diff --git a/README.md b/README.md index 845cb7fc46..140abe808f 100644 --- a/README.md +++ b/README.md @@ -53,9 +53,9 @@ Trivy is integrated with many popular platforms and applications. The complete l - See [Ecosystem] for more ### Canary builds -There are canary builds ([Docker Hub](https://hub.docker.com/r/aquasec/trivy/tags?page=1&name=canary), [GitHub](https://github.com/aquasecurity/trivy/pkgs/container/trivy/75776514?tag=canary), [ECR](https://gallery.ecr.aws/aquasecurity/trivy#canary) images and [binaries](https://github.com/aquasecurity/trivy/actions/workflows/canary.yaml)) as generated every push to main branch. +There are canary builds ([Docker Hub](https://hub.docker.com/r/aquasec/trivy/tags?page=1&name=canary), [GitHub](https://github.com/aquasecurity/trivy/pkgs/container/trivy/75776514?tag=canary), [ECR](https://gallery.ecr.aws/aquasecurity/trivy#canary) images and [binaries](https://github.com/aquasecurity/trivy/actions/workflows/canary.yaml)) generated with every push to the main branch. -Please be aware: canary builds might have critical bugs, it's not recommended for use in production. +Please be aware: canary builds might have critical bugs, so they are not recommended for use in production. ### General usage diff --git a/SECURITY.md b/SECURITY.md index 5e018e191b..3d20210454 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -2,8 +2,8 @@ ## Supported Versions -This is an open source project that is provided as-is without warrenty or liability. -As such no supportability commitment. The maintainers will do the best they can to address any report promptly and responsibly. +This is an open source project that is provided as-is without warranty or liability. +As such, there is no supportability commitment. The maintainers will do the best they can to address any report promptly and responsibly. ## Reporting a Vulnerability 
@@ -14,3 +14,4 @@ This policy is intended for vulnerabilities in **Trivy itself** (e.g., core func If you discover a vulnerability in a **dependency module** (e.g., a third-party library used by Trivy), please **do not report it here**. Instead, open a ticket in [GitHub Discussions](https://github.com/aquasecurity/trivy/discussions) so that the maintainers and community can evaluate and address it appropriately. + diff --git a/docs/community/contribute/pr.md b/docs/community/contribute/pr.md index 2c09540906..97e64a2dbf 100644 --- a/docs/community/contribute/pr.md +++ b/docs/community/contribute/pr.md 
@@ -3,7 +3,7 @@ Thank you for taking interest in contributing to Trivy! 1. Every Pull Request should have an associated GitHub issue link in the PR description. Note that issues are created by Trivy maintainers based on feedback provided in a GitHub discussion. Please refer to the [issue](./issue.md) and [discussion](./discussion.md) pages for explanation about this process. If you think your change is trivial enough, you can skip the issue and instead add justification and explanation in the PR description. 1. Your PR is more likely to be accepted if it focuses on just one change. 1. There's no need to add or tag reviewers. -1. If a reviewer commented on your code or asked for changes, please remember to respond with comment. Do not mark discussion as resolved. It's up to reviewer to mark it resolved (in case if suggested fix addresses problem properly). PRs with unresolved issues should not be merged (even if the comment is unclear or requires no action from your side). +1. If a reviewer commented on your code or asked for changes, please remember to respond with a comment. Do not mark the discussion as resolved. It's up to the reviewer to mark it resolved (in case the suggested fix addresses the problem properly). PRs with unresolved issues should not be merged (even if the comment is unclear or requires no action from your side). 1. Please include a comment with the results before and after your change. 1. Your PR is more likely to be accepted if it includes tests (We have not historically been very strict about tests, but we would like to improve this!). 1. If your PR affects the user experience in some way, please update the README.md and the CLI help accordingly. diff --git a/docs/docs/advanced/air-gap.md b/docs/docs/advanced/air-gap.md index 7c1068f5aa..797ab8891b 100644 --- a/docs/docs/advanced/air-gap.md +++ b/docs/docs/advanced/air-gap.md 
@@ -1,7 +1,7 @@ # Connectivity and Network considerations -Trivy requires internet connectivity in order to function normally. If your organizations blocks or restricts network traffic, that could prevent Trivy from working correctly. -This document explains Trivy's network connectivity requirements, and how to configure Trivy to work in restricted networks environments, including completely air-gapped environments. +Trivy requires internet connectivity in order to function normally. If your organization blocks or restricts network traffic, that could prevent Trivy from working correctly. +This document explains Trivy's network connectivity requirements, and how to configure Trivy to work in restricted network environments, including completely air-gapped environments. The following table lists all external resources that are required by Trivy: @@ -47,7 +47,7 @@ Checks Bundle is embedded in the Trivy binary (at build time), and will be used ### Connectivity Requirements -VEX Hub is hosted as at . +VEX Hub is hosted at . Trivy is fetching VEX Hub GitHub Repository directly using simple HTTPS requests. @@ -64,7 +64,7 @@ You can host a copy of VEX Hub on your own internal server. Please refer to the ## Maven Central / Remote Repositories -Trivy might call out to Maven central or other remote repositories to fetch in order to correctly identify Java packages during a vulnerability scan. +Trivy might call out to Maven Central or other remote repositories in order to correctly identify Java packages during a vulnerability scan. ### Connectivity requirements diff --git a/docs/docs/compliance/compliance.md b/docs/docs/compliance/compliance.md index 52c8276ad7..d44c3d63ca 100644 --- a/docs/docs/compliance/compliance.md +++ b/docs/docs/compliance/compliance.md 
@@ -12,12 +12,12 @@ Compliance report is currently supported in the following targets (trivy sub-com - `trivy image` - `trivy k8s` -Add the `--compliance` flag to the command line, and set it's value to desired report. +Add the `--compliance` flag to the command line, and set its value to the desired report. For example: `trivy k8s cluster --compliance k8s-nsa` (see below for built-in and custom reports) ### Options -The following flags are compatible with `--compliance` flag and allows customizing it's output: +The following flags are compatible with the `--compliance` flag and allow customizing its output: | flag | effect | |--------------------|--------------------------------------------------------------------------------------| @@ -28,8 +28,8 @@ The following flags are compatible with `--compliance` flag and allows customizi ## Built-in compliance -Trivy has a number of built-in compliance reports that you can asses right out of the box. -to specify a built-in compliance report, select it by ID like `trivy --compliance `. +Trivy has a number of built-in compliance reports that you can assess right out of the box. +To specify a built-in compliance report, select it by ID like `trivy --compliance `. For the list of built-in compliance reports, please see the relevant section: @@ -264,7 +264,7 @@ You can create your own custom compliance report. A compliance report is a simpl ```yaml spec: - id: "k8s-myreport" # report unique identifier. this should not container spaces. + id: "k8s-myreport" # report unique identifier. this should not contain spaces. title: "My custom Kubernetes report" # report title. Any one-line title. description: "Describe your report" # description of the report. Any text. relatedResources : diff --git a/docs/docs/configuration/cache.md b/docs/docs/configuration/cache.md index c01cb3256f..26439695e7 100644 --- a/docs/docs/configuration/cache.md +++ b/docs/docs/configuration/cache.md 
@@ -86,7 +86,7 @@ If you want to use TLS with Redis, you can enable it by specifying the `--redis- $ trivy server --cache-backend redis://localhost:6379 --redis-tls ``` -Trivy also supports for connecting to Redis with your certificates. +Trivy also supports connecting to Redis with your certificates. You need to specify `--redis-ca` , `--redis-cert` , and `--redis-key` options. ``` diff --git a/docs/docs/configuration/db.md b/docs/docs/configuration/db.md index 78189eb2a9..79b4f9fb22 100644 --- a/docs/docs/configuration/db.md +++ b/docs/docs/configuration/db.md @@ -62,7 +62,7 @@ For example: trivy image --db-repository registry.gitlab.com/gitlab-org/security-products/dependencies/trivy-db alpine ``` -The flags accepts multiple values, which can be used to specify multiple alternative repository locations. In case of a transient errors (e.g. status 429 or 5xx), Trivy will fall back to alternative registries in the order specified. +The flag accepts multiple values, which can be used to specify multiple alternative repository locations. In case of transient errors (e.g. status 429 or 5xx), Trivy will fall back to alternative registries in the order specified. For example: 
@@ -72,8 +72,8 @@ trivy image --db-repository my.registry.local/trivy-db --db-repository registry. The Checks Bundle registry location option does not support fallback through multiple options. This is because in case of a failure pulling the Checks Bundle, Trivy will use the embedded checks as a fallback. -!!! note - Setting the repository location flags override the default values which include the official db locations. In case you want to preserve the default locations, you should include them in the list the you set as repository locations. +!!! note + Setting the repository location flags overrides the default values which include the official db locations. In case you want to preserve the default locations, you should include them in the list you set as repository locations. !!!note When pulling `trivy-db` or `trivy-java-db`, if image tag is not specified, Trivy defaults to the db schema number instead of the `latest` tag. diff --git a/docs/docs/configuration/index.md b/docs/docs/configuration/index.md index 8c7aa3475b..6459060575 100644 --- a/docs/docs/configuration/index.md +++ b/docs/docs/configuration/index.md @@ -9,7 +9,7 @@ Trivy's settings can be configured in any of the following methods, which will a You can view the list of available flags by adding the `--help` flag to a Trivy command, or by exploring the [CLI reference](../references/configuration/cli/trivy.md). ## Environment Variables -Any CLI option can be set as an environment variable. The environment variable name are similar to the CLI option name, with the following augmentations: +Any CLI option can be set as an environment variable. The environment variable names are similar to the CLI option names, with the following augmentations: - Add `TRIVY_` prefix - All uppercase letters diff --git a/docs/docs/references/troubleshooting.md b/docs/docs/references/troubleshooting.md index 68f35f3d06..09b36eb73a 100644 --- a/docs/docs/references/troubleshooting.md 
+++ b/docs/docs/references/troubleshooting.md @@ -10,7 +10,7 @@ analyze error: timeout: context deadline exceeded ``` -Your scan may time out. Java takes a particularly long time to scan. Try increasing the value of the ---timeout option such as `--timeout 15m`. +Your scan may time out. Java takes a particularly long time to scan. Try increasing the value of the `--timeout` option such as `--timeout 15m`. ### Unable to initialize an image scanner diff --git a/docs/docs/scanner/license.md b/docs/docs/scanner/license.md index a517f2799f..44a2837f5b 100644 --- a/docs/docs/scanner/license.md +++ b/docs/docs/scanner/license.md @@ -2,7 +2,7 @@ Trivy scans any container image for license files and offers an opinionated view on the risk associated with the license. -License are classified using the [Google License Classification][google-license-classification] - +Licenses are classified using the [Google License Classification][google-license-classification] - - Forbidden - Restricted @@ -33,7 +33,7 @@ To configure the confidence level, you can use `--license-confidence-level`. Thi | Standard | ✅ | ✅ | ✅[^1][^2] | ✅[^1][^2] | ✅ | | Full (--license-full) | ✅ | ✅ | ✅ | ✅ | - | -License checking classifies the identified licenses and map the classification to severity. +License checking classifies the identified licenses and maps the classification to severity. | Classification | Severity | | -------------- | -------- | @@ -136,7 +136,7 @@ Total: 6 (UNKNOWN: 4, HIGH: 0, CRITICAL: 2) ## Configuration -Trivy has number of configuration flags for use with license scanning; +Trivy has a number of configuration flags for use with license scanning: ### Ignored Licenses 
@@ -353,7 +353,7 @@ license: - "text://Text of Apache Software Foundation License" ``` -But a text license can by large. So for these cases Trivy supports using `regex` in license classification. +But a text license can be large. So for these cases, Trivy supports using `regex` in license classification. For example: ```yaml license: diff --git a/docs/docs/scanner/misconfiguration/index.md b/docs/docs/scanner/misconfiguration/index.md index 8d0edc55d5..da6fad3576 100644 --- a/docs/docs/scanner/misconfiguration/index.md +++ b/docs/docs/scanner/misconfiguration/index.md @@ -406,7 +406,7 @@ Ensure required tags are set on AWS resources ``` ## External connectivity -Trivy needs to connect to the internet to download the checks bundle. If you are running Trivy in an air-gapped environment, or an tightly controlled network, please refer to the [Advanced Network Scenarios document](../../advanced/air-gap.md). +Trivy needs to connect to the internet to download the checks bundle. If you are running Trivy in an air-gapped environment, or a tightly controlled network, please refer to the [Advanced Network Scenarios document](../../advanced/air-gap.md). ## Configuration More misconfiguration scanning specific configurations can be found [here](../misconfiguration/config/config.md). diff --git a/docs/docs/scanner/secret.md b/docs/docs/scanner/secret.md index ea74ae64c9..1f42263d0c 100644 --- a/docs/docs/scanner/secret.md +++ b/docs/docs/scanner/secret.md @@ -1,6 +1,6 @@ # Secret Scanning -Trivy scans any container image, filesystem and git repository to detect exposed secrets like passwords, api keys, and tokens. +Trivy scans any container image, filesystem, and git repository to detect exposed secrets like passwords, API keys, and tokens. Secret scanning is enabled by default. Trivy will scan every plaintext file, according to builtin rules or configuration. Also, Trivy can detect secrets in compiled Python files (`.pyc`). 
@@ -233,7 +233,7 @@ disable-allow-rules: ## Recommendation We would recommend specifying `--skip-dirs` for faster secret scanning. -In container image scanning, Trivy walks the file tree rooted `/` and scans all the files other than [built-in allowed paths][builtin-allow]. +In container image scanning, Trivy walks the file tree rooted at `/` and scans all the files other than [built-in allowed paths][builtin-allow]. It will take a while if your image contains a lot of files even though Trivy tries to avoid scanning layers from a base image. If you want to make scanning faster, `--skip-dirs` and `--skip-files` helps so that Trivy will skip scanning those files and directories. You can see more options [here](../configuration/others.md). diff --git a/docs/docs/target/container_image.md b/docs/docs/target/container_image.md index 15f3171c90..8bb267ff00 100644 --- a/docs/docs/target/container_image.md +++ b/docs/docs/target/container_image.md @@ -238,7 +238,7 @@ search in Containerd. If the image is not found there either, the scan will fail and no more image sources will be searched. ### Docker Engine -Trivy tries to looks for the specified image in your local Docker Engine. +Trivy tries to look for the specified image in your local Docker Engine. It will be skipped if Docker Engine is not running locally. If your docker socket is not the default path, you can override it via `DOCKER_HOST`. @@ -248,7 +248,7 @@ If your docker socket is not the default path, you can override it via `DOCKER_H !!! warning "EXPERIMENTAL" This feature might change without preserving backwards compatibility. -Trivy tries to looks for the specified image in your local [containerd](https://containerd.io/). +Trivy tries to look for the specified image in your local [containerd](https://containerd.io/). It will be skipped if containerd is not running locally. Specify your image name in containerd running locally. 
diff --git a/docs/docs/target/kubernetes.md b/docs/docs/target/kubernetes.md index b7602efbe0..e9aec4dafc 100644 --- a/docs/docs/target/kubernetes.md +++ b/docs/docs/target/kubernetes.md @@ -39,7 +39,7 @@ trivy k8s --report summary ``` !!! note "JSON result for multi-container pods" - For multi-container pods, it may be challenging to associate results with specific images in the json summary report. Kubernetes treats a pod as a single object, so individual images within the pod aren’t distinguished. + For multi-container pods, it may be challenging to associate results with specific images in the JSON summary report. Kubernetes treats a pod as a single object, so individual images within the pod aren't distinguished. For detailed information, please use the `--report all` option. By default Trivy will look for a [`kubeconfig` configuration file in the default location](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/), and use the default cluster that is specified. diff --git a/docs/getting-started/index.md b/docs/getting-started/index.md index b46ce3c340..f87e5f296d 100644 --- a/docs/getting-started/index.md +++ b/docs/getting-started/index.md @@ -9,7 +9,7 @@ Trivy is available in most common distribution channels. The complete list of in - Download binary from [GitHub Release](https://github.com/aquasecurity/trivy/releases/latest/) - See [Installation](./installation.md) for more -Trivy is integrated with many popular platforms and applications. The complete list of integrations is available in the [Ecosystem](../ecosystem/index.md) page. Here are a few popular options examples: +Trivy is integrated with many popular platforms and applications. The complete list of integrations is available in the [Ecosystem](../ecosystem/index.md) page. Here are a few popular examples: - [GitHub Actions](https://github.com/aquasecurity/trivy-action) - [Kubernetes operator](https://github.com/aquasecurity/trivy-operator) 
@@ -26,7 +26,7 @@ trivy [--scanners ] ### Examples -Scan a container image from registry, with the default scanner which is Vulnerabilities scanner: +Scan a container image from a registry with the default scanner, which is the Vulnerabilities scanner: ```bash trivy image python:3.4-alpine @@ -58,10 +58,10 @@ For a more complete introduction, check out the basic Trivy Demo: \ +cosign verify-blob \ --certificate \ --signature \ --certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+' \ diff --git a/docs/tutorials/overview.md b/docs/tutorials/overview.md index 4ee0853977..f932fe4d6a 100644 --- a/docs/tutorials/overview.md +++ b/docs/tutorials/overview.md @@ -6,8 +6,8 @@ In this section you can find step-by-step guides that help you accomplish specif ## Adding tutorials -You are welcome to create tutorials and showcase them here. Tutorials can be either included in here as full articles, or included as external links under [external community resources][community-resources]. -Before sending PR, please first create an issue (of kind "Documentation") and describe the suggestion, if it's external link or article, and what category it's under. +You are welcome to create tutorials and showcase them here. Tutorials can be either included in here as full articles, or included as external links under [external community resources][community-resources]. +Before sending a PR, please first create an issue (of kind "Documentation") and describe the suggestion, whether it's an external link or article, and what category it's under. Guidelines: diff --git a/helm/trivy/README.md b/helm/trivy/README.md index 5825ffc3c6..2a5c7e7b3d 100644 --- a/helm/trivy/README.md +++ b/helm/trivy/README.md 
@@ -103,7 +103,7 @@ $ helm install my-release . \ ## Storage -This chart uses a PersistentVolumeClaim to reduce the number of database downloads between POD restarts or updates. The storageclass should have the reclaim policy `Retain`. +This chart uses a PersistentVolumeClaim to reduce the number of database downloads between POD restarts or updates. The storageclass should have the reclaim policy `Retain`. ## Caching diff --git a/pkg/iac/scanners/helm/test/mysql/README.md b/pkg/iac/scanners/helm/test/mysql/README.md index b03fa49589..df9c2794f3 100644 --- a/pkg/iac/scanners/helm/test/mysql/README.md +++ b/pkg/iac/scanners/helm/test/mysql/README.md @@ -2,12 +2,12 @@ # MySQL packaged by Bitnami -MySQL is a fast, reliable, scalable, and easy to use open source relational database system. Designed to handle mission-critical, heavy-load production applications. +MySQL is a fast, reliable, scalable, and easy-to-use open source relational database system designed to handle mission-critical, heavy-load production applications. [Overview of MySQL](http://www.mysql.com) Trademarks: This software listing is packaged by Bitnami. The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement. - + ## TL;DR ```bash
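Review bot: the SECURITY.md hunk at `@@ -14,3 +14,4 @@` only appends an empty line after the last paragraph, which leaves the file ending in a blank line instead of a single newline; unless a linter requires it, drop this whitespace-only hunk so the PR stays a pure wording fix.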
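Review bot: in the docs/docs/advanced/air-gap.md hunk at `@@ -47,7 +47,7 @@`, the new line reads `+VEX Hub is hosted at .` with nothing after `at`, so no host is visible in this view; confirm the link survives in the source file before merging. The adjacent context line `Trivy is fetching VEX Hub GitHub Repository directly using simple HTTPS requests.` would read better as `Trivy fetches the VEX Hub GitHub repository directly using plain HTTPS requests.` and fits the scope of this wording-fix PR.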
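Review bot: in docs/docs/compliance/compliance.md at `@@ -28,8 +28,8 @@`, the new line `+To specify a built-in compliance report, select it by ID like `trivy --compliance `.` ends with an empty argument, so the report ID placeholder is not visible here; check that it is present in the file. In the `@@ -264,7 +264,7 @@` hunk the context line `relatedResources :` has a stray space before the YAML colon that this PR could tidy as well.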
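Review bot: in docs/docs/configuration/cache.md at `@@ -86,7 +86,7 @@`, the context line `You need to specify `--redis-ca` , `--redis-cert` , and `--redis-key` options.` has spaces before the commas; worth removing in the same pass.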
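Review bot: in docs/docs/configuration/db.md at `@@ -72,8 +72,8 @@`, the `-!!! note` / `+!!! note` pair is a whitespace-only change, while the following context line `!!!note` (no space) spells the admonition marker differently; normalise both to `!!! note` in this edit for consistency, and `db locations` could become `DB locations` to match the `trivy-db` usage on the page.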
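Review bot: in docs/docs/scanner/secret.md at `@@ -233,7 +233,7 @@`, the fix to `rooted at `/`` is right, but the context line two lines below still reads ``--skip-dirs` and `--skip-files` helps``, which should be `help` (plural subject); since this is a grammar PR, please include it. In the `@@ -1,6 +1,6 @@` hunk, `builtin rules` in the context line could become `built-in rules` to match `built-in allowed paths` in the same file.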
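Review bot: in docs/docs/target/container_image.md (`@@ -238,7` and `@@ -248,7`), `+Trivy tries to look for the specified image` is grammatical but wordy; `Trivy looks for the specified image` says the same thing. The context line `If your docker socket is not the default path` could also use `Docker socket` to match the `Docker Engine` heading.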
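Review bot: the docs/getting-started/index.md hunk at `@@ -58,10 +58,10 @@` is hard to review here: the header announces ten lines, but only `+cosign verify-blob \` and its `--certificate`, `--signature` and `--certificate-identity-regexp` continuation lines are visible, and the values after `--certificate` and `--signature` are empty. Please confirm that the removed line and the file placeholders are intact in the real diff and that only whitespace changed in the command, since a broken `cosign verify-blob` example would mislead users verifying release signatures.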
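Review bot: in docs/tutorials/overview.md at `@@ -6,8 +6,8 @@`, the first `+` line is identical to its `-` line apart from whitespace; if it is touched anyway, `Tutorials can be either included in here as full articles` reads better as `Tutorials can either be included here as full articles`.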
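Review bot: in helm/trivy/README.md at `@@ -103,7 +103,7 @@`, the removed and added lines are identical, so this is a trailing-whitespace change only; if the line is being edited, `POD` should be `Pod` and `storageclass` should be `StorageClass`, following Kubernetes naming.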
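Review bot: pkg/iac/scanners/helm/test/mysql/README.md is a test fixture copied from the Bitnami MySQL chart (the file itself says `packaged by Bitnami`), not Trivy documentation; rewording it and changing the blank line after the trademark notice drifts the fixture from upstream with no test benefit, so drop this file from the PR and keep vendored fixtures byte-for-byte.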