy commands, you must enable the podman.sock systemd service on your machine.
For more details, see [here](https://github.com/containers/podman/blob/master/docs/tutorials/remote_client.md#enable-the-podman-service-on-the-server-machine).
```bash
$ systemctl --user enable --now podman.socket
```
Then, you can scan your image in Podman.
```bash
$ cat Dockerfile
FROM alpine:3.12
RUN apk add --no-cache bash
$ podman build -t test .
$ podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
localhost/test latest efc372d4e0de About a minute ago 7.94 MB
$ trivy image test
```
### Container Registry
Trivy supports registries that comply with the following specifications.
- [Docker Registry HTTP API V2](https://docs.docker.com/registry/spec/api/)
- [OCI Distribution Specification](https://github.com/opencontainers/distribution-spec)
You can configure credentials with `docker login`.
See [here](../advanced/private-registries/index.md) for the detail.
### Tar Files
Trivy supports image tar files generated by the following tools.
- [Docker Image Specification](https://github.com/moby/moby/tree/master/image/spec)
- [Moby Project](https://github.com/moby/moby/)
- [Buildah](https://github.com/containers/buildah)
- [Podman](https://github.com/containers/podman)
- [img](https://github.com/genuinetools/img)
- [Kaniko](https://github.com/GoogleContainerTools/kaniko)
```
$ docker pull ruby:3.1-alpine3.15
$ docker save ruby:3.1-alpine3.15 -o ruby-3.1.tar
$ trivy image --input ruby-3.1.tar
```
<details>
<summary>Result</summary>
```
2022-02-03T10:08:19.127Z INFO Detected OS: alpine
2022-02-03T10:08:19.127Z WARN This OS version is not on the EOL list: alpine 3.15
2022-02-03T10:08:19.127Z INFO Detecting Alpine vulnerabilities...
2022-02-03T10:08:19.127Z INFO Number of language-specific files: 2
2022-02-03T10:08:19.127Z INFO Detecting gemspec vulnerabilities...
2022-02-03T10:08:19.128Z INFO Detecting node-pkg vulnerabilities...
2022-02-03T10:08:19.128Z WARN This OS version is no longer supported by the distribution: alpine 3.15.0
2022-02-03T10:08:19.128Z WARN The vulnerability detection may be insufficient because security updates are not provided
ruby-3.1.tar (alpine 3.15.0)
============================
Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 3, CRITICAL: 0)
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| gmp | CVE-2021-43618 | HIGH | 6.2.1-r0 | 6.2.1-r1 | gmp: Integer overflow and resultant |
| | | | | | buffer overflow via crafted input |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-43618 |
+----------+ + + + + +
| gmp-dev | | | | | |
| | | | | | |
| | | | | | |
+----------+ + + + + +
| libgmpxx | | | | | |
| | | | | | |
| | | | | | |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
Node.js (node-pkg)
==================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
Ruby (gemspec)
==============
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
```
</details>
### OCI Layout
Trivy supports image directories compliant with [Open Container Image Layout Specification](https://github.com/opencontainers/image-spec/blob/master/spec.md).
Buildah:
```
$ buildah push docker.io/library/alpine:3.11 oci:/path/to/alpine
$ trivy image --input /path/to/alpine
```
Skopeo:
```
$ skopeo copy docker-daemon:alpine:3.11 oci:/path/to/alpine
$ trivy image --input /path/to/alpine
```
## SBOM generation
Trivy can generate SBOM for container images.
See [here](../sbom/index.md) for the detail.
## Compliance
!!! warning "EXPERIMENTAL"
This feature might change without preserving backwards compatibility.
This section describes container image specific compliance reports.
For an overview of Trivy's Compliance feature, including working with custom compliance, check out the [Compliance documentation](../compliance/compliance.md).
### Built in reports
The following reports are available out of the box:
| Compliance | Version | Name for command | More info |
|----------------------------------------|---------|------------------|---------------------------------------------------------------------------------------------|
| CIS Docker Community Edition Benchmark | 1.1.0 | `docker-cis` | [Link](https://www.aquasec.com/cloud-native-academy/docker-container/docker-cis-benchmark/) |
### Examples
Scan a container image configuration and generate a compliance summary report:
```
$ trivy image --compliance docker-cis [YOUR_IMAGE_NAME]
```
!!! note
The `Issues` column represent the total number of failed checks for this control.
## Options
### Scan Image on a specific Architecture and OS
By default, Trivy loads an image on a "linux/amd64" machine.
To customise this, pass a `--platform` argument in the format OS/Architecture for the image:
```
$ trivy image --platform=os/architecture [YOUR_IMAGE_NAME]
```
For example:
```
$ trivy image --platform=linux/arm alpine:3.16.1
```
<details>
<summary>Result</summary>
```
2022-10-25T21:00:50.972+0300 INFO Vulnerability scanning is enabled
2022-10-25T21:00:50.972+0300 INFO Secret scanning is enabled
2022-10-25T21:00:50.972+0300 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2022-10-25T21:00:50.972+0300 INFO Please see also https://aquasecurity.github.io/trivy/dev/docs/secret/scanning/#recommendation for faster secret detection
2022-10-25T21:00:56.190+0300 INFO Detected OS: alpine
2022-10-25T21:00:56.190+0300 INFO Detecting Alpine vulnerabilities...
2022-10-25T21:00:56.191+0300 INFO Number of language-specific files: 0
alpine:3.16.1 (alpine 3.16.1)
=============================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)
┌─────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├─────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ zlib │ CVE-2022-37434 │ CRITICAL │ 1.2.12-r1 │ 1.2.12-r2 │ zlib: heap-based buffer over-read and overflow in inflate() │
│ │ │ │ │ │ in inflate.c via a... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-37434 │
└─────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
```
</details>

93
docs/docs/target/filesystem.md Normal file
View File

@@ -0,0 +1,93 @@
# Filesystem
Scan your local projects for
- Vulnerabilities
- Misconfigurations
- Secrets
- Licenses
By default, vulnerability and secret scanning are enabled, and you can configure that with `--scanners`.
```bash
$ trivy fs /path/to/project
```
It's also possible to scan a single file.
```
$ trivy fs ~/src/github.com/aquasecurity/trivy-ci-test/Pipfile.lock
```
## Scanners
### Vulnerabilities
It is enabled by default.
Trivy will look for vulnerabilities based on lock files such as Gemfile.lock and package-lock.json.
See [here](../vulnerability/scanning.md) for the detail.
```
$ trivy fs ~/src/github.com/aquasecurity/trivy-ci-test
```
<details>
<summary>Result</summary>
```
2020-06-01T17:06:58.652+0300 WARN OS is not detected and vulnerabilities in OS packages are not detected.
2020-06-01T17:06:58.652+0300 INFO Detecting pipenv vulnerabilities...
2020-06-01T17:06:58.691+0300 INFO Detecting cargo vulnerabilities...
Pipfile.lock
============
Total: 10 (UNKNOWN: 2, LOW: 0, MEDIUM: 6, HIGH: 2, CRITICAL: 0)
+---------------------+------------------+----------+-------------------+------------------------+------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+---------------------+------------------+----------+-------------------+------------------------+------------------------------------+
| django | CVE-2020-7471 | HIGH | 2.0.9 | 3.0.3, 2.2.10, 1.11.28 | django: potential |
| | | | | | SQL injection via |
| | | | | | StringAgg(delimiter) |
+ +------------------+----------+ +------------------------+------------------------------------+
| | CVE-2019-19844 | MEDIUM | | 3.0.1, 2.2.9, 1.11.27 | Django: crafted email address |
| | | | | | allows account takeover |
+ +------------------+ + +------------------------+------------------------------------+
| | CVE-2019-3498 | | | 2.1.5, 2.0.10, 1.11.18 | python-django: Content |
| | | | | | spoofing via URL path in |
| | | | | | default 404 page |
+ +------------------+ + +------------------------+------------------------------------+
| | CVE-2019-6975 | | | 2.1.6, 2.0.11, 1.11.19 | python-django: |
| | | | | | memory exhaustion in |
| | | | | | django.utils.numberformat.format() |
+---------------------+------------------+----------+-------------------+------------------------+------------------------------------+
...
```
</details>
### Misconfigurations
It is disabled by default and can be enabled with `--scanners config`.
See [here](../misconfiguration/scanning.md) for the detail.
```shell
$ trivy fs --scanners config /path/to/project
```
### Secrets
It is enabled by default.
See [here](../secret/scanning.md) for the detail.
```shell
$ trivy fs /path/to/project
```
### Licenses
It is disabled by default.
See [here](../licenses/scanning.md) for the detail.
```shell
$ trivy fs --scanners license /path/to/project
```
## SBOM generation
Trivy can generate SBOM for local projects.
See [here](../sbom/index.md) for the detail.

119
docs/docs/vulnerability/scanning/git-repository.md → docs/docs/target/git-repository.md
View File

@@ -1,6 +1,23 @@
# Git Repository
Scan your remote git repository
Scan your remote git repositories for
- Vulnerabilities
- Misconfigurations
- Secrets
- Licenses
By default, vulnerability and secret scanning are enabled, and you can configure that with `--scanners`.
```bash
$ trivy repo [YOUR_REPO_URL]
```
## Scanners
### Vulnerabilities
It is enabled by default.
Trivy will look for vulnerabilities based on lock files such as Gemfile.lock and package-lock.json.
See [here](../vulnerability/scanning.md) for the detail.
```
$ trivy repo https://github.com/knqyf263/trivy-ci-test
@@ -147,7 +164,36 @@ Total: 20 (UNKNOWN: 3, LOW: 0, MEDIUM: 7, HIGH: 5, CRITICAL: 5)
</details>
## Scanning a Branch
### Misconfigurations
It is disabled by default and can be enabled with `--scanners config`.
See [here](../misconfiguration/scanning.md) for the detail.
```shell
$ trivy repo --scanners config [YOUR_REPO_URL]
```
### Secrets
It is enabled by default.
See [here](../secret/scanning.md) for the detail.
```shell
$ trivy repo [YOUR_REPO_URL]
```
### Licenses
It is disabled by default.
See [here](../licenses/scanning.md) for the detail.
```shell
$ trivy repo --scanners license [YOUR_REPO_URL]
```
## SBOM generation
Trivy can generate SBOM for git repositories.
See [here](../sbom/index.md) for the detail.
## References
### Scanning a Branch
Pass a `--branch` argument with a valid branch name on the remote repository provided:
@@ -155,7 +201,7 @@ Pass a `--branch` argument with a valid branch name on the remote repository pro
$ trivy repo --branch <branch-name> <repo-name>
```
## Scanning upto a Commit
### Scanning upto a Commit
Pass a `--commit` argument with a valid commit hash on the remote repository provided:
@@ -163,7 +209,7 @@ Pass a `--commit` argument with a valid commit hash on the remote repository pro
$ trivy repo --commit <commit-hash> <repo-name>
```
## Scanning a Tag
### Scanning a Tag
Pass a `--tag` argument with a valid tag on the remote repository provided:
@@ -171,8 +217,7 @@ Pass a `--tag` argument with a valid tag on the remote repository provided:
$ trivy repo --tag <tag-name> <repo-name>
```
## Scanning Private Repositories
### Scanning Private Repositories
In order to scan private GitHub or GitLab repositories, the environment variable `GITHUB_TOKEN` or `GITLAB_TOKEN` must be set, respectively, with a valid token that has access to the private repository being scanned.
The `GITHUB_TOKEN` environment variable will take precedence over `GITLAB_TOKEN`, so if a private GitLab repository will be scanned, then `GITHUB_TOKEN` must be unset.
@@ -187,65 +232,3 @@ $ # or
$ export GITLAB_TOKEN="your_private_gitlab_token"
$ trivy repo <your private GitLab repo URL>
```
## Client/Server mode
You must launch Trivy server in advance.
```sh
$ trivy server
```
Then, Trivy works as a client if you specify the `--server` option.
```sh
$ trivy repo https://github.com/knqyf263/trivy-ci-test --server http://localhost:4954
```
<details>
<summary>Result</summary>
```
Cargo.lock (cargo)
==================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 1)
┌───────────┬─────────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├───────────┼─────────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ openssl │ CVE-2018-20997 │ CRITICAL │ 0.8.3 │ 0.10.9 │ Use after free in openssl │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-20997 │
│ ├─────────────────────┼──────────┤ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2016-10931 │ HIGH │ │ 0.9.0 │ Improper Certificate Validation in openssl │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2016-10931 │
└───────────┴─────────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
Pipfile.lock (pipenv)
=====================
Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 3, CRITICAL: 2)
┌─────────────────────┬────────────────┬──────────┬───────────────────┬────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├─────────────────────┼────────────────┼──────────┼───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ py │ CVE-2020-29651 │ HIGH │ 1.8.0 │ 1.10.0 │ python-py: ReDoS in the py.path.svnwc component via │
│ │ │ │ │ │ mailicious input to blame functionality... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-29651 │
│ ├────────────────┤ │ ├────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-42969 │ │ │ │ The py library through 1.11.0 for Python allows remote │
│ │ │ │ │ │ attackers to co... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-42969 │
├─────────────────────┼────────────────┤ ├───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ pyjwt │ CVE-2022-29217 │ │ 1.7.1 │ 2.4.0 │ python-jwt: Key confusion through non-blocklisted public key │
│ │ │ │ │ │ formats │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-29217 │
├─────────────────────┼────────────────┼──────────┼───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ pyyaml │ CVE-2019-20477 │ CRITICAL │ 5.1 │ 5.2b1 │ PyYAML: command execution through python/object/apply │
│ │ │ │ │ │ constructor in FullLoader │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-20477 │
│ ├────────────────┤ │ ├────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2020-1747 │ │ │ 5.3.1 │ PyYAML: arbitrary command execution through │
│ │ │ │ │ │ python/object/new when FullLoader is used │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-1747 │
└─────────────────────┴────────────────┴──────────┴───────────────────┴────────────────────────┴──────────────────────────────────────────────────────────────┘
```
</details>

70
docs/docs/kubernetes/cli/scanning.md → docs/docs/target/kubernetes.md
View File

@@ -3,13 +3,21 @@
!!! warning "EXPERIMENTAL"
This feature might change without preserving backwards compatibility.
The Trivy K8s CLI allows you to scan your Kubernetes cluster for Vulnerabilities, Secrets and Misconfigurations. You can either run the CLI locally or integrate it into your CI/CD pipeline. The difference to the Trivy CLI is that the Trivy K8s CLI allows you to scan running workloads directly within your cluster.
## CLI
The Trivy K8s CLI allows you to scan your Kubernetes cluster for
If you are looking for continuous cluster audit scanning, have a look at the [Trivy K8s operator.](../operator/index.md)
- Vulnerabilities
- Misconfigurations
- Secrets
You can either run the CLI locally or integrate it into your CI/CD pipeline.
The difference to the Trivy CLI is that the Trivy K8s CLI allows you to scan running workloads directly within your cluster.
If you are looking for continuous cluster audit scanning, have a look at the Trivy K8s operator below.
Trivy uses your local kubectl configuration to access the API server to list artifacts.
## CLI Commands
### Commands
Scan a full cluster and generate a simple summary report:
@@ -17,7 +25,7 @@ Scan a full cluster and generate a simple summary report:
$ trivy k8s --report=summary cluster
```
![k8s Summary Report](../../../imgs/trivy-k8s.png)
![k8s Summary Report](../../imgs/trivy-k8s.png)
The summary report is the default. To get all of the detail the output contains, use `--report all`.
@@ -233,7 +241,7 @@ $ trivy k8s --format json -o results.json cluster
## Infra checks
### Infra checks
Trivy by default scans kubernetes infra components (apiserver, controller-manager, scheduler and etcd)
if they exist under the `kube-system` namespace. For example, if you run a full cluster scan, or scan all
@@ -275,5 +283,55 @@ Or, to filter for all other checks besides the infra checks, you can:
$ trivy k8s cluster --report summary --components=workload --scanners=config # scan all components besides infra
```
### Compliance
This section describes Kubernetes specific compliance reports.
For an overview of Trivy's Compliance feature, including working with custom compliance, check out the [Compliance documentation](../compliance/compliance.md).
#### Built in reports
The following reports are available out of the box:
| Compliance | Name for command | More info
--- | --- | ---
NSA, CISA Kubernetes Hardening Guidance v1.2 | `k8s-nsa` | [Link](https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF)
CIS Benchmark for Kubernetes v1.23 | `k8s-cis` | [Link](https://www.cisecurity.org/benchmark/kubernetes)
#### Examples
Scan a full cluster and generate a compliance summary report:
```
$ trivy k8s cluster --compliance=<compliance_id> --report summary
```
***Note*** : The `Issues` column represent the total number of failed checks for this control.
Get all of the detailed output for checks:
```
trivy k8s cluster --compliance=<compliance_id> --report all
```
Report result in JSON format:
```
trivy k8s cluster --compliance=<compliance_id> --report summary --format json
```
```
trivy k8s cluster --compliance=<compliance_id> --report all --format json
```
## Operator
Trivy has a native [Kubernetes Operator][operator] which continuously scans your Kubernetes cluster for security issues, and generates security reports as Kubernetes [Custom Resources][crd]. It does it by watching Kubernetes for state changes and automatically triggering scans in response to changes, for example initiating a vulnerability scan when a new Pod is created.
> Kubernetes-native security toolkit. ([Documentation][trivy-operator]).
<figure>
<figcaption>Workload reconcilers discover K8s controllers, manage scan jobs, and create VulnerabilityReport and ConfigAuditReport objects.</figcaption>
</figure>
[operator]: https://kubernetes.io/docs/concepts/extend-kubernetes/operator/
[crd]: https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/
[trivy-operator]: https://aquasecurity.github.io/trivy-operator/latest

15
docs/docs/target/rootfs.md Normal file
View File

@@ -0,0 +1,15 @@
# Rootfs
Rootfs scanning is for special use cases such as
- Host machine
- [Root filesystem](../advanced/container/embed-in-dockerfile.md)
- [Unpacked filesystem](../advanced/container/unpacked-filesystem.md)
```bash
$ trivy rootfs /path/to/rootfs
```
!!! note
Rootfs scanning works differently from the Filesystem scanning.
You should use `trivy fs` to scan your local projects in CI/CD.
See [here](../vulnerability/detection/language.md) for the differences.

113
docs/docs/target/sbom.md Normal file
View File

@@ -0,0 +1,113 @@
# SBOM scanning
Trivy can take the following SBOM formats as an input and scan for vulnerabilities.
- CycloneDX
- SPDX
- SPDX JSON
- CycloneDX-type attestation
To scan SBOM, you can use the `sbom` subcommand and pass the path to the SBOM.
The input format is automatically detected.
```bash
$ trivy sbom /path/to/sbom_file
```
!!! note
Passing SBOMs generated by tool other than Trivy may result in inaccurate detection
because Trivy relies on custom properties in SBOM for accurate scanning.
## CycloneDX
Trivy supports CycloneDX as an input.
!!! note
CycloneDX XML is not supported at the moment.
```bash
$ trivy sbom /path/to/cyclonedx.json
```
!!! note
If you want to generate a CycloneDX report from a CycloneDX input, please be aware that the output stores references to your original CycloneDX report and contains only detected vulnerabilities, not components.
The report is called [BOV](https://cyclonedx.org/capabilities/sbom/).
## SPDX
Trivy supports the SPDX SBOM as an input.
The following SPDX formats are supported:
- Tag-value (`--format spdx`)
- JSON (`--format spdx-json`)
```bash
$ trivy image --format spdx-json --output spdx.json alpine:3.16.0
$ trivy sbom spdx.json
```
<details>
<summary>Result</summary>
```
2022-09-15T21:32:27.168+0300 INFO Vulnerability scanning is enabled
2022-09-15T21:32:27.169+0300 INFO Detected SBOM format: spdx-json
2022-09-15T21:32:27.210+0300 INFO Detected OS: alpine
2022-09-15T21:32:27.210+0300 INFO Detecting Alpine vulnerabilities...
2022-09-15T21:32:27.211+0300 INFO Number of language-specific files: 0
spdx.json (alpine 3.16.0)
=========================
Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 2, CRITICAL: 1)
┌──────────────┬────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ busybox │ CVE-2022-30065 │ HIGH │ 1.35.0-r13 │ 1.35.0-r15 │ busybox: A use-after-free in Busybox's awk applet leads to │
│ │ │ │ │ │ denial of service... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-30065 │
├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ libcrypto1.1 │ CVE-2022-2097 │ MEDIUM │ 1.1.1o-r0 │ 1.1.1q-r0 │ openssl: AES OCB fails to encrypt some bytes │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-2097 │
├──────────────┤ │ │ │ │ │
│ libssl1.1 │ │ │ │ │ │
│ │ │ │ │ │ │
├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ ssl_client │ CVE-2022-30065 │ HIGH │ 1.35.0-r13 │ 1.35.0-r15 │ busybox: A use-after-free in Busybox's awk applet leads to │
│ │ │ │ │ │ denial of service... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-30065 │
├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ zlib │ CVE-2022-37434 │ CRITICAL │ 1.2.12-r1 │ 1.2.12-r2 │ zlib: a heap-based buffer over-read or buffer overflow in │
│ │ │ │ │ │ inflate in inflate.c... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-37434 │
└──────────────┴────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘
```
</details>
## SBOM attestation
You can also scan an SBOM attestation.
In the following example, [Cosign](https://github.com/sigstore/cosign) gets an attestation and Trivy scans it.
You must create CycloneDX-type attestation before trying the example.
To learn more about how to create an CycloneDX-Type attestation and attach it to an image, see the [SBOM attestation page](../attestation/sbom.md#sign-with-a-local-key-pair).
```bash
$ cosign verify-attestation --key /path/to/cosign.pub --type cyclonedx <IMAGE> > sbom.cdx.intoto.jsonl
$ trivy sbom ./sbom.cdx.intoto.jsonl
sbom.cdx.intoto.jsonl (alpine 3.7.3)
=========================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)
┌────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ musl │ CVE-2019-14697 │ CRITICAL │ 1.1.18-r3 │ 1.1.18-r4 │ musl libc through 1.1.23 has an x87 floating-point stack │
│ │ │ │ │ │ adjustment im ...... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-14697 │
├────────────┤ │ │ │ │ │
│ musl-utils │ │ │ │ │ │
│ │ │ │ │ │ │
│ │ │ │ │ │ │
└────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘
```

142
docs/docs/vm/index.md → docs/docs/target/vm.md
View File

@@ -3,15 +3,16 @@
!!! warning "EXPERIMENTAL"
This feature might change without preserving backwards compatibility.
## Scanning
Trivy supports VM image scanning for vulnerabilities, secrets, etc.
To scan virtual machine (VM) images, you can use the `vm` subcommand.
## Targets
The following targets are currently supported:
- Local file
- [AWS EC2][aws]
To scan VM images, you can use the `vm` subcommand.
- AWS EC2
- Amazon Machine Image (AMI)
- Amazon Elastic Block Store (EBS) Snapshot
### Local file
Pass the path to your local VM image file.
@@ -62,11 +63,126 @@ Total: 802 (UNKNOWN: 0, LOW: 17, MEDIUM: 554, HIGH: 221, CRITICAL: 10)
</details>
### AWS EC2
### Amazon Machine Image (AMI)
You can specify your AMI ID with the `ami:` prefix.
See [here][aws] for the detail.
```shell
$ trivy vm ami:${your_ami_id}
```
## Supported architectures
!!! note
AMIs in the marketplace are not supported because the EBS direct APIs don't support that.
See [the AWS documentation][ebsapi-elements] for the detail.
#### Example
```shell
$ trivy vm --scanners vuln ami:ami-0123456789abcdefg
```
If you want to scan a AMI of non-default setting region, you can set any region via `--aws-region` option.
```shell
$ trivy vm --aws-region ap-northeast-1 ami:ami-0123456789abcdefg
```
#### Required Actions
Some actions on EBS are also necessary since Trivy scans an EBS snapshot tied to the specified AMI under the hood.
- ec2:DescribeImages
- ebs:ListSnapshotBlocks
- ebs:GetSnapshotBlock
### Amazon Elastic Block Store (EBS) Snapshot
You can specify your EBS snapshot ID with the `ebs:` prefix.
```shell
$ trivy vm ebs:${your_ebs_snapshot_id}
```
!!! note
Public snapshots are not supported because the EBS direct APIs don't support that.
See [the AWS documentation][ebsapi-elements] for the detail.
#### Example
```shell
$ trivy vm --scanners vuln ebs:snap-0123456789abcdefg
```
If you want to scan an EBS Snapshot of non-default setting region, you can set any region via `--aws-region` option.
```shell
$ trivy vm --aws-region ap-northeast-1 ebs:ebs-0123456789abcdefg
```
The above command takes a while as it calls EBS API and fetches the EBS blocks.
If you want to scan the same snapshot several times, you can download the snapshot locally by using [coldsnap][coldsnap] maintained by AWS.
Then, Trivy can scan the local VM image file.
```shell
$ coldsnap download snap-0123456789abcdefg disk.img
$ trivy vm ./disk.img
```
#### Required Actions
- ebs:ListSnapshotBlocks
- ebs:GetSnapshotBlock
## Scanners
Trivy supports VM image scanning for
- Vulnerabilities
- Misconfigurations
- Secrets
- Licenses
### Vulnerabilities
It is enabled by default.
You can simply specify your VM image location.
It detects known vulnerabilities in your VM image.
See [here](../vulnerability/scanning.md) for the detail.
```
$ trivy vm [YOUR_VM_IMAGE]
```
### Misconfigurations
It is supported, but it is not useful in most cases.
As mentioned [here](../misconfiguration/scanning.md), Trivy mainly supports Infrastructure as Code (IaC) files for misconfigurations.
If your VM image includes IaC files such as Kubernetes YAML files or Terraform files, you should enable this feature with `--scanners config`.
```
$ trivy vm --scanners config [YOUR_VM_IMAGE]
```
### Secrets
It is enabled by default.
See [here](../secret/scanning.md) for the detail.
```shell
$ trivy vm [YOUR_VM_IMAGE]
```
!!! tip
The scanning could be faster if you enable only vulnerability scanning (`--scanners vuln`) because Trivy tries to download only necessary blocks for vulnerability detection.
### Licenses
It is disabled by default.
See [here](../licenses/scanning.md) for the detail.
```shell
$ trivy vm --scanners license [YOUR_VM_IMAGE]
```
## SBOM generation
Trivy can generate SBOM for VM images.
See [here](../sbom/index.md) for the detail.
## Supported Architectures
### Virtual machine images
@@ -117,5 +233,9 @@ Reference: [VMware Virtual Disk Format 1.1.pdf][vmdk]
| EXT2/3 | |
| ZFS | |
[aws]: ./aws.md
[vmdk]: https://www.vmware.com/app/vmdk/?src=vmdk
[aws]: ../vm/aws.md
[vmdk]: https://www.vmware.com/app/vmdk/?src=vmdk
[ebsapi-elements]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-accessing-snapshot.html#ebsapi-elements
[coldsnap]: https://github.com/awslabs/coldsnap

83
docs/docs/vm/aws.md
View File

@@ -1,83 +0,0 @@
# AWS EC2
Trivy can scan the following targets in AWS EC2.
- Amazon Machine Image (AMI)
- Elastic Block Store (EBS) Snapshot
## Amazon Machine Image (AMI)
You can specify your AMI ID with the `ami:` prefix.
```shell
$ trivy vm ami:${your_ami_id}
```
!!! note
AMIs in the marketplace are not supported because the EBS direct APIs don't support that.
See [the AWS documentation][ebsapi-elements] for the detail.
### Example
```shell
$ trivy vm --scanners vuln ami:ami-0123456789abcdefg
```
!!! tip
The scanning could be faster if you enable only vulnerability scanning (`--scanners vuln`) because Trivy tries to download only necessary blocks for vulnerability detection.
If you want to scan a AMI of non-default setting region, you can set any region via `--aws-region` option.
```shell
$ trivy vm --aws-region ap-northeast-1 ami:ami-0123456789abcdefg
```
### Required Actions
Some actions on EBS are also necessary since Trivy scans an EBS snapshot tied to the specified AMI under the hood.
- ec2:DescribeImages
- ebs:ListSnapshotBlocks
- ebs:GetSnapshotBlock
## Elastic Block Store (EBS) Snapshot
You can specify your EBS snapshot ID with the `ebs:` prefix.
```shell
$ trivy vm ebs:${your_ebs_snapshot_id}
```
!!! note
Public snapshots are not supported because the EBS direct APIs don't support that.
See [the AWS documentation][ebsapi-elements] for the detail.
### Example
```shell
$ trivy vm --scanners vuln ebs:snap-0123456789abcdefg
```
!!! tip
The scanning could be faster if you enable only vulnerability scanning (`--scanners vuln`) because Trivy tries to download only necessary blocks for vulnerability detection.
If you want to scan an EBS Snapshot of non-default setting region, you can set any region via `--aws-region` option.
```shell
$ trivy vm --aws-region ap-northeast-1 ebs:ebs-0123456789abcdefg
```
The above command takes a while as it calls EBS API and fetches the EBS blocks.
If you want to scan the same snapshot several times, you can download the snapshot locally by using [coldsnap][coldsnap] maintained by AWS.
Then, Trivy can scan the local VM image file.
```shell
$ coldsnap download snap-0123456789abcdefg disk.img
$ trivy vm ./disk.img
```
### Required Actions
- ebs:ListSnapshotBlocks
- ebs:GetSnapshotBlock
[ebsapi-elements]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-accessing-snapshot.html#ebsapi-elements
[coldsnap]: https://github.com/awslabs/coldsnap

55
docs/docs/vulnerability/detection/os.md
View File

@@ -21,5 +21,60 @@ The unfixed/unfixable vulnerabilities mean that the patch has not yet been provi
| Ubuntu | All versions supported by Canonical | Installed by apt/apt-get/dpkg | YES |
| Distroless[^2] | Any | Installed by apt/apt-get/dpkg | YES |
## Distributions
### CBL-Mariner
Trivy scans [CBL-Mariner][mariner].
#### Support
The following table provides an outline of the features Trivy offers.
| Version | Container image | Virtual machine | Distroless | Multi-arch | Unfixed support |
|---------|:---------------:|:---------------:|:----------:|:------------:|:---------------:|
| 1.0 | ✔ | ✔ | ✔ | amd64, arm64 | ✔ |
| 2.0 | ✔ | ✔ | ✔ | amd64, arm64 | ✔ |
### Examples
=== "image"
```
➜ trivy image mcr.microsoft.com/cbl-mariner/base/core:2.0
2022-07-27T14:48:20.355+0600 INFO Detected OS: cbl-mariner
2022-07-27T14:48:20.355+0600 INFO Detecting CBL-Mariner vulnerabilities...
2022-07-27T14:48:20.356+0600 INFO Number of language-specific files: 0
mcr.microsoft.com/cbl-mariner/base/core:2.0 (cbl-mariner 2.0.20220527)
Total: 33 (UNKNOWN: 0, LOW: 0, MEDIUM: 15, HIGH: 13, CRITICAL: 5)
```
=== "rootfs"
```
➜ docker run -it --rm --entrypoint bin/bash mcr.microsoft.com/cbl-mariner/base/core:2.0
root [ / ]# tdnf -y install ca-certificates
root [ / ]# # Install the latest Trivy
root [ / ]# trivy rootfs /
2022-07-27T09:30:06.815Z INFO Need to update DB
2022-07-27T09:30:06.815Z INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2022-07-27T09:30:06.815Z INFO Downloading DB...
33.25 MiB / 33.25 MiB [------------------------------] 100.00% 4.20 MiB p/s 8.1s
2022-07-27T09:30:21.756Z INFO Vulnerability scanning is enabled
2022-07-27T09:30:21.756Z INFO Secret scanning is enabled
2022-07-27T09:30:21.756Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2022-07-27T09:30:21.756Z INFO Please see also https://aquasecurity.github.io/trivy/v0.30.4/docs/secret/scanning/#recommendation for faster secret detection
2022-07-27T09:30:22.205Z INFO Detected OS: cbl-mariner
2022-07-27T09:30:22.205Z INFO Detecting CBL-Mariner vulnerabilities...
2022-07-27T09:30:22.205Z INFO Number of language-specific files: 0
40ba9a55397c (cbl-mariner 2.0.20220527)
=======================================
Total: 33 (UNKNOWN: 0, LOW: 0, MEDIUM: 15, HIGH: 13, CRITICAL: 5)
```
[^1]: https://developers.redhat.com/products/rhel/ubi
[^2]: https://github.com/GoogleContainerTools/distroless
### Data source
See [here][source].
[mariner]: https://github.com/microsoft/CBL-Mariner
[source]: data-source.md

23
docs/docs/vulnerability/detection/supported.md
View File

@@ -1,23 +0,0 @@
# Supported
## Container Runtime
- [Docker Engine](https://docs.docker.com/engine/)
- [Podman](../../advanced/container/podman.md)
- [containerd](../../advanced/container/containerd.md)
## Container Registry
- [Docker Registry HTTP API V2](https://docs.docker.com/registry/spec/api/)
- [OCI Distribution Specification](https://github.com/opencontainers/distribution-spec)
## Image Tar Formats
Trivy scans a tar image with the following format.
- [Docker Image Specification](https://github.com/moby/moby/tree/master/image/spec)
- [Moby Project](https://github.com/moby/moby/)
- [Buildah](https://github.com/containers/buildah)
- [Podman](https://github.com/containers/podman)
- [img](https://github.com/genuinetools/img)
- [Kaniko](https://github.com/GoogleContainerTools/kaniko)
## Image Layout
- [OCI Image Format Specification](https://github.com/opencontainers/image-spec)

58
docs/docs/vulnerability/distributions.md
View File

@@ -1,58 +0,0 @@
## CBL-Mariner
Trivy scans [CBL-Mariner][mariner].
### Support
The following table provides an outline of the features Trivy offers.
| Version | Container image | Virtual machine | Distroless | Multi-arch | Unfixed support |
|---------|:---------------:|:---------------:|:----------:|:------------:|:---------------:|
| 1.0 | ✔ | ✔ | ✔ | amd64, arm64 | ✔ |
| 2.0 | ✔ | ✔ | ✔ | amd64, arm64 | ✔ |
### Examples
=== "image"
```
➜ trivy image mcr.microsoft.com/cbl-mariner/base/core:2.0
2022-07-27T14:48:20.355+0600 INFO Detected OS: cbl-mariner
2022-07-27T14:48:20.355+0600 INFO Detecting CBL-Mariner vulnerabilities...
2022-07-27T14:48:20.356+0600 INFO Number of language-specific files: 0
mcr.microsoft.com/cbl-mariner/base/core:2.0 (cbl-mariner 2.0.20220527)
Total: 33 (UNKNOWN: 0, LOW: 0, MEDIUM: 15, HIGH: 13, CRITICAL: 5)
```
=== "fs"
```
➜ docker run -it --rm --entrypoint bin/bash mcr.microsoft.com/cbl-mariner/base/core:2.0
root [ / ]# tdnf -y install ca-certificates
...
root [ / ]# rpm -ivh https://github.com/aquasecurity/trivy/releases/download/v0.30.4/trivy_0.30.4_Linux-64bit.rpm
...
root [ / ]# trivy fs /
2022-07-27T09:30:06.815Z INFO Need to update DB
2022-07-27T09:30:06.815Z INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2022-07-27T09:30:06.815Z INFO Downloading DB...
33.25 MiB / 33.25 MiB [------------------------------] 100.00% 4.20 MiB p/s 8.1s
2022-07-27T09:30:21.756Z INFO Vulnerability scanning is enabled
2022-07-27T09:30:21.756Z INFO Secret scanning is enabled
2022-07-27T09:30:21.756Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2022-07-27T09:30:21.756Z INFO Please see also https://aquasecurity.github.io/trivy/v0.30.4/docs/secret/scanning/#recommendation for faster secret detection
2022-07-27T09:30:22.205Z INFO Detected OS: cbl-mariner
2022-07-27T09:30:22.205Z INFO Detecting CBL-Mariner vulnerabilities...
2022-07-27T09:30:22.205Z INFO Number of language-specific files: 0
40ba9a55397c (cbl-mariner 2.0.20220527)
Total: 33 (UNKNOWN: 0, LOW: 0, MEDIUM: 15, HIGH: 13, CRITICAL: 5)
```
### Data source
See [here][source].
[mariner]: https://github.com/microsoft/CBL-Mariner
[source]: detection/data-source.md

42
docs/docs/vulnerability/examples/others.md
View File

@@ -16,48 +16,6 @@ If your image contains lock files which are not maintained by you, you can skip
$ trivy image --skip-dirs /var/lib/gems/2.5.0/gems/fluent-plugin-detect-exceptions-0.0.13 --skip-dirs "/var/lib/gems/2.5.0/gems/http_parser.rb-0.6.0" quay.io/fluentd_elasticsearch/fluentd:v2.9.0
```
## Scan Image on a specific Architecture and OS
By default, Trivy loads an image on a "linux/amd64" machine.
To customise this, pass a `--platform` argument in the format OS/Architecture for the image:
```
$ trivy image --platform=os/architecture [YOUR_IMAGE_NAME]
```
For example:
```
$ trivy image --platform=linux/arm alpine:3.16.1
```
<details>
<summary>Result</summary>
```
2022-10-25T21:00:50.972+0300 INFO Vulnerability scanning is enabled
2022-10-25T21:00:50.972+0300 INFO Secret scanning is enabled
2022-10-25T21:00:50.972+0300 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2022-10-25T21:00:50.972+0300 INFO Please see also https://aquasecurity.github.io/trivy/dev/docs/secret/scanning/#recommendation for faster secret detection
2022-10-25T21:00:56.190+0300 INFO Detected OS: alpine
2022-10-25T21:00:56.190+0300 INFO Detecting Alpine vulnerabilities...
2022-10-25T21:00:56.191+0300 INFO Number of language-specific files: 0
alpine:3.16.1 (alpine 3.16.1)
=============================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)
┌─────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├─────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ zlib │ CVE-2022-37434 │ CRITICAL │ 1.2.12-r1 │ 1.2.12-r2 │ zlib: heap-based buffer over-read and overflow in inflate() │
│ │ │ │ │ │ in inflate.c via a... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-37434 │
└─────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
```
</details>
## File patterns
When a directory is given as an input, Trivy will recursively look for and test all files based on file patterns.
The default file patterns are [here](../../misconfiguration/custom/index.md).

12
docs/docs/vulnerability/scanning.md Normal file
View File

@@ -0,0 +1,12 @@
# Vulnerability Scanning
This section describes the details of vulnerability scanning.
Trivy detects known vulnerabilities according to the versions of installed packages.
The following packages are supported.
- [OS packages](detection/os.md)
- [Language-specific packages](detection/language.md)
Trivy downloads [the vulnerabillity database](https://github.com/aquasecurity/trivy-db) every 6 hours.
The data source is listed [here](detection/data-source.md).

103
docs/docs/vulnerability/scanning/filesystem.md
View File

@@ -1,103 +0,0 @@
# Filesystem
Scan a local project including language-specific files.
```bash
$ trivy fs /path/to/project
```
## Standalone mode
### Local Project
Trivy will look for vulnerabilities based on lock files such as Gemfile.lock and package-lock.json.
```
$ trivy fs ~/src/github.com/aquasecurity/trivy-ci-test
```
<details>
<summary>Result</summary>
```
2020-06-01T17:06:58.652+0300 WARN OS is not detected and vulnerabilities in OS packages are not detected.
2020-06-01T17:06:58.652+0300 INFO Detecting pipenv vulnerabilities...
2020-06-01T17:06:58.691+0300 INFO Detecting cargo vulnerabilities...
Pipfile.lock
============
Total: 10 (UNKNOWN: 2, LOW: 0, MEDIUM: 6, HIGH: 2, CRITICAL: 0)
+---------------------+------------------+----------+-------------------+------------------------+------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+---------------------+------------------+----------+-------------------+------------------------+------------------------------------+
| django | CVE-2020-7471 | HIGH | 2.0.9 | 3.0.3, 2.2.10, 1.11.28 | django: potential |
| | | | | | SQL injection via |
| | | | | | StringAgg(delimiter) |
+ +------------------+----------+ +------------------------+------------------------------------+
| | CVE-2019-19844 | MEDIUM | | 3.0.1, 2.2.9, 1.11.27 | Django: crafted email address |
| | | | | | allows account takeover |
+ +------------------+ + +------------------------+------------------------------------+
| | CVE-2019-3498 | | | 2.1.5, 2.0.10, 1.11.18 | python-django: Content |
| | | | | | spoofing via URL path in |
| | | | | | default 404 page |
+ +------------------+ + +------------------------+------------------------------------+
| | CVE-2019-6975 | | | 2.1.6, 2.0.11, 1.11.19 | python-django: |
| | | | | | memory exhaustion in |
| | | | | | django.utils.numberformat.format() |
+---------------------+------------------+----------+-------------------+------------------------+------------------------------------+
...
```
</details>
### Single file
It's also possible to scan a single file.
```
$ trivy fs ~/src/github.com/aquasecurity/trivy-ci-test/Pipfile.lock
```
## Client/Server mode
You must launch Trivy server in advance.
```sh
$ trivy server
```
Then, Trivy works as a client if you specify the `--server` option.
```sh
$ trivy fs --server http://localhost:4954 --severity CRITICAL ./integration/testdata/fixtures/fs/pom/
```
<details>
<summary>Result</summary>
```
pom.xml (pom)
=============
Total: 4 (CRITICAL: 4)
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
| com.fasterxml.jackson.core:jackson-databind | CVE-2017-17485 | CRITICAL | 2.9.1 | 2.8.11, 2.9.4 | jackson-databind: Unsafe |
| | | | | | deserialization due to |
| | | | | | incomplete black list (incomplete |
| | | | | | fix for CVE-2017-15095)... |
| | | | | | -->avd.aquasec.com/nvd/cve-2017-17485 |
+ +------------------+ + +--------------------------------+---------------------------------------+
| | CVE-2020-9546 | | | 2.7.9.7, 2.8.11.6, 2.9.10.4 | jackson-databind: Serialization |
| | | | | | gadgets in shaded-hikari-config |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-9546 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2020-9547 | | | | jackson-databind: Serialization |
| | | | | | gadgets in ibatis-sqlmap |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-9547 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2020-9548 | | | | jackson-databind: Serialization |
| | | | | | gadgets in anteros-core |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-9548 |
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
```
</details>

90
docs/docs/vulnerability/scanning/image.md
View File

@@ -1,90 +0,0 @@
# Image
## Container Images
Simply specify an image name (and a tag).
```
$ trivy image [YOUR_IMAGE_NAME]
```
For example:
```
$ trivy image python:3.4-alpine
```
<details>
<summary>Result</summary>
```
2019-05-16T01:20:43.180+0900 INFO Updating vulnerability database...
2019-05-16T01:20:53.029+0900 INFO Detecting Alpine vulnerabilities...
python:3.4-alpine3.9 (alpine 3.9.2)
===================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| openssl | CVE-2019-1543 | MEDIUM | 1.1.1a-r1 | 1.1.1b-r1 | openssl: ChaCha20-Poly1305 |
| | | | | | with long nonces |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
```
</details>
## Tar Files
```
$ docker pull ruby:3.1-alpine3.15
$ docker save ruby:3.1-alpine3.15 -o ruby-3.1.tar
$ trivy image --input ruby-3.1.tar
```
<details>
<summary>Result</summary>
```
2022-02-03T10:08:19.127Z INFO Detected OS: alpine
2022-02-03T10:08:19.127Z WARN This OS version is not on the EOL list: alpine 3.15
2022-02-03T10:08:19.127Z INFO Detecting Alpine vulnerabilities...
2022-02-03T10:08:19.127Z INFO Number of language-specific files: 2
2022-02-03T10:08:19.127Z INFO Detecting gemspec vulnerabilities...
2022-02-03T10:08:19.128Z INFO Detecting node-pkg vulnerabilities...
2022-02-03T10:08:19.128Z WARN This OS version is no longer supported by the distribution: alpine 3.15.0
2022-02-03T10:08:19.128Z WARN The vulnerability detection may be insufficient because security updates are not provided
ruby-3.1.tar (alpine 3.15.0)
============================
Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 3, CRITICAL: 0)
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| gmp | CVE-2021-43618 | HIGH | 6.2.1-r0 | 6.2.1-r1 | gmp: Integer overflow and resultant |
| | | | | | buffer overflow via crafted input |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-43618 |
+----------+ + + + + +
| gmp-dev | | | | | |
| | | | | | |
| | | | | | |
+----------+ + + + + +
| libgmpxx | | | | | |
| | | | | | |
| | | | | | |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
Node.js (node-pkg)
==================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
Ruby (gemspec)
==============
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
```
</details>

9
docs/docs/vulnerability/scanning/index.md
View File

@@ -1,9 +0,0 @@
# Vulnerability Scanning
Trivy scans [Container Images][image], [Rootfs][rootfs], [Filesystem][fs], [Virtual Machine Image][vm] and [Git Repositories][repo] to detect vulnerabilities.
[image]: image.md
[rootfs]: rootfs.md
[fs]: filesystem.md
[repo]: git-repository.md
[vm]: ../../vm/index.md

103
docs/docs/vulnerability/scanning/rootfs.md
View File

@@ -1,103 +0,0 @@
# Rootfs
Scan a root filesystem (such as a host machine, a virtual machine image, or an unpacked container image filesystem).
```bash
$ trivy rootfs /path/to/rootfs
```
## Standalone mode
### From Inside Containers
Scan your container from inside the container.
```bash
$ docker run --rm -it alpine:3.11
/ # curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
/ # trivy rootfs /
```
<details>
<summary>Result</summary>
```
2021-03-08T05:22:26.378Z INFO Need to update DB
2021-03-08T05:22:26.380Z INFO Downloading DB...
20.37 MiB / 20.37 MiB [-------------------------------------------------------------------------------------------------------------------------------------] 100.00% 8.24 MiB p/s 2s
2021-03-08T05:22:30.134Z INFO Detecting Alpine vulnerabilities...
2021-03-08T05:22:30.138Z INFO Trivy skips scanning programming language libraries because no supported file was detected
313430f09696 (alpine 3.11.7)
============================
Total: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 6, CRITICAL: 0)
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| libcrypto1.1 | CVE-2021-23839 | HIGH | 1.1.1i-r0 | 1.1.1j-r0 | openssl: incorrect SSLv2 |
| | | | | | rollback protection |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-23839 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2021-23840 | | | | openssl: integer |
| | | | | | overflow in CipherUpdate |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-23840 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2021-23841 | | | | openssl: NULL pointer dereference |
| | | | | | in X509_issuer_and_serial_hash() |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-23841 |
+--------------+------------------+ + + +---------------------------------------+
| libssl1.1 | CVE-2021-23839 | | | | openssl: incorrect SSLv2 |
| | | | | | rollback protection |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-23839 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2021-23840 | | | | openssl: integer |
| | | | | | overflow in CipherUpdate |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-23840 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2021-23841 | | | | openssl: NULL pointer dereference |
| | | | | | in X509_issuer_and_serial_hash() |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-23841 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
```
</details>
## Client/Server mode
You must launch Trivy server in advance.
```sh
$ trivy server
```
Then, Trivy works as a client if you specify the `--server` option.
```sh
$ trivy rootfs --server http://localhost:4954 --severity CRITICAL /tmp/rootfs
```
<details>
<summary>Result</summary>
```
/tmp/rootfs (alpine 3.10.2)
Total: 1 (CRITICAL: 1)
┌───────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├───────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ apk-tools │ CVE-2021-36159 │ CRITICAL │ 2.10.4-r2 │ 2.10.7-r0 │ libfetch before 2021-07-26, as used in apk-tools, xbps, and │
│ │ │ │ │ │ other products, mishandles... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-36159 │
└───────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
```
</details>
## Other Examples
- [Embed in Dockerfile][embedding]
- [Unpacked container image filesystem][unpacked]
[embedding]: ../../advanced/container/embed-in-dockerfile.md
[unpacked]: ../../advanced/container/unpacked-filesystem.md

2
docs/tutorials/kubernetes/cluster-scanning.md
View File

@@ -68,7 +68,7 @@ This has several benefits:
- The CRDs can be both machine and human-readable depending on which applications consume the CRDs. This allows for more versatile applications of the Trivy operator.
There are several ways that you can install the Trivy Operator in your cluster. In this guide, were going to use the Helm installation based on the [following documentation.](../../docs/kubernetes/operator/index.md)
There are several ways that you can install the Trivy Operator in your cluster. In this guide, were going to use the Helm installation based on the [following documentation.](../../docs/target/kubernetes.md#trivy-operator)
Make sure that you have the [Helm CLI installed.](https://helm.sh/docs/intro/install/)
Next, run the following commands.

35
mkdocs.yml
View File

@@ -34,25 +34,27 @@ nav:
- CKS Reference: tutorials/additional-resources/cks.md
- Docs:
- Overview: docs/index.md
- Target:
Container Image: docs/target/container_image.md
Filesystem: docs/target/filesystem.md
Rootfs: docs/target/rootfs.md
Git Repository: docs/target/git-repository.md
Virtual Machine Image: docs/target/vm.md
Kubernetes: docs/target/kubernetes.md
AWS: docs/target/aws.md
SBOM: docs/target/sbom.md
- Vulnerability:
- Scanning:
- Overview: docs/vulnerability/scanning/index.md
- Container Image: docs/vulnerability/scanning/image.md
- Filesystem: docs/vulnerability/scanning/filesystem.md
- Rootfs: docs/vulnerability/scanning/rootfs.md
- Git Repository: docs/vulnerability/scanning/git-repository.md
- Scanning: docs/vulnerability/scanning.md
- Detection:
- OS Packages: docs/vulnerability/detection/os.md
- Language-specific Packages: docs/vulnerability/detection/language.md
- Data Sources: docs/vulnerability/detection/data-source.md
- Supported: docs/vulnerability/detection/supported.md
- Examples:
- Vulnerability Filtering: docs/vulnerability/examples/filter.md
- Report Formats: docs/vulnerability/examples/report.md
- Vulnerability DB: docs/vulnerability/examples/db.md
- Cache: docs/vulnerability/examples/cache.md
- Others: docs/vulnerability/examples/others.md
- Distributions: docs/vulnerability/distributions.md
- Languages:
- Go: docs/vulnerability/languages/golang.md
- Java: docs/vulnerability/languages/java.md
@@ -80,24 +82,10 @@ nav:
- Examples: docs/secret/examples.md
- License:
- Scanning: docs/licenses/scanning.md
- Kubernetes:
- CLI:
- Scanning: docs/kubernetes/cli/scanning.md
- Compliance: docs/kubernetes/cli/compliance.md
- Operator:
- Overview: docs/kubernetes/operator/index.md
- Cloud:
- AWS:
- Scanning: docs/cloud/aws/scanning.md
- Compliance: docs/cloud/aws/compliance.md
- Virtual Machine Image:
- Overview: docs/vm/index.md
- AWS EC2: docs/vm/aws.md
- Compliance:
- Reports: docs/compliance/compliance.md
- SBOM:
- Overview: docs/sbom/index.md
- Supported: docs/sbom/supported.md
- CycloneDX: docs/sbom/cyclonedx.md
- SPDX: docs/sbom/spdx.md
- Attestation:
@@ -111,9 +99,6 @@ nav:
- Container Image:
- Embed in Dockerfile: docs/advanced/container/embed-in-dockerfile.md
- Unpacked container image filesystem: docs/advanced/container/unpacked-filesystem.md
- OCI Image: docs/advanced/container/oci.md
- Podman: docs/advanced/container/podman.md
- containerd: docs/advanced/container/containerd.md
- Private Docker Registries:
- Overview: docs/advanced/private-registries/index.md
- Docker Hub: docs/advanced/private-registries/docker-hub.md