diff --git a/v0.68/getting-started/installation/index.html b/v0.68/getting-started/installation/index.html index b503e573eb..c54bcea963 100644 --- a/v0.68/getting-started/installation/index.html +++ b/v0.68/getting-started/installation/index.html @@ -8396,17 +8396,17 @@ You're not viewing the latest version of the documentation.
For scanning container images with Trivy, mount the container engine socket from the host into the Trivy container.
Example:
-docker run -v /var/run/docker.sock:/var/run/docker.sock -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:0.68.0 image python:3.4-alpine
+docker run -v /var/run/docker.sock:/var/run/docker.sock -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:0.68.1 image python:3.4-alpine
GitHub Release (Official)¶
-- Download the file for your operating system/architecture from GitHub Release assets.
+- Download the file for your operating system/architecture from GitHub Release assets.
- Unpack the downloaded archive (
tar -xzf ./trivy.tar.gz).
- Make sure the binary has execution bit turned on (
chmod +x ./trivy).
Install Script (Official)¶
For convenience, you can use the install script to download and install Trivy from GitHub Release.
-curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin v0.68.0
+curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin v0.68.1
RHEL/CentOS (Official)¶
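Review bot: the install-script line at L16 still fetches contrib/install.sh from the unpinned `main` branch and pipes it straight into `sudo sh`; the `v0.68.1` argument pins only the binary that the script downloads, so the code that actually runs as root is whatever is on `main` at fetch time. Suggest pinning the script to the same tag or a commit (for example `https://raw.githubusercontent.com/aquasecurity/trivy/v0.68.1/contrib/install.sh`), or telling readers to download and inspect the script before running it. Two smaller points on the same hunk: the `docker run` example at L5 bind-mounts `/var/run/docker.sock`, which hands the Trivy container full control of the host Docker daemon, and the page gives no warning about that; and `-v $HOME/Library/Caches:/root/.cache/` is a macOS-only path, so Linux readers copying the line will get an empty or unintended cache mount.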
@@ -8426,7 +8426,7 @@ sudo yum -y
-rpm -ivh https://github.com/aquasecurity/trivy/releases/download/v0.68.0/trivy_0.68.0_Linux-64bit.rpm
+rpm -ivh https://github.com/aquasecurity/trivy/releases/download/v0.68.1/trivy_0.68.1_Linux-64bit.rpm
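Review bot: `rpm -ivh https://github.com/.../trivy_0.68.1_Linux-64bit.rpm` installs the package directly from the download URL with no integrity check, and it needs root even though the line omits `sudo` while the surrounding context (`sudo yum -y`) uses it. Suggest splitting this into a download step, a verification step against the checksums published with the GitHub release, and then `sudo rpm -ivh ./trivy_0.68.1_Linux-64bit.rpm`, so the version bump does not keep shipping an unverified-install instruction.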
@@ -8444,8 +8444,8 @@ sudo apt-get install
-wget https://github.com/aquasecurity/trivy/releases/download/v0.68.0/trivy_0.68.0_Linux-64bit.deb
-sudo dpkg -i trivy_0.68.0_Linux-64bit.deb
+wget https://github.com/aquasecurity/trivy/releases/download/v0.68.1/trivy_0.68.1_Linux-64bit.deb
+sudo dpkg -i trivy_0.68.1_Linux-64bit.deb
Note
Internally, this backend uses BoltDB, which has an important limitation: only one process can access the cache at a time. Subsequent processes attempting to access the cache will be locked. -For more details on this limitation, refer to the troubleshooting guide.
+For more details on this limitation, refer to the troubleshooting guide.The memory backend stores analysis results in memory, which means the cache is discarded when the process ends.
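Review bot: the added line at L28 runs the BoltDB note ("...refer to the troubleshooting guide.") directly into "The memory backend stores analysis results in memory...", with no separator; these describe two different cache backends and the memory-backend sentence should start its own paragraph (or section) rather than read as a continuation of the BoltDB limitation. On the package lines at L24-L25, the same integrity point as the RPM hunk applies: `wget` followed by `sudo dpkg -i` installs the .deb without checking it against the release checksums, so consider adding a verification step before `dpkg -i`.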
diff --git a/v0.68/guide/configuration/filtering/index.html b/v0.68/guide/configuration/filtering/index.html
index dc9e96e031..8c7ec8a22d 100644
--- a/v0.68/guide/configuration/filtering/index.html
+++ b/v0.68/guide/configuration/filtering/index.html
@@ -8953,8 +8953,8 @@ The For more advanced use cases, there is a built-in Rego library with helper functions that you can import into your policy using: You can create a whitelist of checks using Rego, see the detailed example. Additional examples are available here.input for the evaluation is each }
import data.lib.trivy.
-More info about the helper functions are in the library here.
You can create a whitelist of checks using Rego, see the detailed example. Additional examples are available here.
The list of analyzers can be found here. +
The list of analyzers can be found here. Note that this flag is not applicable for parsers that accepts files of different extensions, for example the Terraform file parser which handles .tf and .tf.json files.
The file path can use a regular expression. For example:
# interpret any file with .txt extension as a python pip requirements file
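Review bot: the sentence added at L38 has a grammar error ("parsers that accepts files" should be "parsers that accept files") and refers to "this flag" without naming it; since the surrounding text is about mapping file paths to analyzers with a regular expression (presumably the `--file-patterns` flag), name the flag explicitly so the note still makes sense when read out of context, for example "Note that `--file-patterns` is not applicable to parsers that accept files of different extensions, such as the Terraform parser, which handles .tf and .tf.json files." Separately, removing L35 ("More info about the helper functions are in the library here.") drops the only pointer to where `data.lib.trivy` is defined; please check that the "detailed example" link at L36 still leads readers to the helper library source.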
diff --git a/v0.68/guide/references/configuration/config-file/index.html b/v0.68/guide/references/configuration/config-file/index.html
index ebd7656a31..6889b18fe1 100644
--- a/v0.68/guide/references/configuration/config-file/index.html
+++ b/v0.68/guide/references/configuration/config-file/index.html
@@ -8497,7 +8497,7 @@ You're not viewing the latest version of the documentation.
Config file¶
Trivy can be customized by tweaking a trivy.yaml file.
The config path can be overridden by the --config flag.
-An example is here.
+An example is here.
These samples contain default values for flags.
Global options¶
# Same as '--cacert'
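Review bot: the removed and added lines at L49-L50 render identically ("An example is here."), so the only change is the link target, which cannot be checked from this view; please state in the PR description where the example trivy.yaml now points. While touching this line, replace the bare "here" with descriptive link text (for example "An example trivy.yaml is available in the repository"), which also makes a future link change visible in the diff.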
diff --git a/v0.68/guide/scanner/misconfiguration/config/config/index.html b/v0.68/guide/scanner/misconfiguration/config/config/index.html
index 865c533df8..35307d35bc 100644
--- a/v0.68/guide/scanner/misconfiguration/config/config/index.html
+++ b/v0.68/guide/scanner/misconfiguration/config/config/index.html
@@ -8407,7 +8407,7 @@ You can configure this limit using the --rego-error-limit flag.
This flag controls the maximum number of compile errors Trivy will tolerate before stopping the compilation.
If the number of compile errors exceeds this limit, Trivy will terminate the scan.
You can set --rego-error-limit 0 to enforce strict checking and disallow any compile errors.
-The default value is defined internally via CompileErrorLimit.
+The default value is defined internally via CompileErrorLimit.
Private Terraform registries¶
Trivy can download Terraform code from private registries.
To pass credentials you must use the TF_TOKEN_ environment variables.
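Review bot: as in the config-file hunk, L62-L63 render identically ("The default value is defined internally via CompileErrorLimit."), so only the link target changed and the review cannot confirm it. More importantly, pointing readers at an internal constant still leaves the actual default of `--rego-error-limit` unstated; suggest writing the numeric default next to the link so a user reading L59-L61 knows how many compile errors are tolerated before a scan terminates without having to open the source.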
diff --git a/v0.68/search/search_index.json b/v0.68/search/search_index.json
index 5244a60965..1a6a3759db 100644
--- a/v0.68/search/search_index.json
+++ b/v0.68/search/search_index.json
@@ -1 +1 @@
-{"config":{"lang":["en"],"separator":"[\\s\\-]+","pipeline":["stopWordFilter"],"fields":{"title":{"boost":1000.0},"text":{"boost":1.0},"tags":{"boost":1000000.0}}},"docs":[{"location":"","title":"Docs","text":"
Welcome to the Trivy documentation! Here you can find complete and thorough information about every aspect of Trivy, how to use it, features available, and configuration options.
\ud83d\udc48 Please use the left side navigation browse the different topics.
"},{"location":"commercial/compare/","title":"Aqua Security is the home of Trivy","text":"Trivy is proudly maintained by Aqua Security. If you liked Trivy, you will love Aqua which builds on top of Trivy to provide even more enhanced capabilities for a complete security management offering. In this page you can find a high level comparison between Trivy Open Source and Aqua's commercial product. If you'd like to learn more or request a demo, click here to contact us.
"},{"location":"commercial/compare/#user-experience","title":"User experience","text":"Feature Trivy OSS Aqua Interface CLI tool CLI tool Enterprise-grade web application SaaS or on-prem Search & Discover - Easily search for security issues across all workloads and infrastructure in your organization Visually discover risks across your organization User management - Multi account Granular permissions (RBAC) Single Sign On (SSO) Support Some skills required for setup and integration Best effort community support Personal onboarding by Aqua Customer Success SLA backed professional support Scalability & Availability Single scan at a time Centralized scanning service supports concurrent scans efficiently Highly available production grade architecture Rate limiting Assets hosted on public free infrastructure and could be rate limited Assets hosted on Aqua infrastructure and does not have limitations"},{"location":"commercial/compare/#vulnerability-scanning","title":"Vulnerability scanning","text":"Feature Trivy OSS Aqua Vulnerabilities sources Based on open source vulnerability feeds Based on open source and commercial vulnerability feeds New Vulnerabilities SLA No SLA Commercial level SLA Package managers Find packages in lock files Find packages in lock files or reconstructed lock files Vulnerability management Manually ignore specific vulnerabilities by ID or property Advanced vulnerability management solution Vulnerability tracking and suppression Incident lifecycle management Vulnerability prioritization Manually triage by severity Multiple prioritization tools: Accessibility of the affected resources Exploitability of the vulnerability Open Source packages health and trustworthiness score Affected image layers Reachability analysis - Analyze source code to eliminate vulnerabilities of unused dependencies Contextual vulnerabilities - Reduce irrelevant vulnerabilities based on environmental factors (e.g. 
Spring4Shell not relevant due to JDK version) Compiled binaries Find embedded dependencies in Go and Rust binaries Find SBOM by hash in public Sigstore In addition, identify popular applications"},{"location":"commercial/compare/#container-scanning","title":"Container scanning","text":"Feature Trivy OSS Aqua Windows containers - Support scanning windows containers Scan container registries - Connect to any container registries and automatically scan it Private registries Standard registry authenticationCloud authentication with ECR, GCR, ACR Supports registry specific authentication schemes Layer cache Local cache directory Scalable Cloud cache"},{"location":"commercial/compare/#advanced-scanning","title":"Advanced scanning","text":"Feature Trivy OSS Aqua Malware scanning - Scan container images for malware Sandbox scanning - Use DTA (Dynamic threat analysis) to run and test container images' behavior to detect sophisticated threats SAST (code scanning) - Analyze source code for security issues and vulnerabilities"},{"location":"commercial/compare/#policy-and-enforcement","title":"Policy and enforcement","text":"Feature Trivy OSS Aqua Kubernetes admission - Validating Kubernetes Admission based on automatic or user defined policy CI/CD policies Can fail the entire build on any finding Granular policies to fail builds based on custom criteria Container engine - Block incompliant images from running at container engine level Block vulnerable packages - vShield \u2013 monitor and block usage of vulnerable packages"},{"location":"commercial/compare/#secrets-scanning","title":"Secrets scanning","text":"Feature Trivy OSS Aqua Detected patterns Basic patterns Advanced patterns Leaked secrets validation - Automatically checks if leaked secrets are valid and usable"},{"location":"commercial/compare/#iaccspm-scanning","title":"IaC/CSPM scanning","text":"Feature Trivy OSS Aqua Infrastructure as Code (IaC) Many popular languages as detailed here In addition, Build Pipeline 
configuration scanning Checks customization Create custom checks with Rego Create custom checks in no-code interface Customize existing checks with organizational preferences Cloud scanning AWS (subset of services) AWS, Azure, GCP, Alibaba Cloud, Oracle Cloud Compliance frameworks CIS, NSA, vendor guides More than 25 compliance programs Custom compliance Create in YAML Create in a web UI Remediation advice Basic AI powered specialized remediation guides"},{"location":"commercial/compare/#kubernetes-scanning","title":"Kubernetes scanning","text":"Feature Trivy OSS Aqua Scan initiation CLI / Kubernetes Operator Kubernetes Operator / Management web application Results consumption kubectl / CRD / Prometheus exporter In addition, Advanced UI dashboards, Automatic notifications and incident management flows Cluster discovery Kubeconfig Automatic discovery thorough cloud onboarding Workload image scanning Scanning in cluster, requires capacity planning Scanning offloaded to Aqua service, little impact on scanned clusters Cluster scanning CIS, NSA, PSS More than 25 compliance programs Scope Single cluster Multi cluster, Cloud relationship Scalability Reports limited by in-cluster etcd storage (size and number of reports) Cloud-based storage (unlimited scalability)"},{"location":"commercial/contact/","title":"Contact Us","text":""},{"location":"community/principles/","title":"Trivy Project Principles","text":"This document outlines the guiding principles and governance framework for the Trivy project.
"},{"location":"community/principles/#core-principles","title":"Core Principles","text":"Trivy is a security scanner focused on static analysis and designed with simplicity and security at its core. All new proposals to the project must adhere to the following principles.
"},{"location":"community/principles/#static-analysis-no-runtime-required","title":"Static Analysis (No Runtime Required)","text":"Trivy operates without requiring container or VM image startups, eliminating the need for Docker or similar runtimes, except for scanning images stored within a container runtime. This approach enhances security and efficiency by minimizing dependencies.
"},{"location":"community/principles/#external-dependency-free-single-binary","title":"External Dependency Free (Single Binary)","text":"Operating as a single binary, Trivy is independent of external environments and avoids executing external OS commands or processes. If specific functionality, like Maven's, is needed, Trivy opts for internal reimplementations or processing outputs of the tool without direct execution of external tools.
This approach obviously requires more effort but significantly reduces security risks associated with executing OS commands and dependency errors due to external environment versions. Simplifying the scanner's use by making it operational immediately upon binary download facilitates easier initiation of scans.
"},{"location":"community/principles/#no-setup-required","title":"No Setup Required","text":"Trivy must be ready to use immediately after installation. It's unacceptable for Trivy not to function without setting up a database or writing configuration files by default. Such setups should only be necessary for users requiring specific customizations.
Security often isn't a top priority for many organizations and can be easily deferred. Trivy aims to lower the barrier to entry by simplifying the setup process, making it easier for users to start securing their projects.
"},{"location":"community/principles/#security-focus","title":"Security Focus","text":"Trivy prioritizes the identification of security issues, excluding features unrelated to security, such as performance metrics or content listings of container images. It can, however, produce and output intermediate representations like SBOMs for comprehensive security assessments.
Trivy serves as a tool with opinions on security, used to warn users about potential issues.
"},{"location":"community/principles/#detecting-unintended-states","title":"Detecting Unintended States","text":"Trivy is designed to detect unintended vulnerable states in projects, such as the use of vulnerable versions of dependencies or misconfigurations in Infrastructure as Code (IaC) that may unintentionally expose servers to the internet. The focus is on identifying developer mistakes or undesirable states, not on detecting intentional attacks, such as malicious images and malware.
"},{"location":"community/principles/#out-of-scope-features","title":"Out of Scope Features","text":"Aqua Security offers a premium version with several features not available in the open-source Trivy project. While detailed information can be found here, it's beneficial to highlight specific functionalities frequently inquired about:
"},{"location":"community/principles/#runtime-security","title":"Runtime Security","text":"As mentioned in the Core Principles, Trivy is a static analysis security scanner, making runtime security outside its scope. Runtime security needs are addressed by Tracee or the commercial version of Aqua Security.
"},{"location":"community/principles/#intentional-attacks","title":"Intentional Attacks","text":"As mentioned in the Core Principles, detection of intentional attacks, such as malware or malicious container images, is not covered by Trivy and is supported in the commercial version.
"},{"location":"community/principles/#user-interface","title":"User Interface","text":"Trivy primarily operates via CLI for displaying results, with a richer UI available in the commercial version.
"},{"location":"community/contribute/discussion/","title":"Discussions","text":"Thank you for taking interest in contributing to Trivy!
Trivy uses GitHub Discussion for bug reports, feature requests, and questions. If maintainers decide to accept a new feature or confirm that it is a bug, they will close the discussion and create a GitHub Issue associated with that discussion.
- Feel free to open discussions for any reason. When you open a new discussion, you'll have to select a discussion category as described below.
- Please spend a small amount of time giving due diligence to the issue/discussion tracker. Your discussion might be a duplicate. If it is, please add your comment to the existing issue/discussion.
- Remember that users might search for your issue/discussion in the future, so please give it a meaningful title to help others.
- The issue should clearly explain the reason for opening, the proposal if you have any, and any relevant technical information.
There are 4 categories:
- \ud83d\udca1 Ideas
- Share ideas for new features
- \ud83d\udd0e False Detection
- Report false positives/negatives
- \ud83d\udc1b Bugs
- Report something that is not working as expected
- \ud83d\ude4f Q&A
- Ask the community for help
Note
If you find any false positives or false negatives, please make sure to report them under the \"False Detection\" category, not \"Bugs\".
"},{"location":"community/contribute/discussion/#false-detection","title":"False detection","text":"Trivy depends on multiple data sources. Sometime these databases contain mistakes.
If Trivy can't detect any CVE-IDs or shows false positive result, at first please follow the next steps:
- Run Trivy with
-f json that shows data sources. - According to the shown data source, make sure that the security advisory in the data source is correct.
If the data source is correct and Trivy shows wrong results, please raise an issue on Trivy.
"},{"location":"community/contribute/discussion/#github-advisory-database","title":"GitHub Advisory Database","text":"Visit here and search CVE-ID.
If you find a problem, it'll be nice to fix it: How to contribute to a GitHub security advisory
"},{"location":"community/contribute/discussion/#gitlab-advisory-database","title":"GitLab Advisory Database","text":"Visit here and search CVE-ID.
If you find a problem, it'll be nice to fix it: Create an issue to GitLab Advisory Database
"},{"location":"community/contribute/discussion/#red-hat-cve-database","title":"Red Hat CVE Database","text":"Visit here and search CVE-ID.
"},{"location":"community/contribute/issue/","title":"Issues","text":"Thank you for taking interest in contributing to Trivy!
Trivy uses GitHub Discussion for bug reports, feature requests, and questions.
Warning
Issues created by non-maintainers will be immediately closed.
"},{"location":"community/contribute/pr/","title":"Pull Requests","text":"Thank you for taking interest in contributing to Trivy!
- Every Pull Request should have an associated GitHub issue link in the PR description. Note that issues are created by Trivy maintainers based on feedback provided in a GitHub discussion. Please refer to the issue and discussion pages for explanation about this process. If you think your change is trivial enough, you can skip the issue and instead add justification and explanation in the PR description.
- Your PR is more likely to be accepted if it focuses on just one change.
- There's no need to add or tag reviewers.
- If a reviewer commented on your code or asked for changes, please remember to respond with a comment. Do not mark the discussion as resolved. It's up to the reviewer to mark it resolved (in case the suggested fix addresses the problem properly). PRs with unresolved issues should not be merged (even if the comment is unclear or requires no action from your side).
- Please include a comment with the results before and after your change.
- Your PR is more likely to be accepted if it includes tests (We have not historically been very strict about tests, but we would like to improve this!).
- If your PR affects the user experience in some way, please update the README.md and the CLI help accordingly.
"},{"location":"community/contribute/pr/#development","title":"Development","text":"Install the necessary tools for development by following their respective installation instructions.
- Go
- Mage
"},{"location":"community/contribute/pr/#build","title":"Build","text":"After making changes to the Go source code, build the project with the following command:
$ mage build\n$ ./trivy -h\n
"},{"location":"community/contribute/pr/#lint","title":"Lint","text":"You must pass the linter checks:
$ mage lint:run\n
Additionally, you need to have run go mod tidy, so execute the following command as well:
$ mage tidy\n
To autofix linters use the following command:
$ mage lint:fix\n
"},{"location":"community/contribute/pr/#unit-tests","title":"Unit tests","text":"Your PR must pass all the unit tests. You can test it as below.
$ mage test:unit\n
"},{"location":"community/contribute/pr/#integration-tests","title":"Integration tests","text":"Your PR must pass all the integration tests. You can test it as below.
$ mage test:integration\n
"},{"location":"community/contribute/pr/#protocol-buffers","title":"Protocol Buffers","text":"If you update protobuf files (.proto), you need to regenerate the Go code:
$ mage protoc:generate\n
You can also format and lint protobuf files:
$ mage protoc:fmt # Format protobuf files\n$ mage protoc:lint # Lint protobuf files\n$ mage protoc:breaking # Check for breaking changes against main branch\n
"},{"location":"community/contribute/pr/#documentation","title":"Documentation","text":"If you update CLI flags, you need to generate the CLI references. The test will fail if they are not up-to-date.
$ mage docs:generate\n
You can build the documents as below and view it at http://localhost:8000.
$ mage docs:serve\n
"},{"location":"community/contribute/pr/#title","title":"Title","text":"It is not that strict, but we use the title conventions in this repository. Each commit message doesn't have to follow the conventions as long as it is clear and descriptive since it will be squashed and merged.
"},{"location":"community/contribute/pr/#format-of-the-title","title":"Format of the title","text":"<type>(<scope>): <subject>\n
The type and scope should always be lowercase as shown below.
Allowed <type> values:
- feat for a new feature for the user, not a new feature for build script. Such commit will trigger a release bumping a MINOR version.
- fix for a bug fix for the user, not a fix to a build script. Such commit will trigger a release bumping a PATCH version.
- perf for performance improvements. Such commit will trigger a release bumping a PATCH version.
- docs for changes to the documentation.
- style for formatting changes, missing semicolons, etc.
- refactor for refactoring production code, e.g. renaming a variable.
- test for adding missing tests, refactoring tests; no production code change.
- build for updating build configuration, development tools or other changes irrelevant to the user.
- chore for updates that do not apply to the above, such as dependency updates.
- ci for changes to CI configuration files and scripts
- revert for revert to a previous commit
Allowed <scope> values:
checks:
- vuln
- misconf
- secret
- license
mode:
- image
- fs
- repo
- sbom
- k8s
- server
- aws
- vm
- plugin
os:
- alpine
- redhat
- alma
- rocky
- azure
- oracle
- debian
- ubuntu
- amazon
- suse
- photon
- distroless
language:
- ruby
- php
- python
- nodejs
- rust
- dotnet
- java
- go
- elixir
- dart
- julia
vuln:
- os
- lang
config:
- kubernetes
- dockerfile
- terraform
- cloudformation
container
- docker
- podman
- containerd
- oci
cli:
- cli
- flag
SBOM:
- cyclonedx
- spdx
- purl
others:
- helm
- report
- db
- parser
- deps
The <scope> can be empty (e.g. if the change is a global or difficult to assign to a single component), in which case the parentheses are omitted.
Breaking changes
A PR, introducing a breaking API change, needs to append a ! after the type/scope.
"},{"location":"community/contribute/pr/#example-titles","title":"Example titles","text":"feat(alma): add support for AlmaLinux\n
feat(vuln)!: delete the existing CLI flag\n
fix(oracle): handle advisories with ksplice versions\n
docs(misconf): add comparison with Conftest and TFsec\n
chore(deps): bump go.uber.org/zap from 1.19.1 to 1.20.0\n
NOTE: please do not use chore(deps): update fanal and something like that if you add new features or fix bugs in Trivy-related projects. The PR title should describe what the PR adds or fixes even though it just updates the dependency in Trivy.
"},{"location":"community/contribute/pr/#commits","title":"Commits","text":""},{"location":"community/contribute/pr/#understand-where-your-pull-request-belongs","title":"Understand where your pull request belongs","text":"Trivy is composed of several repositories that work together:
- Trivy is the client-side, user-facing, command line tool.
- vuln-list is a vulnerability database, aggregated from different sources, and normalized for easy consumption. Think of this as the \"server\" side of the trivy command line tool. There should be no pull requests to this repo
- vuln-list-update is the code that maintains the vuln-list database.
- trivy-db maintains the vulnerability database pulled by Trivy CLI.
- go-dep-parser is a library for parsing lock files such as package-lock.json and Gemfile.lock.
"},{"location":"community/contribute/checks/overview/","title":"Contribute Rego Checks","text":"The following guide provides an overview of contributing checks to the default checks in Trivy.
All of the checks in Trivy can be found in the trivy-checks repository on GitHub. Before you begin writing a check, ensure:
- The check does not already exist as part of the default checks in the trivy-checks repository.
- The pull requests in the trivy-checks repository to see whether someone else is already contributing the check that you wanted to add.
- The issues in Trivy to see whether any specific checks are missing in Trivy that you can contribute.
If anything is unclear, please start a discussion and we will do our best to help.
"},{"location":"community/contribute/checks/overview/#check-structure","title":"Check structure","text":"Checks are written in Rego and follow a particular structure in Trivy. Below is an example check for AWS:
# METADATA\n# title: \"RDS IAM Database Authentication Disabled\"\n# description: \"Ensure IAM Database Authentication is enabled for RDS database instances to manage database access\"\n# scope: package\n# schemas:\n# - input: schema[\"aws\"]\n# related_resources:\n# - https://docs.aws.amazon.com/neptune/latest/userguide/iam-auth.html\n# custom:\n# id: AVD-AWS-0176\n# avd_id: AVD-AWS-0176\n# provider: aws\n# service: rds\n# severity: MEDIUM\n# short_code: enable-iam-auth\n# recommended_action: \"Modify the PostgreSQL and MySQL type RDS instances to enable IAM database authentication.\"\n# input:\n# selector:\n# - type: cloud\n# subtypes:\n# - service: rds\n# provider: aws\n\npackage builtin.aws.rds.aws0176\n\ndeny[res] {\n instance := input.aws.rds.instances[_]\n instance.engine.value == [\"postgres\", \"mysql\"][_]\n not instance.iamauthenabled.value\n res := result.new(\"Instance does not have IAM Authentication enabled\", instance.iamauthenabled)\n}\n
"},{"location":"community/contribute/checks/overview/#verify-the-provider-and-service-exists","title":"Verify the provider and service exists","text":"Every check for a cloud service references a cloud provider. The list of providers are found in the Trivy repository.
Before writing a new check for a cloud provider, you need to verify if the cloud provider or resource type that your check targets is supported by Trivy. If it's not, you'll need to add support for it. Additionally, if the provider that you want to target exists, you need to check whether the service your policy will target is supported. As a reference you can take a look at the AWS provider here.
Note New Kubernetes and Dockerfile checks do not require any additional provider definitions. You can find an example of a Dockerfile check here and a Kubernetes check here.
"},{"location":"community/contribute/checks/overview/#add-support-for-a-new-service-in-an-existing-provider","title":"Add Support for a New Service in an existing Provider","text":"Please reference the documentation on adding Support for a New Service.
This guide also showcases how to add new properties for an existing Service.
"},{"location":"community/contribute/checks/overview/#create-a-new-rego-file","title":"Create a new .rego file","text":"The following directory in the trivy-checks repository contains all of our custom checks. Depending on what type of check you want to create, you will need to nest a new .rego file in either of the subdirectories:
- cloud: All checks related to cloud providers and their services
- docker: Docker specific checks
- kubernetes: Kubernetes specific checks
"},{"location":"community/contribute/checks/overview/#check-package-name","title":"Check Package name","text":"Have a look at the existing package names in the built in checks.
The package name should be in the format builtin.PROVIDER.SERVICE.ID, e.g. builtin.aws.rds.aws0176.
"},{"location":"community/contribute/checks/overview/#generating-an-id","title":"Generating an ID","text":"Every check has a custom ID that is referenced throughout the metadata of the check to uniquely identify the check. If you plan to contribute your check back into the trivy-checks repository, it will require a valid ID.
Running make id in the root of the trivy-checks repository will provide you with the next available ID for your rule.
"},{"location":"community/contribute/checks/overview/#check-schemas","title":"Check Schemas","text":"Rego Checks for Trivy can utilise Schemas to map the input to specific objects. The schemas available are listed here..
More information on using the builtin schemas is provided in the main documentation.
"},{"location":"community/contribute/checks/overview/#check-metadata","title":"Check Metadata","text":"The metadata is the top section that starts with # METADATA, and has to be placed on top of the check. You can copy and paste from another check as a starting point. This format is effectively yaml within a Rego comment, and is defined as part of Rego itself.
For detailed information on each component of the Check Metadata, please refer to the main documentation.
Note that while the Metadata is optional in your own custom checks for Trivy, if you are contributing your check to the Trivy builtin checks, the Metadata section will be required.
"},{"location":"community/contribute/checks/overview/#writing-rego-rules","title":"Writing Rego Rules","text":"Rules are defined using OPA Rego. You can find a number of examples in the checks directory (Link). The OPA documentation is a great place to start learning Rego. You can also check out the Rego Playground to experiment with Rego, and join the OPA Slack.
deny[res] {\n instance := input.aws.rds.instances[_]\n instance.engine.value == [\"postgres\", \"mysql\"][_]\n not instance.iamauthenabled.value\n res := result.new(\"Instance does not have IAM Authentication enabled\", instance.iamauthenabled)\n}\n
The rule should return a result, which can be created using result.new. This function does not need to be imported, it is defined internally and provided at runtime. The first argument is the message to display and the second argument is the resource that the issue was detected on.
It is possible to pass any rego variable that references a field of the input document.
"},{"location":"community/contribute/checks/overview/#generate-docs","title":"Generate docs","text":"Finally, you'll want to generate documentation for your newly added rule. Please run make docs in the trivy-checks directory to generate the documentation for your new policy and submit a PR for us to take a look at.
"},{"location":"community/contribute/checks/overview/#adding-tests","title":"Adding Tests","text":"All Rego checks need to have tests. There are many examples of these in the checks directory for each check (Link). More information on how to write tests for Rego checks is provided in the custom misconfiguration section of the docs.
"},{"location":"community/contribute/checks/overview/#example-pr","title":"Example PR","text":"You can see a full example PR for a new rule being added here: https://github.com/aquasecurity/defsec/pull/1000.
"},{"location":"community/contribute/checks/service-support/","title":"Add Service Support","text":"A service refers to a service by a cloud provider. This section details how to add a new service to an existing provider. All contributions need to be made to the trivy repository.
"},{"location":"community/contribute/checks/service-support/#prerequisites","title":"Prerequisites","text":"Before you begin, verify that the provider does not already have the service that you plan to add.
"},{"location":"community/contribute/checks/service-support/#adding-a-new-service-to-an-existing-provider","title":"Adding a new service to an existing provider","text":"Adding a new service involves two steps. The service needs a data structure to store information about the resources that will be scanned, and it needs one or more adapters that convert the scan targets (the parsed input) into that data structure.
"},{"location":"community/contribute/checks/service-support/#create-a-new-file-in-the-provider-directory","title":"Create a new file in the provider directory","text":"In this example, we are adding the CodeBuild service to the AWS provider.
First, create a new directory and file for your new service under the provider directory: e.g. aws/codebuild/codebuild.go
The CodeBuild service needs a struct to hold the information from the input that is scanned, that is, the CodeBuild resource that a user configured and wants to scan for misconfiguration.
type CodeBuild struct {\n Projects []Project\n}\n
The CodeBuild service manages Project resources. The Project struct holds information about each Project resource; Project resources in turn manage ArtifactSettings:
type Project struct {\n Metadata iacTypes.Metadata\n ArtifactSettings ArtifactSettings\n SecondaryArtifactSettings []ArtifactSettings\n}\n\ntype ArtifactSettings struct {\n Metadata iacTypes.Metadata\n EncryptionEnabled iacTypes.BoolValue\n}\n
The iacTypes.Metadata struct is embedded in all of the Trivy types and provides a common set of metadata for all resources. This includes the file and line number where the resource was defined and the name of the resource.
In this example a Project resource has a name and can optionally be encrypted. Instead of the raw string and bool types, the Trivy types iacTypes.Metadata and iacTypes.BoolValue are used. These types wrap the raw values and carry additional metadata about the value: for instance, whether it was set explicitly by the user, and the file and line number where the resource was defined. That distinction matters for checks, because an attribute the user omitted (a provider default) and an attribute explicitly set to false are not always the same finding.
Have a look at the other providers and services in the iac/providers directory in Trivy.
Next you'll need to add a reference to your new service struct in the provider struct at pkg/iac/providers/aws/aws.go:
type AWS struct {\n ...\n CodeBuild codebuild.CodeBuild\n ...\n}\n
"},{"location":"community/contribute/checks/service-support/#update-adapters","title":"Update Adapters","text":"Now you'll need to update all of the adapters which populate the struct of the provider that you have been using. Following the example above, if you want to add support for CodeBuild in Terraform, you'll need to update the Terraform AWS adapter as shown here: trivy/pkg/iac/adapters/terraform/aws/codebuild/adapt.go.
Another example for updating the adapters is provided in the following PR. Additionally, please refer to the respective Terraform documentation on the provider to which you are adding the service. For instance, the Terraform documentation for AWS CodeBuild is provided here.
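As an added example that is not code from the Trivy project, the following Go program ties together two ideas from this page: the metadata-wrapped service struct described in this section, and the deny-rule pattern from the Rego section, where a check returns a message plus the resource it fired on. The Metadata and BoolValue types are simplified stand-ins for iacTypes.Metadata and iacTypes.BoolValue, the RawProject input shape and the default of "encrypted unless explicitly disabled" are assumptions made for the example, and Adapt and CheckArtifactEncryption are illustrative, not Trivy's own adapter or check:

```go
package main

import "fmt"

type (
	// Metadata is a simplified stand-in for iacTypes.Metadata (an assumption,
	// not Trivy's type): where a value came from and whether the user set it.
	Metadata struct {
		Filename string
		Line     int
		Explicit bool // false when the value is a provider default
	}
	// BoolValue stands in for iacTypes.BoolValue: a bool carrying its Metadata.
	BoolValue struct {
		Value    bool
		Metadata Metadata
	}
	// Service structs shaped like the CodeBuild example in the text.
	ArtifactSettings struct {
		Metadata          Metadata
		EncryptionEnabled BoolValue
	}
	Project struct {
		Metadata                  Metadata
		ArtifactSettings          ArtifactSettings
		SecondaryArtifactSettings []ArtifactSettings
	}
	CodeBuild struct{ Projects []Project }
)

// RawArtifact and RawProject model what an adapter receives from the IaC
// parser (constructed for this example). A nil EncryptionEnabled means the
// user omitted the attribute.
type RawArtifact struct {
	File              string
	Line              int
	EncryptionEnabled *bool
}

type RawProject struct {
	File      string
	Line      int
	Artifacts RawArtifact
	Secondary []RawArtifact
}

// adaptArtifact applies the provider default when the attribute is omitted.
// Assumption for this example: artifacts are encrypted unless explicitly disabled.
func adaptArtifact(raw RawArtifact) ArtifactSettings {
	blockMeta := Metadata{Filename: raw.File, Line: raw.Line, Explicit: true}
	val := BoolValue{Value: true, Metadata: Metadata{Filename: raw.File, Line: raw.Line}}
	if raw.EncryptionEnabled != nil {
		val = BoolValue{Value: *raw.EncryptionEnabled, Metadata: blockMeta}
	}
	return ArtifactSettings{Metadata: blockMeta, EncryptionEnabled: val}
}

// Adapt is the adapter step: parsed input -> service struct.
func Adapt(raws []RawProject) CodeBuild {
	var cb CodeBuild
	for _, r := range raws {
		p := Project{
			Metadata:         Metadata{Filename: r.File, Line: r.Line, Explicit: true},
			ArtifactSettings: adaptArtifact(r.Artifacts),
		}
		for _, s := range r.Secondary {
			p.SecondaryArtifactSettings = append(p.SecondaryArtifactSettings, adaptArtifact(s))
		}
		cb.Projects = append(cb.Projects, p)
	}
	return cb
}

// Result mirrors what result.new yields in a Rego check: a message plus the
// metadata of the offending value, so the finding points at a file and line.
type Result struct {
	Message  string
	Filename string
	Line     int
	Explicit bool
}

// CheckArtifactEncryption is the Go twin of the deny-rule pattern: walk every
// resource and flag each artifact setting whose value is false.
func CheckArtifactEncryption(cb CodeBuild) []Result {
	var results []Result
	flag := func(a ArtifactSettings) {
		if !a.EncryptionEnabled.Value {
			m := a.EncryptionEnabled.Metadata
			results = append(results, Result{Message: "Project artifact encryption is disabled",
				Filename: m.Filename, Line: m.Line, Explicit: m.Explicit})
		}
	}
	for _, p := range cb.Projects {
		flag(p.ArtifactSettings)
		for _, s := range p.SecondaryArtifactSettings {
			flag(s)
		}
	}
	return results
}

// SampleInput is a constructed scan target: one project that disables encryption
// on its primary and secondary artifacts, and one that omits the attribute.
func SampleInput() []RawProject {
	no := false
	return []RawProject{
		{File: "main.tf", Line: 10,
			Artifacts: RawArtifact{File: "main.tf", Line: 12, EncryptionEnabled: &no},
			Secondary: []RawArtifact{{File: "main.tf", Line: 20, EncryptionEnabled: &no}}},
		{File: "main.tf", Line: 30, Artifacts: RawArtifact{File: "main.tf", Line: 32}},
	}
}

func main() {
	for _, r := range CheckArtifactEncryption(Adapt(SampleInput())) {
		fmt.Printf("%s:%d: %s (explicit=%v)\n", r.Filename, r.Line, r.Message, r.Explicit)
	}
}
```

Running it reports the two explicitly disabled settings at main.tf:12 and main.tf:20 and stays silent for the project that omitted the attribute, because the adapter recorded that value as a default. The point to carry into a real adapter is that the wrapped value, not a bare bool, is what lets a check tell those cases apart and point the user at the right line.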
"},{"location":"community/contribute/checks/service-support/#create-a-new-schema-for-your-provider","title":"Create a new Schema for your provider","text":"Once the new service has been added to the provider, you need to create the schema for the service as part of the provider schema.
This process is automated with mage commands. In the Trivy root directory, run mage schema:generate to generate the schema for your new service, then mage schema:verify to verify it.
"},{"location":"community/contribute/vulnerability-database/add-vulnerability-source/","title":"Add Vulnerability Advisory Source","text":"This guide walks through the process of adding a new vulnerability advisory source to Trivy.
Info
For an overview of how Trivy's vulnerability database works, see the Overview page.
"},{"location":"community/contribute/vulnerability-database/add-vulnerability-source/#prerequisites","title":"Prerequisites","text":"Before starting, ensure you have:
- Identified the upstream advisory source and its API/format
- Checked that the data source doesn't already exist in Trivy
- Created a GitHub discussion or issue to discuss the addition
"},{"location":"community/contribute/vulnerability-database/add-vulnerability-source/#required-changes","title":"Required Changes","text":"To add a new vulnerability advisory source, you'll need to make changes across three repositories. Below we'll use the Echo OS support as an example.
"},{"location":"community/contribute/vulnerability-database/add-vulnerability-source/#step-1-add-fetcher-script-vuln-list-update","title":"Step 1: Add Fetcher Script (vuln-list-update)","text":"Note
Skip this step if your advisory source is already managed in a Git repository (e.g., GitHub, GitLab).
Create a fetcher script in vuln-list-update to collect advisories from the upstream source.
Key tasks:
- Fetch advisories from the upstream API or source
- Validate the advisory format and data
- Save advisories as JSON files in the vuln-list directory structure
- Store original data as-is where possible: Avoid preprocessing or modifying advisory fields. Save the raw data exactly as provided by the upstream source (format conversion like YAML to JSON is acceptable for consistency)
- Include all necessary metadata (CVE ID, affected versions, severity, etc.)
Example PR:
- feat(echo): Add Echo Support (vuln-list-update#350)
"},{"location":"community/contribute/vulnerability-database/add-vulnerability-source/#step-2-add-parser-trivy-db","title":"Step 2: Add Parser (trivy-db)","text":"Create a parser in trivy-db to transform raw advisories into Trivy's database format.
Key tasks:
- Create a new vulnerability source in pkg/vulnsrc/
- Implement the advisory parsing logic
- Map advisory fields to Trivy's vulnerability schema
- Handle version ranges and affected packages correctly
- Store CVE mappings if available
- Add unit tests for the parser
Example PR:
- feat(echo): Add Echo Support (trivy-db#528)
"},{"location":"community/contribute/vulnerability-database/add-vulnerability-source/#step-3-add-osecosystem-support-trivy","title":"Step 3: Add OS/Ecosystem Support (Trivy)","text":"Update trivy to support the new operating system or package ecosystem.
Key tasks:
- Add an OS analyzer in pkg/fanal/analyzer/os/ to detect the OS
- Implement vulnerability detection logic if special handling is needed
- Add integration tests with test data
- Update documentation to include the new data source
Example PR:
- feat(echo): Add Echo Support (trivy#8833)
"},{"location":"community/contribute/vulnerability-database/add-vulnerability-source/#complete-example-echo-os-support","title":"Complete Example: Echo OS Support","text":"The Echo OS support was added through three coordinated PRs:
- vuln-list-update: Fetches Echo advisories from https://advisory.echohq.com/data.json
- PR: https://github.com/aquasecurity/vuln-list-update/pull/350
- trivy-db: Parses Echo advisories and stores them in the database
- PR: https://github.com/aquasecurity/trivy-db/pull/528
- Trivy: Detects Echo OS and scans for vulnerabilities
- PR: https://github.com/aquasecurity/trivy/pull/8833
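The three steps above, as one added example in Go (this example's own code, not code from vuln-list-update, trivy-db or Trivy): ValidateRaw plays the vuln-list-update role and rejects malformed upstream data without rewriting it, ParseAdvisory plays the trivy-db role and maps one upstream document to one record per affected package, and Affected plays the detection role in Trivy. The feed format, package names and advisory IDs are constructed for the example, and versionLess is a deliberate simplification; a real source must use the comparator of its ecosystem:

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// RawAdvisory mirrors a hypothetical upstream feed. The field names are
// constructed for this example; they are not the Echo format or any real
// vuln-list layout.
type RawAdvisory struct {
	ID       string       `json:"id"`
	Severity string       `json:"severity"`
	CVEs     []string     `json:"cves"`
	Packages []RawPackage `json:"packages"`
}

type RawPackage struct {
	Name         string `json:"name"`
	FixedVersion string `json:"fixed_version"` // empty: no fix released yet
}

// Advisory is a normalized per-package record, the shape a parser would hand
// to the database layer (simplified; not trivy-db's actual types).
type Advisory struct {
	VulnerabilityID string
	PkgName         string
	FixedVersion    string
	Severity        string
	Aliases         []string // CVE IDs mapped to the vendor ID
}

// ValidateRaw is the vuln-list-update side: refuse data that would break the
// parser later, but otherwise hand the document back exactly as received.
func ValidateRaw(data []byte) (RawAdvisory, error) {
	var adv RawAdvisory
	if err := json.Unmarshal(data, &adv); err != nil {
		return adv, fmt.Errorf("invalid advisory JSON: %w", err)
	}
	if adv.ID == "" {
		return adv, errors.New("advisory without id")
	}
	if len(adv.Packages) == 0 {
		return adv, errors.New(adv.ID + ": no affected packages")
	}
	for _, p := range adv.Packages {
		if p.Name == "" {
			return adv, errors.New(adv.ID + ": package without name")
		}
	}
	return adv, nil
}

// ParseAdvisory is the trivy-db side: one record per affected package, with
// severity normalized and CVE aliases kept for cross-referencing.
func ParseAdvisory(adv RawAdvisory) []Advisory {
	sev := strings.ToUpper(strings.TrimSpace(adv.Severity))
	if sev == "" {
		sev = "UNKNOWN"
	}
	out := make([]Advisory, 0, len(adv.Packages))
	for _, p := range adv.Packages {
		out = append(out, Advisory{VulnerabilityID: adv.ID, PkgName: p.Name,
			FixedVersion: p.FixedVersion, Severity: sev, Aliases: adv.CVEs})
	}
	return out
}

// versionLess orders dotted numeric versions component by component, so that
// 3.0.9 sorts before 3.0.14 (a plain string compare gets this wrong). It is a
// simplification: dpkg and rpm versions carry epochs and release suffixes and
// need their ecosystem's comparator.
func versionLess(a, b string) bool {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		var x, y int
		if i < len(as) {
			x, _ = strconv.Atoi(as[i])
		}
		if i < len(bs) {
			y, _ = strconv.Atoi(bs[i])
		}
		if x != y {
			return x < y
		}
	}
	return false
}

// Affected is the detection step: an installed version is affected when it is
// older than the fixed version, or when no fix exists yet.
func Affected(adv Advisory, installed string) bool {
	if adv.FixedVersion == "" {
		return true
	}
	return versionLess(installed, adv.FixedVersion)
}

// SampleFeed is a constructed upstream document with placeholder IDs.
const SampleFeed = `{"id": "EX-0001", "severity": "high", "cves": ["CVE-0000-0001"],
 "packages": [{"name": "openssl", "fixed_version": "3.0.14"}, {"name": "libfoo", "fixed_version": ""}]}`

func main() {
	adv, err := ValidateRaw([]byte(SampleFeed))
	if err != nil {
		panic(err)
	}
	for _, a := range ParseAdvisory(adv) {
		fmt.Printf("%s %s fixed=%q affected(3.0.9)=%v\n", a.VulnerabilityID, a.PkgName, a.FixedVersion, Affected(a, "3.0.9"))
	}
}
```

Two habits from the guide are visible here: validation happens before anything is committed to vuln-list, and the raw document is stored unchanged so the parser, not the fetcher, owns the mapping into Trivy's schema. The version comparison is where new sources most often go wrong, so test it against real version strings from the ecosystem, including epochs and pre-release suffixes, rather than the tidy numbers used in this sample.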
"},{"location":"community/contribute/vulnerability-database/add-vulnerability-source/#testing-your-changes","title":"Testing Your Changes","text":""},{"location":"community/contribute/vulnerability-database/add-vulnerability-source/#test-vuln-list-update","title":"Test vuln-list-update","text":"First, fetch all existing advisories (required for building the database):
cd vuln-list-update\ngo run main.go -vuln-list-dir /path/to/vuln-list\n
Then, test your new data source by fetching only your target:
go run main.go -target your-source -vuln-list-dir /path/to/vuln-list\n
Verify that advisories are correctly saved in the vuln-list directory.
"},{"location":"community/contribute/vulnerability-database/add-vulnerability-source/#test-trivy-db","title":"Test trivy-db","text":"cd trivy-db\nmake db-build CACHE_DIR=/path/to/cache\n
Check that the database is built without errors and contains your advisories.
Note
The CACHE_DIR should point to the parent directory of your vuln-list directory. For example, if your vuln-list is at /tmp/test/vuln-list, set CACHE_DIR=/tmp/test.
You can inspect the built database using BoltDB viewer tools like boltwiz:
# Open the database\nboltwiz out/trivy.db\n
This allows you to verify that your vulnerabilities are correctly stored in the database.
"},{"location":"community/contribute/vulnerability-database/add-vulnerability-source/#test-trivy","title":"Test Trivy","text":"# Build Trivy with your changes\nmage build\n\n# Use your local database\n./trivy image --skip-db-update --cache-dir /path/to/cache your-test-image\n
Verify that vulnerabilities from your new data source are detected correctly.
"},{"location":"community/contribute/vulnerability-database/add-vulnerability-source/#getting-help","title":"Getting Help","text":"If you have questions or need help:
- Check existing data sources for reference implementations
- Start a discussion in the Trivy repository
"},{"location":"community/contribute/vulnerability-database/overview/","title":"Vulnerability Data Sources","text":"This section explains how Trivy's vulnerability database works and how to contribute new advisory data sources.
"},{"location":"community/contribute/vulnerability-database/overview/#overview","title":"Overview","text":"Trivy's vulnerability database is built through a multi-repository workflow involving three main repositories:
graph LR\n A[Advisory Sources] -->|vuln-list-update| B[vuln-list]\n B --> C[\"trivy-db<br/>(Trivy DB)\"]\n C --> D[\"trivy<br/>(Trivy CLI)\"]\n E[GitHub-managed<br/>Advisories] --> C
"},{"location":"community/contribute/vulnerability-database/overview/#workflow-steps","title":"Workflow Steps","text":"- Advisory Collection (vuln-list-update)
  - Fetch raw advisories from upstream sources
  - Store them in the vuln-list repository
  - Run periodically via cron to keep advisories up-to-date
  - This step can be skipped if advisories are already managed in a Git repository (e.g., GitHub Security Advisories)
- Database Build (trivy-db)
  - Parse advisories from vuln-list or directly from Git-managed sources
  - Transform them into Trivy's database format
  - Publish the built database periodically via cron
- Database Consumption (trivy)
  - Download the latest vulnerability database at scan time
  - Use it to detect vulnerabilities in scan targets
"},{"location":"community/contribute/vulnerability-database/overview/#why-store-advisories-in-vuln-list","title":"Why Store Advisories in vuln-list?","text":"For data sources that are not already Git-managed, storing advisories in the vuln-list repository provides several benefits:
- Transparency: Easy to track changes and differences between advisory versions
- Web UI: Browse advisories directly on GitHub with a user-friendly interface
- Stability: Mitigate issues when upstream advisory servers are unstable or unavailable
- Shareability: Provide stable URLs to reference specific advisories
- Data Quality: Validate advisory data before committing to vuln-list, preventing malformed data or unexpected format changes from breaking Trivy DB
- Historical Data: Preserve past advisories when upstream formats change
"},{"location":"community/contribute/vulnerability-database/overview/#repository-overview","title":"Repository Overview","text":""},{"location":"community/contribute/vulnerability-database/overview/#vuln-list-update","title":"vuln-list-update","text":"This repository contains scripts that fetch advisories from various upstream sources. Each data source has its own package that handles:
- Fetching advisories from APIs or web sources
- Validating the advisory format and data
- Saving them to the vuln-list repository
"},{"location":"community/contribute/vulnerability-database/overview/#vuln-list","title":"vuln-list","text":"This repository serves as a data storage for raw advisories fetched by vuln-list-update. Key characteristics:
- Contains raw advisory data in JSON format
- Updated automatically by vuln-list-update scripts via cron
- Not for manual contributions: Direct pull requests to this repository are not accepted
- Used as the source for trivy-db to build the vulnerability database
"},{"location":"community/contribute/vulnerability-database/overview/#trivy-db","title":"trivy-db","text":"This repository contains parsers that transform raw advisories into Trivy's database format. Each data source has its own vulnerability source handler that:
- Reads advisory files from vuln-list or directly from Git-managed sources (e.g., GitHub Security Advisories)
- Maps advisory fields to Trivy's schema
- Stores vulnerability information in the database
"},{"location":"community/contribute/vulnerability-database/overview/#trivy","title":"trivy","text":"The main Trivy repository contains:
- OS and package analyzers to detect what's installed
- Vulnerability detection logic
"},{"location":"community/contribute/vulnerability-database/overview/#next-steps","title":"Next Steps","text":"Ready to add a new vulnerability advisory source? See the Add Vulnerability Advisory Source guide for detailed steps.
"},{"location":"community/maintainer/backporting/","title":"Backporting Process","text":"This document outlines the backporting process for Trivy, including when to create patch releases and how to perform the backporting.
"},{"location":"community/maintainer/backporting/#when-to-create-patch-releases","title":"When to Create Patch Releases","text":"In general, small changes should not be backported and should be included in the next minor release. However, patch releases should be made in the following cases:
- Fixes for HIGH or CRITICAL vulnerabilities in Trivy itself or Trivy's dependencies
- Fixes for bugs that cause panic during Trivy execution or otherwise interfere with normal usage
In these cases, the fixes should be backported using the procedure described below. At the maintainer's discretion, other bug fixes may be included in the patch release containing these hotfixes.
"},{"location":"community/maintainer/backporting/#versioning","title":"Versioning","text":"Trivy follows Semantic Versioning, using version numbers in the format MAJOR.MINOR.PATCH. When creating a patch release, the PATCH part of the version number is incremented. For example, if a fix is being distributed for v0.50.0, the patch release would be v0.50.1.
"},{"location":"community/maintainer/backporting/#backporting-procedure","title":"Backporting Procedure","text":"- A release branch (e.g., release/v0.50) is automatically created when a new minor version is released.
- Create a pull request (PR) against the main branch with the necessary fixes. If the fixes are already merged into the main branch, skip this step.
- Once the PR with the fixes is merged, comment @aqua-bot backport <release-branch> on the PR (e.g., @aqua-bot backport release/v0.50). This will trigger the automated backporting process using GitHub Actions.
- The automated process will create a new PR with the backported changes. Ensure that all tests pass for this PR.
- Once the tests pass, merge the automatically created PR into the release branch.
- Merge a release PR on the release branch and release the patch version.
Note
If a conflict occurs, the backport PR is still created with a forced commit; resolve the conflict manually in that PR. To re-run a backport of the same PR, close the existing backport PR, delete its branch and trigger the backport again.
"},{"location":"community/maintainer/backporting/#example","title":"Example","text":"To better understand the backporting procedure, let's walk through an example using the releases of v0.50.
gitGraph:\n commit id:\"Feature 1\"\n commit id:\"v0.50.0 release\" tag:\"v0.50.0\"\n\n branch \"release/v0.50\"\n\n checkout main\n commit id:\"Bugfix 1\"\n\n checkout \"release/v0.50\"\n cherry-pick id:\"Bugfix 1\"\n\n checkout main\n commit id:\"Feature 2\"\n commit id:\"Bugfix 2\"\n commit id:\"Feature 3\"\n\n checkout \"release/v0.50\"\n cherry-pick id:\"Bugfix 2\"\n commit id:\"v0.50.1 release\" tag:\"v0.50.1\"
"},{"location":"community/maintainer/help-wanted/","title":"Overview","text":"We use two labels help wanted and good first issue to identify issues that have been specially groomed for new contributors. The good first issue label is a subset of help wanted label, indicating that members have committed to providing extra assistance for new contributors. All good first issue items also have the help wanted label.
"},{"location":"community/maintainer/help-wanted/#help-wanted","title":"Help Wanted","text":"Items marked with the help wanted label need to ensure that they are:
- Low Barrier to Entry
It should be tractable for new contributors. Documentation on how that type of change should be made should already exist.
- Clear Task
The task is agreed upon and does not require further discussions in the community. Call out if that area of code is untested and requires new fixtures.
API / CLI behavior is decided and included in the OP issue, for example: \"The new command syntax is trivy --format yaml IMAGE_NAME\" with expected validations called out.
- Goldilocks priority
Not too high that a core contributor should do it, but not too low that it isn't useful enough for a core contributor to spend time to review it, answer questions, help get it into a release, etc.
- Up-To-Date
Often these issues become obsolete: they have already been done, are no longer desired, no longer make sense, or have changed priority or difficulty.
"},{"location":"community/maintainer/help-wanted/#good-first-issue","title":"Good First Issue","text":"Items marked with the good first issue label are intended for first-time contributors. It indicates that members will keep an eye out for these pull requests and shepherd them through our processes.
These items need to ensure that they follow the guidelines for help wanted labels (above) in addition to meeting the following criteria:
- No Barrier to Entry
The task is something that a new contributor can tackle without advanced setup, or domain knowledge.
- Solution Explained
The recommended solution is clearly described in the issue.
- Provides Context
If background knowledge is required, this should be explicitly mentioned and a list of suggested readings included.
- Gives Examples
Link to examples of similar implementations so new contributors have a reference guide for their changes.
- Identifies Relevant Code
The relevant code and tests to be changed should be linked in the issue.
- Ready to Test
There should be existing tests that can be modified, or existing test cases fit to be copied. If the area of code doesn't have tests, before labeling the issue, add a test fixture. This prep often makes a great help wanted task!
"},{"location":"community/maintainer/pr-review/","title":"Pull Request Review Policy","text":"This document outlines the review policy for pull requests in the Trivy project.
"},{"location":"community/maintainer/pr-review/#core-principles","title":"Core Principles","text":""},{"location":"community/maintainer/pr-review/#1-all-changes-through-pull-requests","title":"1. All Changes Through Pull Requests","text":"All changes to the main branch must be made through pull requests. Direct commits to main are not allowed.
"},{"location":"community/maintainer/pr-review/#2-required-approvals","title":"2. Required Approvals","text":"Every pull request requires approval from at least one CODEOWNER before merging.
For changes that span multiple domains (e.g., both vulnerability and misconfiguration scanning), approval from at least one code owner from each affected domain is required.
When a pull request is created by the only code owner of a domain, approval from any other maintainer is required.
When a code owner wants additional input from other owners or maintainers, they should comment requesting feedback and wait for others to approve before providing their own approval. This prevents accidental merging by the PR author.
"},{"location":"community/maintainer/pr-review/#3-merge-responsibility","title":"3. Merge Responsibility","text":" - General Rule: The pull request author should click the merge button after receiving required approvals
- Exception: For urgent fixes (hotfixes), a CODEOWNER may merge the PR directly
- External Contributors: Pull requests from external contributors should be merged by a CODEOWNER
"},{"location":"community/maintainer/release-flow/","title":"Release Flow","text":""},{"location":"community/maintainer/release-flow/#overview","title":"Overview","text":"Trivy adopts conventional commit messages, and Release Please automatically creates a release PR based on the messages of the merged commits. This release PR is automatically updated every time a new commit is added to the release branch.
If a commit has the prefix feat:, a PR is automatically created to increment the minor version, and if a commit has the prefix fix:, a PR is created to increment the patch version. When the PR is merged, GitHub Actions automatically creates a version tag and the release is performed. For detailed behavior, please refer to the GitHub Actions configuration.
Note
Commits with prefixes like chore or build are not considered releasable, and no release PR is created. To include such commits in a release, you need to either include commits with feat or fix prefixes or perform a manual release as described below.
Tip
It's a good idea to check if there are any outstanding vulnerability updates created by dependabot waiting for your review. They can be found in the \"Security\" tab of the repository. If there are any, please review and merge them before creating a release. This will help to ensure that the release includes the latest security patches.
"},{"location":"community/maintainer/release-flow/#flow","title":"Flow","text":"The release flow consists of the following main steps:
- Creating the release PR (automatically or manually)
- Drafting the release notes in GitHub Discussions
- Merging the release PR
- Updating the release notes in GitHub Discussions
- Navigating to the release notes in GitHub Releases page
"},{"location":"community/maintainer/release-flow/#automatic-release-pr-creation","title":"Automatic Release PR Creation","text":"When a releasable commit (a commit with feat or fix prefix) is merged, a release PR is automatically created. These Release PRs are kept up-to-date as additional work is merged. When it's ready to tag a release, simply merge the release PR. See the Release Please documentation for more information.
The title of the PR will be in the format release: v${version} [${branch}] (e.g., release: v0.51.0 [main]). The format of the PR title is important for identifying the release commit, so it should not be changed.
The release/vX.Y release branches are also subject to automatic release PR creation for patch releases. The PR title will be like release: v0.51.1 [release/v0.51].
"},{"location":"community/maintainer/release-flow/#manual-release-pr-creation","title":"Manual Release PR Creation","text":"If you want to release commits like chore, a release PR is not automatically created, so you need to manually trigger the creation of a release PR. The Release Please workflow supports workflow_dispatch and can be triggered manually. Click \"Run workflow\" in the top right corner and specify the release branch. In Trivy, the following branches are the release branches.
- main
- release/vX.Y (e.g. release/v0.51)
Specify the release version (without the v prefix) and click \"Run workflow\" to create a release PR for the specified version.
"},{"location":"community/maintainer/release-flow/#drafting-the-release-notes","title":"Drafting the Release Notes","text":"Next, create release notes for this version. Draft a new post in GitHub Discussions, and maintainers edit these release notes (e.g., https://github.com/aquasecurity/trivy/discussions/6605). Currently, the creation of this draft is done manually. For patch version updates, this step can be skipped since they only involve bug fixes.
"},{"location":"community/maintainer/release-flow/#merging-the-release-pr","title":"Merging the Release PR","text":"Once the draft of the release notes is complete, merge the release PR. When the PR is merged, a tag is automatically created, and GoReleaser releases binaries, container images, etc.
"},{"location":"community/maintainer/release-flow/#updating-the-release-notes","title":"Updating the Release Notes","text":"If the release completes without errors, a page for the release notes is created in GitHub Discussions (e.g., https://github.com/aquasecurity/trivy/discussions/6622). Copy the draft release notes, adjust the formatting, and finalize the release notes.
"},{"location":"community/maintainer/release-flow/#navigating-to-the-release-notes","title":"Navigating to the Release Notes","text":"To navigate to the release highlights and summary in GitHub Discussions, place a link in the GitHub Releases page as below:
## \u26a1Release highlights and summary\u26a1\n\n\ud83d\udc49 https://github.com/aquasecurity/trivy/discussions/6838\n\n## Changelog\nhttps://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0520-2024-06-03\n
Replace URLs with appropriate ones.
Example: https://github.com/aquasecurity/trivy/releases/tag/v0.52.0
"},{"location":"community/maintainer/release-flow/#merging-the-auto-generated-helm-chart-update-pr","title":"Merging the auto-generated Helm chart update PR","text":"Once the release PR is merged, there will be an auto-generated PR that bumps the Trivy version for the Trivy Helm Chart. An example can be seen here.
Note
The release action can take a while to finish, and the Helm chart action may run before it. In that case the Helm chart action fails because it cannot find the latest Trivy container image. Manually re-run the Helm chart action once the release action has finished.
If things look good, approve and merge this PR to further trigger the publishing of the Helm Chart.
The release is now complete \ud83c\udf7b
"},{"location":"community/maintainer/triage/","title":"Triage","text":"Triage is an important part of maintaining the health of the trivy repo. A well organized repo allows maintainers to prioritize feature requests, fix bugs, and respond to users facing difficulty with the tool as quickly as possible.
Triage includes:
- Labeling issues
- Responding to issues
- Closing issues
"},{"location":"community/maintainer/triage/#daily-triage","title":"Daily Triage","text":"Daily triage has two goals:
- Responsiveness for new issues
- Responsiveness when explicitly requested information was provided
It covers:
- Issues without a kind/ or triage/ label
- Issues without a priority/ label
- triage/needs-information issues which the user has followed up on, and now require a response.
"},{"location":"community/maintainer/triage/#categorization","title":"Categorization","text":"The most important level of categorizing the issue is defining what type it is. We typically want at least one of the following labels on every issue, and some issues may fall into multiple categories:
- triage/support - The default for most incoming issues
- kind/bug - When it's a bug or we aren't delivering the best user experience
Other possibilities:
- kind/feature - Identify new feature requests
- kind/testing - Update or fix unit/integration tests
- kind/cleanup - Cleaning up/refactoring the codebase
- kind/documentation - Updates or additions to trivy documentation
If the issue is specific to a driver for OS packages or libraries:
- co/[driver for OS packages]: co/alpine, co/amazon, co/debian, co/oracle, co/photon, co/redhat, co/suse, co/ubuntu
- co/[driver for libraries of programming languages]: co/bundler, co/cargo, co/composer, co/npm, co/yarn, co/pipenv, co/poetry
Help wanted?
- Good First Issue - the bug has a proposed solution and can be implemented without further discussion.
- Help wanted - the bug could use help from a contributor
"},{"location":"community/maintainer/triage/#prioritization","title":"Prioritization","text":"If the issue is not triage/support, it needs a priority label.
- priority/critical-urgent - someone's top priority ASAP, such as a security issue, user-visible bug, or build breakage. Rarely used.
- priority/important-soon - in time for the next two releases. It should be attached to a milestone.
- priority/important-longterm - 2-4 releases from now
- priority/backlog - agreed that this would be good to have, but no one is available at the moment. Consider tagging as help wanted
- priority/awaiting-more-evidence - may be useful, but there is not yet enough support.
"},{"location":"community/maintainer/triage/#weekly-triage","title":"Weekly Triage","text":"Weekly triage has three goals:
- Catching up on unresponded issues
- Reviewing and closing PR\u2019s
- Closing stale issues
"},{"location":"community/maintainer/triage/#post-release-triage","title":"Post-Release Triage","text":"Post-release triage occurs after a major release (around every 4-6 weeks). It focuses on:
- Closing bugs that have been resolved by the release
- Reprioritizing bugs that have not been resolved by the release
- Letting users know if we believe that there is still an issue
This includes reviewing:
- Every issue that hasn\u2019t been touched in the last 2 days
- Re-evaluation of long-term issues
- Re-evaluation of short-term issues
"},{"location":"community/maintainer/triage/#responding-to-issues","title":"Responding to Issues","text":""},{"location":"community/maintainer/triage/#needs-more-information","title":"Needs More Information","text":"A sample response to ask for more info:
I don't yet have a clear way to replicate this issue. Do you mind adding some additional details? Here is additional information that would be helpful:
* The exact trivy command line used
* The exact image you want to scan
* The full output of the trivy command, preferably with --debug for extra logging.
Thank you for sharing your experience!
Then: Label with triage/needs-information.
"},{"location":"community/maintainer/triage/#issue-might-be-resolved","title":"Issue might be resolved","text":"If you think a release may have resolved an issue, ask the author to see if their issue has been resolved:
Could you please check to see if trivy addresses this issue? We've made some changes with how this is handled, and improved the trivy logs output to help us debug tricky cases like this.
Then: Label with triage/needs-information.
"},{"location":"community/maintainer/triage/#closing-with-care","title":"Closing with Care","text":"Issues typically need to be closed for the following reasons:
- The issue has been addressed
- The issue is a duplicate of an existing issue
- There has been a lack of information over a long period of time
In any of these situations, we aim to be kind when closing the issue, and offer the author action items should they need to reopen their issue or still require a solution.
Samples responses for these situations include:
"},{"location":"community/maintainer/triage/#issue-has-been-addressed","title":"Issue has been addressed","text":"@author: I believe this issue is now addressed by trivy v1.0.0, as it . If you still see this issue with trivy v1.0 or higher, please reopen this issue.
Thank you for reporting this issue!
Then: Close the issue
"},{"location":"community/maintainer/triage/#duplicate-issue","title":"Duplicate Issue","text":"This issue appears to be a duplicate of #X, do you mind if we move the conversation there?
This way we can centralize the content relating to the issue. If you feel that this issue is not in fact a duplicate, please re-open it. If you have additional information to share, please add it to the new issue.
Thank you for reporting this!
Then: Label with triage/duplicate and close the issue.
"},{"location":"community/maintainer/triage/#lack-of-information","title":"Lack of Information","text":"If an issue hasn't been active for more than four weeks, and the author has been pinged at least once, then the issue can be closed.
Hey @author -- hopefully it's OK if I close this - there wasn't enough information to make it actionable, and some time has already passed. If you are able to provide additional details, you may reopen it at any point.
Here is additional information that may be helpful to us:
* Whether the issue occurs with the latest trivy release
* The exact trivy command line used
* The exact image you want to scan
* The full output of the trivy command, preferably with --debug for extra logging.
Thank you for sharing your experience!
Then: Close the issue.
"},{"location":"community/maintainer/triage/#help-wanted-issues","title":"Help Wanted issues","text":"We use two labels help wanted and good first issue to identify issues that have been specially groomed for new contributors.
We have specific guidelines for how to use these labels. If you see an issue that satisfies these guidelines, you can add the help wanted label and the good first issue label. Please note that any issue given the good first issue label must also carry the help wanted label.
If an issue has these labels but does not satisfy the guidelines, please ask for more details to be added to the issue or remove the labels.
"},{"location":"ecosystem/","title":"Ecosystem","text":"Trivy is integrated into many popular tools and applications, so that you can easily add security to your workflow.
In this section you will find an aggregation of the different integrations. Integrations are listed as either \"official\" or \"community\". Official integrations are developed by the core Trivy team and supported by it. Community integrations are integrations developed by the community, and collected here for your convenience. For support or questions about community integrations, please contact the original developers.
\ud83d\udc48 Please use the side-navigation on the left in order to browse the different topics.
"},{"location":"ecosystem/#add-missing-integration","title":"Add missing integration","text":"We are happy to showcase community integrations in this section. To suggest an addition simply make a Pull Request to add the missing integration.
"},{"location":"ecosystem/cicd/","title":"CI/CD Integrations","text":""},{"location":"ecosystem/cicd/#azure-devops-official","title":"Azure DevOps (Official)","text":"Azure DevOps is Microsoft Azure's cloud-native CI/CD service.
Trivy has an \"Azure DevOps Pipelines Task\" that lets you easily introduce security scanning into your workflow, with an integrated Azure DevOps UI.
\ud83d\udc49 Get it at: https://github.com/aquasecurity/trivy-azure-pipelines-task
"},{"location":"ecosystem/cicd/#github-actions","title":"GitHub Actions","text":"GitHub Actions is GitHub's native CI/CD and job orchestration service.
"},{"location":"ecosystem/cicd/#trivy-action-official","title":"trivy-action (Official)","text":"GitHub Action for integrating Trivy into your GitHub pipeline
\ud83d\udc49 Get it at: https://github.com/aquasecurity/trivy-action
"},{"location":"ecosystem/cicd/#trivy-action-community","title":"trivy-action (Community)","text":"GitHub Action to scan for vulnerabilities using Trivy. If vulnerabilities are found by Trivy, it creates a GitHub Issue.
\ud83d\udc49 Get it at: https://github.com/marketplace/actions/trivy-action
"},{"location":"ecosystem/cicd/#trivy-github-issues-community","title":"trivy-github-issues (Community)","text":"In this action, Trivy scans dependency files such as package-lock.json and go.sum in your repository, then creates GitHub issues according to the result.
\ud83d\udc49 Get it at: https://github.com/marketplace/actions/trivy-github-issues
"},{"location":"ecosystem/cicd/#buildkite-plugin-community","title":"Buildkite Plugin (Community)","text":"The trivy buildkite plugin provides a convenient mechanism for running the open-source trivy static analysis tool on your project.
\ud83d\udc49 Get it at: https://github.com/equinixmetal-buildkite/trivy-buildkite-plugin
"},{"location":"ecosystem/cicd/#dagger-community","title":"Dagger (Community)","text":"Dagger is CI/CD as code that runs anywhere.
The Dagger module for Trivy provides functions for scanning container images from registries as well as Dagger Container objects from any Dagger SDK (e.g. Go, Python, Node.js, etc).
\ud83d\udc49 Get it at: https://daggerverse.dev/mod/github.com/jpadams/daggerverse/trivy
"},{"location":"ecosystem/cicd/#semaphore-community","title":"Semaphore (Community)","text":"Semaphore is a CI/CD service.
You can use Trivy in Semaphore for scanning code, containers, infrastructure, and Kubernetes in a Semaphore workflow.
\ud83d\udc49 Get it at: https://docs.semaphore.io/using-semaphore/recipes/trivy
"},{"location":"ecosystem/cicd/#circleci-community","title":"CircleCI (Community)","text":"CircleCI is a CI/CD service.
You can use the Trivy Orb for CircleCI to introduce security scanning into your workflow.
\ud83d\udc49 Get it at: https://circleci.com/developer/orbs/orb/fifteen5/trivy-orb Source: https://github.com/15five/trivy-orb
"},{"location":"ecosystem/cicd/#woodpecker-ci-community","title":"Woodpecker CI (Community)","text":"Example Trivy step in a pipeline:
pipeline:\n securitycheck:\n image: aquasec/trivy:latest\n commands:\n # use any trivy command, if exit code is 0 woodpecker marks it as passed, else it assumes it failed\n - trivy fs --exit-code 1 --skip-dirs web/ --skip-dirs docs/ --severity MEDIUM,HIGH,CRITICAL .\n
Woodpecker itself uses Trivy, so you can see it in use there.
"},{"location":"ecosystem/cicd/#concourse-ci-community","title":"Concourse CI (Community)","text":"Concourse CI is a CI/CD service.
You can use the Trivy Resource in Concourse for scanning containers and introducing security scanning into your workflow. Based on the Trivy scan output it can fail the pipeline, create issues, or alert communication channels (using the respective resources).
\ud83d\udc49 Get it at: https://github.com/Comcast/trivy-resource/
"},{"location":"ecosystem/cicd/#secobserve-github-actions-and-gitlab-templates-community","title":"SecObserve GitHub actions and GitLab templates (Community)","text":"SecObserve GitHub actions and GitLab templates run various vulnerability scanners, providing uniform methods and parameters for launching the tools.
The Trivy integration supports scanning Docker images and local filesystems for vulnerabilities as well as scanning IaC files for misconfigurations.
\ud83d\udc49 Get it at: https://github.com/SecObserve/secobserve_actions_templates
"},{"location":"ecosystem/ide/","title":"IDE and developer tools Integrations","text":""},{"location":"ecosystem/ide/#vscode-official","title":"VSCode (Official)","text":"Visual Studio Code is an open source versatile code editor and development environment.
\ud83d\udc49 Get it at: https://github.com/aquasecurity/trivy-vscode-extension
"},{"location":"ecosystem/ide/#jetbrains-official","title":"JetBrains (Official)","text":"JetBrains makes IDEs such as Goland, Pycharm, IntelliJ, Webstorm, and more.
The Trivy plugin for JetBrains IDEs lets you use Trivy right from your development environment.
\ud83d\udc49 Get it at: https://plugins.jetbrains.com/plugin/18690-trivy-findings-explorer
"},{"location":"ecosystem/ide/#kubernetes-lens-official","title":"Kubernetes Lens (Official)","text":"Kubernetes Lens is a management application for Kubernetes clusters.
Trivy has an extension for Kubernetes Lens that lets you scan Kubernetes workloads and view the results in the Lens UI.
\ud83d\udc49 Get it at: https://github.com/aquasecurity/trivy-operator-lens-extension
"},{"location":"ecosystem/ide/#vim-community","title":"Vim (Community)","text":"Vim is a terminal based text editor.
A Vim plugin to install and run Trivy.
\ud83d\udc49 Get it at: https://github.com/aquasecurity/vim-trivy
"},{"location":"ecosystem/ide/#docker-desktop-community","title":"Docker Desktop (Community)","text":"Docker Desktop is an easy way to install the Docker container engine on your development machine, and manage it in a GUI.
A Trivy Docker Desktop extension for scanning container images for vulnerabilities and generating SBOMs.
\ud83d\udc49 Get it at: https://github.com/aquasecurity/trivy-docker-extension
"},{"location":"ecosystem/ide/#rancher-desktop-community","title":"Rancher Desktop (Community)","text":"Rancher Desktop is an easy way to use containers and Kubernetes on your development machine, and manage it in a GUI.
Trivy is natively integrated with Rancher, no installation is needed. More info in Rancher documentation: https://docs.rancherdesktop.io/ui/images/#scanning-images
"},{"location":"ecosystem/ide/#lazytrivy-community","title":"LazyTrivy (Community)","text":"A terminal native UI for Trivy
\ud83d\udc49 Get it at: https://github.com/owenrumney/lazytrivy
"},{"location":"ecosystem/ide/#trivy-vulnerability-explorer-community","title":"Trivy Vulnerability explorer (Community)","text":"Web application that allows you to load a Trivy report in JSON format and displays the vulnerabilities of a single target in an interactive data table.
\ud83d\udc49 Get it at: https://github.com/dbsystel/trivy-vulnerability-explorer
"},{"location":"ecosystem/ide/#trivy-pre-commit-community","title":"Trivy pre-commit (Community)","text":"A Trivy pre-commit hook that runs trivy fs in your git repo before committing, preventing you from committing secrets in the first place.
\ud83d\udc49 Get it at: https://github.com/mxab/pre-commit-trivy
"},{"location":"ecosystem/ide/#aws-cdk","title":"AWS CDK","text":"The AWS Cloud Development Kit (AWS CDK) is an open-source software development framework to define cloud infrastructure in code and provision it through AWS CloudFormation.
"},{"location":"ecosystem/ide/#image-scanner-with-trivy-community","title":"image-scanner-with-trivy (Community)","text":"A CDK Construct Library to scan an image with Trivy in CDK code.
\ud83d\udc49 Get it at: https://constructs.dev/packages/image-scanner-with-trivy
"},{"location":"ecosystem/ide/#headlamp-plugin-community","title":"Headlamp plugin (Community)","text":"Headlamp is a user-friendly Kubernetes UI focused on extensibility. The Kubescape plugin extends Headlamp with views on Trivy reports.
\ud83d\udc49 Get it at: https://github.com/kubebeam/trivy-headlamp-plugin
"},{"location":"ecosystem/prod/","title":"Production and cloud Integrations","text":""},{"location":"ecosystem/prod/#kubernetes","title":"Kubernetes","text":"Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications.
"},{"location":"ecosystem/prod/#trivy-operator-official","title":"Trivy Operator (Official)","text":"Using the Trivy Operator you can install Trivy into a Kubernetes cluster so that it automatically and continuously scans your workloads and cluster for security issues.
\ud83d\udc49 Get it at: https://github.com/aquasecurity/trivy-operator
"},{"location":"ecosystem/prod/#harbor-official","title":"Harbor (Official)","text":"Harbor is an open source cloud native container and artifact registry.
Trivy is natively integrated into Harbor, no installation is needed. More info in Harbor documentation: https://goharbor.io/docs/2.6.0/administration/vulnerability-scanning
"},{"location":"ecosystem/prod/#kyverno-community","title":"Kyverno (Community)","text":"Kyverno is a policy management tool for Kubernetes.
You can use Kyverno to ensure and enforce that deployed workloads' images are scanned for vulnerabilities.
\ud83d\udc49 Get it at: https://neonmirrors.net/post/2022-07/attesting-image-scans-kyverno
"},{"location":"ecosystem/prod/#zora-community","title":"Zora (Community)","text":"Zora is an open-source solution that scans Kubernetes clusters with multiple plugins at scheduled times.
Trivy is integrated into Zora as a vulnerability scanner plugin.
\ud83d\udc49 Get it at: https://zora-docs.undistro.io/latest/plugins/trivy/
"},{"location":"ecosystem/prod/#helmper-community","title":"Helmper (Community)","text":"Helmper is a Go program that reads Helm Charts from remote OCI registries and pushes the Helm Charts and their container images to your OCI registries, with optional OS-level vulnerability patching.
Trivy is integrated into Helmper as a vulnerability scanner in combination with Copacetic to fix detected vulnerabilities.
\ud83d\udc49 Get it at: https://github.com/ChristofferNissen/helmper
"},{"location":"ecosystem/reporting/","title":"Reporting","text":""},{"location":"ecosystem/reporting/#defectdojo-community","title":"DefectDojo (Community)","text":"DefectDojo can parse Trivy JSON reports. The parser supports deduplication and auto-close features.
\ud83d\udc49 Get it at: https://github.com/DefectDojo/django-DefectDojo
"},{"location":"ecosystem/reporting/#secobserve-community","title":"SecObserve (Community)","text":"SecObserve can parse Trivy results as CycloneDX reports and provides a unified overview of vulnerabilities from different sources. Vulnerabilities can be evaluated with manual and rule-based assessments.
\ud83d\udc49 Get it at: https://github.com/SecObserve/SecObserve
"},{"location":"ecosystem/reporting/#scan2html-community","title":"Scan2html (Community)","text":"A Trivy plugin that scans and outputs the results to an interactive HTML file.
\ud83d\udc49 Get it at: https://github.com/fatihtokus/scan2html
"},{"location":"ecosystem/reporting/#sonarqube-community","title":"SonarQube (Community)","text":"A Trivy plugin that converts a JSON report to the SonarQube generic issues format.
\ud83d\udc49 Get it at: https://github.com/umax/trivy-plugin-sonarqube
"},{"location":"ecosystem/reporting/#trivy-streamlit-community","title":"Trivy-Streamlit (Community)","text":"Trivy-Streamlit is a Streamlit application that allows you to quickly parse the results from a Trivy JSON report.
\ud83d\udc49 Get it at: https://github.com/mfreeman451/trivy-streamlit
"},{"location":"ecosystem/reporting/#trivy-vulnerability-explorer-community","title":"Trivy-Vulnerability-Explorer (Community)","text":"This project is a web application that allows you to load a Trivy report in JSON format and displays the vulnerabilities of a single target in an interactive data table.
\ud83d\udc49 Get it at: https://github.com/dbsystel/trivy-vulnerability-explorer
"},{"location":"ecosystem/reporting/#plopseccom-community","title":"plopsec.com (Community)","text":"This project is a web application designed to help you visualize Trivy image scan reports. It enriches the data with additional exploitability metrics from EPSS, Metasploit, and Exploit-DB, updated daily.
\ud83d\udc49 Get it at: https://plopsec.com | https://github.com/pl0psec/plopsec.com
"},{"location":"getting-started/","title":"First steps with Trivy","text":""},{"location":"getting-started/#get-trivy","title":"Get Trivy","text":"Trivy is available in most common distribution channels. The complete list of installation options is available in the Installation page. Here are a few popular examples:
- macOS: brew install trivy
- Docker: docker run aquasec/trivy
- Download binary from GitHub Release
- See Installation for more
Trivy is integrated with many popular platforms and applications. The complete list of integrations is available in the Ecosystem page. Here are a few popular examples:
- GitHub Actions
- Kubernetes operator
- VS Code plugin
- See Ecosystem for more
"},{"location":"getting-started/#general-usage","title":"General usage","text":"Trivy's Command Line Interface pattern follows its major concepts: targets (what you want to scan), and scanners (what you want to scan for):
trivy <target> [--scanners <scanner1,scanner2>] <subject>\n
"},{"location":"getting-started/#examples","title":"Examples","text":"Scan a container image from a registry with the default scanner, which is the Vulnerabilities scanner:
trivy image python:3.4-alpine\n
Scan a local code repository, for vulnerabilities, exposed secrets and misconfigurations:
trivy fs --scanners vuln,secret,misconfig /path/to/myproject\n
Scan a Kubernetes cluster, with all available scanners, and show a summary report:
trivy k8s --report summary cluster\n
For a more complete introduction, check out the basic Trivy Demo: https://github.com/itaysk/trivy-demo
"},{"location":"getting-started/#learn-more","title":"Learn more","text":"Now that you are up and ready, here are some resources to help you deepen your knowledge:
- Learn more about Trivy's capabilities by exploring the complete documentation.
- Explore community questions under GitHub Discussions.
- Stay up to date by watching for New Releases & Announcements.
- Follow Trivy on Twitter/X: @aquatrivy
- Explore and subscribe to our YouTube channel @AquaSecOSS
"},{"location":"getting-started/#want-more-check-out-aqua","title":"Want more? Check out Aqua","text":"If you liked Trivy, you will love Aqua which builds on top of Trivy to provide even more enhanced capabilities for a complete security management offering. You can find a high level comparison table specific to Trivy users here. In addition, check out the https://aquasec.com website for more information about our products and services. If you'd like to contact Aqua or request a demo, please use this form: https://www.aquasec.com/demo
"},{"location":"getting-started/faq/","title":"FAQ","text":""},{"location":"getting-started/faq/#faq","title":"FAQ","text":""},{"location":"getting-started/faq/#how-to-pronounce-the-name-trivy","title":"How to pronounce the name \"Trivy\"?","text":"tri is pronounced like trigger, vy is pronounced like envy.
"},{"location":"getting-started/faq/#does-trivy-support-x","title":"Does Trivy support X?","text":"Check out the Scanning coverage page.
"},{"location":"getting-started/faq/#is-there-a-paid-version-of-trivy","title":"Is there a paid version of Trivy?","text":"If you liked Trivy, you will love Aqua which builds on top of Trivy to provide even more enhanced capabilities for a complete security management offering. You can find a high level comparison table specific to Trivy users here. In addition check out the https://aquasec.com website for more information about our products and services. If you'd like to contact Aqua or request a demo, please use this form: https://www.aquasec.com/demo
"},{"location":"getting-started/faq/#how-to-generate-multiple-reports","title":"How to generate multiple reports?","text":"See here.
"},{"location":"getting-started/faq/#how-to-run-trivy-under-air-gapped-environment","title":"How to run Trivy under air-gapped environment?","text":"See here.
"},{"location":"getting-started/faq/#why-trivy-fs-and-trivy-repo-does-not-scan-jar-files-for-vulnerabilities","title":"Why trivy fs and trivy repo does not scan JAR files for vulnerabilities?","text":"See here.
"},{"location":"getting-started/installation/","title":"Installing Trivy","text":"In this section you will find an aggregation of the different ways to install Trivy. Installation options are labeled as either \"Official\" or \"Community\". Official installations are developed by the Trivy team and supported by it. Community installations could be developed by anyone from the Trivy community, and collected here for your convenience. For support or questions about community installations, please contact the original developers.
Note
If you are looking to integrate Trivy into another system, such as CI/CD, IDE, Kubernetes, etc., please see the Ecosystem section to explore integrations of Trivy with other tools.
"},{"location":"getting-started/installation/#container-image-official","title":"Container image (Official)","text":"Use one of the official Trivy images:
| Registry | Repository | Link |
| --- | --- | --- |
| Docker Hub | docker.io/aquasec/trivy | https://hub.docker.com/r/aquasec/trivy |
| GitHub Container Registry (GHCR) | ghcr.io/aquasecurity/trivy | https://github.com/orgs/aquasecurity/packages/container/package/trivy |
| AWS Elastic Container Registry (ECR) | public.ecr.aws/aquasecurity/trivy | https://gallery.ecr.aws/aquasecurity/trivy |
Tip
It is advisable to mount a persistent cache dir on the host into the Trivy container.
Tip
For scanning container images with Trivy, mount the container engine socket from the host into the Trivy container.
Example:
docker run -v /var/run/docker.sock:/var/run/docker.sock -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:0.68.0 image python:3.4-alpine\n
"},{"location":"getting-started/installation/#github-release-official","title":"GitHub Release (Official)","text":" - Download the file for your operating system/architecture from GitHub Release assets.
- Unpack the downloaded archive (tar -xzf ./trivy.tar.gz).
- Make sure the binary has the execute bit set (chmod +x ./trivy).
"},{"location":"getting-started/installation/#install-script-official","title":"Install Script (Official)","text":"For convenience, you can use the install script to download and install Trivy from GitHub Release.
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin v0.68.0\n
"},{"location":"getting-started/installation/#rhelcentos-official","title":"RHEL/CentOS (Official)","text":"Repository: Add the repository setting to /etc/yum.repos.d.
cat << EOF | sudo tee -a /etc/yum.repos.d/trivy.repo\n[trivy]\nname=Trivy repository\nbaseurl=https://aquasecurity.github.io/trivy-repo/rpm/releases/\\$basearch/\ngpgcheck=1\nenabled=1\ngpgkey=https://aquasecurity.github.io/trivy-repo/rpm/public.key\nEOF\nsudo yum -y update\nsudo yum -y install trivy\n
RPM: Install the release package directly.
rpm -ivh https://github.com/aquasecurity/trivy/releases/download/v0.68.0/trivy_0.68.0_Linux-64bit.rpm\n
"},{"location":"getting-started/installation/#debianubuntu-official","title":"Debian/Ubuntu (Official)","text":"Repository: Add the repository setting to /etc/apt/sources.list.d.
sudo apt-get install wget gnupg\nwget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null\necho \"deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main\" | sudo tee -a /etc/apt/sources.list.d/trivy.list\nsudo apt-get update\nsudo apt-get install trivy\n
DEB: Install the release package directly.
wget https://github.com/aquasecurity/trivy/releases/download/v0.68.0/trivy_0.68.0_Linux-64bit.deb\nsudo dpkg -i trivy_0.68.0_Linux-64bit.deb\n
"},{"location":"getting-started/installation/#homebrew-official","title":"Homebrew (Official)","text":"Homebrew for macOS and Linux.
brew install trivy\n
"},{"location":"getting-started/installation/#windows-official","title":"Windows (Official)","text":" - Download trivy_x.xx.x_windows-64bit.zip file from releases page.
- Unzip file and copy to any folder.
"},{"location":"getting-started/installation/#arch-linux-community","title":"Arch Linux (Community)","text":"Arch Linux Package Repository.
sudo pacman -S trivy\n
References:
- https://archlinux.org/packages/extra/x86_64/trivy/
- https://gitlab.archlinux.org/archlinux/packaging/packages/trivy/-/blob/main/PKGBUILD
"},{"location":"getting-started/installation/#opensuse-community","title":"OpenSUSE (Community)","text":"OpenSUSE Package Repository.
sudo zypper install trivy\n
References:
- https://software.opensuse.org/package/trivy
"},{"location":"getting-started/installation/#macports-community","title":"MacPorts (Community)","text":"MacPorts for macOS.
sudo port install trivy\n
References:
- https://ports.macports.org/port/trivy/details/
"},{"location":"getting-started/installation/#nixnixos-community","title":"Nix/NixOS (Community)","text":"Nix package manager for Linux and macOS.
Command line: nix-env --install -A nixpkgs.trivy
Configuration:
# your other config ...\nenvironment.systemPackages = with pkgs; [\n # your other packages ...\n trivy\n];\n
Home Manager:
# your other config ...\nhome.packages = with pkgs; [\n # your other packages ...\n trivy\n];\n
References:
- https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/admin/trivy/default.nix
"},{"location":"getting-started/installation/#freebsd-official","title":"FreeBSD (Official)","text":"Pkg package manager for FreeBSD.
pkg install trivy\n
"},{"location":"getting-started/installation/#asdfmise-community","title":"asdf/mise (Community)","text":"asdf and mise are quite similar tools you can use to install Trivy. See their respective documentation for more information on how to install and use them:
- asdf
- mise
The plugin used by both tools is developed here.
asdf: A basic global installation is shown below; for a specific version and/or a version local to a directory, see the \"asdf\" documentation.
# Install plugin\nasdf plugin add trivy https://github.com/zufardhiyaulhaq/asdf-trivy.git\n\n# Install latest version\nasdf install trivy latest\n\n# Set a version globally (on your ~/.tool-versions file)\nasdf global trivy latest\n\n# Now trivy commands are available\ntrivy --version\n
mise: A basic global installation is shown below; for a specific version and/or a version local to a directory, see the \"mise\" documentation.
# Install plugin and install latest version\nmise install trivy@latest\n\n# Set a version globally (on your ~/.tool-versions file)\nmise use -g trivy@latest\n\n# Now trivy commands are available\ntrivy --version\n
"},{"location":"getting-started/signature-verification/","title":"Signature Verification","text":"All binaries and container images are signed by Cosign.
"},{"location":"getting-started/signature-verification/#verifying-container-image","title":"Verifying container image","text":"Use the following command for keyless verification:
cosign verify aquasec/trivy:<version> \\\n--certificate-identity-regexp 'https://github\\.com/aquasecurity/trivy/\\.github/workflows/.+' \\\n--certificate-oidc-issuer \"https://token.actions.githubusercontent.com\"\n
You should get the following output:
Verification for index.docker.io/aquasec/trivy:latest --\nThe following checks were performed on each of these signatures:\n - The cosign claims were validated\n - Existence of the claims in the transparency log was verified offline\n - The code-signing certificate was verified using trusted certificate authority certificates\n\n ....\n
"},{"location":"getting-started/signature-verification/#verifying-binary","title":"Verifying binary","text":"Download the required tarball, associated signature and certificate files from the GitHub Release.
Use the following command for keyless verification:
cosign verify-blob <path to binary> \\\n--certificate <path to cert> \\\n--signature <path to sig> \\\n--certificate-identity-regexp 'https://github\\.com/aquasecurity/trivy/\\.github/workflows/.+' \\\n--certificate-oidc-issuer \"https://token.actions.githubusercontent.com\"\n
You should get the following output:
Verified OK\n
"},{"location":"getting-started/signature-verification/#verifying-a-gpg-signature","title":"Verifying a GPG signature","text":"RPM and Deb packages are also signed by GPG.
"},{"location":"getting-started/signature-verification/#verifying-rpm","title":"Verifying RPM","text":"The public key is available at https://aquasecurity.github.io/trivy-repo/rpm/public.key.
First, download and import the key:
curl https://aquasecurity.github.io/trivy-repo/rpm/public.key \\\n--output pub.key\nrpm --import pub.key\nrpm -q --queryformat \"%{SUMMARY}\\n\" $(rpm -q gpg-pubkey)\n
You should get the following output:
gpg(trivy)\n
Then you can verify the signature:
curl -L https://github.com/aquasecurity/trivy/releases/download/<version>/<file name>.rpm \\\n--output trivy.rpm\nrpm -K trivy.rpm\n
You should get the following output:
trivy.rpm: digests signatures OK\n
"},{"location":"guide/","title":"User Guide","text":"Welcome to the Trivy User Guide! Here you can find complete and thorough information about every aspect of Trivy, how to use it, features available, and configuration options.
\ud83d\udc48 Please use the left side navigation to browse the different topics.
"},{"location":"guide/advanced/air-gap/","title":"Connectivity and Network considerations","text":"Trivy requires internet connectivity in order to function normally. If your organization blocks or restricts network traffic, that could prevent Trivy from working correctly. This document explains Trivy's network connectivity requirements, and how to configure Trivy to work in restricted network environments, including completely air-gapped environments.
The following table lists all external resources that are required by Trivy:
| External Resource | Feature | Details |
| --- | --- | --- |
| Vulnerability Database | Vulnerability scanning | Trivy DB |
| Java Vulnerability Database | Java vulnerability scanning | Trivy Java DB |
| Checks Bundle | Misconfigurations scanning | Trivy Checks |
| VEX Hub | VEX Hub | VEX Hub |
| Maven Central / Remote Repositories | Java vulnerability scanning | Java Scanner/Remote Repositories |
Note
Trivy is an open source project that relies on public free infrastructure. In case of extreme load, you may encounter rate limiting when Trivy attempts to connect to external resources.
The rest of this document details each resource's connectivity requirements and network related considerations.
"},{"location":"guide/advanced/air-gap/#oci-databases","title":"OCI Databases","text":"Trivy's Vulnerability Database, Java Vulnerability Database, and Checks Bundle are packaged as OCI images and stored in public container registries.
"},{"location":"guide/advanced/air-gap/#connectivity-requirements","title":"Connectivity requirements","text":"The specific registries and locations are detailed in the databases document.
Communication with OCI Registries follows the OCI Distribution spec.
The following hosts are known to be used by the default container registries:
| Registry | Hosts | Additional info |
| --- | --- | --- |
| Google Artifact Registry | mirror.gcr.io, googlecode.l.googleusercontent.com | Google's IP addresses |
| GitHub Container Registry | ghcr.io, pkg-containers.githubusercontent.com | GitHub's IP addresses |"},{"location":"guide/advanced/air-gap/#self-hosting","title":"Self-hosting","text":"You can host Trivy's databases in your own container registry. Please refer to the Self-hosting document for a detailed guide.
"},{"location":"guide/advanced/air-gap/#embedded-checks","title":"Embedded Checks","text":"Checks Bundle is embedded in the Trivy binary (at build time), and will be used as a fallback if the external database is not available. This means that you can still scan for misconfigurations in an air-gapped environment using the database from the time of the Trivy release you are using.
"},{"location":"guide/advanced/air-gap/#vex-hub","title":"VEX Hub","text":""},{"location":"guide/advanced/air-gap/#connectivity-requirements_1","title":"Connectivity Requirements","text":"VEX Hub is hosted at https://github.com/aquasecurity/vexhub.
Trivy fetches the VEX Hub GitHub repository directly using plain HTTPS requests.
The following hosts are known to be used by GitHub's services:
- api.github.com
- codeload.github.com
For more information about GitHub connectivity (including specific IP addresses), please refer to GitHub's connectivity troubleshooting guide.
"},{"location":"guide/advanced/air-gap/#self-hosting_1","title":"Self-hosting","text":"You can host a copy of VEX Hub on your own internal server. Please refer to the self-hosting document for a detailed guide.
"},{"location":"guide/advanced/air-gap/#maven-central-remote-repositories","title":"Maven Central / Remote Repositories","text":"Trivy might call out to Maven Central or other remote repositories in order to correctly identify Java packages during a vulnerability scan.
"},{"location":"guide/advanced/air-gap/#connectivity-requirements_2","title":"Connectivity requirements","text":"Trivy might attempt to connect (over HTTPS) to the following URLs:
https://repo.maven.apache.org/maven2
"},{"location":"guide/advanced/air-gap/#offline-mode","title":"Offline mode","text":"There is no way to use Maven Central from a network-restricted environment, but you can stop Trivy from trying to reach it with the --offline-scan flag. Because Trivy consults Maven Central to identify Java packages, some Java packages may be identified less precisely in this mode.
"},{"location":"guide/advanced/air-gap/#check-updates-service","title":"Check updates service","text":"Trivy checks for updates and collects usage telemetry by connecting to the following domain: https://check.trivy.dev. Connectivity with this domain is entirely optional and is not necessary for the normal operation of Trivy.
"},{"location":"guide/advanced/modules/","title":"Modules","text":"EXPERIMENTAL
This feature might change without preserving backwards compatibility.
Trivy provides a module feature that lets others extend the Trivy CLI without changing the Trivy code base. A module changes Trivy's behavior during scanning through WebAssembly.
"},{"location":"guide/advanced/modules/#overview","title":"Overview","text":"Trivy modules are add-on tools that integrate seamlessly with Trivy. They provide a way to extend the core feature set of Trivy, but without updating the Trivy binary.
- They can be added and removed from a Trivy installation without impacting the core Trivy tool.
- They can be written in any programming language that compiles to WebAssembly, although only Go is supported at the moment.
You can write your own detection logic.
- Evaluate complex vulnerability conditions like Spring4Shell
- Detect a shell script communicating with malicious domains
- Detect malicious python install script (setup.py)
- Even detect misconfigurations in WordPress setting
- etc.
Then, you can update the scan result however you want.
- Change a severity
- Remove a vulnerability
- Add a new vulnerability
- etc.
Modules should be distributed in OCI registries like GitHub Container Registry.
Warning
WebAssembly doesn't allow file access and network access by default. Modules can read required files only, but cannot overwrite them. WebAssembly is sandboxed and secure by design, but Trivy modules available in public are not audited for security. You should install and run third-party modules at your own risk even though
Under the hood Trivy leverages wazero to run WebAssembly modules without CGO.
"},{"location":"guide/advanced/modules/#installing-a-module","title":"Installing a Module","text":"A module can be installed using the trivy module install command. This command takes a URL; it downloads the module and installs it in the module cache.
Trivy follows the XDG Base Directory specification, so the cache location depends on whether XDG_DATA_HOME is set. Trivy looks for the modules cache in the following order of preference:
- XDG_DATA_HOME if set and .trivy/modules exists within the XDG_DATA_HOME dir
- $HOME/.trivy/modules
For example, to install the Spring4Shell WebAssembly module, run:
$ trivy module install ghcr.io/aquasecurity/trivy-module-spring4shell\n
"},{"location":"guide/advanced/modules/#using-modules","title":"Using Modules","text":"Once the module is installed, Trivy will load all available modules in the cache on the start of the next Trivy execution. The modules may inject custom logic into scanning and change the result. You can run Trivy as usual and modules are loaded automatically.
You will see the log messages about WASM modules.
$ trivy image ghcr.io/aquasecurity/trivy-test-images:spring4shell-jre8\n2022-06-12T12:57:13.210+0300 INFO Loading ghcr.io/aquasecurity/trivy-module-spring4shell/spring4shell.wasm...\n2022-06-12T12:57:13.596+0300 INFO Registering WASM module: spring4shell@v1\n...\n2022-06-12T12:57:14.865+0300 INFO Module spring4shell: Java Version: 8, Tomcat Version: 8.5.77\n2022-06-12T12:57:14.865+0300 INFO Module spring4shell: change CVE-2022-22965 severity from CRITICAL to LOW\n\nJava (jar)\n\nTotal: 9 (UNKNOWN: 1, LOW: 3, MEDIUM: 2, HIGH: 3, CRITICAL: 0)\n\n| Library | Vulnerability | Severity | Installed Version | Fixed Version | Title |\n|---|---|---|---|---|---|\n| org.springframework.boot:spring-boot (helloworld.war) | CVE-2022-22965 | LOW | 2.6.3 | 2.5.12, 2.6.6 | spring-framework: RCE via Data Binding on JDK 9+ (https://avd.aquasec.com/nvd/cve-2022-22965) |\n...(snip)...\n
In the above example, the Spring4Shell module changed the severity from CRITICAL to LOW because the application does not satisfy one of the conditions required for exploitation: the image runs Java 8, while the vulnerability requires JDK 9+.
"},{"location":"guide/advanced/modules/#uninstalling-modules","title":"Uninstalling Modules","text":"Specify the module repository with the trivy module uninstall command.
$ trivy module uninstall ghcr.io/aquasecurity/trivy-module-spring4shell\n
"},{"location":"guide/advanced/modules/#building-modules","title":"Building Modules","text":"It supports Go only at the moment.
"},{"location":"guide/advanced/modules/#go","title":"Go","text":"Trivy provides a Go SDK with three interfaces. Your module must implement Module, plus either or both of Analyzer and PostScanner.
type Module interface {\n Version() int\n Name() string\n}\n\ntype Analyzer interface {\n RequiredFiles() []string\n Analyze(filePath string) (*serialize.AnalysisResult, error)\n}\n\ntype PostScanner interface {\n PostScanSpec() serialize.PostScanSpec\n PostScan(types.Results) (types.Results, error)\n}\n
The following tutorial builds a WordPress module that detects the installed WordPress version and reports a critical vulnerability when that version is affected.
Tips
You can use logging functions such as Debug and Info for debugging. See examples for the detail.
"},{"location":"guide/advanced/modules/#initialize-your-module","title":"Initialize your module","text":"Replace the repository name with yours.
$ go mod init github.com/aquasecurity/trivy-module-wordpress\n
"},{"location":"guide/advanced/modules/#module-interface","title":"Module interface","text":"Version() returns your module version and should be incremented after updates. Name() returns your module name.
package main\n\nimport (\n \"github.com/aquasecurity/trivy/pkg/module/wasm\"\n)\n\nconst (\n version = 1\n name = \"wordpress-module\"\n)\n\n// main is required for Go to compile the Wasm module\nfunc main() {} \n\nfunc init() {\n wasm.RegisterModule(WordpressModule{})\n}\n\ntype WordpressModule struct{\n // Cannot define fields as modules can't keep state.\n}\n\nfunc (WordpressModule) Version() int {\n return version\n}\n\nfunc (WordpressModule) Name() string {\n return name\n}\n
Info
The module struct cannot have any fields: each method invocation is performed in a separate state, so a module cannot keep state between calls.
"},{"location":"guide/advanced/modules/#analyzer-interface","title":"Analyzer interface","text":"If you implement the Analyzer interface, the Analyze method is called whenever a file path matches one of the patterns returned by RequiredFiles(). Each pattern must be a regular expression; the syntax details are here.
Analyze takes the matched file path, then the file can be opened by os.Open().
import (\n \"bufio\"\n \"fmt\"\n \"os\"\n \"strings\"\n\n ftypes \"github.com/aquasecurity/trivy/pkg/fanal/types\"\n \"github.com/aquasecurity/trivy/pkg/module/serialize\"\n)\n\nconst typeWPVersion = \"wordpress-version\"\n\nfunc (WordpressModule) RequiredFiles() []string {\n return []string{\n `wp-includes\\/version.php`,\n }\n}\n\nfunc (WordpressModule) Analyze(filePath string) (*serialize.AnalysisResult, error) {\n f, err := os.Open(filePath) // e.g. filePath: /usr/src/wordpress/wp-includes/version.php\n if err != nil {\n return nil, err\n }\n defer f.Close()\n\n var wpVersion string\n scanner := bufio.NewScanner(f)\n for scanner.Scan() {\n line := scanner.Text()\n // version.php declares the version as: $wp_version = '5.7.1';\n if !strings.HasPrefix(line, \"$wp_version\") {\n continue\n }\n\n ss := strings.Split(line, \"=\")\n if len(ss) != 2 {\n return nil, fmt.Errorf(\"invalid wordpress version: %s\", line)\n }\n\n // NOTE: it is an example; you actually need to handle comments, etc\n ss[1] = strings.TrimSpace(ss[1])\n wpVersion = strings.Trim(ss[1], `'\";`) // strip either quote style and the trailing semicolon\n }\n\n if err = scanner.Err(); err != nil {\n return nil, err\n }\n\n return &serialize.AnalysisResult{\n CustomResources: []ftypes.CustomResource{\n {\n Type: typeWPVersion,\n FilePath: filePath,\n Data: wpVersion,\n },\n },\n }, nil\n}\n
Tips
Trivy caches analysis results keyed by the module version. Clean the cache or bump the module version every time you change Analyzer, otherwise stale results may be served.
"},{"location":"guide/advanced/modules/#postscanner-interface","title":"PostScanner interface","text":"PostScan is called after scanning and takes the scan result as an argument from Trivy. In post scanning, your module can perform one of three actions:
- Insert
- Add a new security finding
- e.g. Add a new vulnerability and misconfiguration
- Update
- Update the detected vulnerability and misconfiguration
- e.g. Change a severity
- Delete
- Delete the detected vulnerability and misconfiguration
- e.g. Remove Spring4Shell because it is not actually affected.
PostScanSpec() returns which action the module does. If it is Update or Delete, it also needs to return IDs such as CVE-ID and misconfiguration ID, which your module wants to update or delete.
The results passed to PostScan contain only the findings matching the IDs you specified. They also include the CustomResources with the values your Analyze returned, so you can modify the scan result according to those custom resources.
func (WordpressModule) PostScanSpec() serialize.PostScanSpec {\n return serialize.PostScanSpec{\n Action: api.ActionInsert, // Add new vulnerabilities\n }\n}\n\nfunc (WordpressModule) PostScan(results types.Results) (types.Results, error) {\n // e.g. results\n // [\n // {\n // \"Target\": \"\",\n // \"Class\": \"custom\",\n // \"CustomResources\": [\n // {\n // \"Type\": \"wordpress-version\",\n // \"FilePath\": \"/usr/src/wordpress/wp-includes/version.php\",\n // \"Layer\": {\n // \"DiffID\": \"sha256:057649e61046e02c975b84557c03c6cca095b8c9accd3bd20eb4e432f7aec887\"\n // },\n // \"Data\": \"5.7.1\"\n // }\n // ]\n // }\n // ] \n var wpVersion string // Data is the string produced by Analyze\n for _, result := range results {\n if result.Class != types.ClassCustom {\n continue\n }\n\n for _, c := range result.CustomResources {\n if c.Type != typeWPVersion {\n continue\n }\n wpVersion = c.Data.(string)\n wasm.Info(fmt.Sprintf(\"WordPress Version: %s\", wpVersion))\n\n ...snip... // ver, affectedVersion, vulnerable and wpPath are set in the snipped part\n\n if affectedVersion.Check(ver) {\n vulnerable = true\n }\n break\n }\n }\n\n if vulnerable {\n // Add CVE-2020-36326\n results = append(results, types.Result{\n Target: wpPath,\n Class: types.ClassLangPkg,\n Type: \"wordpress\",\n Vulnerabilities: []types.DetectedVulnerability {\n {\n VulnerabilityID: \"CVE-2020-36326\",\n PkgName: \"wordpress\",\n InstalledVersion: wpVersion,\n FixedVersion: \"5.7.2\",\n Vulnerability: dbTypes.Vulnerability{\n Title: \"PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname.\",\n Severity: \"CRITICAL\",\n },\n },\n },\n })\n }\n return results, nil\n}\n
The new vulnerability will be added to the scan results. This example shows how the module inserts a new finding. If you are interested in Update, you can see an example of Spring4Shell.
In the Delete action, PostScan needs to return the results you want to delete. If PostScan returns an empty result, Trivy deletes nothing.
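The Analyze example above leaves comment handling to the reader, and the PostScan example elides the version comparison. The following is an added, stand-alone example (not code from Trivy or the trivy-module-wordpress project) that shows both pieces with the standard library only: a version.php parser that ignores PHP line and block comments, and a dotted-version comparison against the fixed version 5.7.2 from the page's example. The sample version.php is constructed; a real module would also apply the version that introduced the bug, which this example omits.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// wpVersionRe matches `$wp_version = '5.7.1';` with any whitespace and either quote style.
var wpVersionRe = regexp.MustCompile(`^\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;`)

// parseWPVersion extracts the WordPress version from the contents of version.php.
// PHP comments are skipped so a commented-out assignment cannot shadow the live one.
func parseWPVersion(content string) (string, error) {
	sc := bufio.NewScanner(strings.NewReader(content))
	inBlock := false // inside a /* ... */ comment
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case inBlock, strings.HasPrefix(line, "/*"):
			inBlock = !strings.Contains(line, "*/")
			continue
		case strings.HasPrefix(line, "//"), strings.HasPrefix(line, "#"):
			continue
		}
		if m := wpVersionRe.FindStringSubmatch(line); m != nil {
			return m[1], nil
		}
	}
	if err := sc.Err(); err != nil {
		return "", err
	}
	return "", fmt.Errorf("no $wp_version assignment found")
}

// parseVersion converts "5.7.1" into integer parts; a non-numeric suffix on a segment is ignored.
func parseVersion(v string) ([]int, error) {
	var parts []int
	for _, seg := range strings.Split(v, ".") {
		i := 0
		for i < len(seg) && seg[i] >= '0' && seg[i] <= '9' {
			i++
		}
		if i == 0 {
			return nil, fmt.Errorf("invalid version %q", v)
		}
		n, err := strconv.Atoi(seg[:i])
		if err != nil {
			return nil, err
		}
		parts = append(parts, n)
	}
	return parts, nil
}

// versionLess reports whether a < b; missing trailing segments count as 0 ("5.7" == "5.7.0").
func versionLess(a, b []int) bool {
	for i := 0; i < len(a) || i < len(b); i++ {
		var x, y int
		if i < len(a) {
			x = a[i]
		}
		if i < len(b) {
			y = b[i]
		}
		if x != y {
			return x < y
		}
	}
	return false
}

// evaluate chains the Analyze step (parse the version) with the PostScan decision
// (is the installed version below the fixed version 5.7.2 from the page's example?).
func evaluate(versionPHP string) (installed string, affected bool, err error) {
	if installed, err = parseWPVersion(versionPHP); err != nil {
		return "", false, err
	}
	iv, err := parseVersion(installed)
	if err != nil {
		return "", false, err
	}
	fixed, _ := parseVersion("5.7.2")
	return installed, versionLess(iv, fixed), nil
}

// sampleVersionPHP is a constructed stand-in for wp-includes/version.php.
const sampleVersionPHP = `<?php
/**
 * WordPress Version
 */
// $wp_version = '4.9.0';
$wp_version = '5.7.1';
$wp_db_version = 49752;
`

func main() {
	fmt.Println(evaluate(sampleVersionPHP)) // 5.7.1 true <nil>
}
```

Inside a real module, parseWPVersion would run in Analyze over the file opened from the matched path, and evaluate's comparison would run in PostScan over the CustomResources data before appending the finding.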
"},{"location":"guide/advanced/modules/#build","title":"Build","text":"Follow the install guide and install Go.
$ GOOS=wasip1 GOARCH=wasm go build -o wordpress.wasm -buildmode=c-shared wordpress.go\n
Put the built binary in the module directory, which is under the home directory by default:
$ mkdir -p ~/.trivy/modules\n$ cp wordpress.wasm ~/.trivy/modules\n
"},{"location":"guide/advanced/modules/#distribute-your-module","title":"Distribute Your Module","text":"You can distribute your own module in OCI registries. Please follow the oras installation instruction.
oras push ghcr.io/aquasecurity/trivy-module-wordpress:latest wordpress.wasm:application/vnd.module.wasm.content.layer.v1+wasm\nUploading 3daa3dac086b wordpress.wasm\nPushed ghcr.io/aquasecurity/trivy-module-wordpress:latest\nDigest: sha256:6416d0199d66ce52ced19f01d75454b22692ff3aa7737e45f7a189880840424f\n
"},{"location":"guide/advanced/modules/#examples","title":"Examples","text":" - Spring4Shell
- WordPress
"},{"location":"guide/advanced/self-hosting/","title":"Self-Hosting Trivy's Databases","text":"This document explains how to host Trivy's external dependencies in your own infrastructure to avoid external network access. If you haven't already, please familiarize yourself with the Databases document, which explains the different databases used by Trivy and the configuration options that control them. This guide assumes you are already familiar with the concepts explained there.
"},{"location":"guide/advanced/self-hosting/#oci-databases","title":"OCI databases","text":"The following Trivy Databases are packaged as OCI images:
- trivy-db
- trivy-java-db
- trivy-checks
To host these databases in your own infrastructure:
"},{"location":"guide/advanced/self-hosting/#make-a-local-copy","title":"Make a local copy","text":"Use any container registry manipulation tool (e.g. crane, ORAS, regclient) to copy the images to your destination registry.
Note
You will need to keep the databases updated in order to maintain relevant scanning results over time.
"},{"location":"guide/advanced/self-hosting/#configure-trivy","title":"Configure Trivy","text":"Use the appropriate database location flags to point Trivy at your registry:
- --db-repository
- --java-db-repository
- --checks-bundle-repository
"},{"location":"guide/advanced/self-hosting/#authentication","title":"Authentication","text":"If the registry requires authentication, you can configure it as described in the private registry authentication document.
"},{"location":"guide/advanced/self-hosting/#oci-media-types","title":"OCI Media Types","text":"When serving, proxying, or manipulating Trivy's databases, note that the media type of the OCI layer is not a standard container image type:
- trivy-db: application/vnd.aquasec.trivy.db.layer.v1.tar+gzip (https://github.com/aquasecurity/trivy-db/pkgs/container/trivy-db)
- trivy-java-db: application/vnd.aquasec.trivy.javadb.layer.v1.tar+gzip (https://github.com/aquasecurity/trivy-java-db/pkgs/container/trivy-java-db)
- trivy-checks: application/vnd.oci.image.manifest.v1+json (https://github.com/aquasecurity/trivy-checks/pkgs/container/trivy-checks)"},{"location":"guide/advanced/self-hosting/#manual-cache-population","title":"Manual cache population","text":"Trivy uses a local cache directory to store the database files, as described in the cache document. You can download the database files and surgically populate the Trivy cache directory with them.
"},{"location":"guide/advanced/self-hosting/#downloading-the-db-files","title":"Downloading the DB files","text":"On a machine with internet access, pull the database container archive from the public registry into your local workspace:
Note that these examples operate in the current working directory.
Using ORAS: This example uses ORAS, but you can use any other container registry manipulation tool.
oras pull ghcr.io/aquasecurity/trivy-db:2\n
You should now have a file called db.tar.gz. Next, extract it to reveal the db files:
tar -xzf db.tar.gz\n
Using Trivy: This example uses Trivy to pull the database container archive. The --cache-dir flag makes Trivy download the database files into the current working directory (they land in its db subdirectory). The --download-db-only flag tells Trivy to only download the database files, not to scan any images.
trivy image --cache-dir . --download-db-only\n
You should now have two new files, metadata.json and trivy.db. These are the Trivy DB files; copy them over to the air-gapped environment.
"},{"location":"guide/advanced/self-hosting/#populating-the-trivy-cache","title":"Populating the Trivy Cache","text":"In order to populate the cache, you need to identify the location of the cache directory. If it is under the default location, you can run the following command to find it:
trivy -h | grep cache\n
For the example, we will assume the TRIVY_CACHE_DIR variable holds the cache location:
TRIVY_CACHE_DIR=/home/user/.cache/trivy\n
Put the Trivy DB files in the Trivy cache directory under a db subdirectory:
# ensure cache db directory exists\nmkdir -p ${TRIVY_CACHE_DIR}/db\n# copy the db files\ncp /path/to/trivy.db /path/to/metadata.json ${TRIVY_CACHE_DIR}/db/\n
"},{"location":"guide/advanced/self-hosting/#java-db-adaptations","title":"Java DB adaptations","text":"For Java DB the process is the same, except for the following:
- Image location is ghcr.io/aquasecurity/trivy-java-db:1
- Archive file name is javadb.tar.gz
- Java DB file names are trivy-java.db and metadata.json
- The cache subdirectory is java-db.
"},{"location":"guide/advanced/self-hosting/#vex-hub","title":"VEX Hub","text":""},{"location":"guide/advanced/self-hosting/#make-a-local-copy_1","title":"Make a local copy","text":"To make a copy of VEX Hub in a location that is accessible to Trivy:
- Download the VEX Hub archive from: https://github.com/aquasecurity/vexhub/archive/refs/heads/main.zip.
- Download the VEX Hub Repository Manifest file from: https://github.com/aquasecurity/vexhub/blob/main/vex-repository.json.
- Create or identify an internal HTTP server that can serve the VEX Hub repository in your environment (e.g. https://server.local).
- Make the downloaded archive file available for serving from your server (e.g. https://server.local/main.zip).
- Modify the downloaded manifest file's Location URL field to the URL of the archive file on your server (e.g. url: https://server.local/main.zip).
- Make the manifest file available for serving from your server under the /.well-known path (e.g. https://server.local/.well-known/vex-repository.json).
"},{"location":"guide/advanced/self-hosting/#configure-trivy_1","title":"Configure Trivy","text":"To configure Trivy to use the local VEX Repository:
- Locate your Trivy VEX configuration file by running trivy vex repo init, then make the following changes to the file.
- Disable the default VEX Hub repo (enabled: false).
- Add your internal VEX Hub repository as a custom repository with the URL pointing to your local server (e.g. url: https://server.local).
"},{"location":"guide/advanced/self-hosting/#authentication_1","title":"Authentication","text":"If your server requires authentication, you can configure it as described in the VEX Repository Authentication document.
"},{"location":"guide/advanced/telemetry-flags/","title":"Telemetry flags","text":"--clear-cache\n--debug\n--dependency-tree\n--detection-priority\n--distro\n--exit-code\n--exit-on-eol\n--format\n--ignore-status\n--ignore-unfixed\n--image-config-scanners\n--include-deprecated-checks\n--include-dev-deps\n--include-non-failures\n--insecure\n--license-full\n--list-all-pkgs\n--misconfig-scanners\n--offline-scan\n--parallel\n--password-stdin\n--pkg-relationships\n--pkg-types\n--quiet\n--redis-tls\n--rego-error-limit\n--removed-pkgs\n--report\n--scanners\n--severity\n--show-suppressed\n--skip-check-update\n--skip-version-check\n--skip-vex-repo-update\n--slow\n--tf-exclude-downloaded-modules\n--timeout\n--trace-http\n--trace-rego\n--vuln-severity-source\n
"},{"location":"guide/advanced/telemetry/","title":"Usage Telemetry","text":"Trivy collects anonymous usage data in order to help us improve the product. This document explains what is collected and how you can control it.
"},{"location":"guide/advanced/telemetry/#data-collected","title":"Data collected","text":"The following information could be collected:
- Environmental information:
- Installation identifier
- Trivy version
- Operating system
- Scan:
- Non-revealing scan options (see below for comprehensive list)
"},{"location":"guide/advanced/telemetry/#captured-scan-options","title":"Captured scan options","text":"The following flags will be included with their value:
--clear-cache\n--debug\n--dependency-tree\n--detection-priority\n--distro\n--exit-code\n--exit-on-eol\n--format\n--ignore-status\n--ignore-unfixed\n--image-config-scanners\n--include-deprecated-checks\n--include-dev-deps\n--include-non-failures\n--insecure\n--license-full\n--list-all-pkgs\n--misconfig-scanners\n--offline-scan\n--parallel\n--password-stdin\n--pkg-relationships\n--pkg-types\n--quiet\n--redis-tls\n--rego-error-limit\n--removed-pkgs\n--report\n--scanners\n--severity\n--show-suppressed\n--skip-check-update\n--skip-version-check\n--skip-vex-repo-update\n--slow\n--tf-exclude-downloaded-modules\n--timeout\n--trace-http\n--trace-rego\n--vuln-severity-source\n
"},{"location":"guide/advanced/telemetry/#privacy","title":"Privacy","text":"No personal information, scan results, or sensitive data is specifically collected. We take the following measures to ensure that:
- Installation identifier: one-way hash of machine fingerprint, resulting in opaque ID.
- Scan: any option that is user-controlled is omitted (never collected). For example, file paths, image names, etc are never collected.
Trivy is an Aqua Security product and adheres to the company's privacy policy: https://aquasec.com/privacy.
"},{"location":"guide/advanced/telemetry/#disabling-telemetry","title":"Disabling telemetry","text":"You can disable telemetry altogether using the --disable-telemetry flag. Like other Trivy flags, this can be set on the command line, YAML configuration file, or environment variable. For more details see here.
For example:
trivy image --disable-telemetry alpine\n
"},{"location":"guide/advanced/container/embed-in-dockerfile/","title":"Embed in Dockerfile","text":"Scan your image as part of the build process by embedding Trivy in the Dockerfile. This approach can be used to update Dockerfiles currently using Aqua\u2019s Microscanner.
$ cat Dockerfile\nFROM alpine:3.7\n\nRUN apk add curl \\\n && curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin \\\n && trivy rootfs --exit-code 1 --no-progress /\n\n$ docker build -t vulnerable-image .\n
Alternatively, you can use Trivy in a multistage build, which avoids the insecure curl | sh pattern and leaves the final image unchanged because the scanner only ever exists in a throwaway stage. [...]\n# Run vulnerability scan on build image\nFROM build AS vulnscan\nCOPY --from=aquasec/trivy:latest /usr/local/bin/trivy /usr/local/bin/trivy\nRUN trivy rootfs --exit-code 1 --no-progress /\n[...]\n
"},{"location":"guide/advanced/container/unpacked-filesystem/","title":"Unpacked Filesystem","text":"Scan an unpacked container image filesystem.
In this case, Trivy works the same way as when scanning container images.
$ mkdir -p /tmp/rootfs\n$ docker export $(docker create alpine:3.10.2) | tar -C /tmp/rootfs -xvf -\n$ trivy rootfs /tmp/rootfs\n
Result 2021-03-08T05:22:26.378Z INFO Need to update DB\n2021-03-08T05:22:26.380Z INFO Downloading DB...\n20.37 MiB / 20.37 MiB [-------------------------------------------------------------------------------------------------------------------------------------] 100.00% 8.24 MiB p/s 2s\n2021-03-08T05:22:30.134Z INFO Detecting Alpine vulnerabilities...\n\n/tmp/rootfs (alpine 3.10.2)\n===========================\nTotal: 20 (UNKNOWN: 0, LOW: 2, MEDIUM: 10, HIGH: 8, CRITICAL: 0)\n\n+--------------+------------------+----------+-------------------+---------------+---------------------------------------+\n| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |\n+--------------+------------------+----------+-------------------+---------------+---------------------------------------+\n| libcrypto1.1 | CVE-2020-1967 | HIGH | 1.1.1c-r0 | 1.1.1g-r0 | openssl: Segmentation |\n| | | | | | fault in SSL_check_chain |\n| | | | | | causes denial of service |\n| | | | | | -->avd.aquasec.com/nvd/cve-2020-1967 |\n+ +------------------+ + +---------------+---------------------------------------+\n| | CVE-2021-23839 | | | 1.1.1j-r0 | openssl: incorrect SSLv2 |\n| | | | | | rollback protection |\n| | | | | | -->avd.aquasec.com/nvd/cve-2021-23839 |\n+ +------------------+ + + +---------------------------------------+\n| | CVE-2021-23840 | | | | openssl: integer |\n| | | | | | overflow in CipherUpdate |\n| | | | | | -->avd.aquasec.com/nvd/cve-2021-23840 |\n+ +------------------+ + + +---------------------------------------+\n| | CVE-2021-23841 | | | | openssl: NULL pointer dereference |\n| | | | | | in X509_issuer_and_serial_hash() |\n| | | | | | -->avd.aquasec.com/nvd/cve-2021-23841 |\n+ +------------------+----------+ +---------------+---------------------------------------+\n| | CVE-2019-1547 | MEDIUM | | 1.1.1d-r0 | openssl: side-channel weak |\n| | | | | | encryption vulnerability |\n| | | | | | -->avd.aquasec.com/nvd/cve-2019-1547 |\n+ 
+------------------+ + + +---------------------------------------+\n| | CVE-2019-1549 | | | | openssl: information |\n| | | | | | disclosure in fork() |\n| | | | | | -->avd.aquasec.com/nvd/cve-2019-1549 |\n+ +------------------+ + +---------------+---------------------------------------+\n| | CVE-2019-1551 | | | 1.1.1d-r2 | openssl: Integer overflow in RSAZ |\n| | | | | | modular exponentiation on x86_64 |\n| | | | | | -->avd.aquasec.com/nvd/cve-2019-1551 |\n+ +------------------+ + +---------------+---------------------------------------+\n| | CVE-2020-1971 | | | 1.1.1i-r0 | openssl: EDIPARTYNAME |\n| | | | | | NULL pointer de-reference |\n| | | | | | -->avd.aquasec.com/nvd/cve-2020-1971 |\n+ +------------------+----------+ +---------------+---------------------------------------+\n| | CVE-2019-1563 | LOW | | 1.1.1d-r0 | openssl: information |\n| | | | | | disclosure in PKCS7_dataDecode |\n| | | | | | and CMS_decrypt_set1_pkey |\n| | | | | | -->avd.aquasec.com/nvd/cve-2019-1563 |\n+--------------+------------------+----------+ +---------------+---------------------------------------+\n| libssl1.1 | CVE-2020-1967 | HIGH | | 1.1.1g-r0 | openssl: Segmentation |\n| | | | | | fault in SSL_check_chain |\n| | | | | | causes denial of service |\n| | | | | | -->avd.aquasec.com/nvd/cve-2020-1967 |\n+ +------------------+ + +---------------+---------------------------------------+\n| | CVE-2021-23839 | | | 1.1.1j-r0 | openssl: incorrect SSLv2 |\n| | | | | | rollback protection |\n| | | | | | -->avd.aquasec.com/nvd/cve-2021-23839 |\n+ +------------------+ + + +---------------------------------------+\n| | CVE-2021-23840 | | | | openssl: integer |\n| | | | | | overflow in CipherUpdate |\n| | | | | | -->avd.aquasec.com/nvd/cve-2021-23840 |\n+ +------------------+ + + +---------------------------------------+\n| | CVE-2021-23841 | | | | openssl: NULL pointer dereference |\n| | | | | | in X509_issuer_and_serial_hash() |\n| | | | | | -->avd.aquasec.com/nvd/cve-2021-23841 |\n+ 
+------------------+----------+ +---------------+---------------------------------------+\n| | CVE-2019-1547 | MEDIUM | | 1.1.1d-r0 | openssl: side-channel weak |\n| | | | | | encryption vulnerability |\n| | | | | | -->avd.aquasec.com/nvd/cve-2019-1547 |\n+ +------------------+ + + +---------------------------------------+\n| | CVE-2019-1549 | | | | openssl: information |\n| | | | | | disclosure in fork() |\n| | | | | | -->avd.aquasec.com/nvd/cve-2019-1549 |\n+ +------------------+ + +---------------+---------------------------------------+\n| | CVE-2019-1551 | | | 1.1.1d-r2 | openssl: Integer overflow in RSAZ |\n| | | | | | modular exponentiation on x86_64 |\n| | | | | | -->avd.aquasec.com/nvd/cve-2019-1551 |\n+ +------------------+ + +---------------+---------------------------------------+\n| | CVE-2020-1971 | | | 1.1.1i-r0 | openssl: EDIPARTYNAME |\n| | | | | | NULL pointer de-reference |\n| | | | | | -->avd.aquasec.com/nvd/cve-2020-1971 |\n+ +------------------+----------+ +---------------+---------------------------------------+\n| | CVE-2019-1563 | LOW | | 1.1.1d-r0 | openssl: information |\n| | | | | | disclosure in PKCS7_dataDecode |\n| | | | | | and CMS_decrypt_set1_pkey |\n| | | | | | -->avd.aquasec.com/nvd/cve-2019-1563 |\n+--------------+------------------+----------+-------------------+---------------+---------------------------------------+\n| musl | CVE-2020-28928 | MEDIUM | 1.1.22-r3 | 1.1.22-r4 | In musl libc through 1.2.1, |\n| | | | | | wcsnrtombs mishandles particular |\n| | | | | | combinations of destination buffer... |\n| | | | | | -->avd.aquasec.com/nvd/cve-2020-28928 |\n+--------------+ + + + + +\n| musl-utils | | | | | |\n| | | | | | |\n| | | | | | |\n| | | | | | |\n+--------------+------------------+----------+-------------------+---------------+---------------------------------------+\n
"},{"location":"guide/advanced/private-registries/","title":"Overview","text":"Trivy can download images from a private registry without the need for installing Docker or any other 3rd party tools. This makes it easy to run within a CI process.
"},{"location":"guide/advanced/private-registries/#login","title":"Login","text":"You can log in to a private registry using the trivy registry login command. Under the hood it stores the credentials in the Docker configuration file (~/.docker/config.json); the configuration file path can be changed with the DOCKER_CONFIG environment variable.
$ cat ~/my_password.txt | trivy registry login --username foo --password-stdin ghcr.io\n$ trivy image ghcr.io/your/private_image\n
"},{"location":"guide/advanced/private-registries/#passing-credentials","title":"Passing Credentials","text":"You can also provide your credentials when scanning.
$ TRIVY_USERNAME=YOUR_USERNAME TRIVY_PASSWORD=YOUR_PASSWORD trivy image YOUR_PRIVATE_IMAGE\n
Warning
When passing credentials via environment variables or CLI flags, Trivy will attempt to use these credentials for all registries encountered during scanning, regardless of the target registry. This can potentially lead to unintended credential exposure. To mitigate this risk:
- Set credentials cautiously and only when necessary.
- Prefer using trivy registry login to pre-configure credentials for specific registries, which ensures credentials are only sent to the appropriate registries.
Trivy also supports providing credentials through CLI flags:
$ TRIVY_PASSWORD=YOUR_PASSWORD trivy image --username YOUR_USERNAME YOUR_PRIVATE_IMAGE\n
Warning
The CLI flag --password is available, but its use is not recommended for security reasons.
You can also store your credentials in trivy.yaml. For more information, please refer to the documentation.
It can handle multiple sets of credentials as well:
$ export TRIVY_USERNAME=USERNAME1,USERNAME2\n$ export TRIVY_PASSWORD=PASSWORD1,PASSWORD2\n$ trivy image YOUR_PRIVATE_IMAGE\n
In the example above, Trivy attempts to use two pairs of credentials:
- USERNAME1/PASSWORD1
- USERNAME2/PASSWORD2
Please note that the number of usernames and passwords must be the same.
Note
--password-stdin doesn't support comma-separated passwords.
"},{"location":"guide/advanced/private-registries/acr/","title":"Requirements","text":"None, Trivy uses Azure SDK for Go. You don't need to install az command.
"},{"location":"guide/advanced/private-registries/acr/#privileges","title":"Privileges","text":"Service principal must have the AcrPull permissions.
"},{"location":"guide/advanced/private-registries/acr/#creation-of-a-service-principal","title":"Creation of a service principal","text":"export SP_DATA=$(az ad sp create-for-rbac --name TrivyTest --role AcrPull --scope \"/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.ContainerRegistry/registries/<registry_name>\")\n
"},{"location":"guide/advanced/private-registries/acr/#usage","title":"Usage","text":"# TRIVY_USERNAME must be left empty so that the Azure SDK credentials are used\nexport AZURE_CLIENT_ID=$(echo $SP_DATA | jq -r '.appId')\nexport AZURE_CLIENT_SECRET=$(echo $SP_DATA | jq -r '.password')\nexport AZURE_TENANT_ID=$(echo $SP_DATA | jq -r '.tenant')\n
"},{"location":"guide/advanced/private-registries/acr/#testing","title":"Testing","text":"You can test credentials in the following manner.
docker run -it --rm -v /tmp:/tmp \\\n -e AZURE_CLIENT_ID -e AZURE_CLIENT_SECRET -e AZURE_TENANT_ID \\\n aquasec/trivy image your_special_project.azurecr.io/your_special_image:your_special_tag\n
"},{"location":"guide/advanced/private-registries/docker-hub/","title":"Docker Hub","text":"See here for the details. You don't need to provide credentials when downloading from a public repository.
"},{"location":"guide/advanced/private-registries/ecr/","title":"AWS ECR (Elastic Container Registry)","text":"Trivy uses the AWS SDK. You don't need to install the aws CLI tool. You can use the AWS CLI's environment variables.
"},{"location":"guide/advanced/private-registries/ecr/#aws-private-registry-permissions","title":"AWS private registry permissions","text":"You may need to grant permissions to allow Trivy to pull images from private ECR.
It depends on how you want to provide the AWS role to Trivy.
- IAM Role Service account
- Kube2iam or Kiam
"},{"location":"guide/advanced/private-registries/ecr/#iam-role-service-account","title":"IAM Role Service account","text":"Add the AWS role in trivy's service account annotations:
trivy:\n\n serviceAccount:\n annotations: {}\n # eks.amazonaws.com/role-arn: arn:aws:iam::ACCOUNT_ID:role/IAM_ROLE_NAME\n
"},{"location":"guide/advanced/private-registries/ecr/#kube2iam-or-kiam","title":"Kube2iam or Kiam","text":"Add the AWS role to pod's annotations:
podAnnotations: {}\n ## kube2iam/kiam annotation\n # iam.amazonaws.com/role: arn:aws:iam::ACCOUNT_ID:role/IAM_ROLE_NAME\n
"},{"location":"guide/advanced/private-registries/gcr/","title":"Requirements","text":"None, Trivy uses Google Cloud SDK. You don't need to install gcloud command.
"},{"location":"guide/advanced/private-registries/gcr/#privileges","title":"Privileges","text":"The credential file must have the roles/storage.objectViewer permission. More information can be found in Google's documentation.
"},{"location":"guide/advanced/private-registries/gcr/#json-file-format","title":"JSON File Format","text":"The JSON file specified should have the following format provided by google's service account mechanisms:
{\n \"type\": \"service_account\",\n \"project_id\": \"your_special_project\",\n \"private_key_id\": \"XXXXXXXXXXXXXXXXXXXXxx\",\n \"private_key\": \"-----BEGIN PRIVATE KEY-----\\nNONONONO\\n-----END PRIVATE KEY-----\\n\",\n \"client_email\": \"somedude@your_special_project.iam.gserviceaccount.com\",\n \"client_id\": \"1234567890\",\n \"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\",\n \"token_uri\": \"https://oauth2.googleapis.com/token\",\n \"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\",\n \"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/somedude%40your_special_project.iam.gserviceaccount.com\"\n}\n
"},{"location":"guide/advanced/private-registries/gcr/#usage","title":"Usage","text":"If you want to use the target project's repository, set the path to the credential file via GOOGLE_APPLICATION_CREDENTIALS.
# TRIVY_USERNAME must be left empty so that the Google Cloud SDK credentials are used\nexport GOOGLE_APPLICATION_CREDENTIALS=/path/to/credential.json\n
"},{"location":"guide/advanced/private-registries/gcr/#testing","title":"Testing","text":"You can test credentials in the following manner (assuming they are in /tmp on host machine).
docker run -it --rm -v /tmp:/tmp\\\n -e GOOGLE_APPLICATION_CREDENTIALS=/tmp/service_account.json\\\n aquasec/trivy image gcr.io/your_special_project/your_special_image:your_special_tag\n
"},{"location":"guide/advanced/private-registries/self/","title":"Self-Hosted","text":"BasicAuth server needs TRIVY_USERNAME and TRIVY_PASSWORD.
export TRIVY_USERNAME={USERNAME}\nexport TRIVY_PASSWORD={PASSWORD}\n\n# if you want to use 80 port, use NonSSL\nexport TRIVY_NON_SSL=true\n
"},{"location":"guide/compliance/compliance/","title":"Built-in Compliance Reports","text":"EXPERIMENTAL
This feature might change without preserving backwards compatibility.
Trivy\u2019s compliance flag lets you curate a specific set of checks into a report. In a typical Trivy scan, there are hundreds of different checks for many different components and configurations, but sometimes you already know which specific checks you are interested in. Often this would be an industry accepted set of checks such as CIS, or some vendor specific guideline, or your own organization policy that you want to comply with. These are all possible using the flexible compliance infrastructure that's built into Trivy. Compliance reports are defined as simple YAML documents that select checks to include in the report.
"},{"location":"guide/compliance/compliance/#usage","title":"Usage","text":"Compliance report is currently supported in the following targets (trivy sub-commands):
- trivy image
- trivy k8s
Add the --compliance flag to the command line, and set its value to the desired report. For example: trivy k8s cluster --compliance k8s-nsa (see below for built-in and custom reports)
"},{"location":"guide/compliance/compliance/#options","title":"Options","text":"The following flags are compatible with the --compliance flag and allow customizing its output:
| flag | effect |
|---|---|
| --report summary | shows a summary of the results. For every control, shows the number of failed checks. |
| --report all | shows fully detailed results. For every control, shows where it failed and why. |
| --format table | shows results in textual table format (good for human readability). |
| --format json | shows results in JSON format (good for machine readability). |
"},{"location":"guide/compliance/compliance/#built-in-compliance","title":"Built-in compliance","text":"Trivy has a number of built-in compliance reports that you can assess right out of the box. To specify a built-in compliance report, select it by ID like trivy --compliance <compliance_id>.
For the list of built-in compliance reports, please see the relevant section:
- Docker compliance
- Kubernetes compliance
"},{"location":"guide/compliance/compliance/#contribute-a-built-in-compliance-report","title":"Contribute a Built-in Compliance Report","text":""},{"location":"guide/compliance/compliance/#define-a-compliance-spec-based-on-cis-benchmark-or-other-specs","title":"Define a Compliance spec, based on CIS benchmark or other specs","text":"Here is an example for CIS compliance report:
---\nspec:\n id: k8s-cis-1.23\n title: CIS Kubernetes Benchmarks v1.23\n description: CIS Kubernetes Benchmarks\n platform: k8s\n type: cis\n version: '1.23'\n relatedResources:\n - https://www.cisecurity.org/benchmark/kubernetes\n controls:\n - id: 1.1.1\n name: Ensure that the API server pod specification file permissions are set to\n 600 or more restrictive\n description: Ensure that the API server pod specification file has permissions\n of 600 or more restrictive\n checks:\n - id: AVD-KCV-0073\n commands:\n - id: CMD-0001\n severity: HIGH\n
"},{"location":"guide/compliance/compliance/#compliance-id","title":"Compliance ID","text":"The ID field is the name used to select the compliance scan via trivy. Example:
trivy k8s --compliance k8s-cis-1.23\n
ID naming convention: {platform}-{type}-{version}
"},{"location":"guide/compliance/compliance/#compliance-platform","title":"Compliance Platform","text":"The platform field specifies the type of platform on which to run this compliance report. Supported platforms:
- k8s (native kubernetes cluster)
- eks (elastic kubernetes service)
- aks (azure kubernetes service)
- gke (google kubernetes engine)
- rke2 (rancher kubernetes engine v2)
- ocp (OpenShift Container Platform)
- docker (docker engine)
- aws (amazon web services)
"},{"location":"guide/compliance/compliance/#compliance-type","title":"Compliance Type","text":"The type field specifies the kind of compliance report.
- cis (Center for Internet Security)
- nsa (National Security Agency)
- pss (Pod Security Standards)
"},{"location":"guide/compliance/compliance/#compliance-version","title":"Compliance Version","text":"The version field specifies the version of the compliance report.
- 1.23
"},{"location":"guide/compliance/compliance/#compliance-check-id","title":"Compliance Check ID","text":"Specify the check ID that needs to be evaluated based on the information collected from the command data output to assess the control.
Example of how to define check data under checks folder:
# METADATA\n# title: \"Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive\"\n# description: \"Ensure that the kubelet.conf file has permissions of 600 or more restrictive.\"\n# scope: package\n# schemas:\n# - input: schema[\"kubernetes\"]\n# related_resources:\n# - https://www.cisecurity.org/benchmark/kubernetes\n# custom:\n# id: KCV0073\n# avd_id: AVD-KCV-0073\n# severity: HIGH\n# short_code: ensure-kubelet.conf-file-permissions-600-or-more-restrictive.\n# recommended_action: \"Change the kubelet.conf file permissions to 600 or more restrictive if exist\"\n# input:\n# selector:\n# - type: kubernetes\npackage builtin.kubernetes.KCV0073\n\nimport data.lib.kubernetes\n\ntypes := [\"master\", \"worker\"]\n\nvalidate_kubelet_file_permission(sp) := {\"kubeletConfFilePermissions\": violation} {\n sp.kind == \"NodeInfo\"\n sp.type == types[_]\n violation := {permission | permission = sp.info.kubeletConfFilePermissions.values[_]; permission > 600}\n count(violation) > 0\n}\n\ndeny[res] {\n output := validate_kubelet_file_permission(input)\n msg := \"Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive\"\n res := result.new(msg, output)\n}\n
"},{"location":"guide/compliance/compliance/#compliance-command-id","title":"Compliance Command ID","text":"Note: This field is not mandatory; it is relevant to the k8s compliance report when the node-collector is in use.
Specify the command ID (#ref) that needs to be executed to collect the information required to evaluate the control.
Example of how to define command data under the commands folder:
---\n- id: CMD-0001\n key: kubeletConfFilePermissions\n title: kubelet.conf file permissions\n nodeType: worker\n audit: stat -c %a $kubelet.kubeconfig\n platforms:\n - k8s\n - aks\n
"},{"location":"guide/compliance/compliance/#command-id","title":"Command ID","text":"Find the next command ID by running the command on trivy-checks project.
make command-id\n
"},{"location":"guide/compliance/compliance/#command-key","title":"Command Key","text":" - Re-use an existing key or specify a new one (make sure key name has no spaces)
Note: The key value should match the key name evaluated by the Rego check.
"},{"location":"guide/compliance/compliance/#command-title","title":"Command Title","text":"Represents the purpose of the command.
"},{"location":"guide/compliance/compliance/#command-nodetype","title":"Command NodeType","text":"Specify the node type on which the command is supposed to run.
- worker
- master
"},{"location":"guide/compliance/compliance/#command-audit","title":"Command Audit","text":"Specify here the shell command to be used. Please make sure to add error suppression (2>/dev/null).
"},{"location":"guide/compliance/compliance/#command-platforms","title":"Command Platforms","text":"The list of platforms that support this command. Names should be taken from the Platforms list above.
"},{"location":"guide/compliance/compliance/#command-config-files","title":"Command Config Files","text":"The commands use a configuration file that helps obtain the paths to binaries and configuration files based on different platforms (e.g., Rancher, native Kubernetes, etc.).
For example:
kubelet:\n bins:\n - kubelet\n - hyperkube kubelet\n confs:\n - /etc/kubernetes/kubelet-config.yaml\n - /var/lib/kubelet/config.yaml\n
"},{"location":"guide/compliance/compliance/#commands-files-location","title":"Commands Files Location","text":"Currently, check files are located at https://github.com/aquasecurity/trivy-checks/tree/main/checks
Command files are located at https://github.com/aquasecurity/trivy-checks/tree/main/commands, under the command file
Note: command config files are also located under https://github.com/aquasecurity/trivy-checks/tree/main/commands
"},{"location":"guide/compliance/compliance/#node-collector-output","title":"Node-collector output","text":"The node collector will read commands and execute each command, and incorporate the output into the NodeInfo resource.
Example:
{\n \"apiVersion\": \"v1\",\n \"kind\": \"NodeInfo\",\n \"metadata\": {\n \"creationTimestamp\": \"2023-01-04T11:37:11+02:00\"\n },\n \"type\": \"master\",\n \"info\": {\n \"adminConfFileOwnership\": {\n \"values\": [\n \"root:root\"\n ]\n },\n \"adminConfFilePermissions\": {\n \"values\": [\n 600\n ]\n }\n ...\n }\n}\n
"},{"location":"guide/compliance/compliance/#custom-compliance","title":"Custom compliance","text":"You can create your own custom compliance report. A compliance report is a simple YAML document in the following format:
spec:\n id: \"k8s-myreport\" # report unique identifier. this should not contain spaces.\n title: \"My custom Kubernetes report\" # report title. Any one-line title.\n description: \"Describe your report\" # description of the report. Any text.\n relatedResources :\n - https://some.url # useful references. URLs only.\n version: \"1.0\" # spec version (string)\n controls:\n - name: \"Non-root containers\" # Name for the control (appears in the report as is). Any one-line name.\n description: 'Check that container is not running as root' # Description (appears in the report as is). Any text.\n id: \"1.0\" # control identifier (string)\n checks: # list of existing Trivy checks that define the control\n - id: AVD-KSV-0012 # check ID. Must start with `AVD-` or `CVE-` \n severity: \"MEDIUM\" # Severity for the control (note that checks severity isn't used)\n - name: \"Immutable container file systems\"\n description: 'Check that container root file system is immutable'\n id: \"1.1\"\n checks:\n - id: AVD-KSV-0014\n severity: \"LOW\"\n
The check id field (controls[].checks[].id) refers to an existing check by its \"AVD ID\". This AVD ID is easily located in the check's source code metadata header, or by browsing the Aqua vulnerability DB, specifically in the Misconfigurations and Vulnerabilities sections.
Once you have a compliance spec, you can select it by file path: trivy --compliance @</path/to/compliance.yaml> (note the @ indicating file path instead of report id).
"},{"location":"guide/compliance/contrib-compliance/","title":"Custom Compliance Spec","text":"Trivy supports several different compliance specs. The details on compliance scanning with Trivy are provided in the compliance documentation. All of the Compliance Specs currently available in Trivy can be found in the trivy-checks/pkg/specs/compliance/ directory (Link).
New checks are based on the custom compliance report detailed in the main documentation. If you would like to create your custom compliance report, please reference the information in the main documentation. This section details how community members can contribute new Compliance Specs to Trivy.
All compliance specs in Trivy are based on formal compliance reports such as CIS Benchmarks.
"},{"location":"guide/compliance/contrib-compliance/#contributing-new-compliance-specs","title":"Contributing new Compliance Specs","text":"Compliance specs can be based on new compliance reports becoming available e.g. a new CIS Benchmark version, or identifying missing compliance specs that Trivy users would like to access.
"},{"location":"guide/compliance/contrib-compliance/#create-a-new-compliance-spec","title":"Create a new Compliance Spec","text":"The existing compliance specs in Trivy are located under the trivy-checks/pkg/specs/compliance/ directory (Link).
Create a new file under trivy-checks/specs/compliance/ and name the file in the format of \"provider-resource-spectype-version.yaml\". For example, the file name for AWS CIS Benchmarks for EKS version 1.4 is: aws-eks-cis-1.4.yaml. Note that if the compliance spec is not specific to a provider, the provider field can be ignored.
"},{"location":"guide/compliance/contrib-compliance/#minimum-spec-structure","title":"Minimum spec structure","text":"The structure of the compliance spec is detailed in the main documentation.
The first section in the spec is focused on the metadata of the spec. Replace all the fields of the metadata with the information relevant to the compliance spec that will be added. This information can be taken from the official report e.g. the CIS Benchmark report.
"},{"location":"guide/compliance/contrib-compliance/#populating-the-control-section","title":"Populating the control section","text":"Compliance specs detail a set of checks that should pass so that the resource is compliant with the official benchmark specifications. There are two ways in which Trivy compliance checks can enforce the compliance specification:
- The check is available in Trivy as part of trivy-checks and can be referenced in the Compliance Spec
- The check is not available in Trivy and a manual check has to be added to the Compliance Spec
Additional information is provided below.
"},{"location":"guide/compliance/contrib-compliance/#1-referencing-a-check-that-is-already-part-of-trivy","title":"1. Referencing a check that is already part of Trivy","text":"Trivy has a comprehensive list of checks as part of its misconfiguration scanning. These can be found in the trivy-checks/checks directory (Link). If the check is present, the AVD_ID and other information from the check has to be used.
Note: Take a look at the more generic compliance specs that are already available in Trivy. If you are adding a new compliance spec for Kubernetes, e.g. AWS EKS CIS Benchmarks, chances are high that the check you would like to add to the new spec has already been defined in the general k8s-ci-v.000.yaml compliance spec. The same applies to creating specific Cloud Provider Compliance Specs versus the generic compliance specs available.
For example, the following check is detailed in the AWS EKS CIS v1.4 Benchmark: 3.1.2 Ensure that the kubelet kubeconfig file ownership is set to root:root (Manual)
This check can be found in the general K8s CIS Compliance Benchmark: k8s-cis-1.23.yaml (Link)
Thus, we can use the information already present:
- id: 3.1.2\n name: Ensure that the kubelet service file ownership is set to root:root (Manual)\n description: Ensure that the kubelet service file ownership is set to root:root\n checks:\n - id: AVD-KCV-0070\n severity: HIGH\n
- The ID, name, and description are taken directly from the AWS EKS CIS Benchmarks
- The check and severity are taken from the existing compliance check in the k8s-cis-1.23.yaml
"},{"location":"guide/compliance/contrib-compliance/#2-referencing-a-check-manually-that-is-not-part-of-the-trivy-default-checks","title":"2. Referencing a check manually that is not part of the Trivy default checks","text":"If the check does not already exist in the Aqua Vulnerability Database (AVD) and is not part of the trivy-checks, the fields in the compliance spec for the check have to be populated manually. This is done by referencing the information in the official compliance specification.
Below is the beginning of the information of the EKS CIS Benchmarks v1.4.0:
The corresponding check in the control section will look like this:
- id: 2.1.1\n name: Enable audit Logs (Manual)\n description: |\n Control plane logs provide visibility into operation of the EKS Control plane components systems. \n The API server audit logs record all accepted and rejected requests in the cluster. \n When enabled via EKS configuration the control plane logs for a cluster are exported to a CloudWatch \n Log Group for persistence.\n checks: null\n severity: MEDIUM\n
- Again, the id, name and description are taken directly from the EKS CIS Benchmarks v1.4.0
- The checks field is in this case null, as the check is not currently present in the AVD and does not have a check in the trivy policies repository
- Since the check does not exist in Trivy, the severity will be MEDIUM. However, in some cases the compliance report (e.g. the CIS Benchmark report) will specify the severity
"},{"location":"guide/compliance/contrib-compliance/#contributing-new-checks-to-trivy-checks","title":"Contributing new checks to trivy-checks","text":"All of the checks in trivy-policies can be referenced in the compliance specs. To write new Rego checks for Trivy, please take a look at the contributing documentation for checks.
"},{"location":"guide/compliance/contrib-compliance/#test-the-compliance-spec","title":"Test the Compliance Spec","text":"To test the compliance check, pass the new path into the Trivy scan through the --compliance flag. For instance, to pass the check to the Trivy Kubernetes scan use the following command structure:
trivy k8s cluster --compliance @</path/to/compliance.yaml> --report summary\n
Note: The @ is required before the filepath.
"},{"location":"guide/configuration/","title":"Configuration","text":"Trivy's settings can be configured in any of the following methods, which will apply in the following precedence:
- CLI flags (overrides all other settings)
- Environment variables (overrides config file settings)
- Configuration file
"},{"location":"guide/configuration/#cli-flags","title":"CLI Flags","text":"You can view the list of available flags by adding the --help flag to a Trivy command, or by exploring the CLI reference.
"},{"location":"guide/configuration/#environment-variables","title":"Environment Variables","text":"Any CLI option can be set as an environment variable. The environment variable names are similar to the CLI option names, with the following augmentations:
- Add the TRIVY_ prefix
- All uppercase letters
- Replace - with _
For example:
- --debug => TRIVY_DEBUG
- --cache-dir => TRIVY_CACHE_DIR
$ TRIVY_DEBUG=true TRIVY_SEVERITY=CRITICAL trivy image alpine:3.15\n
"},{"location":"guide/configuration/#configuration-file","title":"Configuration File","text":"Any setting can be set in a YAML file. By default, config file named trivy.yaml is read from the current directory where Trivy is run. To load configuration from a different file, use the --config flag and specify the config path to load: trivy --config /etc/trivy/myconfig.yaml.
The structure and settings of the YAML config file is documented in the Config file document.
"},{"location":"guide/configuration/cache/","title":"Cache","text":"The cache directory includes
- Cache of previous scans (Scan cache).
- Vulnerability Database [1]
- Java Index Database [2]
- Misconfiguration Checks [3]
- VEX Repositories
The cache option is common to all scanners.
"},{"location":"guide/configuration/cache/#clear-caches","title":"Clear Caches","text":"trivy clean subcommand removes caches.
$ trivy clean --scan-cache\n
Result 2024-06-21T21:58:21+04:00 INFO Removing scan cache...\n
If you want to delete cached vulnerability databases, use --vuln-db. You can also delete all caches with --all. See trivy clean --help for details.
"},{"location":"guide/configuration/cache/#cache-directory","title":"Cache Directory","text":"Specify where the cache is stored with --cache-dir.
$ trivy --cache-dir /tmp/trivy/ image python:3.4-alpine3.9\n
"},{"location":"guide/configuration/cache/#scan-cache-backend","title":"Scan Cache Backend","text":"EXPERIMENTAL
This feature might change without preserving backwards compatibility.
Trivy utilizes a scan cache to store analysis results, such as package lists. It supports three types of backends for this cache:
- Local File System (fs): the cache path can be specified by --cache-dir
- Memory (memory)
- Redis (redis://): redis://[HOST]:[PORT]; the TTL can be configured via --cache-ttl
"},{"location":"guide/configuration/cache/#local-file-system","title":"Local File System","text":"The local file system backend is the default choice for container image, VM image and repository scans.
Note
Internally, this backend uses BoltDB, which has an important limitation: only one process can access the cache at a time. Subsequent processes attempting to access the cache will be locked. For more details on this limitation, refer to the troubleshooting guide.
"},{"location":"guide/configuration/cache/#memory","title":"Memory","text":"The memory backend stores analysis results in memory, which means the cache is discarded when the process ends. This makes it useful in scenarios where caching is not required or desired. It serves as the default for filesystem and SBOM scans and can also be employed for container image scans when caching is unnecessary.
To use the memory backend for a container image scan, you can use the following command:
$ trivy image debian:11 --cache-backend memory\n
"},{"location":"guide/configuration/cache/#redis","title":"Redis","text":"The Redis backend is particularly useful when you need to share the cache across multiple Trivy instances. You can set up Trivy to use a Redis backend with a command like this:
$ trivy server --cache-backend redis://localhost:6379\n
This approach allows for centralized caching, which can be beneficial in distributed or high-concurrency environments.
If you want to use TLS with Redis, you can enable it by specifying the --redis-tls flag.
$ trivy server --cache-backend redis://localhost:6379 --redis-tls\n
Trivy also supports connecting to Redis with your certificates. You need to specify --redis-ca , --redis-cert , and --redis-key options.
$ trivy server --cache-backend redis://localhost:6379 \\\n --redis-ca /path/to/ca-cert.pem \\\n --redis-cert /path/to/cert.pem \\\n --redis-key /path/to/key.pem\n
[1] Downloaded when scanning for vulnerabilities
[2] Downloaded when scanning jar/war/par/ear files
[3] Downloaded when scanning for misconfigurations
"},{"location":"guide/configuration/db/","title":"Trivy Databases","text":"When you install Trivy, the installed artifact contains the scanner engine but is lacking relevant security information needed to make security detections and recommendations. These so called \"databases\" are automatically fetched and maintained by Trivy as needed, so normally you shouldn't notice or worry about them. This document elaborates on the database management mechanism and its configuration options.
Trivy relies on the following databases:
| DB | Artifact name | Contents | Purpose |
|---|---|---|---|
| Vulnerabilities DB | trivy-db | CVE information collected from various feeds | used only for vulnerability scanning |
| Java DB | trivy-java-db | Index of Java artifacts and their hash digest | used to identify Java artifacts only in JAR scanning |
| Checks Bundle | trivy-checks | Logic of misconfiguration checks | used only in misconfiguration/IaC scanning |
Note
This is not an exhaustive list of Trivy's external connectivity requirements. There are additional external resources which may be required by specific Trivy features. To learn about external connectivity requirements, see the Advanced Network Scenarios.
"},{"location":"guide/configuration/db/#locations","title":"Locations","text":"Trivy's databases are published to the following locations:
| Registry | Image Address | Link |
|---|---|---|
| GHCR | ghcr.io/aquasecurity/trivy-db | https://ghcr.io/aquasecurity/trivy-db |
| GHCR | ghcr.io/aquasecurity/trivy-java-db | https://ghcr.io/aquasecurity/trivy-java-db |
| GHCR | ghcr.io/aquasecurity/trivy-checks | https://ghcr.io/aquasecurity/trivy-checks |
| Docker Hub | aquasec/trivy-db | https://hub.docker.com/r/aquasec/trivy-db |
| Docker Hub | aquasec/trivy-java-db | https://hub.docker.com/r/aquasec/trivy-java-db |
| Docker Hub | aquasec/trivy-checks | https://hub.docker.com/r/aquasec/trivy-checks |
| AWS ECR | public.ecr.aws/aquasecurity/trivy-db | https://gallery.ecr.aws/aquasecurity/trivy-db |
| AWS ECR | public.ecr.aws/aquasecurity/trivy-java-db | https://gallery.ecr.aws/aquasecurity/trivy-java-db |
| AWS ECR | public.ecr.aws/aquasecurity/trivy-checks | https://gallery.ecr.aws/aquasecurity/trivy-checks |
In addition, images are also available via pull-through cache registries like Google Container Registry Mirror.
"},{"location":"guide/configuration/db/#default-locations","title":"Default Locations","text":"Trivy will attempt to pull images from the following registries in the order specified.
1. mirror.gcr.io/aquasec
2. ghcr.io/aquasecurity
You can specify additional alternative repositories as explained in the configuring database locations section.
"},{"location":"guide/configuration/db/#db-management-configuration","title":"DB Management Configuration","text":""},{"location":"guide/configuration/db/#database-locations","title":"Database Locations","text":"You can configure Trivy to download databases from alternative locations by using the flags:
- --db-repository
- --java-db-repository
- --checks-bundle-repository
The value should be an image address in a container registry.
For example:
trivy image --db-repository registry.gitlab.com/gitlab-org/security-products/dependencies/trivy-db alpine\n
The flag accepts multiple values, which can be used to specify multiple alternative repository locations. In case of transient errors (e.g. status 429 or 5xx), Trivy will fall back to alternative registries in the order specified.
For example:
trivy image --db-repository my.registry.local/trivy-db --db-repository registry.gitlab.com/gitlab-org/security-products/dependencies/trivy-db alpine\n
The Checks Bundle registry location option does not support fallback through multiple options. This is because in case of a failure pulling the Checks Bundle, Trivy will use the embedded checks as a fallback.
Note
Setting the repository location flags overrides the default values which include the official db locations. In case you want to preserve the default locations, you should include them in the list you set as repository locations.
Note
When pulling trivy-db or trivy-java-db, if an image tag is not specified, Trivy defaults to the db schema number instead of the latest tag.

### Skip updates

You can configure Trivy to not attempt to download any or all database(s), using the flags:

- `--skip-db-update`
- `--skip-java-db-update`
- `--skip-check-update`

For example:

```shell
trivy image --skip-db-update --skip-java-db-update --skip-check-update alpine
```

### Only update

You can ask Trivy to only update the database without performing a scan. This action will ensure Trivy is up to date, and populate Trivy's database cache for subsequent scans.

- `--download-db-only`
- `--download-java-db-only`

For example:

```shell
trivy image --download-db-only
```

Note that currently there is no option to download only the Checks Bundle.

### Remove Databases

The `trivy clean` command removes caches and databases. You can select which cache component to remove:

| Option            | Description                                                 |
| ----------------- | ----------------------------------------------------------- |
| `-a`/`--all`      | remove all caches                                           |
| `--checks-bundle` | remove checks bundle                                        |
| `--java-db`       | remove Java database                                        |
| `--scan-cache`    | remove scan cache (container and VM image analysis results) |
| `--vuln-db`       | remove vulnerability database                               |

Example:
```shell
$ trivy clean --vuln-db --java-db
2024-06-24T11:42:31+06:00 INFO Removing vulnerability database...
2024-06-24T11:42:31+06:00 INFO Removing Java database...
```

# Filtering

Trivy provides various methods for filtering the results.

```mermaid
flowchart LR
  Issues("Detected\nIssues") --> Severity

  subgraph Filtering
    subgraph Prioritization
      direction TB
      Severity("By Severity") --> Status("By Status")
    end
    subgraph Suppression
      Status --> Ignore("By Finding IDs")
      Ignore --> Rego("By Rego")
      Rego --> VEX("By VEX")
    end
  end
  VEX --> Results
```

Similar to the functionality of filtering results, you can also limit the sub-targets for each scanner. For information on these settings, please refer to the scanner-specific documentation (vulnerability, misconfiguration, etc.).

## Prioritization

You can filter the results by

- Severity
- Status

### By Severity

| Scanner          | Supported |
| ---------------- | :-------: |
| Vulnerability    |     ✓     |
| Misconfiguration |     ✓     |
| Secret           |     ✓     |
| License          |     ✓     |

Use the `--severity` option.

```shell
$ trivy image --severity HIGH,CRITICAL ruby:2.4.0
```
Result

```
2019-05-16T01:51:46.255+0900 INFO Updating vulnerability database...
2019-05-16T01:51:49.213+0900 INFO Detecting Debian vulnerabilities...

ruby:2.4.0 (debian 8.7)
=======================
Total: 1785 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1680, CRITICAL: 105)
```

| LIBRARY  | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
| -------- | ---------------- | -------- | ----------------- | ------------- | ----- |
| apt      | CVE-2019-3462    | CRITICAL | 1.0.9.8.3         | 1.0.9.8.5     | Incorrect sanitation of the 302 redirect field in HTTP transport method of... |
| bash     | CVE-2019-9924    | HIGH     | 4.3-11            | 4.3-11+deb8u2 | bash: BASH_CMD is writable in restricted bash shells |
| bash     | CVE-2016-7543    | HIGH     | 4.3-11            | 4.3-11+deb8u1 | bash: Specially crafted SHELLOPTS+PS4 variables allows command substitution |
| binutils | CVE-2017-8421    | HIGH     | 2.25-5            |               | binutils: Memory exhaustion in objdump via a crafted PE file |
| binutils | CVE-2017-14930   | HIGH     | 2.25-5            |               | binutils: Memory leak in decode_line_info |
| binutils | CVE-2017-7614    | HIGH     | 2.25-5            |               | binutils: NULL pointer dereference in bfd_elf_final_link function |
| binutils | CVE-2014-9939    | HIGH     | 2.25-5            |               | binutils: buffer overflow in ihex.c |
| binutils | CVE-2017-13716   | HIGH     | 2.25-5            |               | binutils: Memory leak with the C++ symbol demangler routine in libiberty |
| binutils | CVE-2018-12699   | HIGH     | 2.25-5            |               | binutils: heap-based buffer overflow in finish_stab in stabs.c |
| bsdutils | CVE-2015-5224    | HIGH     | 2.25.2-6          |               | util-linux: File name collision due to incorrect mkstemp use |
| bsdutils | CVE-2016-2779    | HIGH     | 2.25.2-6          |               | util-linux: runuser tty hijack via TIOCSTI ioctl |
```shell
trivy config --severity HIGH,CRITICAL examples/misconf/mixed
```

Result

```
2022-05-16T13:50:42.718+0100 INFO Detected config files: 3

Dockerfile (dockerfile)
=======================
Tests: 17 (SUCCESSES: 16, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Last USER command in Dockerfile should not be 'root'
═══════════════════════════════════════════════════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
───────────────────────────────────────────────────────────────────────────────────────
 Dockerfile:3
───────────────────────────────────────────────────────────────────────────────────────
   3 [ USER root
───────────────────────────────────────────────────────────────────────────────────────



deployment.yaml (kubernetes)
============================
Tests: 8 (SUCCESSES: 8, FAILURES: 0)
Failures: 0 (HIGH: 0, CRITICAL: 0)


main.tf (terraform)
===================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Classic resources should not be used.
═══════════════════════════════════════════════════════════════════════════════════════
AWS Classic resources run in a shared environment with infrastructure owned by other AWS customers. You should run
resources in a VPC instead.

See https://avd.aquasec.com/misconfig/avd-aws-0081
───────────────────────────────────────────────────────────────────────────────────────
 main.tf:2-4
───────────────────────────────────────────────────────────────────────────────────────
   2 ┌ resource "aws_db_security_group" "sg" {
   3 │
   4 └ }
───────────────────────────────────────────────────────────────────────────────────────
```

### By Status

| Scanner          | Supported |
| ---------------- | :-------: |
| Vulnerability    |     ✓     |
| Misconfiguration |           |
| Secret           |           |
| License          |           |

Trivy supports the following vulnerability statuses:

- `unknown`
- `not_affected`: this package is not affected by this vulnerability on this platform
- `affected`: this package is affected by this vulnerability on this platform, but there is no patch released yet
- `fixed`: this vulnerability is fixed on this platform
- `under_investigation`: it is currently unknown whether or not this vulnerability affects this package on this platform, and it is under investigation
- `will_not_fix`: this package is affected by this vulnerability on this platform, but there is currently no intention to fix it (this would primarily be for flaws that are of Low or Moderate impact that pose no significant risk to customers)
- `fix_deferred`: this package is affected by this vulnerability on this platform, and may be fixed in the future
- `end_of_life`: this package has been identified to contain the impacted component, but analysis to determine whether it is affected or not by this vulnerability was not performed

Note that vulnerabilities with the unknown, not_affected or under_investigation status are not detected. These are only defined for comprehensiveness, and you will not have the opportunity to specify these statuses.

Some statuses are supported in limited distributions.

| OS         | Fixed | Affected | Under Investigation | Will Not Fix | Fix Deferred | End of Life |
| ---------- | :---: | :------: | :-----------------: | :----------: | :----------: | :---------: |
| Debian     |   ✓   |    ✓     |                     |              |      ✓       |      ✓      |
| RHEL       |   ✓   |    ✓     |          ✓          |      ✓       |      ✓       |      ✓      |
| Other OSes |   ✓   |    ✓     |                     |              |              |             |

To ignore vulnerabilities with specific statuses, use the `--ignore-status <list_of_statuses>` option.

```shell
$ trivy image --ignore-status affected,fixed ruby:2.4.0
```
Result

```
2019-05-16T12:50:14.786+0900 INFO Detecting Debian vulnerabilities...

ruby:2.4.0 (debian 8.7)
=======================
Total: 527 (UNKNOWN: 0, LOW: 276, MEDIUM: 83, HIGH: 158, CRITICAL: 10)
```

| Library  | Vulnerability | Severity | Status       | Installed Version | Fixed Version | Title |
| -------- | ------------- | -------- | ------------ | ----------------- | ------------- | ----- |
| binutils | CVE-2014-9939 | CRITICAL | will_not_fix | 2.25-5            |               | binutils: buffer overflow in ihex.c https://avd.aquasec.com/nvd/cve-2014-9939 |
| binutils | CVE-2017-6969 | CRITICAL | will_not_fix | 2.25-5            |               | binutils: Heap-based buffer over-read in readelf when processing corrupt RL78 binaries https://avd.aquasec.com/nvd/cve-2017-6969 |
| ...      |               |          |              |                   |               |       |

Tip

To skip all unfixed vulnerabilities, you can use the `--ignore-unfixed` flag. It is a shorthand of `--ignore-status affected,will_not_fix,fix_deferred,end_of_life`. It displays "fixed" vulnerabilities only.
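The severity and status filters described in this section, as an added Python illustration (not Trivy's own code): it applies `--severity`, `--ignore-status` and the `--ignore-unfixed` shorthand to a constructed list of findings shaped like the `Vulnerabilities` entries of Trivy's JSON output, and rejects option values outside the status and severity vocabularies above. The finding IDs and statuses in `SAMPLE_FINDINGS` are constructed, not real advisories.

```python
"""Severity and status filtering of vulnerability findings (added illustration, not Trivy's code)."""

# Every status named above, and the subset that --ignore-unfixed expands to.
ALL_STATUSES = {
    "unknown", "not_affected", "affected", "fixed",
    "under_investigation", "will_not_fix", "fix_deferred", "end_of_life",
}
UNFIXED_STATUSES = {"affected", "will_not_fix", "fix_deferred", "end_of_life"}
SEVERITIES = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def parse_csv_option(value, allowed, option):
    """Parse a comma-separated option value and reject entries outside `allowed`."""
    items = [v.strip() for v in value.split(",") if v.strip()]
    bad = [v for v in items if v not in allowed]
    if bad:
        raise ValueError(f"{option}: unsupported value(s) {bad}")
    return set(items)


def filter_findings(findings, severity=None, ignore_status=None, ignore_unfixed=False):
    """Apply --severity, --ignore-status and --ignore-unfixed.

    `severity` and `ignore_status` are the raw comma-separated option strings
    (None when the option was not given). Returns the findings that survive.
    """
    keep_sev = parse_csv_option(severity, SEVERITIES, "--severity") if severity else set(SEVERITIES)
    ignored = parse_csv_option(ignore_status, ALL_STATUSES, "--ignore-status") if ignore_status else set()
    if ignore_unfixed:
        ignored |= UNFIXED_STATUSES     # the shorthand simply extends the ignored set
    return [
        f for f in findings
        if f["Severity"] in keep_sev and f["Status"] not in ignored
    ]


def summarize(findings):
    """Per-severity counts, in the order Trivy's report header lists them."""
    counts = {s: 0 for s in SEVERITIES}
    for f in findings:
        counts[f["Severity"]] += 1
    return counts


# Constructed sample findings (IDs are placeholders, not real advisories).
SAMPLE_FINDINGS = [
    {"PkgName": "pkg-a", "VulnerabilityID": "CVE-2000-0001", "Severity": "CRITICAL", "Status": "fixed"},
    {"PkgName": "pkg-b", "VulnerabilityID": "CVE-2000-0002", "Severity": "HIGH", "Status": "fixed"},
    {"PkgName": "pkg-c", "VulnerabilityID": "CVE-2000-0003", "Severity": "CRITICAL", "Status": "will_not_fix"},
    {"PkgName": "pkg-c", "VulnerabilityID": "CVE-2000-0004", "Severity": "HIGH", "Status": "fix_deferred"},
    {"PkgName": "pkg-d", "VulnerabilityID": "CVE-2000-0005", "Severity": "LOW", "Status": "affected"},
    {"PkgName": "pkg-e", "VulnerabilityID": "CVE-2000-0006", "Severity": "LOW", "Status": "end_of_life"},
]

if __name__ == "__main__":
    kept = filter_findings(SAMPLE_FINDINGS, severity="HIGH,CRITICAL", ignore_unfixed=True)
    for f in kept:
        print(f["PkgName"], f["VulnerabilityID"], f["Severity"], f["Status"])
    print(summarize(kept))
```

Note what `--ignore-unfixed` hides: the CRITICAL `will_not_fix` finding disappears along with the rest, so a report that "looks clean" under this flag still needs the unfixed set reviewed separately when the distribution has declined to patch.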
```shell
$ trivy image --ignore-unfixed ruby:2.4.0
```

## Suppression

You can filter the results by

- Finding IDs
- Rego
- Vulnerability Exploitability Exchange (VEX)

To show the suppressed results, use the `--show-suppressed` flag.

Note

It's exported as `ExperimentalModifiedFindings` in the JSON output.

```shell
$ trivy image --vex debian11.csaf.vex --ignorefile .trivyignore.yaml --show-suppressed debian:11
...

Suppressed Vulnerabilities (Total: 9)
```

| Library       | Vulnerability | Severity | Status       | Statement                                   | Source            |
| ------------- | ------------- | -------- | ------------ | ------------------------------------------- | ----------------- |
| libdb5.3      | CVE-2019-8457 | CRITICAL | not_affected | vulnerable_code_not_in_execute_path         | CSAF VEX          |
| bsdutils      | CVE-2022-0563 | LOW      | ignored      | Accept the risk                             | .trivyignore.yaml |
| libblkid1     | CVE-2022-0563 | LOW      | ignored      | Accept the risk                             | .trivyignore.yaml |
| libmount1     | CVE-2022-0563 | LOW      | ignored      | Accept the risk                             | .trivyignore.yaml |
| libsmartcols1 | CVE-2022-0563 | LOW      | ignored      | Accept the risk                             | .trivyignore.yaml |
| libuuid1      | CVE-2022-0563 | LOW      | ignored      | Accept the risk                             | .trivyignore.yaml |
| mount         | CVE-2022-0563 | LOW      | ignored      | Accept the risk                             | .trivyignore.yaml |
| tar           | CVE-2005-2541 | LOW      | ignored      | The vulnerable configuration is not enabled | .trivyignore.yaml |
| util-linux    | CVE-2022-0563 | LOW      | ignored      | Accept the risk                             | .trivyignore.yaml |

### By Finding IDs

Trivy supports the `.trivyignore` and `.trivyignore.yaml` ignore files.

#### .trivyignore

| Scanner          | Supported |
| ---------------- | :-------: |
| Vulnerability    |     ✓     |
| Misconfiguration |     ✓     |
| Secret           |     ✓     |
| License          |     ✓     |

```shell
$ cat .trivyignore
# Accept the risk
CVE-2018-14618

# Accept the risk until 2023-01-01
CVE-2019-14697 exp:2023-01-01

# No impact in our settings
CVE-2019-1543

# Ignore misconfigurations
AVD-DS-0002

# Ignore secrets
generic-unwanted-rule
aws-account-id

# Ignore licenses
GPL-3.0
Apache-2.0 WITH LLVM-exception
```

```shell
$ trivy image python:3.4-alpine3.9
```

Result

```
2019-05-16T12:53:10.076+0900 INFO Updating vulnerability database...
2019-05-16T12:53:28.134+0900 INFO Detecting Alpine vulnerabilities...

python:3.4-alpine3.9 (alpine 3.9.2)
===================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
```

#### .trivyignore.yaml

| Scanner          | Supported |
| ---------------- | :-------: |
| Vulnerability    |     ✓     |
| Misconfiguration |     ✓     |
| Secret           |     ✓     |
| License          |     ✓     |

EXPERIMENTAL

This feature might change without preserving backwards compatibility.

When the extension of the specified ignore file is either `.yml` or `.yaml`, Trivy will load the file as YAML. For the `.trivyignore.yaml` file, you can set ignored IDs separately for vulnerabilities, misconfigurations, secrets, or licenses[^1].

Available fields:
| Field        | Required | Type              | Description |
| ------------ | :------: | ----------------- | ----------- |
| `id`         |    ✓     | string            | The identifier of the vulnerability, misconfiguration, secret, or license[^1]. |
| `paths`[^2]  |          | string array      | The list of file paths to ignore. If `paths` is not set, the ignore finding is applied to all files. |
| `purls`      |          | string array      | The list of PURLs to ignore packages. If `purls` is not set, the ignore finding is applied to all packages. This field is currently available only for vulnerabilities. |
| `expired_at` |          | date (yyyy-mm-dd) | The expiration date of the ignore finding. If `expired_at` is not set, the ignore finding is always valid. |
| `statement`  |          | string            | The reason for ignoring the finding. (This field is not used for filtering.) |

```shell
$ cat .trivyignore.yaml
vulnerabilities:
  - id: CVE-2022-40897
    paths:
      - "usr/local/lib/python3.9/site-packages/setuptools-58.1.0.dist-info/METADATA"
    statement: Accept the risk
  - id: CVE-2023-2650
  - id: CVE-2023-3446
  - id: CVE-2023-3817
    purls:
      - "pkg:deb/debian/libssl1.1"
  - id: CVE-2023-29491
    expired_at: 2023-09-01

misconfigurations:
  - id: AVD-DS-0001
  - id: AVD-DS-0002
    paths:
      - "docs/Dockerfile"
    statement: The image needs root privileges

secrets:
  - id: aws-access-key-id
  - id: aws-secret-access-key
    paths:
      - "foo/bar/aws.secret"

licenses:
  - id: GPL-3.0 # License name is used as ID
    paths:
      - "usr/share/gcc/python/libstdcxx/v6/__init__.py"
  - id: MIT AND GPL-2.0-or-later # Compound license expressions are supported
  - id: Apache-2.0 WITH LLVM-exception # License expressions with exceptions are supported
  - id: LLVM-exception # Individual license components or exceptions can be ignored
```

Enhanced License Expression Support

Trivy supports filtering complex SPDX license expressions including:

- Compound expressions with AND/OR operators: `MIT AND GPL-2.0-or-later`
- License exceptions with WITH operator: `Apache-2.0 WITH LLVM-exception`
- Individual components: You can ignore specific license components or exceptions from compound expressions

When filtering compound expressions:

- AND/OR expressions: All individual license components must be explicitly ignored for the entire expression to be ignored
- WITH expressions: License expressions with exceptions are treated as single entities and can be ignored as a whole
- Component matching: You can also ignore individual license names or exception names to filter specific parts of compound expressions
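The `.trivyignore.yaml` fields and the compound-license rules above, worked through in an added Python illustration that is not Trivy's own matcher. It loads the page's example file (as a Python dict, the shape a YAML loader would return, so the example runs without a YAML library), applies the `paths`, `purls` and `expired_at` scoping, and decides whether a finding is suppressed. Two points are assumptions rather than documented behaviour: `paths` and `purls` are compared by exact string match, and the expiry date itself is still treated as valid. The license matcher is my reading of the three bullet points, stated in its docstring: a WITH component counts as ignored when it is listed as a unit or when either its license or its exception name is listed.

```python
"""Matching findings against a .trivyignore.yaml (added illustration, not Trivy's code)."""
import re
from datetime import date

# The page's .trivyignore.yaml, as a YAML loader would return it (dates become date objects).
IGNORE_FILE = {
    "vulnerabilities": [
        {"id": "CVE-2022-40897",
         "paths": ["usr/local/lib/python3.9/site-packages/setuptools-58.1.0.dist-info/METADATA"],
         "statement": "Accept the risk"},
        {"id": "CVE-2023-2650"},
        {"id": "CVE-2023-3446"},
        {"id": "CVE-2023-3817", "purls": ["pkg:deb/debian/libssl1.1"]},
        {"id": "CVE-2023-29491", "expired_at": date(2023, 9, 1)},
    ],
    "misconfigurations": [
        {"id": "AVD-DS-0001"},
        {"id": "AVD-DS-0002", "paths": ["docs/Dockerfile"], "statement": "The image needs root privileges"},
    ],
    "secrets": [
        {"id": "aws-access-key-id"},
        {"id": "aws-secret-access-key", "paths": ["foo/bar/aws.secret"]},
    ],
    "licenses": [
        {"id": "GPL-3.0", "paths": ["usr/share/gcc/python/libstdcxx/v6/__init__.py"]},
        {"id": "MIT AND GPL-2.0-or-later"},
        {"id": "Apache-2.0 WITH LLVM-exception"},
        {"id": "LLVM-exception"},
    ],
}


def entry_applies(entry, finding, today):
    """Scope checks: expiry, path restriction, PURL restriction (exact matches assumed)."""
    expired_at = entry.get("expired_at")
    if expired_at is not None and today > expired_at:
        return False  # assumption: the ignore is valid through the expiry date itself
    if entry.get("paths") and finding.get("path") not in entry["paths"]:
        return False
    if entry.get("purls") and finding.get("purl") not in entry["purls"]:
        return False
    return True


def split_license_components(expr):
    """'MIT AND (X OR Y WITH Z)' -> ['MIT', 'X', 'Y WITH Z']; a WITH pair stays one component."""
    parts = re.split(r"\s+(?:AND|OR)\s+", expr)
    return [p.strip().strip("()").strip() for p in parts if p.strip()]


def license_ignored(expr, ignored_ids):
    """My reading of the rules above (an assumption, not Trivy's exact algorithm):
    the whole expression is listed, or every AND/OR component is ignored, where a
    'license WITH exception' component counts as ignored when listed as a unit or
    when either its license or its exception name is listed."""
    if expr in ignored_ids:
        return True

    def component_ignored(comp):
        if comp in ignored_ids:
            return True
        if " WITH " in comp:
            lic, exc = comp.split(" WITH ", 1)
            return lic in ignored_ids or exc in ignored_ids
        return False

    comps = split_license_components(expr)
    return bool(comps) and all(component_ignored(c) for c in comps)


def is_suppressed(kind, finding, ignore_file=IGNORE_FILE, today=None):
    """kind: vulnerabilities / misconfigurations / secrets / licenses.
    finding: dict with 'id' and optionally 'path' and 'purl'."""
    today = today or date.today()
    ids = {e["id"] for e in ignore_file.get(kind, []) if entry_applies(e, finding, today)}
    if kind == "licenses":
        return license_ignored(finding["id"], ids)
    return finding["id"] in ids


if __name__ == "__main__":
    print(is_suppressed("vulnerabilities", {"id": "CVE-2023-3817", "purl": "pkg:deb/debian/libssl1.1"}))
    print(is_suppressed("licenses", {"id": "MIT OR BSD-3-Clause"}))
```

The `today` parameter exists so the expiry behaviour can be checked deterministically; an ignore entry that has lapsed silently reappears as a finding, which is the intended effect of `expired_at` and worth exercising in CI rather than discovering on the day.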
Since this feature is experimental, you must explicitly specify the YAML file path using the --ignorefile flag. Once this functionality is stable, the YAML file will be loaded automatically.
$ trivy image --ignorefile ./.trivyignore.yaml python:3.9.16-alpine3.16\n
Result 2023-08-31T11:10:27.155+0600 INFO Vulnerability scanning is enabled\n2023-08-31T11:10:27.155+0600 INFO Secret scanning is enabled\n2023-08-31T11:10:27.155+0600 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning\n2023-08-31T11:10:27.155+0600 INFO Please see also https://trivy.dev/dev/docs/scanner/secret/#recommendation for faster secret detection\n2023-08-31T11:10:29.164+0600 INFO Detected OS: alpine\n2023-08-31T11:10:29.164+0600 INFO Detecting Alpine vulnerabilities...\n2023-08-31T11:10:29.169+0600 INFO Number of language-specific files: 1\n2023-08-31T11:10:29.170+0600 INFO Detecting python-pkg vulnerabilities...\n\npython:3.9.16-alpine3.16 (alpine 3.16.5)\n========================================\nTotal: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)\n
"},{"location":"guide/configuration/filtering/#by-rego","title":"By Rego","text":"Scanner Supported Vulnerability \u2713 Misconfiguration \u2713 Secret \u2713 License \u2713 EXPERIMENTAL
This feature might change without preserving backwards compatibility.
Rego is a policy language that allows you to express decision logic in a concise syntax. Rego is part of the popular Open Policy Agent (OPA) CNCF project. For advanced filtering, Trivy allows you to use Rego language to filter vulnerabilities.
Use the --ignore-policy flag, which takes a path to a Rego file that defines the filtering policy. The Rego package name must be trivy and it must include a rule named ignore which determines whether each individual scan result should be excluded (ignore=true) or not (ignore=false). The policy is evaluated once per finding: the input is a single DetectedVulnerability, DetectedMisconfiguration, DetectedSecret or DetectedLicense.
A practical way to observe the filtering policy input in your case, is to run a scan with the --format json option and look at the resulting structure:
```shell
trivy image -f json centos:7
```

```json
...
  "Results": [
    {
      "Target": "centos:7 (centos 7.9.2009)",
      "Class": "os-pkgs",
      "Type": "centos",
      "Vulnerabilities": [
        {
          "VulnerabilityID": "CVE-2015-5186",
          "PkgID": "audit-libs@2.8.5-4.el7.x86_64",
          "PkgName": "audit-libs",
          "InstalledVersion": "2.8.5-4.el7",
          "Layer": {
            "Digest": "sha256:2d473b07cdd5f0912cd6f1a703352c82b512407db6b05b43f2553732b55df3bc",
            "DiffID": "sha256:174f5685490326fc0a1c0f5570b8663732189b327007e47ff13d2ca59673db02"
          },
          "SeveritySource": "redhat",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2015-5186",
          "Title": "log terminal emulator escape sequences handling",
          "Description": "Audit before 2.4.4 in Linux does not sanitize escape characters in filenames.",
          "Severity": "MEDIUM",
          "CweIDs": [
            "CWE-20"
          ],
...
```
Each individual Vulnerability, Misconfiguration, License and Secret (under Results.Vulnerabilities, Results.Misconfigurations, Results.Licenses, Results.Secrets) is evaluated for exclusion or inclusion by the ignore rule.
The following is a Rego ignore policy that filters out every vulnerability with a specific CWE ID (as seen in the JSON example above):
```rego
package trivy

default ignore = false

ignore {
    input.CweIDs[_] == "CWE-20"
}
```

```shell
trivy image --ignore-policy examples/ignore-policies/basic.rego centos:7
```
To filter findings of a specific type based on a field that may exist in multiple structures (for example, PkgName in both DetectedVulnerability and DetectedLicense), you can use the Type field. This field is automatically added when exporting findings to Rego and indicates the kind of finding. Possible values are: vulnerability, misconfiguration, secret, and license.
For example, the following policy ignores vulnerabilities with a specific package name without affecting other finding types:
```rego
package trivy

ignore {
    input.Type == "vulnerability"
    input.PkgName == "foo"
}
```
For more advanced use cases, there is a built-in Rego library with helper functions that you can import into your policy using: import data.lib.trivy. More information about the helper functions is in the library here.
You can create a whitelist of checks using Rego, see the detailed example. Additional examples are available here.
"},{"location":"guide/configuration/filtering/#by-vulnerability-exploitability-exchange-vex","title":"By Vulnerability Exploitability Exchange (VEX)","text":"Scanner Supported Vulnerability \u2713 Misconfiguration Secret License Please refer to the VEX documentation for the details.
[1] The license name is used as the id in .trivyignore.yaml files.
[2] This doesn't work for OS package licenses (e.g. apk, dpkg, rpm). For projects which manage dependencies through a dependency file (e.g. go.mod, yarn.lock), the path should point to that particular file.
"},{"location":"guide/configuration/others/","title":"Others","text":""},{"location":"guide/configuration/others/#enabledisable-scanners","title":"Enable/Disable Scanners","text":"You can enable/disable scanners with the --scanners flag.
Supported values:
- vuln
- misconfig
- secret
- license
For example, container image scanning enables vulnerability and secret scanners by default. If you don't need secret scanning, it can be disabled.
```shell
$ trivy image --scanners vuln alpine:3.15
```
"},{"location":"guide/configuration/others/#exit-code","title":"Exit Code","text":"Scanner Supported Vulnerability \u2713 Misconfiguration \u2713 Secret \u2713 License \u2713 By default, Trivy exits with code 0 even when security issues are detected. Use the --exit-code option if you want to exit with a non-zero exit code.
```shell
$ trivy image --exit-code 1 python:3.4-alpine3.9
```

Result

```text
2019-05-16T12:51:43.500+0900 INFO Updating vulnerability database...
2019-05-16T12:52:00.387+0900 INFO Detecting Alpine vulnerabilities...

python:3.4-alpine3.9 (alpine 3.9.2)
===================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

+---------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE                          |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| openssl | CVE-2019-1543    | MEDIUM   | 1.1.1a-r1         | 1.1.1b-r1     | openssl: ChaCha20-Poly1305     |
|         |                  |          |                   |               | with long nonces               |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
```

This option is useful for CI/CD. In the following example, the first command reports MEDIUM and HIGH findings without failing the job (exit code 0), and only the second command fails the job, when a CRITICAL vulnerability is found.

```shell
$ trivy image --exit-code 0 --severity MEDIUM,HIGH ruby:2.4.0
$ trivy image --exit-code 1 --severity CRITICAL ruby:2.4.0
```
"},{"location":"guide/configuration/others/#exit-on-eol","title":"Exit on EOL","text":"Scanner Supported Vulnerability \u2713 Misconfiguration Secret License Sometimes you may surprisingly get 0 vulnerabilities in an old image:
- Enabling the --ignore-unfixed option while none of the packages have fixed versions.
- Scanning a rather outdated OS (e.g. Ubuntu 10.04).

An OS at the end of service/life (EOL) usually gets into this situation, and such an image is almost certainly full of vulnerabilities that the distribution no longer tracks. --exit-on-eol makes the scan fail with a non-zero code when the OS is EOL. This flag is available with the following targets.
- Container images (trivy image)
- Virtual machine images (trivy vm)
- SBOM (trivy sbom)
- Root filesystem (trivy rootfs)

```shell
$ trivy image --exit-on-eol 1 alpine:3.10
```

Result (box-drawing borders condensed to plain text)

```text
2023-03-01T11:07:15.455+0200 INFO Vulnerability scanning is enabled
...
2023-03-01T11:07:17.938+0200 WARN This OS version is no longer supported by the distribution: alpine 3.10.9
2023-03-01T11:07:17.938+0200 WARN The vulnerability detection may be insufficient because security updates are not provided

alpine:3.10 (alpine 3.10.9)
===========================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)

| Library   | Vulnerability  | Severity | Installed Version | Fixed Version | Title                                                        |
|-----------|----------------|----------|-------------------|---------------|--------------------------------------------------------------|
| apk-tools | CVE-2021-36159 | CRITICAL | 2.10.6-r0         | 2.10.7-r0     | libfetch before 2021-07-26, as used in apk-tools, xbps, and  |
|           |                |          |                   |               | other products, mishandles...                                |
|           |                |          |                   |               | https://avd.aquasec.com/nvd/cve-2021-36159                   |

2023-03-01T11:07:17.941+0200 ERROR Detected EOL OS: alpine 3.10.9
```
This option is useful for CI/CD. The following example will fail when a critical vulnerability is found or the OS is EOL:

```shell
$ trivy image --exit-code 1 --exit-on-eol 1 --severity CRITICAL alpine:3.16.3
```
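The same JSON report serves two purposes that the text above describes separately: the "By Rego" section recommends inspecting -f json output to learn what an --ignore-policy rule receives, and this section builds a CI verdict out of --exit-code, --severity and --exit-on-eol. The script below is an added example (not Trivy's own code) that does both from one report: it flattens Results[] into the per-finding documents a Rego policy sees, with the Type field injected as the page describes, so a policy can be tried offline with opa eval, and it computes the exit status those flags would produce, including the --ignore-unfixed case from this section. SAMPLE_REPORT_JSON is a constructed, trimmed report: the findings are lifted from the examples on this page and combined into one artifact, only the fields used here are present, and Metadata.OS.EOSL is assumed to be the field Trivy sets for an end-of-life OS in its JSON schema; the ignore.rego and finding.json file names in the comments are placeholders.

```python
"""Post-process a `trivy <target> -f json` report: Rego policy inputs and a CI verdict.

Added example, not part of Trivy. SAMPLE_REPORT_JSON is a constructed, trimmed
report shaped like Trivy's JSON output; only the fields used here are present.
"""
import json
from collections import Counter
from typing import Any, Iterable, Iterator

# Results[] list name -> the Type value Trivy injects into the Rego input document.
FINDING_LISTS = {
    "Vulnerabilities": "vulnerability",
    "Misconfigurations": "misconfiguration",
    "Secrets": "secret",
    "Licenses": "license",
}

# Constructed: findings taken from this page's examples, merged into one report.
# Metadata.OS.EOSL is assumed to be Trivy's end-of-life marker (check your own output).
SAMPLE_REPORT_JSON = r"""
{
  "ArtifactName": "example-image",
  "Metadata": {"OS": {"Family": "alpine", "Name": "3.10.9", "EOSL": true}},
  "Results": [
    {
      "Target": "example-image (alpine 3.10.9)",
      "Class": "os-pkgs",
      "Type": "alpine",
      "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2021-36159", "PkgName": "apk-tools",
         "InstalledVersion": "2.10.6-r0", "FixedVersion": "2.10.7-r0",
         "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-2015-5186", "PkgName": "audit-libs",
         "InstalledVersion": "2.8.5-4.el7", "Severity": "MEDIUM",
         "CweIDs": ["CWE-20"]}
      ]
    },
    {
      "Target": "app/config.env",
      "Class": "secret",
      "Secrets": [
        {"RuleID": "aws-access-key-id", "Category": "AWS", "Severity": "CRITICAL",
         "Title": "AWS Access Key ID", "StartLine": 3, "EndLine": 3}
      ]
    }
  ]
}
"""
SAMPLE_REPORT: dict[str, Any] = json.loads(SAMPLE_REPORT_JSON)


def rego_inputs(report: dict[str, Any]) -> Iterator[dict[str, Any]]:
    """Yield one input document per finding, as --ignore-policy evaluates them.

    Each document is the finding plus "Type", so a policy can be exercised without
    rescanning, e.g.:  opa eval -d ignore.rego -i finding.json 'data.trivy.ignore'
    """
    for result in report.get("Results") or []:
        for list_name, type_name in FINDING_LISTS.items():
            for finding in result.get(list_name) or []:
                yield {**finding, "Type": type_name}


def severity_counts(report: dict[str, Any]) -> dict[str, int]:
    """Severity histogram over every finding type, for a job summary line."""
    return dict(Counter(doc.get("Severity", "UNKNOWN") for doc in rego_inputs(report)))


def ci_verdict(report: dict[str, Any], fail_severities: Iterable[str] = ("CRITICAL",),
               fail_on_eol: bool = False, ignore_unfixed: bool = False) -> int:
    """Exit status a pipeline step would return for this report.

    fail_severities mirrors --severity (an exact list, not a threshold);
    ignore_unfixed mirrors --ignore-unfixed (skip vulnerabilities with no fix);
    fail_on_eol mirrors --exit-on-eol 1 and fails even when no finding matches,
    because an EOL OS means the vulnerability data is incomplete, not clean.
    """
    wanted = set(fail_severities)
    for doc in rego_inputs(report):
        if ignore_unfixed and doc["Type"] == "vulnerability" and not doc.get("FixedVersion"):
            continue
        if doc.get("Severity", "UNKNOWN") in wanted:
            return 1
    os_meta = (report.get("Metadata") or {}).get("OS") or {}
    if fail_on_eol and os_meta.get("EOSL"):
        return 1
    return 0


if __name__ == "__main__":
    for doc in rego_inputs(SAMPLE_REPORT):
        print(json.dumps(doc))  # one document per line, each usable as `opa eval -i` input
    print(severity_counts(SAMPLE_REPORT))
    raise SystemExit(ci_verdict(SAMPLE_REPORT, fail_severities={"CRITICAL"}, fail_on_eol=True))
```

Two details matter for a gate like this. --severity is a list, not a floor, so a job that passes {"CRITICAL"} says nothing about HIGH findings; make the list explicit rather than assuming "and above". And the EOL check must run even when the severity check found nothing, because the quiet report from an end-of-life OS is exactly the misleading case this section warns about.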
"},{"location":"guide/configuration/others/#mirror-registries","title":"Mirror Registries","text":"EXPERIMENTAL
This feature might change without preserving backwards compatibility.
Trivy supports mirrors for remote container images and databases.
To configure them, add a list of mirrors along with the host to the trivy config file.
Note
Use the index.docker.io host for images from Docker Hub, even if you don't use that prefix.
Example for index.docker.io:
```yaml
registry:
  mirrors:
    index.docker.io:
      - mirror.gcr.io
```
"},{"location":"guide/configuration/others/#registry-check-procedure","title":"Registry check procedure","text":"Trivy uses the following registry order to get the image:
- mirrors in the same order as they are specified in the configuration file
- source registry
In cases where we can't get the image from the mirror registry (e.g. when authentication fails, image doesn't exist, etc.) - Trivy will check other mirrors (or the source registry if all mirrors have already been checked).
Example:
```yaml
registry:
  mirrors:
    index.docker.io:
      - mirror.with.bad.auth   # We don't have credentials for this registry
      - mirror.without.image   # Registry doesn't have this image
```
When we want to get the image alpine with the settings above, the logic is as follows:
- Try to get the image from mirror.with.bad.auth/library/alpine, but we get an error because there are no credentials for this registry.
- Try to get the image from mirror.without.image/library/alpine, but we get an error because this registry doesn't have this image (most likely reported as an authorization error).
- Get the image from index.docker.io (the original registry).
"},{"location":"guide/configuration/others/#check-for-updates","title":"Check for updates","text":"Trivy periodically checks for updates and notices, and displays a message to the user with recommendations. Updates checking is non-blocking and has no impact on scanning time, performance, results, or any user experience aspect besides displaying the message. You can disable updates checking by specifying the --skip-version-check flag.
"},{"location":"guide/configuration/others/#telemetry","title":"Telemetry","text":"Trivy collected usage data for product improvement. More details in the Telemetry document. You can disable telemetry collection using the --disable-telemetry flag.
"},{"location":"guide/configuration/reporting/","title":"Reporting","text":""},{"location":"guide/configuration/reporting/#format","title":"Format","text":"Trivy supports the following formats:
- Table
- JSON
- SARIF
- Template
- SBOM
- GitHub dependency snapshot
"},{"location":"guide/configuration/reporting/#table-default","title":"Table (Default)","text":"Scanner Supported Vulnerability \u2713 Misconfiguration \u2713 Secret \u2713 License \u2713 $ trivy image -f table golang:1.22.11-alpine3.20\n
Result (box-drawing borders condensed to plain text)

```text
...

Report Summary

| Target                                    | Type     | Vulnerabilities | Secrets |
|-------------------------------------------|----------|-----------------|---------|
| golang:1.22.11-alpine3.20 (alpine 3.20.5) | alpine   | 6               | -       |
| usr/local/go/bin/go                       | gobinary | 1               | -       |
| ...                                       |          |                 |         |
| usr/local/go/pkg/tool/linux_amd64/vet     | gobinary | 1               | -       |
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


golang:1.22.11-alpine3.20 (alpine 3.20.5)

Total: 6 (UNKNOWN: 2, LOW: 0, MEDIUM: 2, HIGH: 2, CRITICAL: 0)

| Library    | Vulnerability  | Severity | Status | Installed Version | Fixed Version | Title                                                                                               |
|------------|----------------|----------|--------|-------------------|---------------|-----------------------------------------------------------------------------------------------------|
| libcrypto3 | CVE-2024-12797 | HIGH     | fixed  | 3.3.2-r1          | 3.3.3-r0      | openssl: RFC7250 handshakes with unauthenticated servers don't abort as expected                    |
|            |                |          |        |                   |               | https://avd.aquasec.com/nvd/cve-2024-12797                                                          |
| libcrypto3 | CVE-2024-13176 | MEDIUM   | fixed  | 3.3.2-r1          | 3.3.2-r2      | openssl: Timing side-channel in ECDSA signature computation                                         |
|            |                |          |        |                   |               | https://avd.aquasec.com/nvd/cve-2024-13176                                                          |
| libssl3    | CVE-2024-12797 | HIGH     | fixed  | 3.3.2-r1          | 3.3.3-r0      | openssl: RFC7250 handshakes with unauthenticated servers don't abort as expected                    |
|            |                |          |        |                   |               | https://avd.aquasec.com/nvd/cve-2024-12797                                                          |
| libssl3    | CVE-2024-13176 | MEDIUM   | fixed  | 3.3.2-r1          | 3.3.2-r2      | openssl: Timing side-channel in ECDSA signature computation                                         |
|            |                |          |        |                   |               | https://avd.aquasec.com/nvd/cve-2024-13176                                                          |
| musl       | CVE-2025-26519 | UNKNOWN  | fixed  | 1.2.5-r0          | 1.2.5-r1      | musl libc 0.9.13 through 1.2.5 before 1.2.6 has an out-of-bounds write ......                       |
|            |                |          |        |                   |               | https://avd.aquasec.com/nvd/cve-2025-26519                                                          |
| musl-utils | CVE-2025-26519 | UNKNOWN  | fixed  | 1.2.5-r0          | 1.2.5-r1      | musl libc 0.9.13 through 1.2.5 before 1.2.6 has an out-of-bounds write ......                       |
|            |                |          |        |                   |               | https://avd.aquasec.com/nvd/cve-2025-26519                                                          |

usr/local/go/bin/go (gobinary)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

| Library | Vulnerability  | Severity | Status | Installed Version | Fixed Version                | Title                                                        |
|---------|----------------|----------|--------|-------------------|------------------------------|--------------------------------------------------------------|
| stdlib  | CVE-2025-22866 | MEDIUM   | fixed  | v1.22.11          | 1.22.12, 1.23.6, 1.24.0-rc.3 | crypto/internal/nistec: golang: Timing sidechannel for P-256 |
|         |                |          |        |                   |                              | on ppc64le in crypto/internal/nistec                         |
|         |                |          |        |                   |                              | https://avd.aquasec.com/nvd/cve-2025-22866                   |

...
```
"},{"location":"guide/configuration/reporting/#table-mode","title":"Table mode","text":"EXPERIMENTAL
This feature might change without preserving backwards compatibility.
Trivy supports the following modes for table format:
| Mode | Enabled by default |
|---|---|
| summary | ✓[1] |
| detailed | ✓ |

You can use the --table-mode flag to enable/disable table mode(s).
"},{"location":"guide/configuration/reporting/#summary-table","title":"Summary table","text":"Summary table contains general information about the scan performed.
Nuances of table contents:
- The table includes columns for enabled scanners only. Use the --scanners flag to enable/disable scanners.
- The table includes separate lines for the same target scanned by different scanners.
- "-" means that the scanner didn't scan this target. "0" means that the scanner scanned this target but found no security issues.
Note
For the secret/license scanner, the Trivy report contains only findings. Therefore, we can't say for sure whether Trivy scanned at least one file or simply didn't find any findings. That's why, for these scanners, the summary table uses "-" if no findings are found.
Report Summary (box-drawing borders condensed to plain text)

```text
| Target               | Type       | Vulnerabilities | Misconfigurations | Secrets | Licenses |
|----------------------|------------|-----------------|-------------------|---------|----------|
| test (alpine 3.20.3) | alpine     | 2               | -                 | -       | -        |
| Java                 | jar        | 2               | -                 | -       | -        |
| app/Dockerfile       | dockerfile | -               | 2                 | -       | -        |
| requirements.txt     | text       | 0               | -                 | -       | -        |
| requirements.txt     | text       | -               | -                 | 1       | -        |
| OS Packages          | -          | -               | -                 | -       | 1        |
| Java                 | -          | -               | -                 | -       | 0        |
```
"},{"location":"guide/configuration/reporting/#detailed-tables","title":"Detailed tables","text":"Detailed tables contain information about found security issues for each target with more detailed information (CVE-ID, severity, version, etc.).
Detailed tables
usr/local/go/bin/go (gobinary)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │        Fixed Version         │                            Title                             │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2025-22866 │ MEDIUM   │ fixed  │ v1.22.11          │ 1.22.12, 1.23.6, 1.24.0-rc.3 │ crypto/internal/nistec: golang: Timing sidechannel for P-256 │
│         │                │          │        │                   │                              │ on ppc64le in crypto/internal/nistec                         │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-22866                   │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────┴──────────────────────────────────────────────────────────────┘
"},{"location":"guide/configuration/reporting/#show-origins-of-vulnerable-dependencies","title":"Show origins of vulnerable dependencies","text":"Scanner Supported Vulnerability \u2713 Misconfiguration Secret License EXPERIMENTAL
This feature might change without preserving backwards compatibility.
Modern software development relies on the use of third-party libraries. Third-party dependencies also depend on others, so a list of dependencies can be represented as a dependency graph. In some cases, vulnerable dependencies are not linked directly, and finding them requires analysis of the tree. To make this task simpler, Trivy can show a dependency origin tree with the --dependency-tree flag. This flag is only available with the --format table flag.
The following OS package managers are currently supported:
OS Package Managers
apk
dpkg
rpm
The following languages are currently supported:
Language  File
Node.js   package-lock.json
          pnpm-lock.yaml
          yarn.lock
.NET      packages.lock.json
Python    poetry.lock
          uv.lock
Ruby      Gemfile.lock
Rust      cargo-auditable binaries
Go        go.mod
PHP       composer.lock
Java      pom.xml
          *gradle.lockfile
          *.sbt.lock
Dart      pubspec.lock
This tree is the reverse of the dependency graph. However, if you want to resolve a vulnerability in a particular indirect dependency, the reversed tree is useful to know where that dependency comes from and identify which package you actually need to update.
In table output, it looks like:
$ trivy fs --severity HIGH,CRITICAL --dependency-tree /path/to/your_node_project

package-lock.json (npm)
=======================
Total: 2 (HIGH: 1, CRITICAL: 1)

┌──────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                           Title                            │
├──────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ follow-redirects │ CVE-2022-0155  │ HIGH     │ 1.14.6            │ 1.14.7        │ follow-redirects: Exposure of Private Personal Information │
│                  │                │          │                   │               │ to an Unauthorized Actor                                   │
│                  │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-0155                  │
├──────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ glob-parent      │ CVE-2020-28469 │ CRITICAL │ 3.1.0             │ 5.1.2         │ nodejs-glob-parent: Regular expression denial of service   │
│                  │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-28469                 │
└──────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

Dependency Origin Tree (Reversed)
=================================
package-lock.json
├── follow-redirects@1.14.6, (HIGH: 1, CRITICAL: 0)
│   └── axios@0.21.4
└── glob-parent@3.1.0, (HIGH: 0, CRITICAL: 1)
    └── chokidar@2.1.8
        └── watchpack-chokidar2@2.0.1
            └── watchpack@1.7.5
                └── webpack@4.46.0
                    └── cra-append-sw@2.7.0
Vulnerable dependencies are shown at the top level of the tree. Lower levels show how those vulnerabilities are introduced. In the example above, axios@0.21.4, which is included in the project directly, depends on the vulnerable follow-redirects@1.14.6. Likewise, glob-parent@3.1.0, which has a vulnerability, is included through a chain of dependencies that is added by cra-append-sw@2.7.0.
You can then try to update axios@0.21.4 and cra-append-sw@2.7.0 to resolve the vulnerabilities in follow-redirects@1.14.6 and glob-parent@3.1.0.
"},{"location":"guide/configuration/reporting/#json","title":"JSON","text":"Scanner Supported Vulnerability \u2713 Misconfiguration \u2713 Secret \u2713 License \u2713 $ trivy image -f json -o results.json alpine:latest\n
JSON {\n \"SchemaVersion\": 2,\n \"CreatedAt\": \"2024-12-26T21:58:15.943876+05:30\",\n \"ArtifactName\": \"alpine:latest\",\n \"ArtifactType\": \"container_image\",\n \"Metadata\": {\n \"OS\": {\n \"Family\": \"alpine\",\n \"Name\": \"3.20.3\"\n },\n \"ImageID\": \"sha256:511a44083d3a23416fadc62847c45d14c25cbace86e7a72b2b350436978a0450\",\n \"DiffIDs\": [\n \"sha256:651d9022c23486dfbd396c13db293af6845731cbd098a5f5606db4bc9f5573e8\"\n ],\n \"RepoTags\": [\n \"alpine:latest\"\n ],\n \"RepoDigests\": [\n \"alpine@sha256:1e42bbe2508154c9126d48c2b8a75420c3544343bf86fd041fb7527e017a4b4a\"\n ],\n \"ImageConfig\": {\n \"architecture\": \"arm64\",\n \"created\": \"2024-09-06T12:05:36Z\",\n \"history\": [\n {\n \"created\": \"2024-09-06T12:05:36Z\",\n \"created_by\": \"ADD alpine-minirootfs-3.20.3-aarch64.tar.gz / # buildkit\",\n \"comment\": \"buildkit.dockerfile.v0\"\n },\n {\n \"created\": \"2024-09-06T12:05:36Z\",\n \"created_by\": \"CMD [\\\"/bin/sh\\\"]\",\n \"comment\": \"buildkit.dockerfile.v0\",\n \"empty_layer\": true\n }\n ],\n \"os\": \"linux\",\n \"rootfs\": {\n \"type\": \"layers\",\n \"diff_ids\": [\n \"sha256:651d9022c23486dfbd396c13db293af6845731cbd098a5f5606db4bc9f5573e8\"\n ]\n },\n \"config\": {\n \"Cmd\": [\n \"/bin/sh\"\n ],\n \"Env\": [\n \"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"\n ],\n \"WorkingDir\": \"/\",\n \"ArgsEscaped\": true\n }\n }\n },\n \"Results\": [\n {\n \"Target\": \"alpine:latest (alpine 3.20.3)\",\n \"Class\": \"os-pkgs\",\n \"Type\": \"alpine\",\n \"Vulnerabilities\": [\n {\n \"VulnerabilityID\": \"CVE-2024-9143\",\n \"PkgID\": \"libcrypto3@3.3.2-r0\",\n \"PkgName\": \"libcrypto3\",\n \"PkgIdentifier\": {\n \"PURL\": \"pkg:apk/alpine/libcrypto3@3.3.2-r0?arch=aarch64\\u0026distro=3.20.3\",\n \"UID\": \"f705555b49cd2259\"\n },\n \"InstalledVersion\": \"3.3.2-r0\",\n \"FixedVersion\": \"3.3.2-r1\",\n \"Status\": \"fixed\",\n \"Layer\": {\n \"DiffID\": 
\"sha256:651d9022c23486dfbd396c13db293af6845731cbd098a5f5606db4bc9f5573e8\"\n },\n \"PrimaryURL\": \"https://avd.aquasec.com/nvd/cve-2024-9143\",\n \"DataSource\": {\n \"ID\": \"alpine\",\n \"Name\": \"Alpine Secdb\",\n \"URL\": \"https://secdb.alpinelinux.org/\"\n },\n \"Title\": \"openssl: Low-level invalid GF(2^m) parameters lead to OOB memory access\",\n \"Description\": \"Issue summary: Use of the low-level GF(2^m) elliptic curve APIs with untrusted\\nexplicit values for the field polynomial can lead to out-of-bounds memory reads\\nor writes.\\n\\nImpact summary: Out of bound memory writes can lead to an application crash or\\neven a possibility of a remote code execution, however, in all the protocols\\ninvolving Elliptic Curve Cryptography that we're aware of, either only \\\"named\\ncurves\\\" are supported, or, if explicit curve parameters are supported, they\\nspecify an X9.62 encoding of binary (GF(2^m)) curves that can't represent\\nproblematic input values. Thus the likelihood of existence of a vulnerable\\napplication is low.\\n\\nIn particular, the X9.62 encoding is used for ECC keys in X.509 certificates,\\nso problematic inputs cannot occur in the context of processing X.509\\ncertificates. Any problematic use-cases would have to be using an \\\"exotic\\\"\\ncurve encoding.\\n\\nThe affected APIs include: EC_GROUP_new_curve_GF2m(), EC_GROUP_new_from_params(),\\nand various supporting BN_GF2m_*() functions.\\n\\nApplications working with \\\"exotic\\\" explicit binary (GF(2^m)) curve parameters,\\nthat make it possible to represent invalid field polynomials with a zero\\nconstant term, via the above or similar APIs, may terminate abruptly as a\\nresult of reading or writing outside of array bounds. 
Remote code execution\\ncannot easily be ruled out.\\n\\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.\",\n \"Severity\": \"LOW\",\n \"CweIDs\": [\n \"CWE-787\"\n ],\n \"VendorSeverity\": {\n \"amazon\": 3,\n \"redhat\": 1,\n \"ubuntu\": 1\n },\n \"CVSS\": {\n \"redhat\": {\n \"V3Vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L\",\n \"V3Score\": 3.7\n }\n },\n \"References\": [\n \"https://access.redhat.com/security/cve/CVE-2024-9143\",\n \"https://github.com/openssl/openssl/commit/72ae83ad214d2eef262461365a1975707f862712\",\n \"https://github.com/openssl/openssl/commit/bc7e04d7c8d509fb78fc0e285aa948fb0da04700\",\n \"https://github.com/openssl/openssl/commit/c0d3e4d32d2805f49bec30547f225bc4d092e1f4\",\n \"https://github.com/openssl/openssl/commit/fdf6723362ca51bd883295efe206cb5b1cfa5154\",\n \"https://github.openssl.org/openssl/extended-releases/commit/8efc0cbaa8ebba8e116f7b81a876a4123594d86a\",\n \"https://github.openssl.org/openssl/extended-releases/commit/9d576994cec2b7aa37a91740ea7e680810957e41\",\n \"https://nvd.nist.gov/vuln/detail/CVE-2024-9143\",\n \"https://openssl-library.org/news/secadv/20241016.txt\",\n \"https://www.cve.org/CVERecord?id=CVE-2024-9143\"\n ],\n \"PublishedDate\": \"2024-10-16T17:15:18.13Z\",\n \"LastModifiedDate\": \"2024-11-08T16:35:21.58Z\"\n },\n {\n \"VulnerabilityID\": \"CVE-2024-9143\",\n \"PkgID\": \"libssl3@3.3.2-r0\",\n \"PkgName\": \"libssl3\",\n \"PkgIdentifier\": {\n \"PURL\": \"pkg:apk/alpine/libssl3@3.3.2-r0?arch=aarch64\\u0026distro=3.20.3\",\n \"UID\": \"c4a39ef718e71832\"\n },\n \"InstalledVersion\": \"3.3.2-r0\",\n \"FixedVersion\": \"3.3.2-r1\",\n \"Status\": \"fixed\",\n \"Layer\": {\n \"DiffID\": \"sha256:651d9022c23486dfbd396c13db293af6845731cbd098a5f5606db4bc9f5573e8\"\n },\n \"PrimaryURL\": \"https://avd.aquasec.com/nvd/cve-2024-9143\",\n \"DataSource\": {\n \"ID\": \"alpine\",\n \"Name\": \"Alpine Secdb\",\n \"URL\": \"https://secdb.alpinelinux.org/\"\n },\n \"Title\": 
\"openssl: Low-level invalid GF(2^m) parameters lead to OOB memory access\",\n \"Description\": \"Issue summary: Use of the low-level GF(2^m) elliptic curve APIs with untrusted\\nexplicit values for the field polynomial can lead to out-of-bounds memory reads\\nor writes.\\n\\nImpact summary: Out of bound memory writes can lead to an application crash or\\neven a possibility of a remote code execution, however, in all the protocols\\ninvolving Elliptic Curve Cryptography that we're aware of, either only \\\"named\\ncurves\\\" are supported, or, if explicit curve parameters are supported, they\\nspecify an X9.62 encoding of binary (GF(2^m)) curves that can't represent\\nproblematic input values. Thus the likelihood of existence of a vulnerable\\napplication is low.\\n\\nIn particular, the X9.62 encoding is used for ECC keys in X.509 certificates,\\nso problematic inputs cannot occur in the context of processing X.509\\ncertificates. Any problematic use-cases would have to be using an \\\"exotic\\\"\\ncurve encoding.\\n\\nThe affected APIs include: EC_GROUP_new_curve_GF2m(), EC_GROUP_new_from_params(),\\nand various supporting BN_GF2m_*() functions.\\n\\nApplications working with \\\"exotic\\\" explicit binary (GF(2^m)) curve parameters,\\nthat make it possible to represent invalid field polynomials with a zero\\nconstant term, via the above or similar APIs, may terminate abruptly as a\\nresult of reading or writing outside of array bounds. 
Remote code execution\\ncannot easily be ruled out.\\n\\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.\",\n \"Severity\": \"LOW\",\n \"CweIDs\": [\n \"CWE-787\"\n ],\n \"VendorSeverity\": {\n \"amazon\": 3,\n \"redhat\": 1,\n \"ubuntu\": 1\n },\n \"CVSS\": {\n \"redhat\": {\n \"V3Vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L\",\n \"V3Score\": 3.7\n }\n },\n \"References\": [\n \"https://access.redhat.com/security/cve/CVE-2024-9143\",\n \"https://github.com/openssl/openssl/commit/72ae83ad214d2eef262461365a1975707f862712\",\n \"https://github.com/openssl/openssl/commit/bc7e04d7c8d509fb78fc0e285aa948fb0da04700\",\n \"https://github.com/openssl/openssl/commit/c0d3e4d32d2805f49bec30547f225bc4d092e1f4\",\n \"https://github.com/openssl/openssl/commit/fdf6723362ca51bd883295efe206cb5b1cfa5154\",\n \"https://github.openssl.org/openssl/extended-releases/commit/8efc0cbaa8ebba8e116f7b81a876a4123594d86a\",\n \"https://github.openssl.org/openssl/extended-releases/commit/9d576994cec2b7aa37a91740ea7e680810957e41\",\n \"https://nvd.nist.gov/vuln/detail/CVE-2024-9143\",\n \"https://openssl-library.org/news/secadv/20241016.txt\",\n \"https://www.cve.org/CVERecord?id=CVE-2024-9143\"\n ],\n \"PublishedDate\": \"2024-10-16T17:15:18.13Z\",\n \"LastModifiedDate\": \"2024-11-08T16:35:21.58Z\"\n }\n ]\n }\n ]\n}\n
VulnerabilityID, PkgName, InstalledVersion, and Severity in Vulnerabilities are always filled with values, but other fields might be empty.
"},{"location":"guide/configuration/reporting/#sarif","title":"SARIF","text":"Scanner Supported Vulnerability \u2713 Misconfiguration \u2713 Secret \u2713 License \u2713 SARIF (Static Analysis Results Interchange Format) complying with SARIF 2.1.0 OASIS standard can be generated with the --format sarif flag.
$ trivy image --format sarif -o report.sarif golang:1.12-alpine
This SARIF file can be uploaded to several platforms, including:
- GitHub code scanning results, and there is a Trivy GitHub Action for automating this process
- SonarQube
"},{"location":"guide/configuration/reporting/#github-dependency-snapshot","title":"GitHub dependency snapshot","text":"Trivy supports the following packages:
- OS packages
- Language-specific packages
GitHub dependency snapshots can be generated with the --format github flag.
$ trivy image --format github -o report.gsbom alpine
This snapshot file can be submitted to your GitHub repository.
"},{"location":"guide/configuration/reporting/#template","title":"Template","text":"Scanner Supported Vulnerability \u2713 Misconfiguration \u2713 Secret \u2713 License \u2713"},{"location":"guide/configuration/reporting/#custom-template","title":"Custom Template","text":"$ trivy image --format template --template \"{{ range . }} {{ .Target }} {{ end }}\" golang:1.12-alpine\n
Result
2020-01-02T18:02:32.856+0100 INFO Detecting Alpine vulnerabilities...
golang:1.12-alpine (alpine 3.10.2)
You can compute different figures within the template using sprig functions. As an example you can summarize the different classes of issues:
$ trivy image --format template --template '{{- $critical := 0 }}{{- $high := 0 }}{{- range . }}{{- range .Vulnerabilities }}{{- if eq .Severity "CRITICAL" }}{{- $critical = add $critical 1 }}{{- end }}{{- if eq .Severity "HIGH" }}{{- $high = add $high 1 }}{{- end }}{{- end }}{{- end }}Critical: {{ $critical }}, High: {{ $high }}' golang:1.12-alpine
Result
Critical: 0, High: 2
For other features of sprig, see the official sprig documentation.
"},{"location":"guide/configuration/reporting/#load-templates-from-a-file","title":"Load templates from a file","text":"You can load templates from a file prefixing the template path with an @.
$ trivy image --format template --template "@/path/to/template" golang:1.12-alpine
"},{"location":"guide/configuration/reporting/#default-templates","title":"Default Templates","text":"If Trivy is installed using rpm then default templates can be found at /usr/local/share/trivy/templates.
"},{"location":"guide/configuration/reporting/#junit","title":"JUnit","text":"Scanner Supported Vulnerability \u2713 Misconfiguration \u2713 Secret \u2713 License \u2713 In the following example using the template junit.tpl XML can be generated.
$ trivy image --format template --template \"@contrib/junit.tpl\" -o junit-report.xml golang:1.12-alpine\n
"},{"location":"guide/configuration/reporting/#asff","title":"ASFF","text":"Scanner Supported Vulnerability \u2713 Misconfiguration \u2713 Secret \u2713 License Trivy also supports an ASFF template for reporting findings to AWS Security Hub
"},{"location":"guide/configuration/reporting/#html","title":"HTML","text":"Scanner Supported Vulnerability \u2713 Misconfiguration \u2713 Secret License $ trivy image --format template --template \"@contrib/html.tpl\" -o report.html golang:1.12-alpine\n
The following example shows use of default HTML template when Trivy is installed using rpm.
$ trivy image --format template --template \"@/usr/local/share/trivy/templates/html.tpl\" -o report.html golang:1.12-alpine\n
"},{"location":"guide/configuration/reporting/#sbom","title":"SBOM","text":"See here for details.
"},{"location":"guide/configuration/reporting/#output","title":"Output","text":"Trivy supports the following output destinations:
- File
- Plugin
"},{"location":"guide/configuration/reporting/#file","title":"File","text":"By specifying --output <file_path>, you can output the results to a file. Here is an example:
$ trivy image --format json --output result.json debian:12
"},{"location":"guide/configuration/reporting/#plugin","title":"Plugin","text":"EXPERIMENTAL
This feature might change without preserving backwards compatibility.
Plugins capable of receiving Trivy's results via standard input, called "output plugin", can be seamlessly invoked using the --output flag.
$ trivy <target> [--format <format>] --output plugin=<plugin_name> [--output-plugin-arg <plugin_flags>] <target_name>
This is useful for cases where you want to convert the output into a custom format, or when you want to send the output somewhere. For more details, please check here.
"},{"location":"guide/configuration/reporting/#converting","title":"Converting","text":"To generate multiple reports, you can generate the JSON report first and convert it to other formats with the convert subcommand.
$ trivy image --format json -o result.json debian:11
$ trivy convert --format cyclonedx --output result.cdx result.json
Filtering options such as --severity are also available with convert.
# Output all severities in JSON
$ trivy image --format json -o result.json debian:11

# Output only critical issues in table format
$ trivy convert --format table --severity CRITICAL result.json
Note
JSON reports from "trivy k8s" are not yet supported.
1. To show the summary table in convert mode, you need to enable the scanners used during JSON report generation.
"},{"location":"guide/configuration/skipping/","title":"Selecting files for scanning","text":"When scanning a target (image, code repository, etc), Trivy traverses all directories and files in that target and looks for known files to scan. For example, vulnerability scanner might look for /lib/apk/db/installed for Alpine APK scanning or requirements.txt file for Python pip scanning, and misconfiguration scanner might look for Dockerfile for Dockerfile scanning. This document explains how to control which files Trivy looks (including skipping files) for and how it should process them.
Note
Selecting/skipping files is different from filtering/ignoring results, which is covered in the Filtering document
"},{"location":"guide/configuration/skipping/#skip-files-and-directories","title":"Skip Files and Directories","text":"You can skip specific files and directories using the --skip-files and --skip-dirs flags.
For example:
trivy image --skip-files "/Gemfile.lock" --skip-dirs "/var/lib/gems/2.5.0/gems/http_parser.rb-0.6.0" quay.io/fluentd_elasticsearch/fluentd:v2.9.0
This feature is relevant for the following scanners:
Scanner          Supported
Vulnerability    ✓
Misconfiguration ✓
Secret           ✓
License          ✓
It's possible to specify glob patterns when referring to a file or directory. The glob expression follows the "doublestar" library syntax.
Examples:
# skip any file named `bar` in the subdirectories of testdata
trivy image --skip-files "./testdata/*/bar" .

# skip any files with the extension `.tf` in subdirectories of foo at any depth
trivy config --skip-files "./foo/**/*.tf" .

# skip all subdirectories of the testdata directory.
trivy image --skip-dirs "./testdata/*" .

# skip subdirectories at any depth named `.terraform/`.
# this will match `./foo/.terraform` or `./foo/bar/.terraform`, but not `./.terraform`
trivy config --skip-dirs "**/.terraform" .
Like any other flag, this is available as Trivy YAML configuration.
For example:
image:
  skip-files:
    - foo
    - "testdata/*/bar"
  skip-dirs:
    - foo/bar/
    - "**/.terraform"
"},{"location":"guide/configuration/skipping/#customizing-file-handling","title":"Customizing file handling","text":"You can customize which files Trivy scans and how it interprets them with the --file-patterns flag. A file pattern configuration takes the following form: <analyzer>:<path>, such that files matching the <path> will be processed with the respective <analyzer>.
For example:
trivy fs --file-patterns "pip:.requirements-test.txt" .
This feature is relevant for the following scanners:
Scanner          Supported
Vulnerability    ✓
Misconfiguration ✓
Secret
License          ✓¹
The list of analyzers can be found here. Note that this flag is not applicable to parsers that accept files of different extensions, for example the Terraform file parser, which handles .tf and .tf.json files.
The file path can use a regular expression. For example:
# interpret any file with .txt extension as a python pip requirements file
trivy fs --file-patterns "pip:requirements-.*\.txt" .
The flag can be repeated for specifying multiple file patterns. For example:
# look for a Dockerfile called production.docker and a python pip requirements file called requirements-test.txt
trivy fs --scanners misconfig,vuln --file-patterns "dockerfile:.production.docker" --file-patterns "pip:.requirements-test.txt" .
"},{"location":"guide/configuration/skipping/#avoid-full-filesystem-traversal","title":"Avoid full filesystem traversal","text":"In specific scenarios Trivy can avoid traversing the entire filesystem, which makes scanning faster and more efficient. For more information see here
-
Only work with the license-full flag\u00a0\u21a9
"},{"location":"guide/coverage/","title":"Scanning Coverage","text":"Trivy can detect security issues in many different platforms, languages and configuration files. This section gives a general overview of that coverage, and can help answer the frequently asked question \"Does Trivy support X?\". For more detailed information about the specific platforms and languages, check the relevant documentation.
- OS Packages
- Language-specific Packages
- IaC files
- Kubernetes clusters
"},{"location":"guide/coverage/kubernetes/","title":"Kubernetes","text":"When scanning a Kubernetes cluster, Trivy differentiates between the following:
- Cluster infrastructure (e.g. api-server, kubelet, addons)
- Cluster configuration (e.g. Roles, ClusterRoles)
- Application workloads (e.g. nginx, postgresql)
Whenever Trivy scans any of these Kubernetes resources, the container image is scanned separately from the Kubernetes resource definition (the YAML manifest) that defines the resource.
Container image is scanned for:
- Vulnerabilities
- Misconfigurations
- Exposed secrets
Kubernetes resource definition is scanned for:
- Vulnerabilities - partially supported through KBOM scanning
- Misconfigurations
- Exposed secrets
To learn more, please see the documentation for Kubernetes scanning.
"},{"location":"guide/coverage/iac/","title":"Infrastructure as Code","text":""},{"location":"guide/coverage/iac/#scanner","title":"Scanner","text":"Trivy scans Infrastructure as Code (IaC) files for
- Misconfigurations
- Secrets
"},{"location":"guide/coverage/iac/#supported-configurations","title":"Supported configurations","text":"Config type File patterns Kubernetes *.yml, *.yaml, *.json Docker Dockerfile, Containerfile Terraform *.tf, *.tf.json, *.tfvars Terraform Plan tfplan, *.tfplan, *.json CloudFormation *.yml, *.yaml, *.json Azure ARM Template *.json Helm *.yaml, *.tpl, *.tar.gz, etc. YAML *.yaml, *.yml JSON *.json"},{"location":"guide/coverage/iac/azure-arm/","title":"Azure ARM Template","text":"Trivy supports the scanners listed in the table below.
Scanner Supported Misconfiguration \u2713 Secret \u2713 It supports the following configurations:
Format Supported ARM template \u2713 Bicep \u27131 To scan Bicep code, you need to convert it into ARM templates first.
az bicep build -f main.bicep\nor\nbicep build main.bicep\n
"},{"location":"guide/coverage/iac/azure-arm/#misconfiguration","title":"Misconfiguration","text":"Trivy recursively searches directories and scans all found Azure ARM templates.
"},{"location":"guide/coverage/iac/azure-arm/#secret","title":"Secret","text":"The secret scan is performed on plain text files, with no special treatment for Azure ARM templates.
-
Bicep is not natively supported. It needs to be converted into Azure ARM templates.\u00a0\u21a9
"},{"location":"guide/coverage/iac/cloudformation/","title":"CloudFormation","text":"Trivy supports the scanners listed in the table below.
Scanner Supported Misconfiguration \u2713 Secret \u2713 It supports the following formats.
Format Supported JSON \u2713 YAML \u2713"},{"location":"guide/coverage/iac/cloudformation/#misconfiguration","title":"Misconfiguration","text":"Trivy recursively searches directories and scans all found CloudFormation files. It evaluates properties, functions, and other elements within CloudFormation files to detect misconfigurations.
"},{"location":"guide/coverage/iac/cloudformation/#value-overrides","title":"Value Overrides","text":"You can provide cf-params with path to CloudFormation Parameters file to Trivy to scan your CloudFormation code with parameters.
trivy config --cf-params params.json ./infrastructure/cf\n
You can check a CloudFormation Parameters Example
"},{"location":"guide/coverage/iac/cloudformation/#secret","title":"Secret","text":"The secret scan is performed on plain text files, with no special treatment for CloudFormation.
"},{"location":"guide/coverage/iac/docker/","title":"Docker","text":"Trivy supports the scanners listed in the table below.
Scanner Supported Misconfiguration \u2713 Secret \u2713 It supports the following configurations.
Config Supported Dockerfile \u2713 Containerfile \u2713 Compose -"},{"location":"guide/coverage/iac/docker/#misconfiguration","title":"Misconfiguration","text":"Trivy recursively searches directories and scans all found Docker files.
"},{"location":"guide/coverage/iac/docker/#secret","title":"Secret","text":"The secret scan is performed on plain text files, with no special treatment for Dockerfile.
"},{"location":"guide/coverage/iac/helm/","title":"Helm","text":"Trivy supports two types of Helm scanning, templates and packaged charts. The following scanners are supported.
Format Misconfiguration Secret Template \u2713 \u2713 Chart \u2713 -"},{"location":"guide/coverage/iac/helm/#misconfiguration","title":"Misconfiguration","text":"Trivy recursively searches directories and scans all found Helm files.
It evaluates variables, functions, and other elements within Helm templates, resolves the chart to Kubernetes manifests, and then runs the Kubernetes checks. See here for more details on the built-in checks.
"},{"location":"guide/coverage/iac/helm/#value-overrides","title":"Value overrides","text":"There are a number of options for overriding values in Helm charts. When override values are passed to the Helm scanner, the values will be used during the Manifest rendering process and will become part of the scanned artifact.
"},{"location":"guide/coverage/iac/helm/#setting-inline-value-overrides","title":"Setting inline value overrides","text":"Overrides can be set inline on the command line
trivy config --helm-set securityContext.runAsUser=0 ./charts/mySql\n
"},{"location":"guide/coverage/iac/helm/#setting-value-file-overrides","title":"Setting value file overrides","text":"Overrides can be in a file that has the key=value set.
# Example override file (overrides.yaml)\n\nsecurityContext:\n runAsUser: 0\n
trivy config --helm-values overrides.yaml ./charts/mySql\n
"},{"location":"guide/coverage/iac/helm/#setting-value-as-explicit-string","title":"Setting value as explicit string","text":"the --helm-set-string is the same as --helm-set but explicitly retains the value as a string
trivy config --helm-set-string name=false ./infrastructure/tf\n
"},{"location":"guide/coverage/iac/helm/#setting-specific-values-from-files","title":"Setting specific values from files","text":"Specific override values can come from specific files
trivy config --helm-set-file environment=dev.values.yaml ./charts/mySql\n
"},{"location":"guide/coverage/iac/helm/#secret","title":"Secret","text":"The secret scan is performed on plain text files, with no special treatment for Helm. Secret scanning is not conducted on the contents of packaged Charts, such as tar or tar.gz.
"},{"location":"guide/coverage/iac/kubernetes/","title":"Kubernetes","text":"Trivy supports the scanners listed in the table below.
Scanner Supported Misconfiguration \u2713 Secret \u2713 In addition to raw YAML and JSON, it supports the following templates:
Template Supported Helm \u2713 Kustomize \u27131 Note
Trivy does not support Kustomize overlays, so it scans the files defined in the base. Alternatively, you can scan the output of kustomize build.
"},{"location":"guide/coverage/iac/kubernetes/#misconfiguration","title":"Misconfiguration","text":"Trivy recursively searches directories and scans all found Kubernetes files.
"},{"location":"guide/coverage/iac/kubernetes/#secret","title":"Secret","text":"The secret scan is performed on plain text files, with no special treatment for Kubernetes. This means that Base64 encoded secrets are not scanned, and only secrets written in plain text are detected.
-
Kustomize is not natively supported.\u00a0\u21a9
"},{"location":"guide/coverage/iac/terraform/","title":"Terraform","text":"Trivy supports the scanners listed in the table below.
Scanner Supported Misconfiguration \u2713 Secret \u2713 It supports the following formats:
Format Supported JSON \u2713 HCL \u2713 Plan Snapshot \u2713 Plan JSON \u2713 Trivy can scan Terraform Plan files (snapshots) or their JSON representations. To create a Terraform Plan and scan it, run the following command:
terraform plan --out tfplan\ntrivy config tfplan\n
To scan a Terraform Plan representation in JSON format, run the following command:
terraform show -json tfplan > tfplan.json\ntrivy config tfplan.json\n
"},{"location":"guide/coverage/iac/terraform/#misconfiguration","title":"Misconfiguration","text":"Trivy recursively searches directories and scans all found Terraform files. It also evaluates variables, imports, and other elements within Terraform files to detect misconfigurations.
"},{"location":"guide/coverage/iac/terraform/#value-overrides","title":"Value Overrides","text":"You can provide tf-vars files to Trivy to override default values specified in the Terraform HCL code.
trivy config --tf-vars dev.terraform.tfvars ./infrastructure/tf\n
"},{"location":"guide/coverage/iac/terraform/#exclude-downloaded-terraform-modules","title":"Exclude Downloaded Terraform Modules","text":"By default, downloaded modules are also scanned. If you don't want to scan them, you can use the --tf-exclude-downloaded-modules flag.
trivy config --tf-exclude-downloaded-modules ./configs\n
"},{"location":"guide/coverage/iac/terraform/#secret","title":"Secret","text":"The secret scan is performed on plain text files, with no special treatment for Terraform.
"},{"location":"guide/coverage/iac/terraform/#limitations","title":"Limitations","text":""},{"location":"guide/coverage/iac/terraform/#terraform-plan-json","title":"Terraform Plan JSON","text":""},{"location":"guide/coverage/iac/terraform/#for-each-and-count-objects-in-expression","title":"For each and count objects in expression","text":"The plan created by Terraform does not provide complete information about references in expressions that use each or count objects. For this reason, in some situations it is not possible to establish references between resources that are needed for checks when detecting misconfigurations. An example of such a configuration is:
locals {\n buckets = toset([\"test\"])\n}\n\nresource \"aws_s3_bucket\" \"this\" {\n for_each = local.buckets\n bucket = each.key\n}\n\nresource \"aws_s3_bucket_acl\" \"this\" {\n for_each = local.buckets\n bucket = aws_s3_bucket.this[each.key].id\n acl = \"private\"\n}\n
With this configuration, the plan will not contain information about which attribute of the aws_s3_bucket resource is referenced by the aws_s3_bucket_acl resource.
See more here.
"},{"location":"guide/coverage/language/","title":"Programming Language","text":"Trivy supports programming languages for
- SBOM
- Vulnerabilities
- Licenses
"},{"location":"guide/coverage/language/#supported-languages","title":"Supported languages","text":"The files analyzed vary depending on the target. This is because Trivy primarily categorizes targets into two groups:
- Pre-build
- Post-build
If the target is a pre-build project, like a code repository, Trivy will analyze files used for building, such as lock files. On the other hand, when the target is a post-build artifact, like a container image, Trivy will analyze installed package metadata like .gemspec, binary files, and so on.
Language File Image4 Rootfs5 Filesystem6 Repository7 Ruby Gemfile.lock - - \u2705 \u2705 gemspec \u2705 \u2705 - - Python Pipfile.lock - - \u2705 \u2705 poetry.lock - - \u2705 \u2705 uv.lock - - \u2705 \u2705 requirements.txt - - \u2705 \u2705 egg package1 \u2705 \u2705 - - wheel package2 \u2705 \u2705 - - PHP composer.lock - - \u2705 \u2705 installed.json \u2705 \u2705 - - Node.js package-lock.json - - \u2705 \u2705 yarn.lock - - \u2705 \u2705 pnpm-lock.yaml - - \u2705 \u2705 bun.lock - - \u2705 \u2705 package.json \u2705 \u2705 - - .NET packages.lock.json \u2705 \u2705 \u2705 \u2705 packages.config \u2705 \u2705 \u2705 \u2705 .deps.json \u2705 \u2705 \u2705 \u2705 *Packages.props9 \u2705 \u2705 \u2705 \u2705 Java JAR/WAR/PAR/EAR3 \u2705 \u2705 - - pom.xml - - \u2705 \u2705 *gradle.lockfile - - \u2705 \u2705 *.sbt.lock - - \u2705 \u2705 Go Binaries built by Go \u2705 \u2705 - - go.mod - - \u2705 \u2705 Rust Cargo.lock \u2705 \u2705 \u2705 \u2705 Binaries built with cargo-auditable \u2705 \u2705 - - C/C++ conan.lock - - \u2705 \u2705 Elixir mix.lock8 - - \u2705 \u2705 Dart pubspec.lock - - \u2705 \u2705 Swift Podfile.lock - - \u2705 \u2705 Package.resolved - - \u2705 \u2705 Julia Manifest.toml \u2705 \u2705 \u2705 \u2705 The path of these files does not matter.
Example: Dockerfile
-
*.egg-info, *.egg-info/PKG-INFO, *.egg and EGG-INFO/PKG-INFO \u21a9
-
.dist-info/METADATA \u21a9
-
*.jar, *.war, *.par and *.ear \u21a9
-
\u2705 means \"enabled\" and - means \"disabled\" in the image scanning\u00a0\u21a9
-
\u2705 means \"enabled\" and - means \"disabled\" in the rootfs scanning\u00a0\u21a9
-
\u2705 means \"enabled\" and - means \"disabled\" in the filesystem scanning\u00a0\u21a9
-
\u2705 means \"enabled\" and - means \"disabled\" in the git repository scanning\u00a0\u21a9
-
To scan a filename other than the default filename use file-patterns \u21a9
-
Directory.Packages.props and legacy Packages.props file names are supported\u00a0\u21a9
"},{"location":"guide/coverage/language/c/","title":"C/C++","text":"Trivy supports Conan C/C++ Package Manager (v1 and v2 with limitations).
The following scanners are supported.
Package manager SBOM Vulnerability License Conan \u2713 \u2713 \u27131 The following table provides an outline of the features Trivy offers.
Package manager File Transitive dependencies Dev dependencies Dependency graph Position Conan (lockfile v1) conan.lock2 \u2713 Excluded \u2713 \u2713 Conan (lockfile v2) conan.lock2 \u2713 3 Excluded - \u2713"},{"location":"guide/coverage/language/c/#conan","title":"Conan","text":"In order to detect dependencies, Trivy searches for conan.lock1.
"},{"location":"guide/coverage/language/c/#licenses","title":"Licenses","text":"The Conan lock file doesn't contain any license information. To obtain licenses we parse the conanfile.py files from the conan v1 cache directory and conan v2 cache directory. To correctly detection licenses, ensure that the cache directory contains all dependencies used.
-
The local cache should contain the dependencies used. See licenses.\u00a0\u21a9\u21a9
-
conan.lock is the default name. To scan a custom filename, use file-patterns.\u00a0\u21a9\u21a9
-
For conan.lock in version 2, indirect dependencies are included in analysis but not flagged explicitly in dependency tree\u00a0\u21a9
"},{"location":"guide/coverage/language/dart/","title":"Dart","text":"Trivy supports Dart.
The following scanners are supported.
Package manager SBOM Vulnerability License Dart \u2713 \u2713 - The following table provides an outline of the features Trivy offers.
Package manager File Transitive dependencies Dev dependencies Dependency graph Position Detection Priority Dart pubspec.lock \u2713 Included \u2713 - \u2713"},{"location":"guide/coverage/language/dart/#dart_1","title":"Dart","text":"In order to detect dependencies, Trivy searches for pubspec.lock.
Trivy marks indirect dependencies, but the pubspec.lock file has no way to separate root and dev transitive dependencies, so Trivy includes all dependencies in the report.
"},{"location":"guide/coverage/language/dart/#sdk-dependencies","title":"SDK dependencies","text":"Dart uses version 0.0.0 for SDK dependencies (e.g. Flutter). It is not possible to accurately determine the versions of these dependencies. Trivy just treats them as 0.0.0.
If --detection-priority comprehensive is passed, Trivy uses the minimum version of the constraint for the SDK. For example, in the following case, the version of flutter would be 3.3.0:
flutter:\n dependency: \"direct main\"\n description: flutter\n source: sdk\n version: \"0.0.0\"\nsdks:\n dart: \">=2.18.0 <3.0.0\"\n flutter: \"^3.3.0\"\n
"},{"location":"guide/coverage/language/dart/#dependency-tree","title":"Dependency tree","text":"To build dependency tree Trivy parses cache directory. Currently supported default directories and PUB_CACHE environment (absolute path only).
Note
Make sure the cache directory contains all the dependencies installed in your application. To download missing dependencies, use the dart pub get command.
"},{"location":"guide/coverage/language/dotnet/","title":".NET","text":"Trivy supports .NET core and NuGet package managers.
The following scanners are supported.
Artifact SBOM Vulnerability License .Net Core \u2713 \u2713 - NuGet \u2713 \u2713 \u2713 The following table provides an outline of the features Trivy offers.
Package manager File Transitive dependencies Dev dependencies Dependency graph Position .Net Core *.deps.json \u2713 Excluded \u2713 \u2713 NuGet packages.config \u2713 Excluded - - NuGet *Packages.props - Excluded - - NuGet packages.lock.json \u2713 Included \u2713 \u2713"},{"location":"guide/coverage/language/dotnet/#depsjson","title":"*.deps.json","text":"Trivy parses *.deps.json files. Trivy currently excludes dev dependencies from the report.
Note
Trivy only includes runtime dependencies in the report.
"},{"location":"guide/coverage/language/dotnet/#packagesconfig","title":"packages.config","text":"Trivy only finds dependency names and versions from packages.config files. To build dependency graph, it is better to use packages.lock.json files.
"},{"location":"guide/coverage/language/dotnet/#packagesprops","title":"*Packages.props","text":"Trivy parses *Packages.props files. Both legacy Packages.props and modern Directory.Packages.props are supported.
"},{"location":"guide/coverage/language/dotnet/#license-detection","title":"license detection","text":"packages.config files don't have information about the licenses used. Trivy uses *.nuspec files from global packages folder to detect licenses.
Note
The licenseUrl field is deprecated. Trivy doesn't parse this field and only checks the license field (license expression type only).
Currently only the default path and NUGET_PACKAGES environment variable are supported.
"},{"location":"guide/coverage/language/dotnet/#packageslockjson","title":"packages.lock.json","text":"Don't forgot to enable lock files in your project.
Tip
Please make sure your lock file is up-to-date after modifying dependencies.
"},{"location":"guide/coverage/language/dotnet/#license-detection_1","title":"license detection","text":"Same as packages.config
"},{"location":"guide/coverage/language/elixir/","title":"Elixir","text":"Trivy supports Hex repository for Elixir.
The following scanners are supported.
Package manager SBOM Vulnerability License hex \u2713 \u2713 - The following table provides an outline of the features Trivy offers.
Package manager File Transitive dependencies Dev dependencies Dependency graph Position hex mix.lock1 \u2713 Excluded - \u2713"},{"location":"guide/coverage/language/elixir/#hex","title":"Hex","text":"In order to detect dependencies, Trivy searches for mix.lock1.
Configure your project to use the mix.lock1 file.
-
mix.lock is the default name. To scan a custom filename, use file-patterns \u21a9\u21a9\u21a9
"},{"location":"guide/coverage/language/golang/","title":"Go","text":""},{"location":"guide/coverage/language/golang/#overview","title":"Overview","text":"Trivy supports two types of Go scanning, Go Modules and binaries built by Go.
The following scanners are supported.
Artifact SBOM Vulnerability License Modules \u2713 \u2713 \u2713 Binaries \u2713 \u2713 - The table below provides an outline of the features Trivy offers.
Artifact Offline1 Dev dependencies Dependency graph Stdlib Detection Priority Modules \u2705 Include \u2705 \u2705 \u2705 Binaries \u2705 Exclude - \u2705 Not needed Note
When scanning Go projects (go.mod or binaries built with Go), Trivy scans only dependencies of the project, and does not detect vulnerabilities of application itself. For example, when scanning the Docker project (Docker's source code with go.mod or the Docker binary), Trivy might find vulnerabilities in Go modules that Docker depends on, but won't find vulnerabilities of Docker itself. Moreover, when scanning the Trivy project, which happens to use Docker, Docker's vulnerabilities might be detected as dependencies of Trivy.
"},{"location":"guide/coverage/language/golang/#data-sources","title":"Data Sources","text":"The data sources are listed here. Trivy uses Go Vulnerability Database for standard library and uses GitHub Advisory Database for other Go modules.
"},{"location":"guide/coverage/language/golang/#go-module","title":"Go Module","text":"Depending on Go versions, the required files are different.
Version Required files Offline >=1.17 go.mod \u2705 <1.17 go.mod, go.sum \u2705 In Go 1.17+ projects, Trivy uses go.mod for direct/indirect dependencies. On the other hand, it uses go.mod for direct dependencies and go.sum for indirect dependencies in Go 1.16 or earlier.
Go 1.17+ records only the indirect dependencies that are actually needed in go.mod, which reduces false detections. In Go 1.16 or earlier, go.sum contains all indirect dependencies, including ones that are not even needed for compilation. If you want better detection, please consider updating the Go version in your project.
Note
The Go version doesn't mean your Go tool version, but the Go version in your go.mod.
module github.com/aquasecurity/trivy\n\ngo 1.18\n\nrequire (\n github.com/CycloneDX/cyclonedx-go v0.5.0\n ...\n)\n
To update the Go version in your project, you need to run the following command.
$ go mod tidy -go=1.18\n
"},{"location":"guide/coverage/language/golang/#gomod-main","title":"Main Module","text":"Trivy scans only dependencies of the project, and does not detect vulnerabilities of the main module. For example, when scanning the Docker project (Docker's source code with go.mod), Trivy might find vulnerabilities in Go modules that Docker depends on, but won't find vulnerabilities of Docker itself. Moreover, when scanning the Trivy project, which happens to use Docker, Docker's vulnerabilities might be detected as dependencies of Trivy.
"},{"location":"guide/coverage/language/golang/#gomod-stdlib","title":"Standard Library","text":"Detecting the version of Go used in the project can be tricky. The go.mod file include hints that allows Trivy to guess the Go version but it eventually depends on the Go tool version in the build environment. Since this strategy is not fully deterministic and accurate, it is enabled only in --detection-priority comprehensive mode. When enabled, Trivy detects stdlib version as the minimum between the go and the toolchain directives in the go.mod file. To obtain reproducible scan results Trivy doesn't check the locally installed version of Go.
Note
Trivy detects stdlib only for Go 1.21 or higher.
The version from the go line (for Go 1.20 or earlier) is not a minimum required version. For details, see this.
It possibly produces false positives. See the caveat for details.
"},{"location":"guide/coverage/language/golang/#license","title":"License","text":"To identify licenses, you need to download modules to local cache beforehand, such as go mod download, go mod tidy, go mod vendor, etc. If the vendor directory exists, Trivy uses this directory when scanning for license files. For other cases Trivy traverses $GOPATH/pkg/moddir and collects those extra information.
"},{"location":"guide/coverage/language/golang/#dependency-graph","title":"Dependency Graph","text":"Same as licenses, you need to download modules to local cache beforehand.
"},{"location":"guide/coverage/language/golang/#go-binary","title":"Go Binary","text":"Trivy scans Go binaries when it encounters them during scans such as container images or file systems. When scanning binaries built by Go, Trivy finds dependencies and Go version information as embedded in the binary by Go tool at build time.
$ trivy rootfs ./your_binary\n
Note
It doesn't work with UPX-compressed binaries.
"},{"location":"guide/coverage/language/golang/#main-module","title":"Main Module","text":"Go binaries installed using the go install command contains correct (semver) version for the main module and therefore are detected by Trivy. In other cases, Go uses the (devel) version2. In this case, Trivy will attempt to parse any -ldflags as it's a common practice to pass versions this way. If unsuccessful, the version will be empty3.
"},{"location":"guide/coverage/language/golang/#go-binary-stdlib","title":"Standard Library","text":"Trivy detects the Go version used to compile the binary and detects its vulnerabilities in the standard libraries. It possibly produces false positives. See the caveat for details.
"},{"location":"guide/coverage/language/golang/#caveats","title":"Caveats","text":""},{"location":"guide/coverage/language/golang/#stdlib-vulnerabilities","title":"Stdlib Vulnerabilities","text":"Trivy does not know if or how you use stdlib functions, therefore it is possible that stdlib vulnerabilities are not applicable to your use case. There are a few ways to mitigate this:
- Analyze vulnerability reachability using a tool such as govulncheck. This will ensure that reported vulnerabilities are applicable to your project.
- Suppress non-applicable vulnerabilities using either ignore file for self-use or VEX Hub for public use.
"},{"location":"guide/coverage/language/golang/#empty-version","title":"Empty Version","text":"As described in the Main Module section, the main module of Go binaries might have an empty version. Also, dependencies replaced with local ones will have an empty version.
-
It doesn't require Internet access.\u00a0\u21a9
-
See https://github.com/aquasecurity/trivy/issues/1837#issuecomment-1832523477 \u21a9
-
See https://github.com/golang/go/issues/63432#issuecomment-1751610604 \u21a9
"},{"location":"guide/coverage/language/java/","title":"Java","text":"Trivy supports four types of Java scanning: JAR/WAR/PAR/EAR, pom.xml, *gradle.lockfile and *.sbt.lock files.
Each artifact supports the following scanners:
Artifact SBOM Vulnerability License JAR/WAR/PAR/EAR \u2713 \u2713 - pom.xml \u2713 \u2713 \u2713 *gradle.lockfile \u2713 \u2713 \u2713 *.sbt.lock \u2713 \u2713 - The following table provides an outline of the features Trivy offers.
Artifact Internet access Dev dependencies Dependency graph Position Detection Priority JAR/WAR/PAR/EAR Trivy Java DB Include - - Not needed pom.xml Maven repository 1 Exclude \u2713 \u27137 - *gradle.lockfile - Exclude \u2713 \u2713 Not needed *.sbt.lock - Exclude - \u2713 Not needed These may be enabled or disabled depending on the target. See here for the detail.
"},{"location":"guide/coverage/language/java/#jarwarparear","title":"JAR/WAR/PAR/EAR","text":"To find information about your JAR2 file, Trivy parses pom.properties and MANIFEST.MF files in your JAR2 file and takes required properties3.
If those files don't exist or don't contain enough information, Trivy will try to find this JAR2 file in trivy-java-db. The Java DB will be automatically downloaded/updated when any JAR2 file is found. It is stored in the cache directory.
EXPERIMENTAL
Finding JARs in trivy-java-db is an experimental function.
Base JAR2 may contain inner JARs2 within itself. To find information about these JARs2, the same logic is used as for the base JAR2.
The table format only contains the name of the root JAR2. To get the full path to inner JARs2, use the json format.
"},{"location":"guide/coverage/language/java/#pomxml","title":"pom.xml","text":"Trivy parses your pom.xml file and tries to find files with dependencies from these local locations.
- project directory4
- relativePath field5
- local repository directory6.
"},{"location":"guide/coverage/language/java/#remote-repositories","title":"remote repositories","text":"If your machine doesn't have the necessary files - Trivy tries to find the information about these dependencies in the remote repositories:
- repositories from pom files
- maven central repository
Trivy reproduces Maven's repository selection and priority:
- for snapshot artifacts:
- check only snapshot repositories from pom files (if any)
- for other artifacts:
- check release repositories from pom files (if any)
- check maven central
Note
Trivy only takes information about packages. It doesn't take a list of vulnerabilities for packages from the Maven repository. Information about data sources for Java can be found here.
You can disable connecting to the maven repository with the --offline-scan flag. The --offline-scan flag does not affect the Trivy database. The vulnerability database will be downloaded anyway.
Warning
Trivy may skip some dependencies (that were not found on your local machine) when the --offline-scan flag is passed.
"},{"location":"guide/coverage/language/java/#supported-scopes","title":"supported scopes","text":"Trivy only scans import, compile, runtime and empty maven scopes. Other scopes and Optional dependencies are not currently being analyzed.
"},{"location":"guide/coverage/language/java/#empty-dependency-version","title":"empty dependency version","text":"There are cases when Trivy cannot determine the version of dependencies:
- Unable to determine the version from the parent because the parent is not reachable;
- The dependency uses a hard requirement with more than one version.
In these cases, Trivy uses an empty version for the dependency.
Warning
Trivy doesn't detect child dependencies for dependencies without a version.
"},{"location":"guide/coverage/language/java/#maven-invoker-plugin","title":"maven-invoker-plugin","text":"Typically, the integration tests directory (**/[src|target]/it/*/pom.xml) of maven-invoker-plugin doesn't contain actual pom.xml files and should be skipped to avoid noise.
Trivy marks dependencies from these files as development dependencies and skips them by default. If you need to show them, use the --include-dev-deps flag.
"},{"location":"guide/coverage/language/java/#gradlelock","title":"Gradle.lock","text":"gradle.lock files only contain information about used dependencies.
Note
All necessary files are checked locally. Gradle file scanning doesn't require internet access.
By default, Trivy doesn't report development dependencies. Use the --include-dev-deps flag to include them in the results.
"},{"location":"guide/coverage/language/java/#dependency-tree","title":"Dependency-tree","text":"EXPERIMENTAL
This feature might change without preserving backwards compatibility.
Trivy finds child dependencies from *.pom files in the cache8 directory.
But there is no reliable way to determine direct dependencies (even using other files). Therefore, Trivy marks all dependencies as indirect and uses heuristics to guess the direct dependencies and build a dependency tree.
"},{"location":"guide/coverage/language/java/#licenses","title":"Licenses","text":"Trivy also can detect licenses for dependencies.
Make sure that you have the cache8 directory so Trivy can find licenses from *.pom dependency files.
"},{"location":"guide/coverage/language/java/#sbt","title":"SBT","text":"build.sbt.lock files only contain information about used dependencies. This requires a lockfile generated using the sbt-dependency-lock plugin.
Note
All necessary files are checked locally. SBT file scanning doesn't require internet access.
-
Uses the Maven repository to get information about dependencies. Internet access required.\u00a0\u21a9
-
It means *.jar, *.war, *.par and *.ear file\u00a0\u21a9\u21a9\u21a9\u21a9\u21a9\u21a9\u21a9\u21a9\u21a9\u21a9
-
ArtifactID, GroupID and Version \u21a9
-
e.g. when parent pom.xml file has ../pom.xml path\u00a0\u21a9
-
When you use dependency path in relativePath field in pom.xml file\u00a0\u21a9
-
/Users/<username>/.m2/repository (for Linux and Mac) and C:/Users/<username>/.m2/repository (for Windows) by default\u00a0\u21a9
-
To avoid confusion, Trivy only finds locations for direct dependencies from the base pom.xml file.\u00a0\u21a9
-
The supported directories are $GRADLE_USER_HOME/caches and $HOME/.gradle/caches (%HOMEPATH%\\.gradle\\caches for Windows).\u00a0\u21a9\u21a9
"},{"location":"guide/coverage/language/julia/","title":"Julia","text":""},{"location":"guide/coverage/language/julia/#features","title":"Features","text":"Trivy supports Pkg.jl, which is the Julia package manager. The following scanners are supported.
Package manager SBOM Vulnerability License Pkg.jl \u2713 - - The following table provides an outline of the features Trivy offers.
Package manager File Transitive dependencies Dev dependencies License Dependency graph Position Pkg.jl Manifest.toml \u2705 Excluded1 - \u2705 \u2705"},{"location":"guide/coverage/language/julia/#pkgjl","title":"Pkg.jl","text":"Trivy searches for Manifest.toml to detect dependencies.
Trivy also supports dependency trees; however, to display an accurate tree, it needs to know whether each package is a direct dependency of the project. Since this information is not included in Manifest.toml, Trivy parses Project.toml, which should be located next to Manifest.toml. If you want to see the dependency tree, please ensure that Project.toml is present.
Scanning Manifest.toml and Project.toml together also removes developer dependencies.
Dependency extensions are currently ignored.
-
When you scan Manifest.toml and Project.toml together.\u00a0\u21a9
"},{"location":"guide/coverage/language/nodejs/","title":"Node.js","text":"Trivy supports four types of Node.js package managers: npm, Yarn, pnpm and Bun1.
The following scanners are supported.
Artifact SBOM Vulnerability License npm \u2713 \u2713 \u2713 Yarn \u2713 \u2713 \u2713 pnpm \u2713 \u2713 \u2713 Bun \u2713 \u2713 \u2713 The following table provides an outline of the features Trivy offers.
Package manager File Transitive dependencies Dev dependencies Dependency graph Position npm package-lock.json \u2713 Excluded \u2713 \u2713 Yarn yarn.lock \u2713 Excluded \u2713 \u2713 pnpm pnpm-lock.yaml \u2713 Excluded \u2713 - Bun bun.lock \u2713 Excluded \u2713 \u2713 In addition, Trivy scans installed packages with package.json.
File Dependency graph Position License package.json - - \u2705 These may be enabled or disabled depending on the target. See here for the detail.
"},{"location":"guide/coverage/language/nodejs/#package-managers","title":"Package managers","text":"Trivy parses your files generated by package managers in filesystem/repository scanning.
Tip
Please make sure your lock file is up-to-date after modifying package.json.
"},{"location":"guide/coverage/language/nodejs/#npm","title":"npm","text":"Trivy parses package-lock.json. To identify licenses, you need to download dependencies to node_modules beforehand. Trivy analyzes node_modules for licenses.
By default, Trivy doesn't report development dependencies. Use the --include-dev-deps flag to include them.
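The default exclusion of development dependencies and the direct/indirect relationship derived from the lock file can be reproduced with a small walk over the packages map of a package-lock.json (lockfileVersion 2 or 3). The code below is an added example and not Trivy's own implementation; the sample lock is a constructed dict equivalent to json.load() of such a file, and the package names and versions in it are made up. The function names are this example's own.

```python
# Added example (not Trivy's code): walk the packages map of a
# package-lock.json v2/v3, drop dev-only entries unless include_dev_deps is
# set, and mark which of the remaining packages are direct dependencies of
# the root package.

# Constructed sample, equivalent to json.load() of a lockfileVersion 3 file.
SAMPLE_LOCK = {
    'name': 'demo-app',
    'lockfileVersion': 3,
    'packages': {
        '': {
            'name': 'demo-app',
            'dependencies': {'express': '^4.18.2'},
            'devDependencies': {'jest': '^29.0.0'},
        },
        'node_modules/express': {'version': '4.18.2', 'dependencies': {'debug': '2.6.9'}},
        'node_modules/debug': {'version': '2.6.9'},
        'node_modules/jest': {'version': '29.7.0', 'dev': True, 'dependencies': {'chalk': '^4.0.0'}},
        'node_modules/chalk': {'version': '4.1.2', 'dev': True},
    },
}


def installed_name(path):
    # 'node_modules/@scope/pkg' -> '@scope/pkg'; nested installs such as
    # 'node_modules/a/node_modules/b' keep only the innermost name.
    return path.rsplit('node_modules/', 1)[1]


def packages_from_lock(lock, include_dev_deps=False):
    packages = lock.get('packages')
    if packages is None:
        # lockfileVersion 1 files only have a nested 'dependencies' tree.
        raise ValueError('lockfileVersion 1 files have no packages map; not handled here')
    root = packages['']
    direct = set(root.get('dependencies', {}))
    if include_dev_deps:
        direct |= set(root.get('devDependencies', {}))
    result = []
    for path, entry in packages.items():
        if path == '':
            continue
        if entry.get('dev') and not include_dev_deps:
            continue                                  # dev-only package: excluded by default
        name = installed_name(path)
        result.append({
            'name': name,
            'version': entry['version'],
            'relationship': 'direct' if name in direct else 'indirect',
            'depends_on': sorted(entry.get('dependencies', {})),
        })
    return sorted(result, key=lambda p: p['name'])
```

packages_from_lock(SAMPLE_LOCK) gives the production view (express as direct, debug as indirect); passing include_dev_deps=True corresponds to --include-dev-deps and brings jest and chalk back, with jest marked direct because it is listed under the root's devDependencies.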
"},{"location":"guide/coverage/language/nodejs/#yarn","title":"Yarn","text":"Trivy parses yarn.lock.
Trivy also analyzes additional files to gather more information about the detected dependencies.
- package.json
- node_modules/**
"},{"location":"guide/coverage/language/nodejs/#package-relationships","title":"Package relationships","text":"yarn.lock files don't contain information about package relationships, such as direct or indirect dependencies. To enrich this information, Trivy parses the package.json file located next to the yarn.lock file as well as workspace package.json files.
By default, Trivy doesn't report development dependencies. Use the --include-dev-deps flag to include them in the results.
"},{"location":"guide/coverage/language/nodejs/#development-dependencies","title":"Development dependencies","text":"yarn.lock files don't contain information about package groups, such as production and development dependencies. To identify dev dependencies and support aliases, Trivy parses the package.json file located next to the yarn.lock file as well as workspace package.json files.
"},{"location":"guide/coverage/language/nodejs/#licenses","title":"Licenses","text":"Trivy analyzes the .yarn directory (for Yarn 2+) or the node_modules directory (for Yarn Classic) located next to the yarn.lock file to detect licenses.
"},{"location":"guide/coverage/language/nodejs/#pnpm","title":"pnpm","text":"Trivy parses pnpm-lock.yaml, then finds production dependencies and builds a tree of dependencies with vulnerabilities. To identify licenses, you need to download dependencies to node_modules beforehand. Trivy analyzes node_modules for licenses.
"},{"location":"guide/coverage/language/nodejs/#lock-file-v9-version","title":"lock file v9 version","text":"Trivy supports the Dev field in pnpm-lock.yaml v9 or later. Use the --include-dev-deps flag to include development dependencies in the result.
"},{"location":"guide/coverage/language/nodejs/#bun","title":"Bun","text":"Trivy also supports scanning the bun.lock file generated by Bun. You can use Bun v1.2, which uses this file by default, or run bun install --save-text-lockfile in Bun v1.1.39 to generate it.
For earlier Bun versions, you can run bun install -y to generate a Yarn-compatible yarn.lock and then scan it with Trivy.
"},{"location":"guide/coverage/language/nodejs/#development-dependencies_1","title":"Development dependencies","text":"bun.lock contains information about package groups, such as production and development dependencies. By default, Trivy doesn't report development dependencies. Use the --include-dev-deps flag to include them.
Note
bun.lockb is not supported.
"},{"location":"guide/coverage/language/nodejs/#packages","title":"Packages","text":"Trivy parses the manifest files of installed packages in container image scanning and so on.
"},{"location":"guide/coverage/language/nodejs/#packagejson","title":"package.json","text":"Trivy searches for package.json files under node_modules and identifies installed packages. It only extracts package names, versions and licenses for those packages.
-
yarn.lock must be generated\u00a0\u21a9
"},{"location":"guide/coverage/language/php/","title":"PHP","text":"Trivy supports Composer, which is a tool for dependency management in PHP.
The following scanners are supported.
Package manager SBOM Vulnerability License Composer \u2713 \u2713 \u2713 The following table provides an outline of the features Trivy offers.
Package manager File Transitive dependencies Dev dependencies Dependency graph Position Composer composer.lock \u2713 Excluded \u2713 \u2713 Composer installed.json \u2713 Excluded - \u2713"},{"location":"guide/coverage/language/php/#composerlock","title":"composer.lock","text":"In order to detect dependencies, Trivy searches for composer.lock.
Trivy also supports dependency trees; however, to display an accurate tree, it needs to know whether each package is a direct dependency of the project. Since this information is not included in composer.lock, Trivy parses composer.json, which should be located next to composer.lock. If you want to see the dependency tree, please ensure that composer.json is present.
"},{"location":"guide/coverage/language/php/#installedjson","title":"installed.json","text":"Trivy also supports dependency detection for installed.json files. By default, you can find this file at path_to_app/vendor/composer/installed.json.
"},{"location":"guide/coverage/language/python/","title":"Python","text":"Trivy supports four types of Python package managers: pip, Pipenv, Poetry and uv. The following scanners are supported for package managers.
Package manager SBOM Vulnerability License pip \u2713 \u2713 \u2713 Pipenv \u2713 \u2713 - Poetry \u2713 \u2713 - uv \u2713 \u2713 - In addition, Trivy supports three formats of Python packages: egg, wheel and conda. The following scanners are supported for Python packages.
Packaging SBOM Vulnerability License Egg \u2713 \u2713 \u2713 Wheel \u2713 \u2713 \u2713 Conda \u2713 - - The following table provides an outline of the features Trivy offers.
Package manager File Transitive dependencies Dev dependencies Dependency graph Position Detection Priority pip requirements.txt - Include - \u2713 \u2713 Pipenv Pipfile.lock \u2713 Include - \u2713 Not needed Poetry poetry.lock \u2713 Exclude \u2713 - Not needed uv uv.lock \u2713 Exclude \u2713 - Not needed Packaging Dependency graph Egg \u2713 Wheel \u2713 These may be enabled or disabled depending on the target. See here for the detail.
"},{"location":"guide/coverage/language/python/#package-managers","title":"Package managers","text":"Trivy parses your files generated by package managers in filesystem/repository scanning.
"},{"location":"guide/coverage/language/python/#pip","title":"pip","text":""},{"location":"guide/coverage/language/python/#dependency-detection","title":"Dependency detection","text":"By default, Trivy only parses version specifiers with == comparison operator and without .*.
Using the --detection-priority comprehensive option ensures that the tool establishes a minimum version, which is particularly useful in scenarios where identifying the exact version is challenging. In that case Trivy also parses the >= and ~= specifiers and a trailing .*, taking the lower bound as the minimum version.
keyring >= 4.1.1 # Minimum version 4.1.1\nMopidy-Dirble ~= 1.1 # Minimum version 1.1\npython-gitlab==2.0.* # Minimum version 2.0.0\n
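As an added example (not Trivy's code), the following parser applies the two rules just described to a constructed requirements.txt: in default mode only exact == pins without a trailing .* produce a version, while comprehensive mode additionally derives a minimum version from >=, ~= and a trailing .* pin. The package names in the sample follow the examples above; the function names and the decision to ignore extras and environment markers are this example's own.

```python
import re

# Added example (not Trivy's code): applies the two detection modes described
# above to requirements.txt lines. Extras (pkg[extra]) and environment markers
# are deliberately not handled, so such lines yield no version in either mode.
_REQ = re.compile(r'^([A-Za-z0-9][A-Za-z0-9._-]*)[ ]*(==|>=|~=|<=|<|>|!=)[ ]*([0-9][0-9A-Za-z.*+!-]*)[ ]*$')

# Constructed sample; package names follow the examples in the text.
SAMPLE_REQUIREMENTS = '''keyring >= 4.1.1 # Minimum version 4.1.1
Mopidy-Dirble ~= 1.1 # Minimum version 1.1
python-gitlab==2.0.* # Minimum version 2.0.0
requests==2.28.2
urllib3<2
'''


def parse_requirement(line, comprehensive=False):
    # Returns (name, version) or None for a single requirements.txt line.
    line = line.split('#', 1)[0].strip()          # drop comments
    if not line or line.startswith('-'):           # blank lines and pip options
        return None
    m = _REQ.match(line)
    if not m:
        return None
    name, op, version = m.groups()
    wildcard = version.endswith('.*')
    if op == '==' and not wildcard:
        return (name, version)                     # exact pin: accepted in both modes
    if not comprehensive:
        return None                                # default mode trusts nothing else
    if op == '==' and wildcard:
        return (name, version[:-2] + '.0')         # 2.0.* -> minimum version 2.0.0
    if op in ('>=', '~='):
        return (name, version)                     # lower bound is the minimum version
    return None                                    # <, <=, >, != give no minimum


def parse_requirements(text, comprehensive=False):
    # Maps package name -> detected version for every line that yields one.
    found = {}
    for line in text.splitlines():
        parsed = parse_requirement(line, comprehensive)
        if parsed:
            found[parsed[0]] = parsed[1]
    return found
```

With the sample above, the default mode finds only requests, whereas comprehensive mode also reports keyring 4.1.1, Mopidy-Dirble 1.1 and python-gitlab 2.0.0 as minimum versions; urllib3<2 is skipped in both modes because an upper bound gives no minimum.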
Also, there is a way to convert unsupported version specifiers - use either the pip-compile tool (which doesn't install the packages) or call pip freeze from the virtual environment where the requirements are already installed. $ cat requirements.txt \nboto3~=1.24.60\nclick>=8.0\njson-fix==0.5.*\n$ pip install -r requirements.txt\n...\n$ pip freeze > requirements.txt \n$ cat requirements.txt \nboto3==1.24.96\nbotocore==1.27.96\nclick==8.1.7\njmespath==1.0.1\njson-fix==0.5.2\npython-dateutil==2.8.2\ns3transfer==0.6.2\nsetuptools==69.0.2\nsix==1.16.0\nurllib3==1.26.18\nwheel==0.42.0\n
requirements.txt files usually contain only the direct dependencies and not the transitive ones. Therefore, Trivy scans only the direct dependencies from requirements.txt.
To detect transitive dependencies as well, you need to generate a requirements.txt that contains them. As described above, you can do this with pip freeze or pip-compile.
$ cat requirements.txt # it will only find `requests@2.28.2`.\nrequests==2.28.2 \n$ pip install -r requirements.txt\n...\n\n$ pip freeze > requirements.txt \n$ cat requirements.txt # it will also find the transitive dependencies of `requests@2.28.2`.\ncertifi==2022.12.7\ncharset-normalizer==3.1.0\nidna==3.4\nPyJWT==2.1.0\nrequests==2.28.2\nurllib3==1.26.15\n
pip freeze also helps to resolve extras (optional) dependencies (such as package[extras]==0.0.0).
requirements.txt files don't contain information about dependencies used for development. Trivy may therefore report vulnerabilities in development packages that do not affect your production environment.
"},{"location":"guide/coverage/language/python/#license-detection","title":"License detection","text":"requirements.txt files don't contain information about licenses. Therefore, Trivy checks the METADATA files in the lib/site-packages directory.
Trivy uses 3 ways to detect the site-packages directory:
- Checks the VIRTUAL_ENV environment variable.
- Detects the path to the python1 binary and checks the ../lib/pythonX.Y/site-packages directory.
- Detects the path to the python1 binary and checks the ../../lib/site-packages directory.
"},{"location":"guide/coverage/language/python/#pipenv","title":"Pipenv","text":"Trivy parses Pipfile.lock. Pipfile.lock files don't contain information about dependencies used for development, so Trivy may report vulnerabilities in development packages that do not affect your production environment.
License detection is not supported for Pipenv.
"},{"location":"guide/coverage/language/python/#poetry","title":"Poetry","text":"Trivy uses poetry.lock to identify dependencies and find vulnerabilities. To build the correct dependency graph, pyproject.toml also needs to be present next to poetry.lock.
License detection is not supported for Poetry.
By default, Trivy doesn't report development dependencies. Use the --include-dev-deps flag to include them.
"},{"location":"guide/coverage/language/python/#uv","title":"uv","text":"Trivy uses uv.lock to identify dependencies and find vulnerabilities.
License detection is not supported for uv.
By default, Trivy doesn't report development dependencies. Use the --include-dev-deps flag to include them.
"},{"location":"guide/coverage/language/python/#packaging","title":"Packaging","text":"Trivy parses the manifest files of installed packages in container image scanning and so on. See here for the detail.
"},{"location":"guide/coverage/language/python/#egg","title":"Egg","text":"Trivy looks for *.egg-info, *.egg-info/METADATA, *.egg-info/PKG-INFO, *.egg and EGG-INFO/PKG-INFO to identify Python packages.
"},{"location":"guide/coverage/language/python/#wheel","title":"Wheel","text":"Trivy looks for .dist-info/METADATA to identify Python packages.
-
Trivy checks python, python3, python2 and python.exe file names.\u00a0\u21a9\u21a9
"},{"location":"guide/coverage/language/ruby/","title":"Ruby","text":"Trivy supports Bundler and RubyGems. The following scanners are supported for Bundler and RubyGems.
Package manager SBOM Vulnerability License Bundler \u2713 \u2713 - RubyGems \u2713 \u2713 \u2713 The following table provides an outline of the features Trivy offers.
Package manager File Transitive dependencies Dev dependencies Dependency graph Position Bundler Gemfile.lock \u2713 Included \u2713 \u2713 RubyGems .gemspec - Included - -"},{"location":"guide/coverage/language/ruby/#bundler","title":"Bundler","text":"Trivy searches for Gemfile.lock to detect dependencies.
"},{"location":"guide/coverage/language/ruby/#rubygems","title":"RubyGems","text":".gemspec files don't contain transitive dependencies. You need to scan each .gemspec file separately.
"},{"location":"guide/coverage/language/rust/","title":"Rust","text":"Trivy supports Cargo, which is the Rust package manager. The following scanners are supported for Cargo.
Package manager SBOM Vulnerability License Cargo \u2713 \u2713 - In addition, it supports binaries built with cargo-auditable.
Artifact SBOM Vulnerability License Binaries \u2713 \u2713 -"},{"location":"guide/coverage/language/rust/#features","title":"Features","text":"The following table provides an outline of the features Trivy offers.
Package manager File Transitive dependencies Dev dependencies Dependency graph Position Cargo Cargo.lock \u2713 Excluded1 \u2713 \u2713 Artifact Transitive dependencies Dev dependencies Dependency graph Position Binaries \u2713 Excluded - -"},{"location":"guide/coverage/language/rust/#cargo","title":"Cargo","text":"Trivy searches for Cargo.lock to detect dependencies.
Trivy also supports dependency trees; however, to display an accurate tree, it needs to know whether each package is a direct dependency of the project. Since this information is not included in Cargo.lock, Trivy parses Cargo.toml, which should be located next to Cargo.lock. If you want to see the dependency tree, please ensure that Cargo.toml is present.
Scanning Cargo.lock and Cargo.toml together also excludes development dependencies.
"},{"location":"guide/coverage/language/rust/#binaries","title":"Binaries","text":"Trivy scans binaries built with cargo-auditable. If such a binary exists, Trivy identifies it as built with cargo-auditable and scans the dependency information embedded in it.
-
When you scan Cargo.lock and Cargo.toml together.\u00a0\u21a9
"},{"location":"guide/coverage/language/swift/","title":"Swift","text":"Trivy supports CocoaPods and Swift package managers.
The following scanners are supported.
Package manager SBOM Vulnerability License Swift \u2713 \u2713 - CocoaPods \u2713 \u2713 - The following table provides an outline of the features Trivy offers.
Package manager File Transitive dependencies Dev dependencies Dependency graph Position Swift Package.resolved \u2713 Included - \u2713 CocoaPods Podfile.lock \u2713 Included \u2713 - These may be enabled or disabled depending on the target. See here for the detail.
"},{"location":"guide/coverage/language/swift/#swift_1","title":"Swift","text":"Trivy parses the Package.resolved file to find dependencies. Don't forget to update this file (with the swift package update command) before scanning.
"},{"location":"guide/coverage/language/swift/#cocoapods","title":"CocoaPods","text":"CocoaPods uses package names in Podfile.lock, but the GitHub Advisory Database (GHSA) that Trivy relies on uses Git URLs. Trivy parses the CocoaPods Specs to match package names to those URLs.
Limitation
Since GHSA holds only Git URLs, such as github.com/apple/swift-nio, Trivy can't identify which submodule is affected and instead reports every submodule maintained under the same URL. For example, SwiftNIOHTTP1 and SwiftNIOWebSocket are both maintained under github.com/apple/swift-nio, so Trivy detects CVE-2022-3215 for both of them, even though only SwiftNIOHTTP1 is actually affected.
"},{"location":"guide/coverage/os/","title":"OS","text":""},{"location":"guide/coverage/os/#scanner","title":"Scanner","text":"Trivy supports operating systems for
- SBOM
- Vulnerabilities
- Licenses
"},{"location":"guide/coverage/os/#supported-os","title":"Supported OS","text":"OS Supported Versions Package Managers Alpine Linux 2.2 - 2.7, 3.0 - 3.22, edge apk Wolfi Linux (n/a) apk Chainguard (n/a) apk MinimOS (n/a) apk Red Hat Enterprise Linux 6, 7, 8, 9 dnf/yum/rpm Red Hat Enterprise Linux 10 (SBOM only) dnf/yum/rpm CentOS1 6, 7, 8 dnf/yum/rpm AlmaLinux 8, 9, 10 dnf/yum/rpm Rocky Linux 8, 9 dnf/yum/rpm Oracle Linux 5, 6, 7, 8 dnf/yum/rpm Azure Linux (CBL-Mariner) 1.0, 2.0, 3.0 tdnf/dnf/yum/rpm Amazon Linux 1, 2, 2023 dnf/yum/rpm openSUSE Leap 42, 15 zypper/rpm openSUSE Tumbleweed (n/a) zypper/rpm SUSE Linux Enterprise 11, 12, 15 zypper/rpm SUSE Linux Enterprise Micro 5, 6 zypper/rpm Photon OS 1.0, 2.0, 3.0, 4.0, 5.0 tdnf/yum/rpm CoreOS3 All versions (SBOM only) rpm Echo (n/a) apt/dpkg Debian GNU/Linux 7, 8, 9, 10, 11, 12 apt/dpkg Ubuntu All versions supported by Canonical apt/dpkg Bottlerocket 1.7.0 and later bottlerocket OSs with installed Conda - conda"},{"location":"guide/coverage/os/#supported-container-images","title":"Supported container images","text":"Container image Supported Versions Package Managers Google Distroless2 Any apt/dpkg Bitnami Any - Each page gives more details.
-
CentOS Stream is not supported\u00a0\u21a9
-
https://github.com/GoogleContainerTools/distroless \u21a9
-
Fedora CoreOS and the deprecated CoreOS Container Linux\u00a0\u21a9
"},{"location":"guide/coverage/os/alma/","title":"AlmaLinux","text":"Trivy supports the following scanners for OS packages.
Scanner Supported SBOM \u2713 Vulnerability \u2713 License \u2713 Please see here for supported versions.
The table below outlines the features offered by Trivy.
Feature Supported Unfixed vulnerabilities - Dependency graph \u2713 End of life awareness \u2713"},{"location":"guide/coverage/os/alma/#sbom","title":"SBOM","text":"Trivy detects packages that have been installed through package managers such as dnf and yum.
"},{"location":"guide/coverage/os/alma/#vulnerability","title":"Vulnerability","text":"AlmaLinux offers its own security advisories, and these are utilized when scanning AlmaLinux for vulnerabilities.
"},{"location":"guide/coverage/os/alma/#data-source","title":"Data Source","text":"See here.
"},{"location":"guide/coverage/os/alma/#fixed-version","title":"Fixed Version","text":"When looking at fixed versions, it's crucial to consider the patches supplied by AlmaLinux. For example, for CVE-2023-0464, the fixed version for AlmaLinux 9 is listed as 3.0.7-16.el9_2 in their advisory. Note that this is different from the upstream fixed version, which is 3.0.9, 3.1.1, and so on. Typically, only the upstream information gets listed on NVD, so it's important not to get confused.
"},{"location":"guide/coverage/os/alma/#severity","title":"Severity","text":"Trivy calculates the severity of an issue based on the severity provided by AlmaLinux. If the severity is not provided or defined yet by AlmaLinux, the severity from the NVD is taken into account.
Using CVE-2023-0464 as an example, while it is rated as \"High\" in NVD, AlmaLinux has marked it as \"moderate\". As a result, Trivy will display it as \"Medium\".
The table below is the mapping of AlmaLinux's severity to Trivy's severity levels.
AlmaLinux Trivy Low Low Moderate Medium Important High Critical Critical"},{"location":"guide/coverage/os/alma/#status","title":"Status","text":"Trivy supports the following vulnerability statuses for AlmaLinux.
Status Supported Fixed \u2713 Affected \u2713 Under Investigation Will Not Fix Fix Deferred End of Life"},{"location":"guide/coverage/os/alma/#license","title":"License","text":"Trivy identifies licenses by examining the metadata of RPM packages.
"},{"location":"guide/coverage/os/alpine/","title":"Alpine Linux","text":"Trivy supports the following scanners for OS packages.
Scanner Supported SBOM \u2713 Vulnerability \u2713 License \u2713 Please see here for supported versions.
The table below outlines the features offered by Trivy.
Feature Supported Unfixed vulnerabilities - Dependency graph \u2713 End of life awareness \u2713"},{"location":"guide/coverage/os/alpine/#sbom","title":"SBOM","text":"Trivy detects packages that have been installed through apk.
"},{"location":"guide/coverage/os/alpine/#vulnerability","title":"Vulnerability","text":"Alpine Linux offers its own security advisories, and these are utilized when scanning Alpine for vulnerabilities.
"},{"location":"guide/coverage/os/alpine/#data-source","title":"Data Source","text":"See here.
"},{"location":"guide/coverage/os/alpine/#fixed-version","title":"Fixed Version","text":"When looking at fixed versions, it's crucial to consider the patches supplied by Alpine. For example, for CVE-2023-0464, the fixed version for Alpine Linux is listed as 3.1.0-r1 in the secfixes. Note that this is different from the upstream fixed version, which is 3.1.1. Typically, only the upstream information gets listed on NVD, so it's important not to get confused.
"},{"location":"guide/coverage/os/alpine/#severity","title":"Severity","text":"For Alpine vulnerabilities, the severity is determined using the values set by NVD.
"},{"location":"guide/coverage/os/alpine/#status","title":"Status","text":"Trivy supports the following vulnerability statuses for Alpine.
Status Supported Fixed \u2713 Affected \u2713 Under Investigation Will Not Fix Fix Deferred End of Life"},{"location":"guide/coverage/os/alpine/#license","title":"License","text":"Trivy identifies licenses by examining the metadata of APK packages.
"},{"location":"guide/coverage/os/amazon/","title":"Amazon Linux","text":"Trivy supports the following scanners for OS packages.
Scanner Supported SBOM \u2713 Vulnerability \u2713 License \u2713 Please see here for supported versions.
The table below outlines the features offered by Trivy.
Feature Supported Unfixed vulnerabilities - Dependency graph \u2713 End of life awareness \u2713"},{"location":"guide/coverage/os/amazon/#sbom","title":"SBOM","text":"Trivy detects packages that have been installed through package managers such as dnf and yum.
"},{"location":"guide/coverage/os/amazon/#vulnerability","title":"Vulnerability","text":"Amazon Linux offers its own security advisories, and these are utilized when scanning Amazon Linux for vulnerabilities.
"},{"location":"guide/coverage/os/amazon/#data-source","title":"Data Source","text":"See here.
"},{"location":"guide/coverage/os/amazon/#fixed-version","title":"Fixed Version","text":"When looking at fixed versions, it's crucial to consider the patches supplied by Amazon. For example, for CVE-2023-0464, the fixed version for Amazon Linux 2023 is listed as 3.0.8-1.amzn2023.0.2 in ALAS2023-2023-181. Note that this is different from the upstream fixed version, which is 3.0.9, 3.1.1, and so on. Typically, only the upstream information gets listed on NVD, so it's important not to get confused.
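To see why the distribution's fixed version rather than the upstream one must drive the comparison, here is an added example (not Trivy's code) that ports rpm's version comparison to Python and checks an installed EVR (epoch:version-release) against the fixed versions quoted in this section and in the AlmaLinux Fixed Version section above. The installed versions it tests with are constructed; the fixed versions are the ones the text cites from the advisories.

```python
# Added example (not Trivy's code): a Python port of rpm's rpmvercmp() plus an
# EVR (epoch:version-release) comparison, used to check an installed package
# against the fixed version from a distribution advisory.

def rpmvercmp(a, b):
    # Returns -1, 0 or 1 following rpm's segment-by-segment rules: separators
    # are ignored, numeric segments compare as integers, a numeric segment beats
    # an alphabetic one, '~' sorts before everything (even the end of the
    # string) and '^' sorts before everything except the end of the string.
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        while i < la and not (a[i].isalnum() or a[i] in '~^'):
            i += 1
        while j < lb and not (b[j].isalnum() or b[j] in '~^'):
            j += 1
        ca = a[i] if i < la else ''
        cb = b[j] if j < lb else ''
        if ca == '~' or cb == '~':
            if ca != '~':
                return 1
            if cb != '~':
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == '^' or cb == '^':
            if ca == '':
                return -1
            if cb == '':
                return 1
            if ca != '^':
                return 1
            if cb != '^':
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == '' or cb == '':
            break
        isnum = ca.isdigit()
        si = i
        while i < la and (a[i].isdigit() if isnum else a[i].isalpha()):
            i += 1
        sj = j
        while j < lb and (b[j].isdigit() if isnum else b[j].isalpha()):
            j += 1
        seg_a, seg_b = a[si:i], b[sj:j]
        if seg_b == '':
            return 1 if isnum else -1          # numeric beats alphabetic
        if isnum:
            seg_a, seg_b = seg_a.lstrip('0'), seg_b.lstrip('0')
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= la and j >= lb:
        return 0
    return -1 if i >= la else 1               # the string that ran out first is older


def parse_evr(evr):
    # 'epoch:version-release'; epoch defaults to 0 and release may be absent.
    epoch = 0
    if ':' in evr:
        head, evr = evr.split(':', 1)
        epoch = int(head)
    version, _, release = evr.partition('-')
    return epoch, version, release


def compare_evr(a, b):
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    rc = rpmvercmp(va, vb)
    return rc if rc != 0 else rpmvercmp(ra, rb)


def is_vulnerable(installed, fixed):
    # Vulnerable only while the installed EVR is strictly older than the fix.
    return compare_evr(installed, fixed) < 0


# Fixed versions quoted in the text; the installed versions are constructed.
ALMA9_OPENSSL_FIX = '3.0.7-16.el9_2'           # CVE-2023-0464, AlmaLinux 9 advisory
AMZN2023_OPENSSL_FIX = '3.0.8-1.amzn2023.0.2'  # CVE-2023-0464, ALAS2023-2023-181
UPSTREAM_FIX = '3.0.9'


def backport_check():
    # The backported release fixes the CVE even though its upstream version
    # (3.0.7) is still older than the upstream fix (3.0.9).
    return {
        'alma_patched': is_vulnerable('3.0.7-16.el9_2', ALMA9_OPENSSL_FIX),
        'alma_old': is_vulnerable('3.0.7-6.el9_0', ALMA9_OPENSSL_FIX),
        'upstream_only': rpmvercmp('3.0.7', UPSTREAM_FIX) < 0,
        'amzn_patched': is_vulnerable('3.0.8-1.amzn2023.0.2', AMZN2023_OPENSSL_FIX),
        'amzn_old': is_vulnerable('3.0.8-1.amzn2023.0.1', AMZN2023_OPENSSL_FIX),
    }
```

backport_check() shows the point of the section: comparing only the upstream version (3.0.7 against 3.0.9) would flag the patched AlmaLinux and Amazon Linux packages as vulnerable, whereas comparing the full EVR against the distribution's own fixed version correctly clears them and still catches the older releases.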
"},{"location":"guide/coverage/os/amazon/#severity","title":"Severity","text":"Trivy determines vulnerability severity based on the severity metric provided by Amazon. For example, the security patch for CVE-2023-0464 in Amazon Linux 2023 is provided as ALAS2023-2023-181. Its severity is rated as \"Medium\". Thus, even though it's evaluated as \"HIGH\" in the NVD, Trivy displays it with a severity of \"MEDIUM\".
The table below is the mapping of Amazon's severity to Trivy's severity levels.
Amazon Trivy Low Low Medium Medium Important High Critical Critical"},{"location":"guide/coverage/os/amazon/#status","title":"Status","text":"Trivy supports the following vulnerability statuses for Amazon Linux.
Status Supported Fixed \u2713 Affected \u2713 Under Investigation Will Not Fix Fix Deferred End of Life"},{"location":"guide/coverage/os/amazon/#license","title":"License","text":"Trivy identifies licenses by examining the metadata of RPM packages.
"},{"location":"guide/coverage/os/azure/","title":"Azure Linux (CBL-Mariner)","text":"CBL-Mariner was rebranded to Azure Linux for version 3.0 onwards.
Trivy supports the following scanners for OS packages.
Version SBOM Vulnerability License 1.0 \u2714 \u2714 \u2714 1.0 (Distroless) \u2714 \u2714 2.0 \u2714 \u2714 \u2714 2.0 (Distroless) \u2714 \u2714 3.0 \u2714 \u2714 \u2714 3.0 (Distroless) \u2714 \u2714 The following table provides an outline of the targets Trivy supports.
Version Container image Virtual machine Arch 1.0 \u2714 \u2714 amd64, arm64 2.0 \u2714 \u2714 amd64, arm64 3.0 \u2714 \u2714 amd64, arm64 The table below outlines the features offered by Trivy.
Feature Supported Detect unfixed vulnerabilities \u2713 Dependency graph \u2713 End of life awareness -"},{"location":"guide/coverage/os/azure/#sbom","title":"SBOM","text":"Trivy detects packages that have been installed through package managers such as tdnf, dnf and yum.
"},{"location":"guide/coverage/os/azure/#vulnerability","title":"Vulnerability","text":"Azure Linux offers its own security advisories, and these are utilized when scanning Azure Linux for vulnerabilities.
"},{"location":"guide/coverage/os/azure/#data-source","title":"Data Source","text":"See here.
"},{"location":"guide/coverage/os/azure/#fixed-version","title":"Fixed Version","text":"Trivy takes fixed versions from Azure Linux OVAL.
"},{"location":"guide/coverage/os/azure/#severity","title":"Severity","text":"Trivy calculates the severity of an issue based on the severity provided in Azure Linux OVAL.
"},{"location":"guide/coverage/os/azure/#status","title":"Status","text":"Trivy supports the following vulnerability statuses for Azure Linux.
Status Supported Fixed \u2713 Affected \u2713 Under Investigation Will Not Fix Fix Deferred End of Life"},{"location":"guide/coverage/os/azure/#license","title":"License","text":"Trivy identifies licenses by examining the metadata of RPM packages.
Note
License detection is not supported for Azure Linux Distroless images.
"},{"location":"guide/coverage/os/bottlerocket/","title":"Bottlerocket","text":"Trivy supports the following scanners for OS packages.
Scanner Supported SBOM \u2713 Vulnerability - License - Please see here for supported versions.
The table below outlines the features offered by Trivy.
Feature Supported End of life awareness -"},{"location":"guide/coverage/os/bottlerocket/#sbom","title":"SBOM","text":"Trivy detects packages that are listed in the software inventory.
"},{"location":"guide/coverage/os/centos/","title":"CentOS","text":"Trivy supports the following scanners for OS packages.
Scanner Supported SBOM \u2713 Vulnerability \u2713 License \u2713 Please see here for supported versions.
The table below outlines the features offered by Trivy.
Feature Supported Unfixed vulnerabilities \u2713 Dependency graph \u2713 End of life awareness \u2713"},{"location":"guide/coverage/os/centos/#sbom","title":"SBOM","text":"Same as RHEL.
"},{"location":"guide/coverage/os/centos/#vulnerability","title":"Vulnerability","text":"CentOS does not provide straightforward machine-readable security advisories. As a result, Trivy utilizes the security advisories from Red Hat Enterprise Linux (RHEL) for detecting vulnerabilities in CentOS. This approach might lead to situations where, even though Trivy displays a fixed version, CentOS might not have the patch available yet. Since patches released for RHEL often become available in CentOS after some time, it's usually just a matter of waiting.
Note
The case for CentOS Stream, which is not supported by Trivy, is entirely different from CentOS.
As Trivy relies on Red Hat's advisories, please refer to Red Hat for details regarding vulnerability severity and status.
"},{"location":"guide/coverage/os/centos/#license","title":"License","text":"Same as RHEL.
"},{"location":"guide/coverage/os/chainguard/","title":"Chainguard","text":"Trivy supports the following scanners for OS packages.
Scanner Supported SBOM \u2713 Vulnerability \u2713 License \u2713 The table below outlines the features offered by Trivy.
Feature Supported Detect unfixed vulnerabilities - Dependency graph \u2713 End of life awareness -"},{"location":"guide/coverage/os/chainguard/#sbom","title":"SBOM","text":"Same as Alpine Linux.
"},{"location":"guide/coverage/os/chainguard/#vulnerability","title":"Vulnerability","text":"Chainguard offers its own security advisories, and these are utilized when scanning Chainguard for vulnerabilities. Everything else is the same as Alpine Linux.
"},{"location":"guide/coverage/os/chainguard/#data-source","title":"Data Source","text":"See here.
"},{"location":"guide/coverage/os/chainguard/#license","title":"License","text":"Same as Alpine Linux.
"},{"location":"guide/coverage/os/coreos/","title":"CoreOS","text":"This page describes the deprecated CoreOS Container Linux (EOL) and its successor, Fedora CoreOS.
Trivy supports the following scanners for OS packages on these systems.
Scanner Supported SBOM \u2713 Vulnerability - License - Please see here for supported versions.
"},{"location":"guide/coverage/os/coreos/#sbom","title":"SBOM","text":"Trivy detects packages that are listed in the RPM database.
"},{"location":"guide/coverage/os/debian/","title":"Debian","text":"Trivy supports the following scanners for OS packages.
Scanner Supported SBOM \u2713 Vulnerability \u2713 License \u2713 Please see here for supported versions.
The table below outlines the features offered by Trivy.
Feature Supported Unfixed vulnerabilities \u2713 Dependency graph \u2713 End of life awareness \u2713"},{"location":"guide/coverage/os/debian/#sbom","title":"SBOM","text":"Trivy detects packages that have been installed through package managers such as apt and dpkg. While there are some exceptions, like Go binaries and JAR files, it's important to note that binaries that have been custom-built using make or tools installed via curl are generally not detected.
"},{"location":"guide/coverage/os/debian/#vulnerability","title":"Vulnerability","text":"Debian offers its own security advisories, and these are utilized when scanning Debian for vulnerabilities.
"},{"location":"guide/coverage/os/debian/#data-source","title":"Data Source","text":"See here.
"},{"location":"guide/coverage/os/debian/#fixed-version","title":"Fixed Version","text":"When looking at fixed versions, it's crucial to consider the patches supplied by Debian. For example, for CVE-2023-3269, the fixed version for Debian 12 (bookworm) is listed as 6.1.37-1 in the Security Tracker. This patch is provided in DSA-5448-1. Note that this is different from the upstream fixed version, which is 6.5. Typically, only the upstream information gets listed on NVD, so it's important not to get confused.
"},{"location":"guide/coverage/os/debian/#severity","title":"Severity","text":"Trivy calculates the severity of an issue based on the 'Urgency' metric found in the Security Tracker. If 'Urgency' isn't provided by Debian, the severity from the NVD is taken into account.
Using CVE-2019-15052 as an example, while it is rated as \"Critical\" in NVD, Debian has marked its \"Urgency\" as \"Low\". As a result, Trivy will display it as \"Low\".
"},{"location":"guide/coverage/os/debian/#status","title":"Status","text":"Trivy supports the following vulnerability statuses for Debian.
Status Supported Fixed \u2713 Affected \u2713 Under Investigation Will Not Fix Fix Deferred \u2713 End of Life \u2713"},{"location":"guide/coverage/os/debian/#license","title":"License","text":"To identify the license of a package, Trivy checks the copyright file located at /usr/share/doc/*/copyright.
However, this method has its limitations as the file isn't machine-readable, leading to situations where the license isn't detected. In such scenarios, the --license-full flag can be passed. It compares the contents of known licenses with the copyright file to discern the license in question. Please be aware that using this flag can increase memory usage, so it's disabled by default for efficiency.
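The two-stage lookup described above can be sketched as follows. This is an added example rather than Trivy's implementation: it reads License: fields when the copyright file follows the machine-readable DEP-5 layout, and only when license_full is set does it fall back to matching a few distinctive phrases of known license texts, a simplified stand-in for the full-text comparison that --license-full performs. Both sample copyright files and the phrase table are constructed for the example.

```python
# Added example (not Trivy's code): a best-effort reader for
# /usr/share/doc/<pkg>/copyright. DEP-5 files expose License: fields; older
# free-form files do not, so an optional second pass matches distinctive
# phrases of known license texts against the whole file.

# Constructed samples standing in for two copyright files.
DEP5_COPYRIGHT = '''Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: demo

Files: *
Copyright: 2020 Example Author
License: GPL-2+

Files: debian/*
Copyright: 2021 Example Maintainer
License: MIT
'''

FREEFORM_COPYRIGHT = '''This package was debianized by Example Maintainer in 2005.

Copyright (C) 2004 Example Author

Permission is hereby granted, free of charge, to any person obtaining a
copy of this software and associated documentation files (the Software),
to deal in the Software without restriction...
'''

# Distinctive opening phrases of a few common license texts, lower-cased with
# whitespace collapsed. Constructed for the example; extend as needed.
KNOWN_LICENSE_PHRASES = {
    'MIT': 'permission is hereby granted, free of charge, to any person obtaining a copy',
    'GPL-2': 'you can redistribute it and/or modify it under the terms of the gnu general public license as published by the free software foundation; either version 2',
    'BSD-3-Clause': 'redistributions of source code must retain the above copyright notice',
}


def _normalise(text):
    # Lower-case and collapse all whitespace so line wrapping does not matter.
    return ' '.join(text.lower().split())


def dep5_licenses(text):
    # Collect every License: field of a DEP-5 file, in order, without duplicates.
    found = []
    for line in text.splitlines():
        if line.lower().startswith('license:'):
            value = line.split(':', 1)[1].strip()
            if value and value not in found:
                found.append(value)
    return found


def fulltext_licenses(text):
    # Report every known license whose fingerprint phrase appears in the file.
    flat = _normalise(text)
    return sorted(name for name, phrase in KNOWN_LICENSE_PHRASES.items() if phrase in flat)


def detect_licenses(text, license_full=False):
    # Cheap field lookup first; the costlier text comparison only on request
    # and only when the field lookup found nothing.
    found = dep5_licenses(text)
    if found or not license_full:
        return found
    return fulltext_licenses(text)
```

For the free-form sample, detect_licenses() returns nothing by default and MIT once license_full is set, mirroring the behaviour the text describes; the DEP-5 sample is resolved from its License: fields in both modes without touching the text comparison.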
"},{"location":"guide/coverage/os/echo/","title":"Echo","text":"Trivy supports these scanners for OS packages.
Scanner Supported SBOM \u2713 Vulnerability \u2713 License \u2713 The table below outlines the features offered by Trivy.
Feature Supported Unfixed vulnerabilities \u2713 Dependency graph \u2713 End of life awareness -"},{"location":"guide/coverage/os/echo/#sbom","title":"SBOM","text":"Same as Debian.
"},{"location":"guide/coverage/os/echo/#vulnerability","title":"Vulnerability","text":"Echo offers its own security advisories, and these are utilized when scanning Echo for vulnerabilities.
"},{"location":"guide/coverage/os/echo/#data-source","title":"Data Source","text":"See here.
"},{"location":"guide/coverage/os/echo/#license","title":"License","text":"Same as Debian.
"},{"location":"guide/coverage/os/google-distroless/","title":"Google Distroless Images","text":"Trivy supports the following scanners for OS packages.
Scanner Supported SBOM \u2713 Vulnerability \u2713 License \u2713 Please see here for supported versions.
The table below outlines the features offered by Trivy.
Feature Supported Unfixed vulnerabilities - Dependency graph \u2713 End of life awareness -"},{"location":"guide/coverage/os/google-distroless/#sbom","title":"SBOM","text":"Trivy detects packages pre-installed in distroless images.
"},{"location":"guide/coverage/os/google-distroless/#vulnerability","title":"Vulnerability","text":"Google Distroless is based on Debian; see there for details.
"},{"location":"guide/coverage/os/google-distroless/#license","title":"License","text":"Google Distroless is based on Debian; see there for details.
"},{"location":"guide/coverage/os/minimos/","title":"MinimOS","text":"Trivy supports these scanners for OS packages.
Scanner Supported SBOM \u2713 Vulnerability \u2713 License \u2713 The table below outlines the features offered by Trivy.
Feature Supported Detect unfixed vulnerabilities - Dependency graph \u2713 End of life awareness -"},{"location":"guide/coverage/os/minimos/#sbom","title":"SBOM","text":"Same as Alpine Linux.
"},{"location":"guide/coverage/os/minimos/#vulnerability","title":"Vulnerability","text":"MinimOS offers its own security advisories, and these are utilized when scanning MinimOS for vulnerabilities. Everything else is the same as Alpine Linux.
"},{"location":"guide/coverage/os/minimos/#data-source","title":"Data Source","text":"See here.
"},{"location":"guide/coverage/os/minimos/#license","title":"License","text":"Same as Alpine Linux.
"},{"location":"guide/coverage/os/oracle/","title":"Oracle Linux","text":"Trivy supports the following scanners for OS packages.
Scanner Supported SBOM \u2713 Vulnerability \u2713 License \u2713 Please see here for supported versions.
The table below outlines the features offered by Trivy.
Feature Supported Unfixed vulnerabilities - Dependency graph \u2713 End of life awareness \u2713"},{"location":"guide/coverage/os/oracle/#sbom","title":"SBOM","text":"Trivy detects packages that have been installed through package managers such as dnf and yum.
"},{"location":"guide/coverage/os/oracle/#vulnerability","title":"Vulnerability","text":"Oracle Linux offers its own security advisories, and these are utilized when scanning Oracle Linux for vulnerabilities.
"},{"location":"guide/coverage/os/oracle/#data-source","title":"Data Source","text":"See here.
"},{"location":"guide/coverage/os/oracle/#fixed-version","title":"Fixed Version","text":"Trivy takes fixed versions from Oracle security advisories.
"},{"location":"guide/coverage/os/oracle/#flavors","title":"Flavors","text":"Trivy detects the flavor from the version string of each found package and finds vulnerabilities only for that flavor.
Flavor Format Example normal version without fips and ksplice 3.6.16-4.el8 fips *_fips 10:3.6.16-4.0.1.el8_fips ksplice *.ksplice*.* 2:2.34-60.0.3.ksplice1.el9_2.7, 151.0.1.ksplice2.el8 For example, Trivy finds CVE-2021-33560 only for the normal and fips flavors. For the ksplice flavor, CVE-2021-33560 will be skipped.
"},{"location":"guide/coverage/os/oracle/#severity","title":"Severity","text":"Trivy determines vulnerability severity based on the severity metric provided in Oracle security advisories. For example, the security patch for CVE-2023-0464 is provided as ELSA-2023-2645. Its severity is rated as \"MODERATE\". Thus, even though it's evaluated as \"HIGH\" in the NVD, Trivy displays it with a severity of \"MEDIUM\".
The table below is the mapping of Oracle's threat to Trivy's severity levels.
Oracle Trivy Low Low Moderate Medium Important High Critical Critical"},{"location":"guide/coverage/os/oracle/#status","title":"Status","text":"Trivy supports the following vulnerability statuses for Oracle Linux.
Status Supported Fixed \u2713 Affected \u2713 Under Investigation Will Not Fix Fix Deferred End of Life"},{"location":"guide/coverage/os/oracle/#license","title":"License","text":"Trivy identifies licenses by examining the metadata of RPM packages.
"},{"location":"guide/coverage/os/photon/","title":"Photon OS","text":"Trivy supports the following scanners for OS packages.
Scanner Supported SBOM \u2713 Vulnerability \u2713 License \u2713 Please see here for supported versions.
The table below outlines the features offered by Trivy.
Feature Supported Unfixed vulnerabilities - Dependency graph \u2713 End of life awareness \u2713"},{"location":"guide/coverage/os/photon/#sbom","title":"SBOM","text":"Trivy detects packages that have been installed through package managers such as tdnf and yum.
"},{"location":"guide/coverage/os/photon/#vulnerability","title":"Vulnerability","text":"Photon OS offers its own security advisories, and these are utilized when scanning Photon OS for vulnerabilities.
"},{"location":"guide/coverage/os/photon/#data-source","title":"Data Source","text":"See here.
"},{"location":"guide/coverage/os/photon/#fixed-version","title":"Fixed Version","text":"Trivy takes fixed versions from Photon CVE metadata.
"},{"location":"guide/coverage/os/photon/#severity","title":"Severity","text":"Trivy determines the severity of vulnerabilities based on the CVSSv3 score provided by Photon OS. See here for the conversion table from CVSS score to severity.
"},{"location":"guide/coverage/os/photon/#status","title":"Status","text":"Trivy supports the following vulnerability statuses for Photon OS.
Status Supported Fixed \u2713 Affected \u2713 Under Investigation Will Not Fix Fix Deferred End of Life"},{"location":"guide/coverage/os/photon/#license","title":"License","text":"Trivy identifies licenses by examining the metadata of RPM packages.
"},{"location":"guide/coverage/os/rhel/","title":"Red Hat Enterprise Linux","text":"Trivy supports the following scanners for OS packages.
Scanner Supported SBOM \u2713 Vulnerability \u2713 License \u2713 Please see here for supported versions.
The table below outlines the features offered by Trivy.
Feature Supported Unfixed vulnerabilities \u2713 Dependency graph \u2713 End of life awareness \u2713"},{"location":"guide/coverage/os/rhel/#sbom","title":"SBOM","text":"Trivy detects packages that have been installed through package managers such as dnf and yum.
"},{"location":"guide/coverage/os/rhel/#vulnerability","title":"Vulnerability","text":"Red Hat offers its own security advisories, and these are utilized when scanning Red Hat Enterprise Linux (RHEL) for vulnerabilities.
"},{"location":"guide/coverage/os/rhel/#content-manifests","title":"Content manifests","text":"Red Hat\u2019s security advisories use CPEs to identify product sets. For example, even packages installed in the same container image can have different CPEs. For this reason, Red Hat\u2019s container images include stored content manifests, which Trivy converts to CPEs before performing vulnerability scanning.
Since this system ties each content manifest to its packages on a per-layer basis, if layers get merged (for instance, by using docker run or docker export) we can no longer determine the correct CPE, which may lead to false detection.
"},{"location":"guide/coverage/os/rhel/#data-source","title":"Data Source","text":"See here.
"},{"location":"guide/coverage/os/rhel/#fixed-version","title":"Fixed Version","text":"When looking at fixed versions, it's crucial to consider the patches supplied by Red Hat. For example, for CVE-2023-0464, the fixed version for RHEL 9 is listed as 3.0.7-16.el9_2 in their advisory. This patch is provided in RHSA-2023:3722. Note that this is different from the upstream fixed version, which is 3.0.9, 3.1.1, and so on. Typically, only the upstream information gets listed on NVD, so it's important not to get confused.
"},{"location":"guide/coverage/os/rhel/#severity","title":"Severity","text":"Trivy calculates the severity of a vulnerability based on the 'Impact' metric provided by Red Hat. If the impact is not provided or defined yet by Red Hat, the severity from the NVD is taken into account.
Using CVE-2023-0464 as an example, while it is rated as \"HIGH\" in NVD, Red Hat has marked its 'Impact' as \"Low\". As a result, Trivy will display it as \"Low\".
The table below is the mapping of Red Hat's impact to Trivy's severity levels.
Red Hat Trivy Low Low Moderate Medium Important High Critical Critical"},{"location":"guide/coverage/os/rhel/#status","title":"Status","text":"Trivy supports the following vulnerability statuses for RHEL.
Status Supported Fixed \u2713 Affected \u2713 Under Investigation \u2713 Will Not Fix \u2713 Fix Deferred \u2713 End of Life \u2713 When a vulnerability status is listed as \"End of Life\", it means a vulnerability with the impact level assigned to this CVE is no longer covered by its current support lifecycle phase. The product has been identified to contain the impacted component, but analysis to determine whether it is affected or not by this vulnerability was not performed. Red Hat advises that the product should be assumed to be affected. Therefore, Trivy detects vulnerabilities with this status as \"End of Life\".
On the other hand, for those marked \"Under Investigation,\" the impact is unclear as they are still being examined, so Trivy does not detect them. Once the investigation is completed, the status should be updated.
Abstract
Vulnerabilities with a status of \"End of Life\", where the presence or absence of impact is unclear, are detected by Trivy. However, those with a status of \"Under Investigation\" are not detected.
"},{"location":"guide/coverage/os/rhel/#license","title":"License","text":"Trivy identifies licenses by examining the metadata of RPM packages.
"},{"location":"guide/coverage/os/rocky/","title":"Rocky Linux","text":"Trivy supports the following scanners for OS packages.
Scanner Supported SBOM \u2713 Vulnerability \u2713 License \u2713 Please see here for supported versions.
The table below outlines the features offered by Trivy.
Feature Supported Unfixed vulnerabilities - Dependency graph \u2713 End of life awareness \u2713"},{"location":"guide/coverage/os/rocky/#sbom","title":"SBOM","text":"Trivy detects packages that have been installed through package managers such as dnf and yum.
"},{"location":"guide/coverage/os/rocky/#vulnerability","title":"Vulnerability","text":"Rocky Linux offers its own security advisories, and these are utilized when scanning Rocky Linux for vulnerabilities.
"},{"location":"guide/coverage/os/rocky/#data-source","title":"Data Source","text":"See here.
"},{"location":"guide/coverage/os/rocky/#fixed-version","title":"Fixed Version","text":"Trivy takes fixed versions from Rocky Linux Errata, not NVD or somewhere else. See here for more details.
Architectures
Some vulnerabilities affect packages for only some architectures. For example, the vulnerable packages for CVE-2023-0361 are aarch64 packages only.
Trivy only detects vulnerabilities for packages of the scanned architecture.
"},{"location":"guide/coverage/os/rocky/#severity","title":"Severity","text":"Trivy calculates the severity of an issue based on the severity provided in Rocky Linux Errata.
The table below is the mapping of Rocky Linux's severity to Trivy's severity levels.
Rocky Linux Trivy Low Low Moderate Medium Important High Critical Critical"},{"location":"guide/coverage/os/rocky/#status","title":"Status","text":"Trivy supports the following vulnerability statuses for Rocky Linux.
Status Supported Fixed \u2713 Affected \u2713 Under Investigation Will Not Fix Fix Deferred End of Life"},{"location":"guide/coverage/os/rocky/#license","title":"License","text":"Trivy identifies licenses by examining the metadata of RPM packages.
"},{"location":"guide/coverage/os/suse/","title":"SUSE","text":"Trivy supports the following distributions:
- openSUSE Leap
- openSUSE Tumbleweed
- SUSE Linux Enterprise (SLE)
- SUSE Linux Enterprise Micro
Please see here for supported versions.
Trivy supports these scanners for OS packages.
Scanner Supported SBOM \u2713 Vulnerability \u2713 License \u2713 The table below outlines the features offered by Trivy.
Feature Supported Unfixed vulnerabilities - Dependency graph \u2713 End of life awareness \u2713"},{"location":"guide/coverage/os/suse/#sbom","title":"SBOM","text":"Trivy detects packages that have been installed through package managers such as dnf and yum.
"},{"location":"guide/coverage/os/suse/#vulnerability","title":"Vulnerability","text":"SUSE offers its own security advisories, and these are utilized when scanning openSUSE/SLE for vulnerabilities.
"},{"location":"guide/coverage/os/suse/#data-source","title":"Data Source","text":"See here.
"},{"location":"guide/coverage/os/suse/#license","title":"License","text":"Trivy identifies licenses by examining the metadata of RPM packages.
"},{"location":"guide/coverage/os/ubuntu/","title":"Ubuntu","text":"Trivy supports these scanners for OS packages.
Scanner Supported SBOM \u2713 Vulnerability \u2713 License \u2713 Please see here for supported versions.
The following table provides an outline of the features Trivy offers.
Feature Supported Detect unfixed vulnerabilities \u2713 Dependency graph \u2713 End of life awareness \u2713"},{"location":"guide/coverage/os/ubuntu/#sbom","title":"SBOM","text":"Same as Debian.
"},{"location":"guide/coverage/os/ubuntu/#vulnerability","title":"Vulnerability","text":"Ubuntu offers its own security advisories, and these are utilized when scanning Ubuntu for vulnerabilities.
"},{"location":"guide/coverage/os/ubuntu/#data-source","title":"Data Source","text":"See here.
"},{"location":"guide/coverage/os/ubuntu/#fixed-version","title":"Fixed Version","text":"When looking at fixed versions, it's crucial to consider the patches supplied by Ubuntu. As an illustration, for CVE-2023-3269, the fixed version for Ubuntu 23.04 (lunar) is listed as 6.2.0-26.26 in the Security Tracker. It's essential to recognize that this differs from the upstream fixed version, which stands at 6.5. Typically, only the upstream information gets listed on NVD, so it's important not to get confused.
"},{"location":"guide/coverage/os/ubuntu/#severity","title":"Severity","text":"Trivy calculates the severity of an issue based on the 'Priority' metric found in the Security Tracker. If 'Priority' isn't provided by Ubuntu, the severity from the NVD is taken into account.
Using CVE-2019-15052 as an example, while it is rated as \"Critical\" in NVD, Ubuntu has marked its \"Priority\" as \"Medium\". As a result, Trivy will display it as \"Medium\".
"},{"location":"guide/coverage/os/ubuntu/#status","title":"Status","text":"Trivy supports the following vulnerability statuses for Ubuntu.
Status Supported Fixed \u2713 Affected \u2713 Under Investigation Will Not Fix Fix Deferred End of Life"},{"location":"guide/coverage/os/ubuntu/#license","title":"License","text":"Same as Debian.
"},{"location":"guide/coverage/os/wolfi/","title":"Wolfi Linux","text":"Trivy supports these scanners for OS packages.
Scanner Supported SBOM \u2713 Vulnerability \u2713 License \u2713 The table below outlines the features offered by Trivy.
Feature Supported Detect unfixed vulnerabilities - Dependency graph \u2713 End of life awareness -"},{"location":"guide/coverage/os/wolfi/#sbom","title":"SBOM","text":"Same as Alpine Linux.
"},{"location":"guide/coverage/os/wolfi/#vulnerability","title":"Vulnerability","text":"Wolfi Linux offers its own security advisories, and these are utilized when scanning Wolfi for vulnerabilities. Everything else is the same as Alpine Linux.
"},{"location":"guide/coverage/os/wolfi/#data-source","title":"Data Source","text":"See here.
"},{"location":"guide/coverage/os/wolfi/#license","title":"License","text":"Same as Alpine Linux.
"},{"location":"guide/coverage/others/","title":"Others","text":"In this section we have placed images, package managers and files that we can't assign to existing sections.
Trivy supports them for
- SBOM
- Vulnerabilities
- Licenses
"},{"location":"guide/coverage/others/#supported-elements","title":"Supported elements","text":"Element File Image1 Rootfs2 Filesystem3 Repository4 Bitnami packages /opt/bitnami/<component>/.spdx-<component>.spdx \u2705 \u2705 - - Conda <conda-root>/envs/<env>/conda-meta/<package>.json \u2705 \u2705 - - environment.yml - - \u2705 \u2705 Root.io images - \u2705 \u2705 - - Seal Security - \u2705 \u2705 - - RPM Archives *.rpm \u27055 \u27055 \u27055 \u27055 -
\u2705 means \"enabled\" and - means \"disabled\" in the image scanning\u00a0\u21a9
-
\u2705 means \"enabled\" and - means \"disabled\" in the rootfs scanning\u00a0\u21a9
-
\u2705 means \"enabled\" and - means \"disabled\" in the filesystem scanning\u00a0\u21a9
-
\u2705 means \"enabled\" and - means \"disabled\" in the git repository scanning\u00a0\u21a9
-
Only if the TRIVY_EXPERIMENTAL_RPM_ARCHIVE env is set.\u00a0\u21a9\u21a9\u21a9\u21a9
"},{"location":"guide/coverage/others/bitnami/","title":"Bitnami Images","text":"EXPERIMENTAL
Scanning results may be inaccurate.
While it is not an OS, this page describes the details of the container images provided by Bitnami. Bitnami images are based on Debian. Please see the Debian page for OS packages.
Trivy supports the following scanners for Bitnami packages.
Scanner Supported SBOM \u2713 Vulnerability \u2713 License \u2713 The table below outlines the features offered by Trivy.
Feature Supported Unfixed vulnerabilities - Dependency graph -"},{"location":"guide/coverage/others/bitnami/#sbom","title":"SBOM","text":"Trivy analyzes the SBOM information contained within the container images provided by Bitnami. The SBOM files are located at /opt/bitnami/<component>/.spdx-<component>.spdx.
"},{"location":"guide/coverage/others/bitnami/#vulnerability","title":"Vulnerability","text":"Since Bitnami maintains its own vulnerability database, Trivy uses it for vulnerability detection of applications and packages distributed by Bitnami.
Note
Trivy does not support vulnerability detection of independently compiled binaries, so even if you scan container images like nginx:1.15.2, vulnerabilities in Nginx cannot be detected. This is because main applications like Nginx are not installed by the package manager. However, in the case of Bitnami images, since these SBOMs are stored within the image, scanning bitnami/nginx:1.15.2 allows for the detection of vulnerabilities in Nginx.
"},{"location":"guide/coverage/others/bitnami/#fixed-version","title":"Fixed Version","text":"Trivy refers to the Bitnami database. Please note that these may differ from the upstream fixed versions.
"},{"location":"guide/coverage/others/bitnami/#severity","title":"Severity","text":"As with fixed versions, severity follows Bitnami's vulnerability database.
"},{"location":"guide/coverage/others/bitnami/#status","title":"Status","text":"Trivy supports the following vulnerability statuses for Bitnami packages.
Status Supported Fixed \u2713 Affected \u2713 Under Investigation Will Not Fix Fix Deferred End of Life"},{"location":"guide/coverage/others/bitnami/#license","title":"License","text":"If licenses are included in the SBOM distributed by Bitnami, they will be used for scanning.
"},{"location":"guide/coverage/others/conda/","title":"Conda","text":"Trivy supports the following scanners for Conda packages.
Scanner Supported SBOM \u2713 Vulnerability - License \u2713 Package manager File Transitive dependencies Dev dependencies Dependency graph Position Detection Priority Conda environment.yml - Include - \u2713 -"},{"location":"guide/coverage/others/conda/#packagejson","title":"<package>.json","text":""},{"location":"guide/coverage/others/conda/#sbom","title":"SBOM","text":"Trivy parses <conda-root>/envs/<env>/conda-meta/<package>.json files to find the dependencies installed in your env.
"},{"location":"guide/coverage/others/conda/#license","title":"License","text":"The <package>.json files contain package license information. Trivy includes licenses for the packages it finds without having to parse additional files.
"},{"location":"guide/coverage/others/conda/#environmentyml","title":"environment.yml1","text":""},{"location":"guide/coverage/others/conda/#sbom_1","title":"SBOM","text":"Trivy supports parsing environment.yml1 files to find dependency list.
environment.yml1 files support version ranges, so the exact versions of these dependencies can't be determined. Therefore, you need to use the conda env export command to get the dependency list in Conda's default format before scanning the environment.yml1 file.
Note
For dependencies in a non-Conda format, Trivy doesn't include their version.
"},{"location":"guide/coverage/others/conda/#license_1","title":"License","text":"Trivy parses conda-meta/<package>.json files at the prefix path.
To correctly identify licenses, make sure your environment.yml1 contains the prefix field and that the prefix directory contains the <package>.json files.
Note
To get a correct environment.yml1 file and populate the prefix directory, use the conda env export command.
-
Trivy supports both yaml and yml extensions.\u00a0\u21a9\u21a9\u21a9\u21a9\u21a9\u21a9
"},{"location":"guide/coverage/others/rootio/","title":"Root.io","text":"EXPERIMENTAL
Scanning results may be inaccurate.
While it is not an OS, this page describes the details of Root.io patch distribution service. Root.io provides security patches for Debian, Ubuntu, and Alpine-based container images. Root.io patches are detected when Trivy finds packages with specific version suffixes:
- Debian/Ubuntu: packages with .root.io in the version string
- Alpine: packages with the -r\\d007\\d pattern in the version string (e.g., -r10071, -r20072)
When Root.io patches are detected, Trivy automatically switches to Root.io scanning mode for vulnerability detection. Even when the original OS distributor (Debian, Ubuntu, Alpine) has not provided a patch for a vulnerability, Trivy will display Root.io patches if they are available.
Note
For vulnerabilities, Trivy uses the severity level from the original OS vendor (if the vendor has specified a severity).
For detailed information about supported scanners, features, and functionality, please refer to the documentation for the underlying OS:
- Debian
- Ubuntu
- Alpine
"},{"location":"guide/coverage/others/rpm/","title":"RPM Archives","text":"EXPERIMENTAL
This feature might change without preserving backwards compatibility.
Trivy supports the following scanners for RPM archives.
Scanner Supported SBOM \u2713 Vulnerability \u27131 License \u2713 The table below outlines the features offered by Trivy.
"},{"location":"guide/coverage/others/rpm/#sbom","title":"SBOM","text":"Trivy analyzes RPM archives matching *.rpm. This feature is currently disabled by default but can be enabled with an environment variable, TRIVY_EXPERIMENTAL_RPM_ARCHIVE.
TRIVY_EXPERIMENTAL_RPM_ARCHIVE=true trivy fs ./rpms --format cyclonedx --output rpms.cdx.json\n
Note
Currently, it works with --format cyclonedx, --format spdx or --format spdx-json.
"},{"location":"guide/coverage/others/rpm/#vulnerability","title":"Vulnerability","text":"Since RPM files don't have OS information, you need to generate SBOM, fill in the OS information manually and then scan the SBOM for vulnerabilities.
For example:
$ TRIVY_EXPERIMENTAL_RPM_ARCHIVE=true trivy fs ./rpms -f cyclonedx -o rpms.cdx.json\n$ jq '(.components[] | select(.type == \"operating-system\")) |= (.name = \"redhat\" | .version = \"7.9\")' rpms.cdx.json > rpms-res.cdx.json\n$ trivy sbom ./rpms-res.cdx.json\n
"},{"location":"guide/coverage/others/rpm/#license","title":"License","text":"If licenses are included in the RPM archive, Trivy extracts them.
-
Need to generate SBOM first and add OS information to that SBOM\u00a0\u21a9
"},{"location":"guide/coverage/others/seal/","title":"Seal Security","text":"EXPERIMENTAL
Scanning results may be inaccurate.
While it is not an OS, this page describes the details of the Seal Security vulnerability feed. Seal provides security advisories and patched versions for multiple Linux distributions, including Debian, Ubuntu, Alpine, Red Hat Enterprise Linux, CentOS, Oracle Linux, and Azure Linux (CBL\u2011Mariner).
Seal advisories are used when Trivy finds packages that indicate Seal-provided components:
- Packages whose name or source name starts with seal- (for example, seal-wget, seal-zlib).
When such Seal packages are detected, Trivy automatically enables Seal scanning for those packages while continuing to use the base OS scanner for the rest.
Note
For vulnerabilities, Trivy prefers severity from the base OS vendor when available.
For details on supported scanners, features, and behavior for each base OS, refer to their respective pages:
- Debian
- Ubuntu
- Alpine
- Red Hat Enterprise Linux
- CentOS
- Oracle Linux
- Azure Linux (CBL\u2011Mariner)
"},{"location":"guide/plugin/","title":"Plugins","text":"Trivy provides a plugin feature to allow others to extend the Trivy CLI without the need to change the Trivy code base. This plugin system was inspired by the plugin system used in kubectl, Helm, and Conftest.
"},{"location":"guide/plugin/#overview","title":"Overview","text":"Trivy plugins are add-on tools that integrate seamlessly with Trivy. They provide a way to extend the core feature set of Trivy, but without requiring every new feature to be written in Go and added to the core tool.
- They can be added and removed from a Trivy installation without impacting the core Trivy tool.
- They can be written in any programming language.
- They integrate with Trivy, and will show up in Trivy help and subcommands.
Warning
Trivy plugins available in public are not audited for security. You should install and run third-party plugins at your own risk, since they are arbitrary programs running on your machine.
"},{"location":"guide/plugin/#quickstart","title":"Quickstart","text":"Trivy helps you discover and install plugins on your machine.
You can install and use a wide variety of Trivy plugins to enhance your experience.
Let\u2019s get started:
-
Download the plugin list:
$ trivy plugin update\n
-
Discover Trivy plugins available on the plugin index:
$ trivy plugin search\nNAME DESCRIPTION MAINTAINER OUTPUT\naqua A plugin for integration with Aqua Security SaaS platform aquasecurity\nkubectl A plugin scanning the images of a kubernetes resource aquasecurity\nreferrer A plugin for OCI referrers aquasecurity \u2713\n[...]\n
-
Choose a plugin from the list and install it:
$ trivy plugin install referrer\n
-
Use the installed plugin:
$ trivy referrer --help\n
-
Keep your plugins up-to-date:
$ trivy plugin upgrade\n
-
Uninstall a plugin you no longer use:
$ trivy plugin uninstall referrer\n
This is practically all you need to know to start using Trivy plugins.
"},{"location":"guide/plugin/developer-guide/","title":"Developer Guide","text":""},{"location":"guide/plugin/developer-guide/#developing-trivy-plugins","title":"Developing Trivy plugins","text":"This section will guide you through the process of developing Trivy plugins. To help you get started quickly, we have published a plugin template repository. You can use this template as a starting point for your plugin development.
"},{"location":"guide/plugin/developer-guide/#introduction","title":"Introduction","text":"If you are looking to start developing plugins for Trivy, read the user guide first.
The development process involves the following steps:
- Create a repository for your plugin, named trivy-plugin-<name>.
- Create an executable binary that can be invoked as trivy <name>.
- Place the executable binary in a repository.
- Create a plugin.yaml file that describes the plugin.
- (Submit your plugin to the Trivy plugin index.)
After you develop a plugin with a good name following the best practices and publish it, you can submit your plugin to the Trivy plugin index.
"},{"location":"guide/plugin/developer-guide/#naming","title":"Naming","text":"This section describes guidelines for naming your plugins.
"},{"location":"guide/plugin/developer-guide/#use-trivy-plugin-prefix","title":"Use trivy-plugin- prefix","text":"The name of the plugin repository should be prefixed with trivy-plugin-.
"},{"location":"guide/plugin/developer-guide/#use-lowercase-and-hyphens","title":"Use lowercase and hyphens","text":"Plugin names must be all lowercase and separate words with hyphens. Don\u2019t use camelCase, PascalCase, or snake_case; use kebab-case.
- NO: trivy OpenSvc
- YES: trivy open-svc
"},{"location":"guide/plugin/developer-guide/#be-specific","title":"Be specific","text":"Plugin names should not be verbs or nouns that are generic, already overloaded, or likely to be used for broader purposes by another plugin.
- NO: trivy sast (Too broad)
- YES: trivy govulncheck
"},{"location":"guide/plugin/developer-guide/#be-unique","title":"Be unique","text":"Find a unique name for your plugin that differentiates it from other plugins that perform a similar function.
- NO: trivy images (Unclear how it is different from the builtin \u201cimage\u201d command)
- YES: trivy registry-images (Unique name).
"},{"location":"guide/plugin/developer-guide/#prefix-vendor-identifiers","title":"Prefix Vendor Identifiers","text":"Use vendor-specific strings as prefix, separated with a dash. This makes it easier to search/group plugins that are about a specific vendor.
- NO: trivy security-hub-aws (Makes it harder to search or locate in a plugin list)
- YES: trivy aws-security-hub (Will show up together with other aws-* plugins)
"},{"location":"guide/plugin/developer-guide/#choosing-a-language","title":"Choosing a language","text":"Since Trivy plugins are standalone executables, you can write them in any programming language.
If you are planning to write a plugin in Go, check out the Report struct, which is the output of a Trivy scan.
"},{"location":"guide/plugin/developer-guide/#writing-your-plugin","title":"Writing your plugin","text":"Each plugin has a top-level directory, and then a plugin.yaml file.
your-plugin/\n |\n |- plugin.yaml\n |- your-plugin.sh\n
In the example above, the plugin is contained inside a directory named your-plugin. It has two files: plugin.yaml (required) and an executable script, your-plugin.sh (optional).
"},{"location":"guide/plugin/developer-guide/#writing-a-plugin-manifest","title":"Writing a plugin manifest","text":"The plugin manifest is a simple YAML file named plugin.yaml. Here is an example YAML of trivy-plugin-kubectl plugin that adds support for Kubernetes scanning.
name: \"kubectl\"\nversion: \"0.1.0\"\nrepository: github.com/aquasecurity/trivy-plugin-kubectl\nmaintainer: aquasecurity\noutput: false\nsummary: Scan kubectl resources\ndescription: |-\n A Trivy plugin that scans the images of a kubernetes resource.\n Usage: trivy kubectl TYPE[.VERSION][.GROUP] NAME\nplatforms:\n - selector: # optional\n os: darwin\n arch: amd64\n uri: ./trivy-kubectl # where the execution file is (local file, http, git, etc.)\n bin: ./trivy-kubectl # path to the execution file\n - selector: # optional\n os: linux\n arch: amd64\n uri: https://github.com/aquasecurity/trivy-plugin-kubectl/releases/download/v0.1.0/trivy-kubectl.tar.gz\n bin: ./trivy-kubectl\n
We encourage you to copy and adapt plugin manifests of existing plugins.
- count
- referrer
The plugin.yaml field should contain the following information:
- name: The name of the plugin. This also determines how the plugin will be made available in the Trivy CLI. For example, if the plugin is named kubectl, you can call the plugin with trivy kubectl. (required)
- version: The version of the plugin. Semantic Versioning should be used. (required)
- repository: The repository name where the plugin is hosted. (required)
- maintainer: The name of the maintainer of the plugin. (required)
- output: Whether the plugin supports the output mode. (optional)
- usage: Deprecated: use summary instead. (optional)
- summary: A short usage description. (required)
- description: A long description of the plugin. This is where you could provide a helpful documentation of your plugin. (required)
- platforms: (required)
- selector: The OS/Architecture specific variations of a execution file. (optional)
- os: OS information based on GOOS (linux, darwin, etc.) (optional)
- arch: The architecture information based on GOARCH (amd64, arm64, etc.) (optional)
- uri: Where the executable file is. Relative path from the root directory of the plugin or remote URL such as HTTP and S3. (required)
- bin: Which file to call when the plugin is executed. Relative path from the root directory of the plugin. (required)
The following rules will apply in deciding which platform to select:
- If both os and arch under selector match the current platform, search will stop and the platform will be used.
- If selector is not present, the platform will be used.
- If os matches and there is no more specific arch match, the platform will be used.
- If no platform match is found, Trivy will exit with an error.
After determining platform, Trivy will download the execution file from uri and store it in the plugin cache. When the plugin is called via Trivy CLI, bin command will be executed.
"},{"location":"guide/plugin/developer-guide/#tagging-plugin-repositories","title":"Tagging plugin repositories","text":"If you are hosting your plugin in a Git repository, it is strongly recommended to tag your releases with a version number. By tagging your releases, Trivy can install specific versions of your plugin.
$ trivy plugin install referrer@v0.3.0\n
When tagging versions, you must follow the Semantic Versioning and prefix the tag with v, like v1.2.3.
"},{"location":"guide/plugin/developer-guide/#plugin-argumentsflags","title":"Plugin arguments/flags","text":"The plugin is responsible for handling flags and arguments. Any arguments are passed to the plugin from the trivy command.
"},{"location":"guide/plugin/developer-guide/#testing-plugin-installation-locally","title":"Testing plugin installation locally","text":"A plugin should be archived as a *.tar.gz file. After you have archived your plugin into a .tar.gz file, you can verify that your plugin installs correctly with Trivy.
$ tar -czvf myplugin.tar.gz plugin.yaml script.py\nplugin.yaml\nscript.py\n\n$ trivy plugin install myplugin.tar.gz\n2023-03-03T19:04:42.026+0600 INFO Installing the plugin from myplugin.tar.gz...\n2023-03-03T19:04:42.026+0600 INFO Loading the plugin metadata...\n\n$ trivy myplugin\nHello from Trivy demo plugin!\n
"},{"location":"guide/plugin/developer-guide/#publishing-plugins","title":"Publishing plugins","text":"The plugin.yaml file is the core of your plugin, so as long as it is published somewhere, your plugin can be installed. If you choose to publish your plugin on GitHub, you can make it installable by placing the plugin.yaml file in the root directory of your repository. Users can then install your plugin with the command, trivy plugin install github.com/org/repo.
While the uri specified in the plugin.yaml file doesn't necessarily need to point to the same repository, it's a good practice to host the executable file within the same repository when using GitHub. You can utilize GitHub Releases to distribute the executable file. For an example of how to structure your plugin repository, refer to the plugin template repository.
"},{"location":"guide/plugin/developer-guide/#distributing-plugins-via-the-trivy-plugin-index","title":"Distributing plugins via the Trivy plugin index","text":"Trivy can install plugins directly by specifying a repository, like trivy plugin install github.com/aquasecurity/trivy-plugin-referrer, so you don't necessarily need to register your plugin in the Trivy plugin index. However, we would recommend distributing your plugin via the Trivy plugin index since it makes it easier for other users to find (trivy plugin search) and install your plugin (e.g. trivy plugin install kubectl).
"},{"location":"guide/plugin/developer-guide/#pre-submit-checklist","title":"Pre-submit checklist","text":" - Review the plugin naming guide.
- Ensure the plugin.yaml file has all the required fields.
- Tag a git release with a semantic version (e.g. v1.0.0).
- Test your plugin installation locally.
"},{"location":"guide/plugin/developer-guide/#submitting-plugins","title":"Submitting plugins","text":"Submitting your plugin to the plugin index is a straightforward process. All you need to do is create a YAML file for your plugin and place it in the plugins/ directory of the index repository.
Once you've done that, create a pull request (PR) and have it reviewed by the maintainers. Once your PR is merged, the index will be updated, and your plugin will be available for installation. The plugin index page will also be automatically updated to list your newly added plugin.
The content of the YAML file is very simple. You only need to specify the name of your plugin and the repository where it is distributed.
name: referrer\nrepository: github.com/aquasecurity/trivy-plugin-referrer\n
After your PR is merged, the CI system will automatically retrieve the plugin.yaml file from your repository and update the index.yaml file. If any required fields are missing from your plugin.yaml, the CI will fail, so make sure your plugin.yaml has all the required fields before creating a PR. Once the index.yaml has been updated, running trivy plugin update will download the updated index to your local machine.
"},{"location":"guide/plugin/user-guide/","title":"User Guide","text":""},{"location":"guide/plugin/user-guide/#discovering-plugins","title":"Discovering Plugins","text":"You can find a list of Trivy plugins distributed via trivy-plugin-index here. However, you can find plugins using the command line as well.
First, refresh your local copy of the plugin index:
$ trivy plugin update\n
To list all plugins available, run:
$ trivy plugin search\nNAME DESCRIPTION MAINTAINER OUTPUT\naqua A plugin for integration with Aqua Security SaaS platform aquasecurity\nkubectl A plugin scanning the images of a kubernetes resource aquasecurity\nreferrer A plugin for OCI referrers aquasecurity \u2713\n
You can specify search keywords as arguments:
$ trivy plugin search referrer\n\nNAME DESCRIPTION MAINTAINER OUTPUT\nreferrer A plugin for OCI referrers aquasecurity \u2713\n
It lists plugins with the keyword in the name or description.
"},{"location":"guide/plugin/user-guide/#installing-plugins","title":"Installing Plugins","text":"Plugins can be installed with the trivy plugin install command:
$ trivy plugin install referrer\n
This command will download the plugin and install it in the plugin cache.
Trivy adheres to the XDG specification, so the location depends on whether XDG_DATA_HOME is set. Trivy will now search XDG_DATA_HOME for the location of the Trivy plugins cache. The preference order is as follows:
- XDG_DATA_HOME if set and .trivy/plugins exists within the XDG_DATA_HOME dir
- ~/.trivy/plugins
Furthermore, it is possible to download plugins that are not registered in the index by specifying the URL directly or by specifying the file path.
$ trivy plugin install github.com/aquasecurity/trivy-plugin-kubectl\n
$ trivy plugin install https://github.com/aquasecurity/trivy-plugin-kubectl/archive/refs/heads/main.zip\n
$ trivy plugin install ./myplugin.tar.gz\n
If the plugin's Git repository is properly tagged, you can specify the version to install like this:
$ trivy plugin install referrer@v0.3.0\n
Note
The leading v in the version is required. Also, the version must follow Semantic Versioning.
Under the hood Trivy leverages go-getter to download plugins. This means the following protocols are supported for downloading plugins:
- OCI Registries
- Local Files
- Git
- HTTP/HTTPS
- Mercurial
- Amazon S3
- Google Cloud Storage
"},{"location":"guide/plugin/user-guide/#listing-installed-plugins","title":"Listing Installed Plugins","text":"To list all plugins installed, run:
$ trivy plugin list\n
"},{"location":"guide/plugin/user-guide/#using-plugins","title":"Using Plugins","text":"Once the plugin is installed, Trivy will load all available plugins in the cache at the start of the next Trivy execution. A plugin will be made available in the Trivy CLI under the plugin name. To display all plugins, you can list them with trivy --help
$ trivy --help\nNAME:\n trivy - A simple and comprehensive vulnerability scanner for containers\n\nUSAGE:\n trivy [global options] command [command options] target\n\nVERSION:\n dev\n\nScanning Commands\n config Scan config files for misconfigurations\n filesystem Scan local filesystem\n image Scan a container image\n\n...\n\nPlugin Commands\n kubectl scan kubectl resources\n referrer Put referrers to OCI registry\n
As shown above, kubectl subcommand exists in the Plugin Commands section. To call the kubectl plugin and scan existing Kubernetes deployments, you can execute the following command:
$ trivy kubectl deployment <deployment-id> -- --ignore-unfixed --severity CRITICAL\n
Internally, the kubectl plugin calls the kubectl binary to fetch information about that deployment and passes the images in use to Trivy. You can see the details here.
If you want to omit even the subcommand, you can use TRIVY_RUN_AS_PLUGIN environment variable.
$ TRIVY_RUN_AS_PLUGIN=kubectl trivy job your-job -- --format json\n
"},{"location":"guide/plugin/user-guide/#installing-and-running-plugins-on-the-fly","title":"Installing and Running Plugins on the fly","text":"trivy plugin run installs a plugin and runs it on the fly. If the plugin is already present in the cache, the installation is skipped.
trivy plugin run kubectl pod your-pod -- --exit-code 1\n
"},{"location":"guide/plugin/user-guide/#upgrading-plugins","title":"Upgrading Plugins","text":"To upgrade all plugins that you have installed to their latest versions, run:
$ trivy plugin upgrade\n
To upgrade only certain plugins, you can explicitly specify their names:
$ trivy plugin upgrade <PLUGIN1> <PLUGIN2>\n
"},{"location":"guide/plugin/user-guide/#uninstalling-plugins","title":"Uninstalling Plugins","text":"Specify a plugin name with trivy plugin uninstall command.
$ trivy plugin uninstall kubectl\n
"},{"location":"guide/plugin/user-guide/#output-mode-support","title":"Output Mode Support","text":"While plugins are typically intended to be used as subcommands of Trivy, plugins supporting the output mode can be invoked as part of Trivy's built-in commands.
EXPERIMENTAL
This feature might change without preserving backwards compatibility.
Trivy supports plugins that are compatible with the output mode, which process Trivy's output, such as by transforming the output format or sending it elsewhere. You can determine whether a plugin supports the output mode by checking the OUTPUT column in the output of trivy plugin search or trivy plugin list.
$ trivy plugin search\nNAME DESCRIPTION MAINTAINER OUTPUT\naqua A plugin for integration with Aqua Security SaaS platform aquasecurity\nkubectl A plugin scanning the images of a kubernetes resource aquasecurity\nreferrer A plugin for OCI referrers aquasecurity \u2713\n
In this case, the referrer plugin supports the output mode.
For instance, in the case of image scanning, a plugin supporting the output mode can be called as follows:
$ trivy image --format json --output plugin=<plugin_name> [--output-plugin-arg <plugin_flags>] <image_name>\n
Since scan results are passed to the plugin via standard input, plugins must be capable of handling standard input.
Warning
To avoid Trivy hanging, the plugin must read all data from stdin before it exits, whether successfully or with an error.
While the example passes JSON to the plugin, other formats like SBOM can also be passed (e.g., --format cyclonedx).
If a plugin requires flags or other arguments, they can be passed using --output-plugin-arg. This is directly forwarded as arguments to the plugin. For example, --output plugin=myplugin --output-plugin-arg \"--foo --bar=baz\" translates to myplugin --foo --bar=baz in execution.
An example of a plugin supporting the output mode is available here. It can be used as below:
# Install the plugin first\n$ trivy plugin install count\n\n# Call the plugin supporting the output mode in image scanning\n$ trivy image --format json --output plugin=count --output-plugin-arg \"--published-after 2023-10-01\" debian:12\n
"},{"location":"guide/plugin/user-guide/#example","title":"Example","text":" - kubectl
- count
"},{"location":"guide/references/abbreviations/","title":"Abbreviation List","text":"This list compiles words that frequently appear in CLI flags or configuration files and are commonly abbreviated in industry and OSS communities. Trivy may use the abbreviation in place of the full spelling for flag names. It is also acceptable to add even shorter aliases if needed.
Words not included in this list should be spelled out in full when used in flags.
This list is intentionally limited to the most common and widely recognized abbreviations. Excessive use of abbreviations in CLI flags can hinder initial user understanding and create a steeper learning curve.
Note
This list serves as a guideline rather than a strict requirement. Its purpose is to maintain consistency across the project when naming flags and configuration options. While we strive to follow these abbreviations, there may be exceptions where context or clarity demands a different approach.
"},{"location":"guide/references/abbreviations/#scope","title":"Scope","text":"This list focuses on abbreviations of single words commonly used in technical contexts. It does not include:
- Acronyms formed from the initial letters of multiple words (e.g., OS for Operating System, HTTP for Hypertext Transfer Protocol)
- Domain-specific terminology that already has standardized short forms
- Brand names or product-specific abbreviations
The abbreviations listed here are primarily intended for CLI flags, configuration keys, and similar technical interfaces where brevity is valued while maintaining clarity.
"},{"location":"guide/references/abbreviations/#example","title":"Example","text":"For a flag containing multiple words, only abbreviate words that appear in this list. For instance, in --database-repository, \"database\" is in the list so it should be abbreviated to \"db\", but \"repository\" is not in the list so it must be spelled out completely. The correct flag name would be --db-repository. It's acceptable to add a shorter alias like --db-repo if desired.
"},{"location":"guide/references/abbreviations/#list","title":"List","text":"
| Full Name | Default Abbreviation | Examples |
|---|---|---|
| application | app | --app-name, --app-mode |
| authentication | auth | --auth-method, --auth-token |
| authorization | authz | --authz-rule, --authz-policy |
| command | cmd | --cmd-option, --cmd-args |
| configuration | config | --config, --config-dir |
| database | db | --db-repository, --db-user, --db-pass |
| development | dev | --dev-dependencies, --dev-mode |
| directory | dir | --dir-path, --output-dir |
| environment | env | --env-file, --env-vars |
| information | info | --info-level, --show-info |
| initialization | init | --init-script, --init-config |
| library | lib | --lib-path, --lib-dir |
| maximum | max | --max-image-size, --max-depth |
| minimum | min | --min-value, --min-severity |
| misconfiguration | misconfig | --misconfig-scanners |
| package | pkg | --pkg-types |
| production | prod | --prod-env, --prod-deploy |
| specification | spec | --spec-file, --spec-version |
| temporary | tmp | --tmp-dir, --tmp-file |
| utility | util | --util-script, --util-name |
| vulnerability | vuln | --vuln-scan, --vuln-report |
"},{"location":"guide/references/terminology/","title":"Terminology","text":"This page explains the terminology system used in Trivy, helping users understand the specific terms and concepts unique to the Trivy ecosystem.
Inclusion Criteria
- Core Components of Trivy
  - Primary features such as Scanner, Target
  - Essential components such as Scan Assets (trivy-db, trivy-java-db)
  - Components that users directly interact with
- Trivy-specific Terms
  - Terms unique to Trivy (e.g., VEX Hub)
  - Terms that have special meaning in Trivy's context (e.g., Plugin, Module)
Exclusion Criteria
- General Terms
  - Common security/technical terms (e.g., CVE, CVSS, Container, Registry)
  - Standard industry terminology
- Implementation Details
  - Internal workings of components
  - Usage instructions (these belong in feature documentation)
"},{"location":"guide/references/terminology/#core-concepts","title":"Core Concepts","text":""},{"location":"guide/references/terminology/#target","title":"Target","text":"Types of artifacts that Trivy can scan, like container images and filesystem.
"},{"location":"guide/references/terminology/#scanner","title":"Scanner","text":"Trivy's built-in security scanning engines. Trivy has four main scanners:
- Vulnerability Scanner
- Misconfiguration Scanner
- Secret Scanner
- License Scanner
Note
SBOM is not a scanner but an output format option.
"},{"location":"guide/references/terminology/#scan-assets","title":"Scan Assets","text":"External data that Trivy downloads (if needed for scanner) and uses during scanning:
- Vulnerability Database (Trivy DB, trivy-db): Database containing vulnerability information
- Java Index Database (Trivy Java DB, trivy-java-db): Database for Java artifact identification
- Checks Bundle (trivy-checks): Archive containing misconfiguration detection rules
- VEX Repository: Repository containing VEX documents
"},{"location":"guide/references/terminology/#vulnerability-scanning","title":"Vulnerability Scanning","text":""},{"location":"guide/references/terminology/#vulnerability-database-trivy-db-trivy-db","title":"Vulnerability Database (Trivy DB, trivy-db)","text":"The core vulnerability database required for vulnerability detection. Contains comprehensive vulnerability information for multiple ecosystems. Distributed via OCI registry.
Managed at https://github.com/aquasecurity/trivy-db.
The vulnerability database is built from a GitHub repository that collects and stores vulnerability information from various data sources. This repository serves as the foundation for building the Trivy DB.
Managed at:
- https://github.com/aquasecurity/vuln-list
- https://github.com/aquasecurity/vuln-list-nvd
- https://github.com/aquasecurity/vuln-list-redhat
- https://github.com/aquasecurity/vuln-list-debian
- etc.
"},{"location":"guide/references/terminology/#java-index-database-trivy-java-db-trivy-java-db","title":"Java Index Database (Trivy Java DB, trivy-java-db)","text":"Specialized database used for identifying Java libraries and their components during JAR/WAR/PAR/EAR scanning. Distributed via OCI registry.
Managed at https://github.com/aquasecurity/trivy-java-db.
"},{"location":"guide/references/terminology/#misconfiguration-scanning","title":"Misconfiguration Scanning","text":"When the context does not clearly indicate these terms are related to misconfiguration scanning, they may be prefixed with \"Misconfiguration\" for clarity. For example, \"Check\" may be referred to as \"Misconfiguration Check\", and \"Checks Bundle\" as \"Misconfiguration Checks Bundle\".
"},{"location":"guide/references/terminology/#check","title":"Check","text":"A Rego file that defines rules for detecting misconfigurations in various types of IaC files.
"},{"location":"guide/references/terminology/#built-in-checks","title":"Built-in Checks","text":"Default set of checks distributed through the trivy-checks repository, providing standard security and configuration best practices.
"},{"location":"guide/references/terminology/#checks-bundle","title":"Checks Bundle","text":"A tar.gz archive containing the built-in checks, distributed via OCI registry.
"},{"location":"guide/references/terminology/#secret-scanning","title":"Secret Scanning","text":""},{"location":"guide/references/terminology/#rule","title":"Rule","text":"Pattern matching rules used to detect hardcoded secrets and sensitive information. Each rule consists of:
- Metadata (ID, Category, Title, etc.)
- Regular expressions for matching sensitive patterns
- Additional context for detection accuracy
"},{"location":"guide/references/terminology/#kubernetes-integration","title":"Kubernetes Integration","text":""},{"location":"guide/references/terminology/#kbom-kubernetes-bill-of-materials","title":"KBOM (Kubernetes Bill of Materials)","text":"A specialized SBOM format for Kubernetes clusters that includes detailed information about the cluster's components.
"},{"location":"guide/references/terminology/#vex-vulnerability-exploitability-exchange","title":"VEX (Vulnerability Exploitability eXchange)","text":""},{"location":"guide/references/terminology/#vex-repository","title":"VEX Repository","text":"A repository system that stores VEX documents following the VEX Repository Specification. VEX repositories help users manage and share information about vulnerability applicability and exploitability.
For detailed information about VEX repositories, see the document.
"},{"location":"guide/references/terminology/#vex-hub","title":"VEX Hub","text":"The default VEX repository managed by Aqua Security at https://github.com/aquasecurity/vexhub. It primarily aggregates VEX documents published by package maintainers in their source repositories. VEX Hub serves as a central point for collecting and distributing vulnerability applicability information for OSS projects.
"},{"location":"guide/references/terminology/#cache-system","title":"Cache System","text":""},{"location":"guide/references/terminology/#cache-types","title":"Cache Types","text":"The cache directory contains several distinct types of data:
- Vulnerability Database
- Java Index Database
- Misconfiguration Checks
- VEX Repositories
- Scan Cache
"},{"location":"guide/references/terminology/#asset-cache","title":"Asset Cache","text":"Downloaded assets like vulnerability databases and Java index databases.
"},{"location":"guide/references/terminology/#scan-cache","title":"Scan Cache","text":"A caching mechanism that stores analysis results from previous scans to speed up subsequent scans. For container image scanning, the scan cache stores analysis results including package names and versions per layer.
For detailed information about caching, see the document.
"},{"location":"guide/references/terminology/#plugin-system","title":"Plugin System","text":""},{"location":"guide/references/terminology/#plugin","title":"Plugin","text":"An add-on tool that integrates with Trivy to extend its core functionality. Plugins can be written in any programming language and integrate seamlessly with Trivy CLI, appearing in Trivy help and subcommands. They can be installed and removed independently without affecting the core Trivy installation.
For detailed information about plugins, see the document.
"},{"location":"guide/references/terminology/#plugin-index-trivy-plugin-index","title":"Plugin Index (trivy-plugin-index)","text":"A centralized registry that lists available Trivy plugins, managed at https://github.com/aquasecurity/trivy-plugin-index. The index maintains a curated list of official and community plugins, providing metadata such as plugin names, descriptions, and maintainers. It enables plugin discovery through the trivy plugin search command and facilitates automatic plugin installation and updates.
For detailed information about the plugin index, see the document.
"},{"location":"guide/references/terminology/#module-system","title":"Module System","text":""},{"location":"guide/references/terminology/#module","title":"Module","text":"A WebAssembly-based extension mechanism that allows custom scanning logic without modifying the Trivy binary. Modules can modify scan results by analyzing files or post-processing results.
For detailed information about modules, see the document.
"},{"location":"guide/references/troubleshooting/","title":"Troubleshooting","text":""},{"location":"guide/references/troubleshooting/#scan","title":"Scan","text":""},{"location":"guide/references/troubleshooting/#timeout","title":"Timeout","text":"Error
$ trivy image ...\n...\nanalyze error: timeout: context deadline exceeded\n
Your scan may time out. Java takes a particularly long time to scan. Try increasing the value of the --timeout option such as --timeout 15m.
"},{"location":"guide/references/troubleshooting/#unable-to-initialize-an-image-scanner","title":"Unable to initialize an image scanner","text":"Error
$ trivy image ...\n...\n2024-01-19T08:15:33.288Z FATAL image scan error: scan error: unable to initialize a scanner: unable to initialize an image scanner: 4 errors occurred:\n* docker error: unable to inspect the image (ContainerImageName): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?\n* containerd error: containerd socket not found: /run/containerd/containerd.sock\n* podman error: unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory\n* remote error: GET https://index.docker.io/v2/ContainerImageName: MANIFEST_UNKNOWN: manifest unknown; unknown tag=0.1\n
It means Trivy is unable to find the container image in the following places:
- Docker Engine
- containerd
- Podman
- A remote registry
Please see error messages for details of each error.
Common mistakes include the following, depending on where you are pulling images from:
"},{"location":"guide/references/troubleshooting/#common","title":"Common","text":" - Typos in the image name
  - Common mistake :)
- Forgetting to specify the registry
  - By default, it is considered to be Docker Hub (index.docker.io).
"},{"location":"guide/references/troubleshooting/#docker-engine","title":"Docker Engine","text":" - Incorrect Docker host
  - If the Docker daemon's socket path is not /var/run/docker.sock, you need to specify the --docker-host flag or the DOCKER_HOST environment variable. The same applies when using TCP; you must specify the correct host address.
"},{"location":"guide/references/troubleshooting/#containerd","title":"containerd","text":" - Incorrect containerd address
  - If you are using a non-default path, you need to specify the CONTAINERD_ADDRESS environment variable. Please refer to this documentation.
- Incorrect namespace
  - If you are using a non-default namespace, you need to specify the CONTAINERD_NAMESPACE environment variable. Please refer to this documentation.
"},{"location":"guide/references/troubleshooting/#podman","title":"Podman","text":" - Podman socket configuration
- You need to enable the Podman socket. Please refer to this documentation.
"},{"location":"guide/references/troubleshooting/#container-registry","title":"Container Registry","text":" - Unauthenticated
  - If you are using a private container registry, you need to authenticate. Please refer to this documentation.
- Using a proxy
  - If you are using a proxy within your network, you need to correctly set the HTTP_PROXY, HTTPS_PROXY, etc., environment variables.
- Use of a self-signed certificate in the registry
  - Because certificate verification will fail, you need to either trust that certificate or use the --insecure flag (not recommended in production).
"},{"location":"guide/references/troubleshooting/#certification","title":"Certification","text":"Error
Error: x509: certificate signed by unknown authority
TRIVY_INSECURE can be used to allow insecure connections to a container registry when using SSL.
$ TRIVY_INSECURE=true trivy image [YOUR_IMAGE]\n
If you need to trust a custom CA certificate, you can provide a PEM-encoded bundle.
Unix (except macOS): You can specify the location of your certificate using the SSL_CERT_FILE or SSL_CERT_DIR environment variables.
$ SSL_CERT_FILE=/path/to/ca.pem trivy image [YOUR_IMAGE]\n
$ SSL_CERT_DIR=/path/to/certs trivy image [YOUR_IMAGE]\n
All systems: Use the --cacert flag to point Trivy to a PEM-encoded CA certificate file, regardless of the operating system.
$ trivy image --cacert /path/to/ca.pem [YOUR_IMAGE]\n
"},{"location":"guide/references/troubleshooting/#github-rate-limiting","title":"GitHub Rate limiting","text":"Trivy uses GitHub API for VEX repositories.
Error
$ trivy image --vex repo ...\n...\nAPI rate limit exceeded for xxx.xxx.xxx.xxx.\n
Specify GITHUB_TOKEN for authentication
$ GITHUB_TOKEN=XXXXXXXXXX trivy image --vex repo [YOUR_IMAGE]\n
Note
GITHUB_TOKEN doesn't help with the rate limit for the vulnerability database and other assets. See https://github.com/aquasecurity/trivy/discussions/8009
"},{"location":"guide/references/troubleshooting/#unable-to-open-jar-files","title":"Unable to open JAR files","text":"Error
$ trivy image ...\n...\nfailed to analyze file: failed to analyze usr/lib/jvm/java-1.8-openjdk/lib/tools.jar: unable to open usr/lib/jvm/java-1.8-openjdk/lib/tools.jar: failed to open: unable to read the file: stream error: stream ID 9; PROTOCOL_ERROR; received from peer\n
Currently, we're investigating this issue. As a temporary mitigation, you may be able to avoid this issue by downloading the Java DB in advance.
$ trivy image --download-java-db-only\n2023-02-01T16:57:04.322+0900 INFO Downloading the Java DB...\n$ trivy image [YOUR_JAVA_IMAGE]\n
"},{"location":"guide/references/troubleshooting/#cache-lock-errors","title":"Cache lock errors","text":"Error
cache may be in use by another process\n
Trivy's vulnerability database is opened in read-only mode, so it does not cause lock issues. Lock errors occur only when using filesystem cache for scan cache storage.
Filesystem cache uses BoltDB internally, which creates file locks to prevent data corruption. As stated in the BoltDB documentation:
Please note that Bolt obtains a file lock on the data file so multiple processes cannot open the same database at the same time. Opening an already open Bolt database will cause it to hang until the other process closes it.
Reference: BoltDB README
If you're using memory cache (default for some commands like fs, rootfs, config, and sbom) or external cache (Redis), you will not encounter lock errors. Lock issues only occur when using filesystem cache with multiple concurrent processes. See Cache Backend for more details.
These errors occur when:
- Multiple Trivy processes try to use the same filesystem cache directory simultaneously
- A previous Trivy process did not shut down cleanly
- Trivy server is running with filesystem cache and holding a lock on the cache
"},{"location":"guide/references/troubleshooting/#solutions","title":"Solutions","text":"Solution 1: Use memory cache or Redis cache (Recommended)
Memory cache is the default for some commands (e.g., fs, rootfs, config, sbom). For other commands like image scanning, you can use --cache-backend memory to enable concurrent execution:
$ trivy image --cache-backend memory debian:11 &\n$ trivy image --cache-backend memory debian:12 &\n
Note that memory cache does not persist scan results, so subsequent scans will take longer as layers need to be scanned again each time.
For server mode or persistent cache with concurrent access, use Redis cache:
$ trivy server --cache-backend redis://localhost:6379\n
Solution 2: Terminate conflicting processes
If you need to use filesystem cache, check for running Trivy processes and terminate them:
$ ps aux | grep trivy\n$ kill [process_id]\n
Solution 3: Use different cache directories
If you must run multiple Trivy processes with filesystem cache, specify different cache directories for each process:
$ trivy image --cache-dir /tmp/trivy-cache-1 debian:11 &\n$ trivy image --cache-dir /tmp/trivy-cache-2 debian:12 &\n
Note that each cache directory will download its own copy of the vulnerability database and other scan assets, which will increase network traffic and storage usage.
"},{"location":"guide/references/troubleshooting/#multiple-trivy-servers","title":"Multiple Trivy servers","text":"Error
$ trivy image --server http://xxx.com:xxxx test-image\n...\n- twirp error internal: failed scan, test-image: failed to apply layers: layer cache missing: sha256:*****\n
To run multiple Trivy servers, you need to use Redis as the cache backend so that those servers can share the cache. Follow this instruction to do so.
"},{"location":"guide/references/troubleshooting/#problems-with-tmp-on-remote-git-repository-scans","title":"Problems with /tmp on remote Git repository scans","text":"Error
FATAL repository scan error: scan error: unable to initialize a scanner: unable to initialize a filesystem scanner: git clone error: write /tmp/fanal-remote...
Trivy clones remote Git repositories under the /tmp directory before scanning them. If /tmp doesn't work for you, you can change it by setting the TMPDIR environment variable.
Try:
$ TMPDIR=/my/custom/path trivy repo ...\n
"},{"location":"guide/references/troubleshooting/#running-out-of-space-during-image-scans","title":"Running out of space during image scans","text":"Error
image scan failed:\nfailed to copy the image:\nwrite /tmp/fanal-3323732142: no space left on device\n
Trivy uses a temporary directory during image scans. The directory path is determined as follows:
- On Unix systems: uses $TMPDIR if non-empty, else /tmp.
- On Windows: uses GetTempPath, returning the first non-empty value from %TMP%, %TEMP%, %USERPROFILE%, or the Windows directory.
See this documentation for more details.
If the image is large or the temporary directory has insufficient space, the scan will fail. You can configure the directory path to redirect Trivy to a directory with adequate storage. On Unix systems, you can set the $TMPDIR environment variable.
$ TMPDIR=/my/custom/path trivy image ...\n
When scanning images from a container registry, Trivy processes each layer by streaming, loading only the necessary files for the scan into memory and discarding unnecessary files. If a layer contains large files that are necessary for the scan (such as JAR files or binary files), Trivy saves them to a temporary directory (e.g. $TMPDIR) on local storage to avoid increased memory consumption. Although these files are deleted after the scan is complete, they can temporarily increase disk consumption and potentially exhaust storage. In such cases, there are currently three workarounds:
- Use a temporary directory with sufficient capacity
  This is the same as explained above.
- Specify a small value for --parallel
  By default, multiple layers are processed in parallel. If each layer contains large files, disk space may be consumed rapidly. By specifying a small value such as --parallel 1, parallelism is reduced, which can mitigate the issue.
- Specify --skip-files or --skip-dirs
  If the container image contains large files that do not need to be scanned, you can skip their processing by specifying --skip-files or --skip-dirs. For more details, please refer to this documentation.
"},{"location":"guide/references/troubleshooting/#db","title":"DB","text":""},{"location":"guide/references/troubleshooting/#old-db-schema","title":"Old DB schema","text":"Error
--skip-update cannot be specified with the old DB schema.
Trivy v0.23.0 or later requires Trivy DB v2. Please update your local database or follow the instructions for air-gapped environments.
"},{"location":"guide/references/troubleshooting/#error-downloading-vulnerability-db","title":"Error downloading vulnerability DB","text":"Error
FATAL failed to download vulnerability DB
If Trivy is running behind a corporate firewall, refer to the connectivity requirements described here.
"},{"location":"guide/references/troubleshooting/#denied","title":"Denied","text":"Error
GET https://ghcr.io/token?scope=repository%3Aaquasecurity%2Ftrivy-db%3Apull&service=ghcr.io: DENIED: denied
Your local GHCR (GitHub Container Registry) token might be expired. Please remove the token and try downloading the DB again.
docker logout ghcr.io\n
or
unset GITHUB_TOKEN\n
"},{"location":"guide/references/troubleshooting/#homebrew","title":"Homebrew","text":""},{"location":"guide/references/troubleshooting/#scope-error","title":"Scope error","text":"Error
Error: Your macOS keychain GitHub credentials do not have sufficient scope!
$ brew tap aquasecurity/trivy\nError: Your macOS keychain GitHub credentials do not have sufficient scope!\nScopes they need: none\nScopes they have:\nCreate a personal access token:\nhttps://github.com/settings/tokens/new?scopes=gist,public_repo&description=Homebrew\necho 'export HOMEBREW_GITHUB_API_TOKEN=your_token_here' >> ~/.zshrc\n
Try:
$ printf \"protocol=https\\nhost=github.com\\n\" | git credential-osxkeychain erase\n
"},{"location":"guide/references/troubleshooting/#already-installed","title":"Already installed","text":"Error
Error: aquasecurity/trivy/trivy 64 already installed
$ brew upgrade\n...\nError: aquasecurity/trivy/trivy 64 already installed\n
Try:
$ brew unlink trivy && brew uninstall trivy\n($ rm -rf /usr/local/Cellar/trivy/64)\n$ brew install aquasecurity/trivy/trivy\n
"},{"location":"guide/references/troubleshooting/#debugging","title":"Debugging","text":""},{"location":"guide/references/troubleshooting/#http-requestresponse-tracing","title":"HTTP Request/Response Tracing","text":"For debugging network issues, connection problems, or authentication failures, you can enable HTTP request/response tracing using the --trace-http flag.
Security Warning
While Trivy attempts to redact known sensitive information such as authentication headers and common secrets, the --trace-http flag may still expose sensitive data in HTTP requests and responses.
Never use this flag in production environments or CI/CD pipelines. This flag is automatically disabled in CI environments for security.
# Enable HTTP tracing for debugging registry issues\n$ trivy image --trace-http registry.example.com/my-image:latest\n\n# HTTP tracing with other debugging options\n$ trivy image --trace-http --debug --insecure my-image:tag\n
"},{"location":"guide/references/troubleshooting/#others","title":"Others","text":""},{"location":"guide/references/troubleshooting/#unknown-error","title":"Unknown error","text":"Try again after running trivy clean --all:
$ trivy clean --all\n
"},{"location":"guide/references/configuration/config-file/","title":"Config file","text":"Trivy can be customized by tweaking a trivy.yaml file. The config path can be overridden by the --config flag.
An example is here.
These samples contain default values for flags.
"},{"location":"guide/references/configuration/config-file/#global-options","title":"Global options","text":"# Same as '--cacert'\ncacert: \"\"\n\ncache:\n # Same as '--cache-dir'\n dir: \"/path/to/cache\"\n\n# Same as '--debug'\ndebug: false\n\n# Same as '--insecure'\ninsecure: false\n\n# Same as '--quiet'\nquiet: false\n\n# Same as '--timeout'\ntimeout: 5m0s\n
"},{"location":"guide/references/configuration/config-file/#cache-options","title":"Cache options","text":"cache:\n # Same as '--cache-backend'\n backend: \"fs\"\n\n redis:\n # Same as '--redis-ca'\n ca: \"\"\n\n # Same as '--redis-cert'\n cert: \"\"\n\n # Same as '--redis-key'\n key: \"\"\n\n # Same as '--redis-tls'\n tls: false\n\n # Same as '--cache-ttl'\n ttl: 0s\n
"},{"location":"guide/references/configuration/config-file/#clean-options","title":"Clean options","text":"clean:\n # Same as '--all'\n all: false\n\n # Same as '--checks-bundle'\n checks-bundle: false\n\n # Same as '--java-db'\n java-db: false\n\n # Same as '--scan-cache'\n scan-cache: false\n\n # Same as '--vex-repo'\n vex-repo: false\n\n # Same as '--vuln-db'\n vuln-db: false\n
"},{"location":"guide/references/configuration/config-file/#clientserver-options","title":"Client/Server options","text":"server:\n # Same as '--server'\n addr: \"\"\n\n # Same as '--custom-headers'\n custom-headers: []\n\n # Same as '--listen'\n listen: \"localhost:4954\"\n\n # Same as '--token'\n token: \"\"\n\n # Same as '--token-header'\n token-header: \"Trivy-Token\"\n
"},{"location":"guide/references/configuration/config-file/#db-options","title":"DB options","text":"db:\n # Same as '--download-java-db-only'\n download-java-only: false\n\n # Same as '--download-db-only'\n download-only: false\n\n # Same as '--java-db-repository'\n java-repository:\n - mirror.gcr.io/aquasec/trivy-java-db:1\n - ghcr.io/aquasecurity/trivy-java-db:1\n\n # Same as '--skip-java-db-update'\n java-skip-update: false\n\n # Same as '--no-progress'\n no-progress: false\n\n # Same as '--db-repository'\n repository:\n - mirror.gcr.io/aquasec/trivy-db:2\n - ghcr.io/aquasecurity/trivy-db:2\n\n # Same as '--skip-db-update'\n skip-update: false\n
"},{"location":"guide/references/configuration/config-file/#image-options","title":"Image options","text":"image:\n docker:\n # Same as '--docker-host'\n host: \"\"\n\n # Same as '--image-config-scanners'\n image-config-scanners: []\n\n # Same as '--input'\n input: \"\"\n\n # Same as '--max-image-size'\n max-size: \"\"\n\n # Same as '--platform'\n platform: \"\"\n\n podman:\n # Same as '--podman-host'\n host: \"\"\n\n # Same as '--removed-pkgs'\n removed-pkgs: false\n\n # Same as '--image-src'\n source:\n - docker\n - containerd\n - podman\n - remote\n
"},{"location":"guide/references/configuration/config-file/#kubernetes-options","title":"Kubernetes options","text":"kubernetes:\n # Same as '--burst'\n burst: 10\n\n # Same as '--disable-node-collector'\n disableNodeCollector: false\n\n exclude:\n # Same as '--exclude-nodes'\n nodes: []\n\n # Same as '--exclude-owned'\n owned: false\n\n # Same as '--exclude-kinds'\n excludeKinds: []\n\n # Same as '--exclude-namespaces'\n excludeNamespaces: []\n\n # Same as '--include-kinds'\n includeKinds: []\n\n # Same as '--include-namespaces'\n includeNamespaces: []\n\n # Same as '--k8s-version'\n k8s-version: \"\"\n\n # Same as '--kubeconfig'\n kubeconfig: \"\"\n\n node-collector:\n # Same as '--node-collector-imageref'\n imageref: \"ghcr.io/aquasecurity/node-collector:0.3.1\"\n\n # Same as '--node-collector-namespace'\n namespace: \"trivy-temp\"\n\n # Same as '--qps'\n qps: 5\n\n # Same as '--skip-images'\n skipImages: false\n\n # Same as '--tolerations'\n tolerations: []\n
"},{"location":"guide/references/configuration/config-file/#license-options","title":"License options","text":"license:\n # Same as '--license-confidence-level'\n confidenceLevel: 0.9\n\n forbidden:\n - AGPL-1.0\n - AGPL-3.0\n - CC-BY-NC-1.0\n - CC-BY-NC-2.0\n - CC-BY-NC-2.5\n - CC-BY-NC-3.0\n - CC-BY-NC-4.0\n - CC-BY-NC-ND-1.0\n - CC-BY-NC-ND-2.0\n - CC-BY-NC-ND-2.5\n - CC-BY-NC-ND-3.0\n - CC-BY-NC-ND-4.0\n - CC-BY-NC-SA-1.0\n - CC-BY-NC-SA-2.0\n - CC-BY-NC-SA-2.5\n - CC-BY-NC-SA-3.0\n - CC-BY-NC-SA-4.0\n - Commons-Clause\n - Facebook-2-Clause\n - Facebook-3-Clause\n - Facebook-Examples\n - WTFPL\n\n # Same as '--license-full'\n full: false\n\n # Same as '--ignored-licenses'\n ignored: []\n\n notice:\n - AFL-1.1\n - AFL-1.2\n - AFL-2.0\n - AFL-2.1\n - AFL-3.0\n - Apache-1.0\n - Apache-1.1\n - Apache-2.0\n - Artistic-1.0-cl8\n - Artistic-1.0-Perl\n - Artistic-1.0\n - Artistic-2.0\n - BSL-1.0\n - BSD-2-Clause-FreeBSD\n - BSD-2-Clause-NetBSD\n - BSD-2-Clause\n - BSD-3-Clause-Attribution\n - BSD-3-Clause-Clear\n - BSD-3-Clause-LBNL\n - BSD-3-Clause\n - BSD-4-Clause\n - BSD-4-Clause-UC\n - BSD-Protection\n - CC-BY-1.0\n - CC-BY-2.0\n - CC-BY-2.5\n - CC-BY-3.0\n - CC-BY-4.0\n - FTL\n - ISC\n - ImageMagick\n - Libpng\n - Lil-1.0\n - Linux-OpenIB\n - LPL-1.02\n - LPL-1.0\n - MS-PL\n - MIT\n - NCSA\n - OpenSSL\n - PHP-3.01\n - PHP-3.0\n - PIL\n - Python-2.0\n - Python-2.0-complete\n - PostgreSQL\n - SGI-B-1.0\n - SGI-B-1.1\n - SGI-B-2.0\n - Unicode-DFS-2015\n - Unicode-DFS-2016\n - Unicode-TOU\n - UPL-1.0\n - W3C-19980720\n - W3C-20150513\n - W3C\n - X11\n - Xnet\n - Zend-2.0\n - zlib-acknowledgement\n - Zlib\n - ZPL-1.1\n - ZPL-2.0\n - ZPL-2.1\n\n permissive: []\n\n reciprocal:\n - APSL-1.0\n - APSL-1.1\n - APSL-1.2\n - APSL-2.0\n - CDDL-1.0\n - CDDL-1.1\n - CPL-1.0\n - EPL-1.0\n - EPL-2.0\n - FreeImage\n - IPL-1.0\n - MPL-1.0\n - MPL-1.1\n - MPL-2.0\n - Ruby\n\n restricted:\n - BCL\n - CC-BY-ND-1.0\n - CC-BY-ND-2.0\n - CC-BY-ND-2.5\n - CC-BY-ND-3.0\n - CC-BY-ND-4.0\n - CC-BY-SA-1.0\n - CC-BY-SA-2.0\n - CC-BY-SA-2.5\n - CC-BY-SA-3.0\n - CC-BY-SA-4.0\n - GPL-1.0\n - GPL-2.0\n - GPL-2.0-with-autoconf-exception\n - GPL-2.0-with-bison-exception\n - GPL-2.0-with-classpath-exception\n - GPL-2.0-with-font-exception\n - GPL-2.0-with-GCC-exception\n - GPL-3.0\n - GPL-3.0-with-autoconf-exception\n - GPL-3.0-with-GCC-exception\n - LGPL-2.0\n - LGPL-2.1\n - LGPL-3.0\n - NPL-1.0\n - NPL-1.1\n - OSL-1.0\n - OSL-1.1\n - OSL-2.0\n - OSL-2.1\n - OSL-3.0\n - QPL-1.0\n - Sleepycat\n\n unencumbered:\n - CC0-1.0\n - Unlicense\n - 0BSD\n
"},{"location":"guide/references/configuration/config-file/#misconfiguration-options","title":"Misconfiguration options","text":"misconfiguration:\n # Same as '--checks-bundle-repository'\n checks-bundle-repository: \"mirror.gcr.io/aquasec/trivy-checks:1\"\n\n cloudformation:\n # Same as '--cf-params'\n params: []\n\n # Same as '--config-file-schemas'\n config-file-schemas: []\n\n helm:\n # Same as '--helm-api-versions'\n api-versions: []\n\n # Same as '--helm-kube-version'\n kube-version: \"\"\n\n # Same as '--helm-set'\n set: []\n\n # Same as '--helm-set-file'\n set-file: []\n\n # Same as '--helm-set-string'\n set-string: []\n\n # Same as '--helm-values'\n values: []\n\n # Same as '--include-non-failures'\n include-non-failures: false\n\n # Same as '--raw-config-scanners'\n raw-config-scanners: []\n\n # Same as '--render-cause'\n render-cause: []\n\n # Same as '--misconfig-scanners'\n scanners:\n - azure-arm\n - cloudformation\n - dockerfile\n - helm\n - kubernetes\n - terraform\n - terraformplan-json\n - terraformplan-snapshot\n\n terraform:\n # Same as '--tf-exclude-downloaded-modules'\n exclude-downloaded-modules: false\n\n # Same as '--tf-vars'\n vars: []\n
"},{"location":"guide/references/configuration/config-file/#module-options","title":"Module options","text":"module:\n # Same as '--module-dir'\n dir: \"$HOME/.trivy/modules\"\n\n # Same as '--enable-modules'\n enable-modules: []\n
"},{"location":"guide/references/configuration/config-file/#package-options","title":"Package options","text":"pkg:\n # Same as '--include-dev-deps'\n include-dev-deps: false\n\n # Same as '--pkg-relationships'\n relationships:\n - unknown\n - root\n - workspace\n - direct\n - indirect\n\n # Same as '--pkg-types'\n types:\n - os\n - library\n
"},{"location":"guide/references/configuration/config-file/#registry-options","title":"Registry options","text":"registry:\n mirrors:\n\n # Same as '--password'\n password: []\n\n # Same as '--password-stdin'\n password-stdin: false\n\n # Same as '--registry-token'\n token: \"\"\n\n # Same as '--username'\n username: []\n
"},{"location":"guide/references/configuration/config-file/#rego-options","title":"Rego options","text":"rego:\n # Same as '--config-check'\n check: []\n\n # Same as '--config-data'\n data: []\n\n # Same as '--rego-error-limit'\n error-limit: 10\n\n # Same as '--include-deprecated-checks'\n include-deprecated-checks: false\n\n # Same as '--check-namespaces'\n namespaces: []\n\n # Same as '--skip-check-update'\n skip-check-update: false\n\n # Same as '--trace-rego'\n trace: false\n
"},{"location":"guide/references/configuration/config-file/#report-options","title":"Report options","text":"# Same as '--dependency-tree'\ndependency-tree: false\n\n# Same as '--exit-code'\nexit-code: 0\n\n# Same as '--exit-on-eol'\nexit-on-eol: 0\n\n# Same as '--format'\nformat: \"table\"\n\n# Same as '--ignore-policy'\nignore-policy: \"\"\n\n# Same as '--ignorefile'\nignorefile: \".trivyignore\"\n\n# Same as '--list-all-pkgs'\nlist-all-pkgs: true\n\n# Same as '--output'\noutput: \"\"\n\n# Same as '--output-plugin-arg'\noutput-plugin-arg: \"\"\n\n# Same as '--report'\nreport: \"all\"\n\nscan:\n # Same as '--compliance'\n compliance: \"\"\n\n # Same as '--show-suppressed'\n show-suppressed: false\n\n# Same as '--severity'\nseverity:\n - UNKNOWN\n - LOW\n - MEDIUM\n - HIGH\n - CRITICAL\n\n# Same as '--table-mode'\ntable-mode:\n - summary\n - detailed\n\n# Same as '--template'\ntemplate: \"\"\n
"},{"location":"guide/references/configuration/config-file/#repository-options","title":"Repository options","text":"repository:\n # Same as '--branch'\n branch: \"\"\n\n # Same as '--commit'\n commit: \"\"\n\n # Same as '--tag'\n tag: \"\"\n
"},{"location":"guide/references/configuration/config-file/#scan-options","title":"Scan options","text":"scan:\n # Same as '--detection-priority'\n detection-priority: \"precise\"\n\n # Same as '--disable-telemetry'\n disable-telemetry: false\n\n # Same as '--distro'\n distro: \"\"\n\n # Same as '--file-patterns'\n file-patterns: []\n\n # Same as '--offline-scan'\n offline: false\n\n # Same as '--parallel'\n parallel: 5\n\n # Same as '--rekor-url'\n rekor-url: \"https://rekor.sigstore.dev\"\n\n # Same as '--sbom-sources'\n sbom-sources: []\n\n # Same as '--scanners'\n scanners:\n - vuln\n - secret\n\n # Same as '--skip-dirs'\n skip-dirs: []\n\n # Same as '--skip-files'\n skip-files: []\n\n # Same as '--skip-version-check'\n skip-version-check: false\n
"},{"location":"guide/references/configuration/config-file/#secret-options","title":"Secret options","text":"secret:\n # Same as '--secret-config'\n config: \"trivy-secret.yaml\"\n
"},{"location":"guide/references/configuration/config-file/#vulnerability-options","title":"Vulnerability options","text":"vulnerability:\n # Same as '--ignore-status'\n ignore-status: []\n\n # Same as '--ignore-unfixed'\n ignore-unfixed: false\n\n # Same as '--vuln-severity-source'\n severity-source:\n - auto\n\n # Same as '--skip-vex-repo-update'\n skip-vex-repo-update: false\n\n # Same as '--vex'\n vex: []\n
"},{"location":"guide/references/configuration/cli/trivy/","title":"Overview","text":""},{"location":"guide/references/configuration/cli/trivy/#trivy","title":"trivy","text":"Unified security scanner
"},{"location":"guide/references/configuration/cli/trivy/#synopsis","title":"Synopsis","text":"Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues and hard-coded secrets
trivy [global flags] command [flags] target\n
"},{"location":"guide/references/configuration/cli/trivy/#examples","title":"Examples","text":" # Scan a container image\n $ trivy image python:3.4-alpine\n\n # Scan a container image from a tar archive\n $ trivy image --input ruby-3.1.tar\n\n # Scan local filesystem\n $ trivy fs .\n\n # Run in server mode\n $ trivy server\n
"},{"location":"guide/references/configuration/cli/trivy/#options","title":"Options","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n -f, --format string version format (json)\n --generate-default-config write the default config to trivy-default.yaml\n -h, --help help for trivy\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy/#see-also","title":"SEE ALSO","text":" - trivy clean - Remove cached files
- trivy config - Scan config files for misconfigurations
- trivy convert - Convert Trivy JSON report into a different format
- trivy filesystem - Scan local filesystem
- trivy image - Scan a container image
- trivy kubernetes - [EXPERIMENTAL] Scan kubernetes cluster
- trivy module - Manage modules
- trivy plugin - Manage plugins
- trivy registry - Manage registry authentication
- trivy repository - Scan a repository
- trivy rootfs - Scan rootfs
- trivy sbom - Scan SBOM for vulnerabilities and licenses
- trivy server - Server mode
- trivy version - Print the version
- trivy vex - [EXPERIMENTAL] VEX utilities
- trivy vm - [EXPERIMENTAL] Scan a virtual machine image
"},{"location":"guide/references/configuration/cli/trivy_clean/","title":"Clean","text":""},{"location":"guide/references/configuration/cli/trivy_clean/#trivy-clean","title":"trivy clean","text":"Remove cached files
trivy clean [flags]\n
"},{"location":"guide/references/configuration/cli/trivy_clean/#examples","title":"Examples","text":" # Remove all caches\n $ trivy clean --all\n\n # Remove scan cache\n $ trivy clean --scan-cache\n\n # Remove vulnerability database\n $ trivy clean --vuln-db\n
"},{"location":"guide/references/configuration/cli/trivy_clean/#options","title":"Options","text":" -a, --all remove all caches\n --checks-bundle remove checks bundle\n -h, --help help for clean\n --java-db remove Java database\n --scan-cache remove scan cache (container and VM image analysis results)\n --vex-repo remove VEX repositories\n --vuln-db remove vulnerability database\n
"},{"location":"guide/references/configuration/cli/trivy_clean/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_clean/#see-also","title":"SEE ALSO","text":" - trivy - Unified security scanner
"},{"location":"guide/references/configuration/cli/trivy_config/","title":"Config","text":""},{"location":"guide/references/configuration/cli/trivy_config/#trivy-config","title":"trivy config","text":"Scan config files for misconfigurations
trivy config [flags] DIR\n
"},{"location":"guide/references/configuration/cli/trivy_config/#options","title":"Options","text":" --cache-backend string [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default \"memory\")\n --cache-ttl duration cache TTL when using redis as cache backend\n --cf-params strings specify paths to override the CloudFormation parameters files\n --check-namespaces strings Rego namespaces\n --checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default \"mirror.gcr.io/aquasec/trivy-checks:1\")\n --compliance string compliance report to generate\n --config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files\n --config-data strings specify paths from which data for the Rego checks will be recursively loaded\n --config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking\n --disable-telemetry disable sending anonymous usage data to Aqua\n --enable-modules strings [EXPERIMENTAL] module names to enable\n --exit-code int specify exit code when any security issues are found\n --file-patterns strings specify config file patterns\n -f, --format string format\n Allowed values:\n - table\n - json\n - template\n - sarif\n - cyclonedx\n - spdx\n - spdx-json\n - github\n - cosign-vuln\n (default \"table\")\n --helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)\n --helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.\n --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)\n --helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)\n --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)\n --helm-values strings specify paths to override the Helm values.yaml files\n -h, --help help for config\n --ignore-policy string specify the Rego file path to evaluate each vulnerability\n --ignorefile string specify .trivyignore file (default \".trivyignore\")\n --include-deprecated-checks include deprecated checks\n --include-non-failures include successes, available with '--scanners misconfig'\n --k8s-version string specify k8s version to validate outdated api by it (example: 1.21.0)\n --misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])\n --module-dir string specify directory to the wasm modules that will be loaded (default \"$HOME/.trivy/modules\")\n -o, --output string output file name\n --output-plugin-arg string [EXPERIMENTAL] output plugin arguments\n --password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.\n --password-stdin password from stdin. Comma-separated passwords are not supported.\n --raw-config-scanners strings specify the types of scanners that will also scan raw configurations. For example, scanners will scan a non-adapted configuration into a shared state (allowed values: terraform)\n --redis-ca string redis ca file location, if using redis as cache backend\n --redis-cert string redis certificate file location, if using redis as cache backend\n --redis-key string redis key file location, if using redis as cache backend\n --redis-tls enable redis TLS with public certificates, if using redis as cache backend\n --registry-token string registry token\n --rego-error-limit int maximum number of compile errors allowed during Rego policy evaluation (default 10)\n --render-cause strings specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)\n --report string specify a compliance report format for the output (allowed values: all,summary) (default \"all\")\n -s, --severity strings severities of security issues to be displayed\n Allowed values:\n - UNKNOWN\n - LOW\n - MEDIUM\n - HIGH\n - CRITICAL\n (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])\n --skip-check-update skip fetching rego check updates\n --skip-dirs strings specify the directories or glob patterns to skip\n --skip-files strings specify the files or glob patterns to skip\n --skip-version-check suppress notices about version updates and Trivy announcements\n --table-mode strings [EXPERIMENTAL] tables that will be displayed in 'table' format (allowed values: summary,detailed) (default [summary,detailed])\n -t, --template string output template\n --tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules\n --tf-vars strings specify paths to override the Terraform tfvars files\n --trace-rego enable more verbose trace output for custom queries\n --username strings username. Comma-separated usernames allowed.\n
"},{"location":"guide/references/configuration/cli/trivy_config/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_config/#see-also","title":"SEE ALSO","text":" - trivy - Unified security scanner
"},{"location":"guide/references/configuration/cli/trivy_convert/","title":"Convert","text":""},{"location":"guide/references/configuration/cli/trivy_convert/#trivy-convert","title":"trivy convert","text":"Convert Trivy JSON report into a different format
trivy convert [flags] RESULT_JSON\n
"},{"location":"guide/references/configuration/cli/trivy_convert/#examples","title":"Examples","text":" # report conversion\n $ trivy image --format json --output result.json debian:11\n $ trivy convert --format cyclonedx --output result.cdx result.json\n
"},{"location":"guide/references/configuration/cli/trivy_convert/#options","title":"Options","text":" --compliance string compliance report to generate\n --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages\n --exit-code int specify exit code when any security issues are found\n --exit-on-eol int exit with the specified code when the OS reaches end of service/life\n -f, --format string format\n Allowed values:\n - table\n - json\n - template\n - sarif\n - cyclonedx\n - spdx\n - spdx-json\n - github\n - cosign-vuln\n (default \"table\")\n -h, --help help for convert\n --ignore-policy string specify the Rego file path to evaluate each vulnerability\n --ignorefile string specify .trivyignore file (default \".trivyignore\")\n --list-all-pkgs output all packages in the JSON report regardless of vulnerability (default true)\n -o, --output string output file name\n --output-plugin-arg string [EXPERIMENTAL] output plugin arguments\n --report string specify a report format for the output (allowed values: all,summary) (default \"all\")\n --scanners strings List of scanners included when generating the json report. Used only for rendering the summary table. (allowed values: vuln,misconfig,secret,license)\n -s, --severity strings severities of security issues to be displayed\n Allowed values:\n - UNKNOWN\n - LOW\n - MEDIUM\n - HIGH\n - CRITICAL\n (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])\n --show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities\n --table-mode strings [EXPERIMENTAL] tables that will be displayed in 'table' format (allowed values: summary,detailed) (default [summary,detailed])\n -t, --template string output template\n
"},{"location":"guide/references/configuration/cli/trivy_convert/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_convert/#see-also","title":"SEE ALSO","text":" - trivy - Unified security scanner
"},{"location":"guide/references/configuration/cli/trivy_filesystem/","title":"Filesystem","text":""},{"location":"guide/references/configuration/cli/trivy_filesystem/#trivy-filesystem","title":"trivy filesystem","text":"Scan local filesystem
trivy filesystem [flags] PATH\n
"},{"location":"guide/references/configuration/cli/trivy_filesystem/#examples","title":"Examples","text":" # Scan a local project including language-specific files\n $ trivy fs /path/to/your_project\n\n # Scan a single file\n $ trivy fs ./trivy-ci-test/Pipfile.lock\n
"},{"location":"guide/references/configuration/cli/trivy_filesystem/#options","title":"Options","text":" --cache-backend string [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default \"memory\")\n --cache-ttl duration cache TTL when using redis as cache backend\n --cf-params strings specify paths to override the CloudFormation parameters files\n --check-namespaces strings Rego namespaces\n --checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default \"mirror.gcr.io/aquasec/trivy-checks:1\")\n --compliance string compliance report to generate\n --config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files\n --config-data strings specify paths from which data for the Rego checks will be recursively loaded\n --config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking\n --custom-headers strings custom headers in client mode\n --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])\n --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages\n --detection-priority string specify the detection priority:\n - \"precise\": Prioritizes precise by minimizing false positives.\n - \"comprehensive\": Aims to detect more security findings at the cost of potential false positives.\n (allowed values: precise,comprehensive) (default \"precise\")\n --disable-telemetry disable sending anonymous usage data to Aqua\n --distro string [EXPERIMENTAL] specify a distribution, <family>/<version>\n --download-db-only download/update vulnerability database but don't run a scan\n --download-java-db-only download/update Java index database but don't run a scan\n --enable-modules strings [EXPERIMENTAL] module names to enable\n --exit-code int specify exit code when any security issues are found\n --file-patterns strings specify config file patterns\n -f, --format string format\n Allowed values:\n - table\n - json\n - template\n - sarif\n - cyclonedx\n - spdx\n - spdx-json\n - github\n - cosign-vuln\n (default \"table\")\n --helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)\n --helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.\n --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)\n --helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)\n --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)\n --helm-values strings specify paths to override the Helm values.yaml files\n -h, --help help for filesystem\n --ignore-policy string specify the Rego file path to evaluate each vulnerability\n --ignore-status strings comma-separated list of vulnerability status to ignore\n Allowed values:\n - unknown\n - not_affected\n - affected\n - fixed\n - under_investigation\n - will_not_fix\n - fix_deferred\n - end_of_life\n --ignore-unfixed display only fixed vulnerabilities\n --ignored-licenses strings specify a list of license to ignore\n --ignorefile string specify .trivyignore file (default \".trivyignore\")\n --include-deprecated-checks include deprecated checks\n --include-dev-deps include development dependencies in the report (supported: npm, yarn, gradle)\n --include-non-failures include successes, available 
with '--scanners misconfig'\n --java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])\n --license-confidence-level float specify license classifier's confidence level (default 0.9)\n --license-full eagerly look for licenses in source code headers and license files\n --list-all-pkgs output all packages in the JSON report regardless of vulnerability (default true)\n --misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])\n --module-dir string specify directory to the wasm modules that will be loaded (default \"$HOME/.trivy/modules\")\n --no-progress suppress progress bar\n --offline-scan do not issue API requests to identify dependencies\n -o, --output string output file name\n --output-plugin-arg string [EXPERIMENTAL] output plugin arguments\n --parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)\n --password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.\n --password-stdin password from stdin. Comma-separated passwords are not supported.\n --pkg-relationships strings list of package relationships\n Allowed values:\n - unknown\n - root\n - workspace\n - direct\n - indirect\n (default [unknown,root,workspace,direct,indirect])\n --pkg-types strings list of package types (allowed values: os,library) (default [os,library])\n --raw-config-scanners strings specify the types of scanners that will also scan raw configurations. 
For example, scanners will scan a non-adapted configuration into a shared state (allowed values: terraform)\n --redis-ca string redis ca file location, if using redis as cache backend\n --redis-cert string redis certificate file location, if using redis as cache backend\n --redis-key string redis key file location, if using redis as cache backend\n --redis-tls enable redis TLS with public certificates, if using redis as cache backend\n --registry-token string registry token\n --rego-error-limit int maximum number of compile errors allowed during Rego policy evaluation (default 10)\n --rekor-url string [EXPERIMENTAL] address of rekor STL server (default \"https://rekor.sigstore.dev\")\n --render-cause strings specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)\n --report string specify a compliance report format for the output (allowed values: all,summary) (default \"all\")\n --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (allowed values: oci,rekor)\n --scanners strings comma-separated list of what security issues to detect (allowed values: vuln,misconfig,secret,license) (default [vuln,secret])\n --secret-config string specify a path to config file for secret scanning (default \"trivy-secret.yaml\")\n --server string server address in client mode\n -s, --severity strings severities of security issues to be displayed\n Allowed values:\n - UNKNOWN\n - LOW\n - MEDIUM\n - HIGH\n - CRITICAL\n (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])\n --show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities\n --skip-check-update skip fetching rego check updates\n --skip-db-update skip updating vulnerability database\n --skip-dirs strings specify the directories or glob patterns to skip\n --skip-files strings specify the files or glob patterns to skip\n --skip-java-db-update skip updating Java index database\n --skip-version-check suppress notices about version updates 
and Trivy announcements\n --skip-vex-repo-update [EXPERIMENTAL] Skip VEX Repository update\n --table-mode strings [EXPERIMENTAL] tables that will be displayed in 'table' format (allowed values: summary,detailed) (default [summary,detailed])\n -t, --template string output template\n --tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules\n --tf-vars strings specify paths to override the Terraform tfvars files\n --token string for authentication in client/server mode\n --token-header string specify a header name for token in client/server mode (default \"Trivy-Token\")\n --trace-rego enable more verbose trace output for custom queries\n --username strings username. Comma-separated usernames allowed.\n --vex strings [EXPERIMENTAL] VEX sources (\"repo\", \"oci\" or file path)\n --vuln-severity-source strings order of data sources for selecting vulnerability severity level\n Allowed values:\n - nvd\n - redhat\n - redhat-oval\n - debian\n - ubuntu\n - alpine\n - amazon\n - oracle-oval\n - suse-cvrf\n - photon\n - arch-linux\n - alma\n - rocky\n - cbl-mariner\n - azure\n - ruby-advisory-db\n - php-security-advisories\n - nodejs-security-wg\n - ghsa\n - glad\n - aqua\n - osv\n - k8s\n - wolfi\n - chainguard\n - bitnami\n - govulndb\n - echo\n - minimos\n - rootio\n - auto\n (default [auto])\n
"},{"location":"guide/references/configuration/cli/trivy_filesystem/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_filesystem/#see-also","title":"SEE ALSO","text":" - trivy - Unified security scanner
"},{"location":"guide/references/configuration/cli/trivy_image/","title":"Image","text":""},{"location":"guide/references/configuration/cli/trivy_image/#trivy-image","title":"trivy image","text":"Scan a container image
trivy image [flags] IMAGE_NAME\n
"},{"location":"guide/references/configuration/cli/trivy_image/#examples","title":"Examples","text":" # Scan a container image\n $ trivy image python:3.4-alpine\n\n # Scan a container image from a tar archive\n $ trivy image --input ruby-3.1.tar\n\n # Filter by severities\n $ trivy image --severity HIGH,CRITICAL alpine:3.15\n\n # Ignore unfixed/unpatched vulnerabilities\n $ trivy image --ignore-unfixed alpine:3.15\n\n # Scan a container image in client mode\n $ trivy image --server http://127.0.0.1:4954 alpine:latest\n\n # Generate json result\n $ trivy image --format json --output result.json alpine:3.15\n\n # Generate a report in the CycloneDX format\n $ trivy image --format cyclonedx --output result.cdx alpine:3.15\n
"},{"location":"guide/references/configuration/cli/trivy_image/#options","title":"Options","text":" --cache-backend string [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default \"fs\")\n --cache-ttl duration cache TTL when using redis as cache backend\n --check-namespaces strings Rego namespaces\n --checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default \"mirror.gcr.io/aquasec/trivy-checks:1\")\n --compliance string compliance report to generate (built-in compliance's: docker-cis-1.6.0)\n --config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files\n --config-data strings specify paths from which data for the Rego checks will be recursively loaded\n --config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking\n --custom-headers strings custom headers in client mode\n --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])\n --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages\n --detection-priority string specify the detection priority:\n - \"precise\": Prioritizes precise by minimizing false positives.\n - \"comprehensive\": Aims to detect more security findings at the cost of potential false positives.\n (allowed values: precise,comprehensive) (default \"precise\")\n --disable-telemetry disable sending anonymous usage data to Aqua\n --distro string [EXPERIMENTAL] specify a distribution, <family>/<version>\n --docker-host string unix domain socket path to use for docker scanning\n --download-db-only download/update vulnerability database but don't run a scan\n --download-java-db-only download/update Java index database but don't run a scan\n --enable-modules strings [EXPERIMENTAL] module names to 
enable\n --exit-code int specify exit code when any security issues are found\n --exit-on-eol int exit with the specified code when the OS reaches end of service/life\n --file-patterns strings specify config file patterns\n -f, --format string format\n Allowed values:\n - table\n - json\n - template\n - sarif\n - cyclonedx\n - spdx\n - spdx-json\n - github\n - cosign-vuln\n (default \"table\")\n --helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)\n --helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.\n --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)\n --helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)\n --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)\n --helm-values strings specify paths to override the Helm values.yaml files\n -h, --help help for image\n --ignore-policy string specify the Rego file path to evaluate each vulnerability\n --ignore-status strings comma-separated list of vulnerability status to ignore\n Allowed values:\n - unknown\n - not_affected\n - affected\n - fixed\n - under_investigation\n - will_not_fix\n - fix_deferred\n - end_of_life\n --ignore-unfixed display only fixed vulnerabilities\n --ignored-licenses strings specify a list of license to ignore\n --ignorefile string specify .trivyignore file (default \".trivyignore\")\n --image-config-scanners strings comma-separated list of what security issues to detect on container 
image configurations (allowed values: misconfig,secret)\n --image-src strings image source(s) to use, in priority order (allowed values: docker,containerd,podman,remote) (default [docker,containerd,podman,remote])\n --include-deprecated-checks include deprecated checks\n --include-non-failures include successes, available with '--scanners misconfig'\n --input string input file path instead of image name\n --java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])\n --license-confidence-level float specify license classifier's confidence level (default 0.9)\n --license-full eagerly look for licenses in source code headers and license files\n --list-all-pkgs output all packages in the JSON report regardless of vulnerability (default true)\n --max-image-size string [EXPERIMENTAL] maximum image size to process, specified in a human-readable format (e.g., '44kB', '17MB'); an error will be returned if the image exceeds this size\n --misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])\n --module-dir string specify directory to the wasm modules that will be loaded (default \"$HOME/.trivy/modules\")\n --no-progress suppress progress bar\n --offline-scan do not issue API requests to identify dependencies\n -o, --output string output file name\n --output-plugin-arg string [EXPERIMENTAL] output plugin arguments\n --parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)\n --password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.\n --password-stdin password from stdin. 
Comma-separated passwords are not supported.\n --pkg-relationships strings list of package relationships\n Allowed values:\n - unknown\n - root\n - workspace\n - direct\n - indirect\n (default [unknown,root,workspace,direct,indirect])\n --pkg-types strings list of package types (allowed values: os,library) (default [os,library])\n --platform string set platform in the form os/arch if image is multi-platform capable\n --podman-host string unix podman socket path to use for podman scanning\n --raw-config-scanners strings specify the types of scanners that will also scan raw configurations. For example, scanners will scan a non-adapted configuration into a shared state (allowed values: terraform)\n --redis-ca string redis ca file location, if using redis as cache backend\n --redis-cert string redis certificate file location, if using redis as cache backend\n --redis-key string redis key file location, if using redis as cache backend\n --redis-tls enable redis TLS with public certificates, if using redis as cache backend\n --registry-token string registry token\n --rego-error-limit int maximum number of compile errors allowed during Rego policy evaluation (default 10)\n --rekor-url string [EXPERIMENTAL] address of rekor STL server (default \"https://rekor.sigstore.dev\")\n --removed-pkgs detect vulnerabilities of removed packages (only for Alpine)\n --render-cause strings specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)\n --report string specify a format for the compliance report. 
(allowed values: all,summary) (default \"summary\")\n --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (allowed values: oci,rekor)\n --scanners strings comma-separated list of what security issues to detect (allowed values: vuln,misconfig,secret,license) (default [vuln,secret])\n --secret-config string specify a path to config file for secret scanning (default \"trivy-secret.yaml\")\n --server string server address in client mode\n -s, --severity strings severities of security issues to be displayed\n Allowed values:\n - UNKNOWN\n - LOW\n - MEDIUM\n - HIGH\n - CRITICAL\n (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])\n --show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities\n --skip-check-update skip fetching rego check updates\n --skip-db-update skip updating vulnerability database\n --skip-dirs strings specify the directories or glob patterns to skip\n --skip-files strings specify the files or glob patterns to skip\n --skip-java-db-update skip updating Java index database\n --skip-version-check suppress notices about version updates and Trivy announcements\n --skip-vex-repo-update [EXPERIMENTAL] Skip VEX Repository update\n --table-mode strings [EXPERIMENTAL] tables that will be displayed in 'table' format (allowed values: summary,detailed) (default [summary,detailed])\n -t, --template string output template\n --tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules\n --token string for authentication in client/server mode\n --token-header string specify a header name for token in client/server mode (default \"Trivy-Token\")\n --trace-rego enable more verbose trace output for custom queries\n --username strings username. 
Comma-separated usernames allowed.\n --vex strings [EXPERIMENTAL] VEX sources (\"repo\", \"oci\" or file path)\n --vuln-severity-source strings order of data sources for selecting vulnerability severity level\n Allowed values:\n - nvd\n - redhat\n - redhat-oval\n - debian\n - ubuntu\n - alpine\n - amazon\n - oracle-oval\n - suse-cvrf\n - photon\n - arch-linux\n - alma\n - rocky\n - cbl-mariner\n - azure\n - ruby-advisory-db\n - php-security-advisories\n - nodejs-security-wg\n - ghsa\n - glad\n - aqua\n - osv\n - k8s\n - wolfi\n - chainguard\n - bitnami\n - govulndb\n - echo\n - minimos\n - rootio\n - auto\n (default [auto])\n
"},{"location":"guide/references/configuration/cli/trivy_image/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_image/#see-also","title":"SEE ALSO","text":" - trivy - Unified security scanner
"},{"location":"guide/references/configuration/cli/trivy_kubernetes/","title":"Kubernetes","text":""},{"location":"guide/references/configuration/cli/trivy_kubernetes/#trivy-kubernetes","title":"trivy kubernetes","text":"[EXPERIMENTAL] Scan kubernetes cluster
"},{"location":"guide/references/configuration/cli/trivy_kubernetes/#synopsis","title":"Synopsis","text":"Default context in kube configuration will be used unless specified
trivy kubernetes [flags] [CONTEXT]\n
"},{"location":"guide/references/configuration/cli/trivy_kubernetes/#examples","title":"Examples","text":" # cluster scanning\n $ trivy k8s --report summary\n\n # cluster scanning with specific namespace:\n $ trivy k8s --include-namespaces kube-system --report summary \n\n # cluster with specific context:\n $ trivy k8s kind-kind --report summary \n
"},{"location":"guide/references/configuration/cli/trivy_kubernetes/#options","title":"Options","text":" --burst int specify the maximum burst for throttle (default 10)\n --cache-backend string [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default \"fs\")\n --cache-ttl duration cache TTL when using redis as cache backend\n --check-namespaces strings Rego namespaces\n --checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default \"mirror.gcr.io/aquasec/trivy-checks:1\")\n --compliance string compliance report to generate\n Built-in compliance's:\n - k8s-nsa-1.0\n - k8s-cis-1.23\n - eks-cis-1.4\n - rke2-cis-1.24\n - k8s-pss-baseline-0.1\n - k8s-pss-restricted-0.1\n --config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files\n --config-data strings specify paths from which data for the Rego checks will be recursively loaded\n --config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking\n --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])\n --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages\n --detection-priority string specify the detection priority:\n - \"precise\": Prioritizes precise by minimizing false positives.\n - \"comprehensive\": Aims to detect more security findings at the cost of potential false positives.\n (allowed values: precise,comprehensive) (default \"precise\")\n --disable-node-collector When the flag is activated, the node-collector job will not be executed, thus skipping misconfiguration findings on the node.\n --disable-telemetry disable sending anonymous usage data to Aqua\n --distro string [EXPERIMENTAL] specify a distribution, <family>/<version>\n --download-db-only 
download/update vulnerability database but don't run a scan\n --download-java-db-only download/update Java index database but don't run a scan\n --exclude-kinds strings indicate the kinds exclude from scanning (example: node)\n --exclude-namespaces strings indicate the namespaces excluded from scanning (example: kube-system)\n --exclude-nodes strings indicate the node labels that the node-collector job should exclude from scanning (example: kubernetes.io/arch:arm64,team:dev)\n --exclude-owned exclude resources that have an owner reference\n --exit-code int specify exit code when any security issues are found\n --file-patterns strings specify config file patterns\n -f, --format string format (allowed values: table,json,cyclonedx) (default \"table\")\n --helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)\n --helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. 
This flag is the same as the kube-version flag of the helm template command.\n --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)\n --helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)\n --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)\n --helm-values strings specify paths to override the Helm values.yaml files\n -h, --help help for kubernetes\n --ignore-policy string specify the Rego file path to evaluate each vulnerability\n --ignore-status strings comma-separated list of vulnerability status to ignore\n Allowed values:\n - unknown\n - not_affected\n - affected\n - fixed\n - under_investigation\n - will_not_fix\n - fix_deferred\n - end_of_life\n --ignore-unfixed display only fixed vulnerabilities\n --ignorefile string specify .trivyignore file (default \".trivyignore\")\n --image-src strings image source(s) to use, in priority order (allowed values: docker,containerd,podman,remote) (default [docker,containerd,podman,remote])\n --include-deprecated-checks include deprecated checks\n --include-kinds strings indicate the kinds included in scanning (example: node)\n --include-namespaces strings indicate the namespaces included in scanning (example: kube-system)\n --include-non-failures include successes, available with '--scanners misconfig'\n --java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])\n --k8s-version string specify k8s version to validate outdated api by it (example: 1.21.0)\n --kubeconfig string specify the kubeconfig file path to use\n --list-all-pkgs output all packages in the JSON report regardless of vulnerability (default 
true)\n --misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])\n --no-progress suppress progress bar\n --node-collector-imageref string indicate the image reference for the node-collector scan job (default \"ghcr.io/aquasecurity/node-collector:0.3.1\")\n --node-collector-namespace string specify the namespace in which the node-collector job should be deployed (default \"trivy-temp\")\n --offline-scan do not issue API requests to identify dependencies\n -o, --output string output file name\n --output-plugin-arg string [EXPERIMENTAL] output plugin arguments\n --parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)\n --password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.\n --password-stdin password from stdin. Comma-separated passwords are not supported.\n --pkg-relationships strings list of package relationships\n Allowed values:\n - unknown\n - root\n - workspace\n - direct\n - indirect\n (default [unknown,root,workspace,direct,indirect])\n --pkg-types strings list of package types (allowed values: os,library) (default [os,library])\n --qps float specify the maximum QPS to the master from this client (default 5)\n --raw-config-scanners strings specify the types of scanners that will also scan raw configurations. 
For example, scanners will scan a non-adapted configuration into a shared state (allowed values: terraform)\n --redis-ca string redis ca file location, if using redis as cache backend\n --redis-cert string redis certificate file location, if using redis as cache backend\n --redis-key string redis key file location, if using redis as cache backend\n --redis-tls enable redis TLS with public certificates, if using redis as cache backend\n --registry-token string registry token\n --rego-error-limit int maximum number of compile errors allowed during Rego policy evaluation (default 10)\n --rekor-url string [EXPERIMENTAL] address of rekor STL server (default \"https://rekor.sigstore.dev\")\n --render-cause strings specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)\n --report string specify a report format for the output (allowed values: all,summary) (default \"all\")\n --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (allowed values: oci,rekor)\n --scanners strings comma-separated list of what security issues to detect (allowed values: vuln,misconfig,secret,rbac) (default [vuln,misconfig,secret,rbac])\n --secret-config string specify a path to config file for secret scanning (default \"trivy-secret.yaml\")\n -s, --severity strings severities of security issues to be displayed\n Allowed values:\n - UNKNOWN\n - LOW\n - MEDIUM\n - HIGH\n - CRITICAL\n (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])\n --show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities\n --skip-check-update skip fetching rego check updates\n --skip-db-update skip updating vulnerability database\n --skip-dirs strings specify the directories or glob patterns to skip\n --skip-files strings specify the files or glob patterns to skip\n --skip-images skip the downloading and scanning of images (vulnerabilities and secrets) in the cluster resources\n --skip-java-db-update skip updating Java index 
database\n --skip-version-check suppress notices about version updates and Trivy announcements\n --skip-vex-repo-update [EXPERIMENTAL] Skip VEX Repository update\n -t, --template string output template\n --tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules\n --tolerations strings specify node-collector job tolerations (example: key1=value1:NoExecute,key2=value2:NoSchedule)\n --trace-rego enable more verbose trace output for custom queries\n --username strings username. Comma-separated usernames allowed.\n --vex strings [EXPERIMENTAL] VEX sources (\"repo\", \"oci\" or file path)\n --vuln-severity-source strings order of data sources for selecting vulnerability severity level\n Allowed values:\n - nvd\n - redhat\n - redhat-oval\n - debian\n - ubuntu\n - alpine\n - amazon\n - oracle-oval\n - suse-cvrf\n - photon\n - arch-linux\n - alma\n - rocky\n - cbl-mariner\n - azure\n - ruby-advisory-db\n - php-security-advisories\n - nodejs-security-wg\n - ghsa\n - glad\n - aqua\n - osv\n - k8s\n - wolfi\n - chainguard\n - bitnami\n - govulndb\n - echo\n - minimos\n - rootio\n - auto\n (default [auto])\n
"},{"location":"guide/references/configuration/cli/trivy_kubernetes/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_kubernetes/#see-also","title":"SEE ALSO","text":" - trivy - Unified security scanner
"},{"location":"guide/references/configuration/cli/trivy_module/","title":"Module","text":""},{"location":"guide/references/configuration/cli/trivy_module/#trivy-module","title":"trivy module","text":"Manage modules
"},{"location":"guide/references/configuration/cli/trivy_module/#options","title":"Options","text":" --enable-modules strings [EXPERIMENTAL] module names to enable\n -h, --help help for module\n --module-dir string specify directory to the wasm modules that will be loaded (default \"$HOME/.trivy/modules\")\n
"},{"location":"guide/references/configuration/cli/trivy_module/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_module/#see-also","title":"SEE ALSO","text":" - trivy - Unified security scanner
- trivy module install - Install a module
- trivy module uninstall - Uninstall a module
"},{"location":"guide/references/configuration/cli/trivy_module_install/","title":"Module Install","text":""},{"location":"guide/references/configuration/cli/trivy_module_install/#trivy-module-install","title":"trivy module install","text":"Install a module
trivy module install [flags] REPOSITORY\n
"},{"location":"guide/references/configuration/cli/trivy_module_install/#options","title":"Options","text":" -h, --help help for install\n
"},{"location":"guide/references/configuration/cli/trivy_module_install/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --enable-modules strings [EXPERIMENTAL] module names to enable\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n --module-dir string specify directory to the wasm modules that will be loaded (default \"$HOME/.trivy/modules\")\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_module_install/#see-also","title":"SEE ALSO","text":" - trivy module - Manage modules
"},{"location":"guide/references/configuration/cli/trivy_module_uninstall/","title":"Module Uninstall","text":""},{"location":"guide/references/configuration/cli/trivy_module_uninstall/#trivy-module-uninstall","title":"trivy module uninstall","text":"Uninstall a module
trivy module uninstall [flags] REPOSITORY\n
"},{"location":"guide/references/configuration/cli/trivy_module_uninstall/#options","title":"Options","text":" -h, --help help for uninstall\n
"},{"location":"guide/references/configuration/cli/trivy_module_uninstall/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --enable-modules strings [EXPERIMENTAL] module names to enable\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n --module-dir string specify directory to the wasm modules that will be loaded (default \"$HOME/.trivy/modules\")\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_module_uninstall/#see-also","title":"SEE ALSO","text":" - trivy module - Manage modules
"},{"location":"guide/references/configuration/cli/trivy_plugin/","title":"Plugin","text":""},{"location":"guide/references/configuration/cli/trivy_plugin/#trivy-plugin","title":"trivy plugin","text":"Manage plugins
"},{"location":"guide/references/configuration/cli/trivy_plugin/#options","title":"Options","text":" -h, --help help for plugin\n
"},{"location":"guide/references/configuration/cli/trivy_plugin/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_plugin/#see-also","title":"SEE ALSO","text":" - trivy - Unified security scanner
- trivy plugin info - Show information about the specified plugin
- trivy plugin install - Install a plugin
- trivy plugin list - List installed plugin
- trivy plugin run - Run a plugin on the fly
- trivy plugin search - List Trivy plugins available on the plugin index and search among them
- trivy plugin uninstall - Uninstall a plugin
- trivy plugin update - Update the local copy of the plugin index
- trivy plugin upgrade - Upgrade installed plugins to newer versions
"},{"location":"guide/references/configuration/cli/trivy_plugin_info/","title":"Plugin Info","text":""},{"location":"guide/references/configuration/cli/trivy_plugin_info/#trivy-plugin-info","title":"trivy plugin info","text":"Show information about the specified plugin
trivy plugin info PLUGIN_NAME\n
"},{"location":"guide/references/configuration/cli/trivy_plugin_info/#options","title":"Options","text":" -h, --help help for info\n
"},{"location":"guide/references/configuration/cli/trivy_plugin_info/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_plugin_info/#see-also","title":"SEE ALSO","text":" - trivy plugin - Manage plugins
"},{"location":"guide/references/configuration/cli/trivy_plugin_install/","title":"Plugin Install","text":""},{"location":"guide/references/configuration/cli/trivy_plugin_install/#trivy-plugin-install","title":"trivy plugin install","text":"Install a plugin
trivy plugin install NAME | URL | FILE_PATH\n
"},{"location":"guide/references/configuration/cli/trivy_plugin_install/#examples","title":"Examples","text":" # Install a plugin from the plugin index\n $ trivy plugin install referrer\n\n # Specify the version of the plugin to install\n $ trivy plugin install referrer@v0.3.0\n\n # Install a plugin from a URL\n $ trivy plugin install github.com/aquasecurity/trivy-plugin-referrer\n
"},{"location":"guide/references/configuration/cli/trivy_plugin_install/#options","title":"Options","text":" -h, --help help for install\n
"},{"location":"guide/references/configuration/cli/trivy_plugin_install/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_plugin_install/#see-also","title":"SEE ALSO","text":" - trivy plugin - Manage plugins
"},{"location":"guide/references/configuration/cli/trivy_plugin_list/","title":"Plugin List","text":""},{"location":"guide/references/configuration/cli/trivy_plugin_list/#trivy-plugin-list","title":"trivy plugin list","text":"List installed plugin
trivy plugin list\n
"},{"location":"guide/references/configuration/cli/trivy_plugin_list/#options","title":"Options","text":" -h, --help help for list\n
"},{"location":"guide/references/configuration/cli/trivy_plugin_list/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_plugin_list/#see-also","title":"SEE ALSO","text":" - trivy plugin - Manage plugins
"},{"location":"guide/references/configuration/cli/trivy_plugin_run/","title":"Plugin Run","text":""},{"location":"guide/references/configuration/cli/trivy_plugin_run/#trivy-plugin-run","title":"trivy plugin run","text":"Run a plugin on the fly
trivy plugin run NAME | URL | FILE_PATH\n
"},{"location":"guide/references/configuration/cli/trivy_plugin_run/#options","title":"Options","text":" -h, --help help for run\n
"},{"location":"guide/references/configuration/cli/trivy_plugin_run/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_plugin_run/#see-also","title":"SEE ALSO","text":" - trivy plugin - Manage plugins
"},{"location":"guide/references/configuration/cli/trivy_plugin_search/","title":"Plugin Search","text":""},{"location":"guide/references/configuration/cli/trivy_plugin_search/#trivy-plugin-search","title":"trivy plugin search","text":"List Trivy plugins available on the plugin index and search among them
trivy plugin search [KEYWORD]\n
"},{"location":"guide/references/configuration/cli/trivy_plugin_search/#options","title":"Options","text":" -h, --help help for search\n
"},{"location":"guide/references/configuration/cli/trivy_plugin_search/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_plugin_search/#see-also","title":"SEE ALSO","text":" - trivy plugin - Manage plugins
"},{"location":"guide/references/configuration/cli/trivy_plugin_uninstall/","title":"Plugin Uninstall","text":""},{"location":"guide/references/configuration/cli/trivy_plugin_uninstall/#trivy-plugin-uninstall","title":"trivy plugin uninstall","text":"Uninstall a plugin
trivy plugin uninstall PLUGIN_NAME\n
"},{"location":"guide/references/configuration/cli/trivy_plugin_uninstall/#options","title":"Options","text":" -h, --help help for uninstall\n
"},{"location":"guide/references/configuration/cli/trivy_plugin_uninstall/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_plugin_uninstall/#see-also","title":"SEE ALSO","text":" - trivy plugin - Manage plugins
"},{"location":"guide/references/configuration/cli/trivy_plugin_update/","title":"Plugin Update","text":""},{"location":"guide/references/configuration/cli/trivy_plugin_update/#trivy-plugin-update","title":"trivy plugin update","text":"Update the local copy of the plugin index
trivy plugin update\n
"},{"location":"guide/references/configuration/cli/trivy_plugin_update/#options","title":"Options","text":" -h, --help help for update\n
"},{"location":"guide/references/configuration/cli/trivy_plugin_update/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_plugin_update/#see-also","title":"SEE ALSO","text":" - trivy plugin - Manage plugins
"},{"location":"guide/references/configuration/cli/trivy_plugin_upgrade/","title":"Plugin Upgrade","text":""},{"location":"guide/references/configuration/cli/trivy_plugin_upgrade/#trivy-plugin-upgrade","title":"trivy plugin upgrade","text":"Upgrade installed plugins to newer versions
trivy plugin upgrade [PLUGIN_NAMES]\n
"},{"location":"guide/references/configuration/cli/trivy_plugin_upgrade/#options","title":"Options","text":" -h, --help help for upgrade\n
"},{"location":"guide/references/configuration/cli/trivy_plugin_upgrade/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_plugin_upgrade/#see-also","title":"SEE ALSO","text":" - trivy plugin - Manage plugins
"},{"location":"guide/references/configuration/cli/trivy_registry/","title":"Registry","text":""},{"location":"guide/references/configuration/cli/trivy_registry/#trivy-registry","title":"trivy registry","text":"Manage registry authentication
"},{"location":"guide/references/configuration/cli/trivy_registry/#options","title":"Options","text":" -h, --help help for registry\n
"},{"location":"guide/references/configuration/cli/trivy_registry/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_registry/#see-also","title":"SEE ALSO","text":" - trivy - Unified security scanner
- trivy registry login - Log in to a registry
- trivy registry logout - Log out of a registry
"},{"location":"guide/references/configuration/cli/trivy_registry_login/","title":"Registry Login","text":""},{"location":"guide/references/configuration/cli/trivy_registry_login/#trivy-registry-login","title":"trivy registry login","text":"Log in to a registry
trivy registry login SERVER [flags]\n
"},{"location":"guide/references/configuration/cli/trivy_registry_login/#examples","title":"Examples","text":" # Log in to reg.example.com\n cat ~/my_password.txt | trivy registry login --username foo --password-stdin reg.example.com\n
"},{"location":"guide/references/configuration/cli/trivy_registry_login/#options","title":"Options","text":" -h, --help help for login\n --password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.\n --password-stdin password from stdin. Comma-separated passwords are not supported.\n --username strings username. Comma-separated usernames allowed.\n
"},{"location":"guide/references/configuration/cli/trivy_registry_login/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_registry_login/#see-also","title":"SEE ALSO","text":" - trivy registry - Manage registry authentication
"},{"location":"guide/references/configuration/cli/trivy_registry_logout/","title":"Registry Logout","text":""},{"location":"guide/references/configuration/cli/trivy_registry_logout/#trivy-registry-logout","title":"trivy registry logout","text":"Log out of a registry
trivy registry logout SERVER [flags]\n
"},{"location":"guide/references/configuration/cli/trivy_registry_logout/#examples","title":"Examples","text":" # Log out of reg.example.com\n trivy registry logout reg.example.com\n
"},{"location":"guide/references/configuration/cli/trivy_registry_logout/#options","title":"Options","text":" -h, --help help for logout\n
"},{"location":"guide/references/configuration/cli/trivy_registry_logout/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_registry_logout/#see-also","title":"SEE ALSO","text":" - trivy registry - Manage registry authentication
"},{"location":"guide/references/configuration/cli/trivy_repository/","title":"Repository","text":""},{"location":"guide/references/configuration/cli/trivy_repository/#trivy-repository","title":"trivy repository","text":"Scan a repository
trivy repository [flags] (REPO_PATH | REPO_URL)\n
"},{"location":"guide/references/configuration/cli/trivy_repository/#examples","title":"Examples","text":" # Scan your remote git repository\n $ trivy repo https://github.com/knqyf263/trivy-ci-test\n # Scan your local git repository\n $ trivy repo /path/to/your/repository\n
"},{"location":"guide/references/configuration/cli/trivy_repository/#options","title":"Options","text":" --branch string pass the branch name to be scanned\n --cache-backend string [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default \"fs\")\n --cache-ttl duration cache TTL when using redis as cache backend\n --cf-params strings specify paths to override the CloudFormation parameters files\n --check-namespaces strings Rego namespaces\n --checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default \"mirror.gcr.io/aquasec/trivy-checks:1\")\n --commit string pass the commit hash to be scanned\n --config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files\n --config-data strings specify paths from which data for the Rego checks will be recursively loaded\n --config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking\n --custom-headers strings custom headers in client mode\n --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])\n --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages\n --detection-priority string specify the detection priority:\n - \"precise\": Prioritizes precise by minimizing false positives.\n - \"comprehensive\": Aims to detect more security findings at the cost of potential false positives.\n (allowed values: precise,comprehensive) (default \"precise\")\n --disable-telemetry disable sending anonymous usage data to Aqua\n --download-db-only download/update vulnerability database but don't run a scan\n --download-java-db-only download/update Java index database but don't run a scan\n --enable-modules strings [EXPERIMENTAL] module names to enable\n --exit-code int specify exit code when 
any security issues are found\n --file-patterns strings specify config file patterns\n -f, --format string format\n Allowed values:\n - table\n - json\n - template\n - sarif\n - cyclonedx\n - spdx\n - spdx-json\n - github\n - cosign-vuln\n (default \"table\")\n --helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)\n --helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.\n --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)\n --helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)\n --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)\n --helm-values strings specify paths to override the Helm values.yaml files\n -h, --help help for repository\n --ignore-policy string specify the Rego file path to evaluate each vulnerability\n --ignore-status strings comma-separated list of vulnerability status to ignore\n Allowed values:\n - unknown\n - not_affected\n - affected\n - fixed\n - under_investigation\n - will_not_fix\n - fix_deferred\n - end_of_life\n --ignore-unfixed display only fixed vulnerabilities\n --ignored-licenses strings specify a list of license to ignore\n --ignorefile string specify .trivyignore file (default \".trivyignore\")\n --include-deprecated-checks include deprecated checks\n --include-dev-deps include development dependencies in the report (supported: npm, yarn, gradle)\n --include-non-failures include successes, available with '--scanners 
misconfig'\n --java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])\n --license-confidence-level float specify license classifier's confidence level (default 0.9)\n --license-full eagerly look for licenses in source code headers and license files\n --list-all-pkgs output all packages in the JSON report regardless of vulnerability (default true)\n --misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])\n --module-dir string specify directory to the wasm modules that will be loaded (default \"$HOME/.trivy/modules\")\n --no-progress suppress progress bar\n --offline-scan do not issue API requests to identify dependencies\n -o, --output string output file name\n --output-plugin-arg string [EXPERIMENTAL] output plugin arguments\n --parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)\n --password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.\n --password-stdin password from stdin. Comma-separated passwords are not supported.\n --pkg-relationships strings list of package relationships\n Allowed values:\n - unknown\n - root\n - workspace\n - direct\n - indirect\n (default [unknown,root,workspace,direct,indirect])\n --pkg-types strings list of package types (allowed values: os,library) (default [os,library])\n --raw-config-scanners strings specify the types of scanners that will also scan raw configurations. 
For example, scanners will scan a non-adapted configuration into a shared state (allowed values: terraform)\n --redis-ca string redis ca file location, if using redis as cache backend\n --redis-cert string redis certificate file location, if using redis as cache backend\n --redis-key string redis key file location, if using redis as cache backend\n --redis-tls enable redis TLS with public certificates, if using redis as cache backend\n --registry-token string registry token\n --rego-error-limit int maximum number of compile errors allowed during Rego policy evaluation (default 10)\n --rekor-url string [EXPERIMENTAL] address of rekor STL server (default \"https://rekor.sigstore.dev\")\n --render-cause strings specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)\n --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (allowed values: oci,rekor)\n --scanners strings comma-separated list of what security issues to detect (allowed values: vuln,misconfig,secret,license) (default [vuln,secret])\n --secret-config string specify a path to config file for secret scanning (default \"trivy-secret.yaml\")\n --server string server address in client mode\n -s, --severity strings severities of security issues to be displayed\n Allowed values:\n - UNKNOWN\n - LOW\n - MEDIUM\n - HIGH\n - CRITICAL\n (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])\n --show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities\n --skip-check-update skip fetching rego check updates\n --skip-db-update skip updating vulnerability database\n --skip-dirs strings specify the directories or glob patterns to skip\n --skip-files strings specify the files or glob patterns to skip\n --skip-java-db-update skip updating Java index database\n --skip-version-check suppress notices about version updates and Trivy announcements\n --skip-vex-repo-update [EXPERIMENTAL] Skip VEX Repository update\n --table-mode strings 
[EXPERIMENTAL] tables that will be displayed in 'table' format (allowed values: summary,detailed) (default [summary,detailed])\n --tag string pass the tag name to be scanned\n -t, --template string output template\n --tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules\n --tf-vars strings specify paths to override the Terraform tfvars files\n --token string for authentication in client/server mode\n --token-header string specify a header name for token in client/server mode (default \"Trivy-Token\")\n --trace-rego enable more verbose trace output for custom queries\n --username strings username. Comma-separated usernames allowed.\n --vex strings [EXPERIMENTAL] VEX sources (\"repo\", \"oci\" or file path)\n --vuln-severity-source strings order of data sources for selecting vulnerability severity level\n Allowed values:\n - nvd\n - redhat\n - redhat-oval\n - debian\n - ubuntu\n - alpine\n - amazon\n - oracle-oval\n - suse-cvrf\n - photon\n - arch-linux\n - alma\n - rocky\n - cbl-mariner\n - azure\n - ruby-advisory-db\n - php-security-advisories\n - nodejs-security-wg\n - ghsa\n - glad\n - aqua\n - osv\n - k8s\n - wolfi\n - chainguard\n - bitnami\n - govulndb\n - echo\n - minimos\n - rootio\n - auto\n (default [auto])\n
"},{"location":"guide/references/configuration/cli/trivy_repository/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_repository/#see-also","title":"SEE ALSO","text":" - trivy - Unified security scanner
"},{"location":"guide/references/configuration/cli/trivy_rootfs/","title":"Rootfs","text":""},{"location":"guide/references/configuration/cli/trivy_rootfs/#trivy-rootfs","title":"trivy rootfs","text":"Scan rootfs
trivy rootfs [flags] ROOTDIR\n
"},{"location":"guide/references/configuration/cli/trivy_rootfs/#examples","title":"Examples","text":" # Scan unpacked filesystem\n $ docker export $(docker create alpine:3.10.2) | tar -C /tmp/rootfs -xvf -\n $ trivy rootfs /tmp/rootfs\n\n # Scan from inside a container\n $ docker run --rm -it alpine:3.11\n / # curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin\n / # trivy rootfs /\n
"},{"location":"guide/references/configuration/cli/trivy_rootfs/#options","title":"Options","text":" --cache-backend string [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default \"memory\")\n --cache-ttl duration cache TTL when using redis as cache backend\n --cf-params strings specify paths to override the CloudFormation parameters files\n --check-namespaces strings Rego namespaces\n --checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default \"mirror.gcr.io/aquasec/trivy-checks:1\")\n --config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files\n --config-data strings specify paths from which data for the Rego checks will be recursively loaded\n --config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking\n --custom-headers strings custom headers in client mode\n --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])\n --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages\n --detection-priority string specify the detection priority:\n - \"precise\": Prioritizes precise by minimizing false positives.\n - \"comprehensive\": Aims to detect more security findings at the cost of potential false positives.\n (allowed values: precise,comprehensive) (default \"precise\")\n --disable-telemetry disable sending anonymous usage data to Aqua\n --distro string [EXPERIMENTAL] specify a distribution, <family>/<version>\n --download-db-only download/update vulnerability database but don't run a scan\n --download-java-db-only download/update Java index database but don't run a scan\n --enable-modules strings [EXPERIMENTAL] module names to enable\n --exit-code int specify exit code when any security issues are found\n 
--exit-on-eol int exit with the specified code when the OS reaches end of service/life\n --file-patterns strings specify config file patterns\n -f, --format string format\n Allowed values:\n - table\n - json\n - template\n - sarif\n - cyclonedx\n - spdx\n - spdx-json\n - github\n - cosign-vuln\n (default \"table\")\n --helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)\n --helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.\n --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)\n --helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)\n --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)\n --helm-values strings specify paths to override the Helm values.yaml files\n -h, --help help for rootfs\n --ignore-policy string specify the Rego file path to evaluate each vulnerability\n --ignore-status strings comma-separated list of vulnerability status to ignore\n Allowed values:\n - unknown\n - not_affected\n - affected\n - fixed\n - under_investigation\n - will_not_fix\n - fix_deferred\n - end_of_life\n --ignore-unfixed display only fixed vulnerabilities\n --ignored-licenses strings specify a list of license to ignore\n --ignorefile string specify .trivyignore file (default \".trivyignore\")\n --include-deprecated-checks include deprecated checks\n --include-non-failures include successes, available with '--scanners misconfig'\n --java-db-repository strings OCI 
repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])\n --license-confidence-level float specify license classifier's confidence level (default 0.9)\n --license-full eagerly look for licenses in source code headers and license files\n --list-all-pkgs output all packages in the JSON report regardless of vulnerability (default true)\n --misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])\n --module-dir string specify directory to the wasm modules that will be loaded (default \"$HOME/.trivy/modules\")\n --no-progress suppress progress bar\n --offline-scan do not issue API requests to identify dependencies\n -o, --output string output file name\n --output-plugin-arg string [EXPERIMENTAL] output plugin arguments\n --parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)\n --password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.\n --password-stdin password from stdin. Comma-separated passwords are not supported.\n --pkg-relationships strings list of package relationships\n Allowed values:\n - unknown\n - root\n - workspace\n - direct\n - indirect\n (default [unknown,root,workspace,direct,indirect])\n --pkg-types strings list of package types (allowed values: os,library) (default [os,library])\n --raw-config-scanners strings specify the types of scanners that will also scan raw configurations. 
For example, scanners will scan a non-adapted configuration into a shared state (allowed values: terraform)\n --redis-ca string redis ca file location, if using redis as cache backend\n --redis-cert string redis certificate file location, if using redis as cache backend\n --redis-key string redis key file location, if using redis as cache backend\n --redis-tls enable redis TLS with public certificates, if using redis as cache backend\n --registry-token string registry token\n --rego-error-limit int maximum number of compile errors allowed during Rego policy evaluation (default 10)\n --rekor-url string [EXPERIMENTAL] address of rekor STL server (default \"https://rekor.sigstore.dev\")\n --render-cause strings specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)\n --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (allowed values: oci,rekor)\n --scanners strings comma-separated list of what security issues to detect (allowed values: vuln,misconfig,secret,license) (default [vuln,secret])\n --secret-config string specify a path to config file for secret scanning (default \"trivy-secret.yaml\")\n --server string server address in client mode\n -s, --severity strings severities of security issues to be displayed\n Allowed values:\n - UNKNOWN\n - LOW\n - MEDIUM\n - HIGH\n - CRITICAL\n (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])\n --show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities\n --skip-check-update skip fetching rego check updates\n --skip-db-update skip updating vulnerability database\n --skip-dirs strings specify the directories or glob patterns to skip\n --skip-files strings specify the files or glob patterns to skip\n --skip-java-db-update skip updating Java index database\n --skip-version-check suppress notices about version updates and Trivy announcements\n --skip-vex-repo-update [EXPERIMENTAL] Skip VEX Repository update\n --table-mode strings 
[EXPERIMENTAL] tables that will be displayed in 'table' format (allowed values: summary,detailed) (default [summary,detailed])\n -t, --template string output template\n --tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules\n --tf-vars strings specify paths to override the Terraform tfvars files\n --token string for authentication in client/server mode\n --token-header string specify a header name for token in client/server mode (default \"Trivy-Token\")\n --trace-rego enable more verbose trace output for custom queries\n --username strings username. Comma-separated usernames allowed.\n --vex strings [EXPERIMENTAL] VEX sources (\"repo\", \"oci\" or file path)\n --vuln-severity-source strings order of data sources for selecting vulnerability severity level\n Allowed values:\n - nvd\n - redhat\n - redhat-oval\n - debian\n - ubuntu\n - alpine\n - amazon\n - oracle-oval\n - suse-cvrf\n - photon\n - arch-linux\n - alma\n - rocky\n - cbl-mariner\n - azure\n - ruby-advisory-db\n - php-security-advisories\n - nodejs-security-wg\n - ghsa\n - glad\n - aqua\n - osv\n - k8s\n - wolfi\n - chainguard\n - bitnami\n - govulndb\n - echo\n - minimos\n - rootio\n - auto\n (default [auto])\n
"},{"location":"guide/references/configuration/cli/trivy_rootfs/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_rootfs/#see-also","title":"SEE ALSO","text":" - trivy - Unified security scanner
"},{"location":"guide/references/configuration/cli/trivy_sbom/","title":"SBOM","text":""},{"location":"guide/references/configuration/cli/trivy_sbom/#trivy-sbom","title":"trivy sbom","text":"Scan SBOM for vulnerabilities and licenses
trivy sbom [flags] SBOM_PATH\n
"},{"location":"guide/references/configuration/cli/trivy_sbom/#examples","title":"Examples","text":" # Scan CycloneDX and show the result in tables\n $ trivy sbom /path/to/report.cdx\n\n # Scan CycloneDX-type attestation and show the result in tables\n $ trivy sbom /path/to/report.cdx.intoto.jsonl\n
"},{"location":"guide/references/configuration/cli/trivy_sbom/#options","title":"Options","text":" --cache-backend string [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default \"memory\")\n --cache-ttl duration cache TTL when using redis as cache backend\n --compliance string compliance report to generate\n --custom-headers strings custom headers in client mode\n --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])\n --detection-priority string specify the detection priority:\n - \"precise\": Prioritizes precise by minimizing false positives.\n - \"comprehensive\": Aims to detect more security findings at the cost of potential false positives.\n (allowed values: precise,comprehensive) (default \"precise\")\n --disable-telemetry disable sending anonymous usage data to Aqua\n --distro string [EXPERIMENTAL] specify a distribution, <family>/<version>\n --download-db-only download/update vulnerability database but don't run a scan\n --download-java-db-only download/update Java index database but don't run a scan\n --exit-code int specify exit code when any security issues are found\n --exit-on-eol int exit with the specified code when the OS reaches end of service/life\n --file-patterns strings specify config file patterns\n -f, --format string format\n Allowed values:\n - table\n - json\n - template\n - sarif\n - cyclonedx\n - spdx\n - spdx-json\n - github\n - cosign-vuln\n (default \"table\")\n -h, --help help for sbom\n --ignore-policy string specify the Rego file path to evaluate each vulnerability\n --ignore-status strings comma-separated list of vulnerability status to ignore\n Allowed values:\n - unknown\n - not_affected\n - affected\n - fixed\n - under_investigation\n - will_not_fix\n - fix_deferred\n - end_of_life\n --ignore-unfixed display only fixed vulnerabilities\n --ignored-licenses strings specify a list of license to ignore\n 
--ignorefile string specify .trivyignore file (default \".trivyignore\")\n --java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])\n --list-all-pkgs output all packages in the JSON report regardless of vulnerability (default true)\n --no-progress suppress progress bar\n --offline-scan do not issue API requests to identify dependencies\n -o, --output string output file name\n --output-plugin-arg string [EXPERIMENTAL] output plugin arguments\n --password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.\n --password-stdin password from stdin. Comma-separated passwords are not supported.\n --pkg-relationships strings list of package relationships\n Allowed values:\n - unknown\n - root\n - workspace\n - direct\n - indirect\n (default [unknown,root,workspace,direct,indirect])\n --pkg-types strings list of package types (allowed values: os,library) (default [os,library])\n --redis-ca string redis ca file location, if using redis as cache backend\n --redis-cert string redis certificate file location, if using redis as cache backend\n --redis-key string redis key file location, if using redis as cache backend\n --redis-tls enable redis TLS with public certificates, if using redis as cache backend\n --registry-token string registry token\n --rekor-url string [EXPERIMENTAL] address of rekor STL server (default \"https://rekor.sigstore.dev\")\n --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (allowed values: oci,rekor)\n --scanners strings comma-separated list of what security issues to detect (allowed values: vuln,license) (default [vuln])\n --server string server address in client mode\n -s, --severity strings severities of security issues to be displayed\n Allowed values:\n - UNKNOWN\n - LOW\n - MEDIUM\n - HIGH\n - CRITICAL\n (default 
[UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])\n --show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities\n --skip-db-update skip updating vulnerability database\n --skip-java-db-update skip updating Java index database\n --skip-version-check suppress notices about version updates and Trivy announcements\n --skip-vex-repo-update [EXPERIMENTAL] Skip VEX Repository update\n --table-mode strings [EXPERIMENTAL] tables that will be displayed in 'table' format (allowed values: summary,detailed) (default [summary,detailed])\n -t, --template string output template\n --token string for authentication in client/server mode\n --token-header string specify a header name for token in client/server mode (default \"Trivy-Token\")\n --username strings username. Comma-separated usernames allowed.\n --vex strings [EXPERIMENTAL] VEX sources (\"repo\", \"oci\" or file path)\n --vuln-severity-source strings order of data sources for selecting vulnerability severity level\n Allowed values:\n - nvd\n - redhat\n - redhat-oval\n - debian\n - ubuntu\n - alpine\n - amazon\n - oracle-oval\n - suse-cvrf\n - photon\n - arch-linux\n - alma\n - rocky\n - cbl-mariner\n - azure\n - ruby-advisory-db\n - php-security-advisories\n - nodejs-security-wg\n - ghsa\n - glad\n - aqua\n - osv\n - k8s\n - wolfi\n - chainguard\n - bitnami\n - govulndb\n - echo\n - minimos\n - rootio\n - auto\n (default [auto])\n
"},{"location":"guide/references/configuration/cli/trivy_sbom/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_sbom/#see-also","title":"SEE ALSO","text":" - trivy - Unified security scanner
"},{"location":"guide/references/configuration/cli/trivy_server/","title":"Server","text":""},{"location":"guide/references/configuration/cli/trivy_server/#trivy-server","title":"trivy server","text":"Server mode
trivy server [flags]\n
"},{"location":"guide/references/configuration/cli/trivy_server/#examples","title":"Examples","text":" # Run a server\n $ trivy server\n\n # Listen on 0.0.0.0:10000\n $ trivy server --listen 0.0.0.0:10000\n
"},{"location":"guide/references/configuration/cli/trivy_server/#options","title":"Options","text":" --cache-backend string [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default \"fs\")\n --cache-ttl duration cache TTL when using redis as cache backend\n --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])\n --download-db-only download/update vulnerability database but don't run a scan\n --enable-modules strings [EXPERIMENTAL] module names to enable\n -h, --help help for server\n --listen string listen address in server mode (default \"localhost:4954\")\n --module-dir string specify directory to the wasm modules that will be loaded (default \"$HOME/.trivy/modules\")\n --no-progress suppress progress bar\n --password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.\n --password-stdin password from stdin. Comma-separated passwords are not supported.\n --redis-ca string redis ca file location, if using redis as cache backend\n --redis-cert string redis certificate file location, if using redis as cache backend\n --redis-key string redis key file location, if using redis as cache backend\n --redis-tls enable redis TLS with public certificates, if using redis as cache backend\n --registry-token string registry token\n --skip-db-update skip updating vulnerability database\n --token string for authentication in client/server mode\n --token-header string specify a header name for token in client/server mode (default \"Trivy-Token\")\n --username strings username. Comma-separated usernames allowed.\n
"},{"location":"guide/references/configuration/cli/trivy_server/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_server/#see-also","title":"SEE ALSO","text":" - trivy - Unified security scanner
"},{"location":"guide/references/configuration/cli/trivy_version/","title":"Version","text":""},{"location":"guide/references/configuration/cli/trivy_version/#trivy-version","title":"trivy version","text":"Print the version
trivy version [flags]\n
"},{"location":"guide/references/configuration/cli/trivy_version/#options","title":"Options","text":" -f, --format string version format (json)\n -h, --help help for version\n
"},{"location":"guide/references/configuration/cli/trivy_version/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_version/#see-also","title":"SEE ALSO","text":" - trivy - Unified security scanner
"},{"location":"guide/references/configuration/cli/trivy_vex/","title":"VEX","text":""},{"location":"guide/references/configuration/cli/trivy_vex/#trivy-vex","title":"trivy vex","text":"[EXPERIMENTAL] VEX utilities
"},{"location":"guide/references/configuration/cli/trivy_vex/#options","title":"Options","text":" -h, --help help for vex\n
"},{"location":"guide/references/configuration/cli/trivy_vex/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_vex/#see-also","title":"SEE ALSO","text":" - trivy - Unified security scanner
- trivy vex repo - Manage VEX repositories
"},{"location":"guide/references/configuration/cli/trivy_vex_repo/","title":"VEX Repo","text":""},{"location":"guide/references/configuration/cli/trivy_vex_repo/#trivy-vex-repo","title":"trivy vex repo","text":"Manage VEX repositories
"},{"location":"guide/references/configuration/cli/trivy_vex_repo/#examples","title":"Examples","text":" # Initialize the configuration file\n $ trivy vex repo init\n\n # List VEX repositories\n $ trivy vex repo list\n\n # Download the VEX repositories\n $ trivy vex repo download\n
"},{"location":"guide/references/configuration/cli/trivy_vex_repo/#options","title":"Options","text":" -h, --help help for repo\n
"},{"location":"guide/references/configuration/cli/trivy_vex_repo/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_vex_repo/#see-also","title":"SEE ALSO","text":" - trivy vex - [EXPERIMENTAL] VEX utilities
- trivy vex repo download - Download the VEX repositories
- trivy vex repo init - Initialize a configuration file
- trivy vex repo list - List VEX repositories
"},{"location":"guide/references/configuration/cli/trivy_vex_repo_download/","title":"VEX Download","text":""},{"location":"guide/references/configuration/cli/trivy_vex_repo_download/#trivy-vex-repo-download","title":"trivy vex repo download","text":"Download the VEX repositories
"},{"location":"guide/references/configuration/cli/trivy_vex_repo_download/#synopsis","title":"Synopsis","text":"Downloads enabled VEX repositories. If specific repository names are provided as arguments, only those repositories will be downloaded. Otherwise, all enabled repositories are downloaded.
trivy vex repo download [REPO_NAMES] [flags]\n
"},{"location":"guide/references/configuration/cli/trivy_vex_repo_download/#options","title":"Options","text":" -h, --help help for download\n
"},{"location":"guide/references/configuration/cli/trivy_vex_repo_download/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_vex_repo_download/#see-also","title":"SEE ALSO","text":" - trivy vex repo - Manage VEX repositories
"},{"location":"guide/references/configuration/cli/trivy_vex_repo_init/","title":"VEX Init","text":""},{"location":"guide/references/configuration/cli/trivy_vex_repo_init/#trivy-vex-repo-init","title":"trivy vex repo init","text":"Initialize a configuration file
trivy vex repo init [flags]\n
"},{"location":"guide/references/configuration/cli/trivy_vex_repo_init/#options","title":"Options","text":" -h, --help help for init\n
"},{"location":"guide/references/configuration/cli/trivy_vex_repo_init/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_vex_repo_init/#see-also","title":"SEE ALSO","text":" - trivy vex repo - Manage VEX repositories
"},{"location":"guide/references/configuration/cli/trivy_vex_repo_list/","title":"VEX List","text":""},{"location":"guide/references/configuration/cli/trivy_vex_repo_list/#trivy-vex-repo-list","title":"trivy vex repo list","text":"List VEX repositories
trivy vex repo list [flags]\n
"},{"location":"guide/references/configuration/cli/trivy_vex_repo_list/#options","title":"Options","text":" -h, --help help for list\n
"},{"location":"guide/references/configuration/cli/trivy_vex_repo_list/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_vex_repo_list/#see-also","title":"SEE ALSO","text":" - trivy vex repo - Manage VEX repositories
"},{"location":"guide/references/configuration/cli/trivy_vm/","title":"VM","text":""},{"location":"guide/references/configuration/cli/trivy_vm/#trivy-vm","title":"trivy vm","text":"[EXPERIMENTAL] Scan a virtual machine image
trivy vm [flags] VM_IMAGE\n
"},{"location":"guide/references/configuration/cli/trivy_vm/#examples","title":"Examples","text":" # Scan your AWS AMI\n $ trivy vm --scanners vuln ami:${your_ami_id}\n\n # Scan your AWS EBS snapshot\n $ trivy vm ebs:${your_ebs_snapshot_id}\n
"},{"location":"guide/references/configuration/cli/trivy_vm/#options","title":"Options","text":" --aws-region string AWS region to scan\n --cache-backend string [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default \"fs\")\n --cache-ttl duration cache TTL when using redis as cache backend\n --checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default \"mirror.gcr.io/aquasec/trivy-checks:1\")\n --compliance string compliance report to generate\n --config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking\n --custom-headers strings custom headers in client mode\n --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])\n --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages\n --detection-priority string specify the detection priority:\n - \"precise\": Prioritizes precise by minimizing false positives.\n - \"comprehensive\": Aims to detect more security findings at the cost of potential false positives.\n (allowed values: precise,comprehensive) (default \"precise\")\n --disable-telemetry disable sending anonymous usage data to Aqua\n --distro string [EXPERIMENTAL] specify a distribution, <family>/<version>\n --download-db-only download/update vulnerability database but don't run a scan\n --download-java-db-only download/update Java index database but don't run a scan\n --enable-modules strings [EXPERIMENTAL] module names to enable\n --exit-code int specify exit code when any security issues are found\n --exit-on-eol int exit with the specified code when the OS reaches end of service/life\n --file-patterns strings specify config file patterns\n -f, --format string format\n Allowed values:\n - table\n - json\n - template\n - sarif\n - cyclonedx\n - spdx\n - spdx-json\n - 
github\n - cosign-vuln\n (default \"table\")\n --helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)\n --helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.\n --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)\n --helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)\n --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)\n --helm-values strings specify paths to override the Helm values.yaml files\n -h, --help help for vm\n --ignore-policy string specify the Rego file path to evaluate each vulnerability\n --ignore-status strings comma-separated list of vulnerability status to ignore\n Allowed values:\n - unknown\n - not_affected\n - affected\n - fixed\n - under_investigation\n - will_not_fix\n - fix_deferred\n - end_of_life\n --ignore-unfixed display only fixed vulnerabilities\n --ignorefile string specify .trivyignore file (default \".trivyignore\")\n --include-non-failures include successes, available with '--scanners misconfig'\n --java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])\n --list-all-pkgs output all packages in the JSON report regardless of vulnerability (default true)\n --misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default 
[azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])\n --module-dir string specify directory to the wasm modules that will be loaded (default \"$HOME/.trivy/modules\")\n --no-progress suppress progress bar\n --offline-scan do not issue API requests to identify dependencies\n -o, --output string output file name\n --output-plugin-arg string [EXPERIMENTAL] output plugin arguments\n --parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)\n --pkg-relationships strings list of package relationships\n Allowed values:\n - unknown\n - root\n - workspace\n - direct\n - indirect\n (default [unknown,root,workspace,direct,indirect])\n --pkg-types strings list of package types (allowed values: os,library) (default [os,library])\n --raw-config-scanners strings specify the types of scanners that will also scan raw configurations. For example, scanners will scan a non-adapted configuration into a shared state (allowed values: terraform)\n --redis-ca string redis ca file location, if using redis as cache backend\n --redis-cert string redis certificate file location, if using redis as cache backend\n --redis-key string redis key file location, if using redis as cache backend\n --redis-tls enable redis TLS with public certificates, if using redis as cache backend\n --rekor-url string [EXPERIMENTAL] address of rekor STL server (default \"https://rekor.sigstore.dev\")\n --render-cause strings specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)\n --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (allowed values: oci,rekor)\n --scanners strings comma-separated list of what security issues to detect (allowed values: vuln,misconfig,secret,license) (default [vuln,secret])\n --secret-config string specify a path to config file for secret scanning (default \"trivy-secret.yaml\")\n 
--server string server address in client mode\n -s, --severity strings severities of security issues to be displayed\n Allowed values:\n - UNKNOWN\n - LOW\n - MEDIUM\n - HIGH\n - CRITICAL\n (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])\n --show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities\n --skip-db-update skip updating vulnerability database\n --skip-dirs strings specify the directories or glob patterns to skip\n --skip-files strings specify the files or glob patterns to skip\n --skip-java-db-update skip updating Java index database\n --skip-version-check suppress notices about version updates and Trivy announcements\n --skip-vex-repo-update [EXPERIMENTAL] Skip VEX Repository update\n --table-mode strings [EXPERIMENTAL] tables that will be displayed in 'table' format (allowed values: summary,detailed) (default [summary,detailed])\n -t, --template string output template\n --tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules\n --token string for authentication in client/server mode\n --token-header string specify a header name for token in client/server mode (default \"Trivy-Token\")\n --vex strings [EXPERIMENTAL] VEX sources (\"repo\", \"oci\" or file path)\n --vuln-severity-source strings order of data sources for selecting vulnerability severity level\n Allowed values:\n - nvd\n - redhat\n - redhat-oval\n - debian\n - ubuntu\n - alpine\n - amazon\n - oracle-oval\n - suse-cvrf\n - photon\n - arch-linux\n - alma\n - rocky\n - cbl-mariner\n - azure\n - ruby-advisory-db\n - php-security-advisories\n - nodejs-security-wg\n - ghsa\n - glad\n - aqua\n - osv\n - k8s\n - wolfi\n - chainguard\n - bitnami\n - govulndb\n - echo\n - minimos\n - rootio\n - auto\n (default [auto])\n
"},{"location":"guide/references/configuration/cli/trivy_vm/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_vm/#see-also","title":"SEE ALSO","text":" - trivy - Unified security scanner
"},{"location":"guide/references/modes/client-server/","title":"Client/Server","text":"Trivy has a client/server mode. The Trivy server holds the vulnerability database, so the Trivy client does not have to download it. This is useful if you want to scan images or files at multiple locations and do not want to download the database at every location.
Client/Server Mode support by target: Image \u2705, Rootfs \u2705, Filesystem \u2705, Repository \u2705, Config -, K8s -. Some scanners run on the client side, even in client/server mode.
Scanner and where it runs (client or server): Vulnerability: Server; Misconfiguration: Client [1]; Secret: Client [2]; License: Server. Note
Scanning of misconfigurations and secrets is performed on the client side (as in standalone mode). Otherwise, the client would need to send files to the server that may contain sensitive information.
"},{"location":"guide/references/modes/client-server/#server","title":"Server","text":"First, launch the Trivy server. It downloads the vulnerability database automatically and continues to fetch the latest DB in the background.
$ trivy server --listen localhost:8080\n2019-12-12T15:17:06.551+0200 INFO Need to update DB\n2019-12-12T15:17:56.706+0200 INFO Reopening DB...\n2019-12-12T15:17:56.707+0200 INFO Listening localhost:8080...\n
If you want to accept connections from outside the host, you have to listen on 0.0.0.0 or your IP address, not localhost.
$ trivy server --listen 0.0.0.0:8080\n
"},{"location":"guide/references/modes/client-server/#remote-image-scan","title":"Remote image scan","text":"Then, specify the server address for the image command.
$ trivy image --server http://localhost:8080 alpine:3.10\n
Note: It's important to specify the protocol (http or https). Result alpine:3.10 (alpine 3.10.2)\n===========================\nTotal: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 2, HIGH: 0, CRITICAL: 0)\n\n+---------+------------------+----------+-------------------+---------------+\n| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |\n+---------+------------------+----------+-------------------+---------------+\n| openssl | CVE-2019-1549 | MEDIUM | 1.1.1c-r0 | 1.1.1d-r0 |\n+ +------------------+ + + +\n| | CVE-2019-1563 | | | |\n+ +------------------+----------+ + +\n| | CVE-2019-1547 | LOW | | |\n+---------+------------------+----------+-------------------+---------------+\n
"},{"location":"guide/references/modes/client-server/#remote-scan-of-local-filesystem","title":"Remote scan of local filesystem","text":"You can also scan a local filesystem against the server:
$ trivy fs --server http://localhost:8080 --severity CRITICAL ./integration/testdata/fixtures/fs/pom/\n
Note: It's important to specify the protocol (http or https). Result pom.xml (pom)\n=============\nTotal: 24 (CRITICAL: 24)\n\n+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+\n| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |\n+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+\n| com.fasterxml.jackson.core:jackson-databind | CVE-2017-17485 | CRITICAL | 2.9.1 | 2.8.11, 2.9.4 | jackson-databind: Unsafe |\n| | | | | | deserialization due to |\n| | | | | | incomplete black list (incomplete |\n| | | | | | fix for CVE-2017-15095)... |\n| | | | | | -->avd.aquasec.com/nvd/cve-2017-17485 |\n+ +------------------+ + +--------------------------------+---------------------------------------+\n| | CVE-2018-11307 | | | 2.7.9.4, 2.8.11.2, 2.9.6 | jackson-databind: Potential |\n| | | | | | information exfiltration with |\n| | | | | | default typing, serialization |\n| | | | | | gadget from MyBatis |\n| | | | | | -->avd.aquasec.com/nvd/cve-2018-11307 |\n+ +------------------+ + +--------------------------------+---------------------------------------+\n| | CVE-2018-14718 | | | 2.6.7.2, 2.9.7 | jackson-databind: arbitrary code |\n| | | | | | execution in slf4j-ext class |\n| | | | | | -->avd.aquasec.com/nvd/cve-2018-14718 |\n+ +------------------+ + + +---------------------------------------+\n| | CVE-2018-14719 | | | | jackson-databind: arbitrary |\n| | | | | | code execution in blaze-ds-opt |\n| | | | | | and blaze-ds-core classes |\n| | | | | | -->avd.aquasec.com/nvd/cve-2018-14719 |\n+ +------------------+ + + +---------------------------------------+\n| | CVE-2018-14720 | | | | jackson-databind: exfiltration/XXE |\n| | | | | | in some JDK classes |\n| | | | | | -->avd.aquasec.com/nvd/cve-2018-14720 |\n+ 
+------------------+ + + +---------------------------------------+\n| | CVE-2018-14721 | | | | jackson-databind: server-side request |\n| | | | | | forgery (SSRF) in axis2-jaxws class |\n| | | | | | -->avd.aquasec.com/nvd/cve-2018-14721 |\n+ +------------------+ + +--------------------------------+---------------------------------------+\n| | CVE-2018-19360 | | | 2.6.7.3, 2.7.9.5, 2.8.11.3, | jackson-databind: improper |\n| | | | | 2.9.8 | polymorphic deserialization |\n| | | | | | in axis2-transport-jms class |\n| | | | | | -->avd.aquasec.com/nvd/cve-2018-19360 |\n+ +------------------+ + + +---------------------------------------+\n| | CVE-2018-19361 | | | | jackson-databind: improper |\n| | | | | | polymorphic deserialization |\n| | | | | | in openjpa class |\n| | | | | | -->avd.aquasec.com/nvd/cve-2018-19361 |\n+ +------------------+ + + +---------------------------------------+\n| | CVE-2018-19362 | | | | jackson-databind: improper |\n| | | | | | polymorphic deserialization |\n| | | | | | in jboss-common-core class |\n| | | | | | -->avd.aquasec.com/nvd/cve-2018-19362 |\n+ +------------------+ + +--------------------------------+---------------------------------------+\n| | CVE-2018-7489 | | | 2.7.9.3, 2.8.11.1, 2.9.5 | jackson-databind: incomplete fix |\n| | | | | | for CVE-2017-7525 permits unsafe |\n| | | | | | serialization via c3p0 libraries |\n| | | | | | -->avd.aquasec.com/nvd/cve-2018-7489 |\n+ +------------------+ + +--------------------------------+---------------------------------------+\n| | CVE-2019-14379 | | | 2.7.9.6, 2.8.11.4, 2.9.9.2 | jackson-databind: default |\n| | | | | | typing mishandling leading |\n| | | | | | to remote code execution |\n| | | | | | -->avd.aquasec.com/nvd/cve-2019-14379 |\n+ +------------------+ + +--------------------------------+---------------------------------------+\n| | CVE-2019-14540 | | | 2.9.10 | jackson-databind: |\n| | | | | | Serialization gadgets in |\n| | | | | | com.zaxxer.hikari.HikariConfig |\n| | | | | 
| -->avd.aquasec.com/nvd/cve-2019-14540 |\n+ +------------------+ + +--------------------------------+---------------------------------------+\n| | CVE-2019-14892 | | | 2.6.7.3, 2.8.11.5, 2.9.10 | jackson-databind: Serialization |\n| | | | | | gadgets in classes of the |\n| | | | | | commons-configuration package |\n| | | | | | -->avd.aquasec.com/nvd/cve-2019-14892 |\n+ +------------------+ + +--------------------------------+---------------------------------------+\n| | CVE-2019-14893 | | | 2.8.11.5, 2.9.10 | jackson-databind: |\n| | | | | | Serialization gadgets in |\n| | | | | | classes of the xalan package |\n| | | | | | -->avd.aquasec.com/nvd/cve-2019-14893 |\n+ +------------------+ + +--------------------------------+---------------------------------------+\n| | CVE-2019-16335 | | | 2.9.10 | jackson-databind: |\n| | | | | | Serialization gadgets in |\n| | | | | | com.zaxxer.hikari.HikariDataSource |\n| | | | | | -->avd.aquasec.com/nvd/cve-2019-16335 |\n+ +------------------+ + +--------------------------------+---------------------------------------+\n| | CVE-2019-16942 | | | 2.9.10.1 | jackson-databind: |\n| | | | | | Serialization gadgets in |\n| | | | | | org.apache.commons.dbcp.datasources.* |\n| | | | | | -->avd.aquasec.com/nvd/cve-2019-16942 |\n+ +------------------+ + + +---------------------------------------+\n| | CVE-2019-16943 | | | | jackson-databind: |\n| | | | | | Serialization gadgets in |\n| | | | | | com.p6spy.engine.spy.P6DataSource |\n| | | | | | -->avd.aquasec.com/nvd/cve-2019-16943 |\n+ +------------------+ + +--------------------------------+---------------------------------------+\n| | CVE-2019-17267 | | | 2.9.10 | jackson-databind: Serialization |\n| | | | | | gadgets in classes of |\n| | | | | | the ehcache package |\n| | | | | | -->avd.aquasec.com/nvd/cve-2019-17267 |\n+ +------------------+ + +--------------------------------+---------------------------------------+\n| | CVE-2019-17531 | | | 2.9.10.1 | jackson-databind: |\n| | | | | 
| Serialization gadgets in |\n| | | | | | org.apache.log4j.receivers.db.* |\n| | | | | | -->avd.aquasec.com/nvd/cve-2019-17531 |\n+ +------------------+ + +--------------------------------+---------------------------------------+\n| | CVE-2019-20330 | | | 2.8.11.5, 2.9.10.2 | jackson-databind: lacks |\n| | | | | | certain net.sf.ehcache blocking |\n| | | | | | -->avd.aquasec.com/nvd/cve-2019-20330 |\n+ +------------------+ + +--------------------------------+---------------------------------------+\n| | CVE-2020-8840 | | | 2.7.9.7, 2.8.11.5, 2.9.10.3 | jackson-databind: Lacks certain |\n| | | | | | xbean-reflect/JNDI blocking |\n| | | | | | -->avd.aquasec.com/nvd/cve-2020-8840 |\n+ +------------------+ + +--------------------------------+---------------------------------------+\n| | CVE-2020-9546 | | | 2.7.9.7, 2.8.11.6, 2.9.10.4 | jackson-databind: Serialization |\n| | | | | | gadgets in shaded-hikari-config |\n| | | | | | -->avd.aquasec.com/nvd/cve-2020-9546 |\n+ +------------------+ + + +---------------------------------------+\n| | CVE-2020-9547 | | | | jackson-databind: Serialization |\n| | | | | | gadgets in ibatis-sqlmap |\n| | | | | | -->avd.aquasec.com/nvd/cve-2020-9547 |\n+ +------------------+ + + +---------------------------------------+\n| | CVE-2020-9548 | | | | jackson-databind: Serialization |\n| | | | | | gadgets in anteros-core |\n| | | | | | -->avd.aquasec.com/nvd/cve-2020-9548 |\n+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+\n
"},{"location":"guide/references/modes/client-server/#remote-scan-of-root-filesystem","title":"Remote scan of root filesystem","text":"You can also scan a root filesystem against the server:
$ trivy rootfs --server http://localhost:8080 --severity CRITICAL /tmp/rootfs\n
Note: It's important to specify the protocol (http or https). Result /tmp/rootfs (alpine 3.10.2)\n\nTotal: 1 (CRITICAL: 1)\n\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 Library \u2502 Vulnerability \u2502 Severity \u2502 Installed Version \u2502 Fixed Version \u2502 Title \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 apk-tools \u2502 CVE-2021-36159 \u2502 CRITICAL \u2502 2.10.4-r2 \u2502 
2.10.7-r0 \u2502 libfetch before 2021-07-26, as used in apk-tools, xbps, and \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 other products, mishandles... \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2021-36159 \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n
"},{"location":"guide/references/modes/client-server/#remote-scan-of-git-repository","title":"Remote scan of git repository","text":"You can also scan a remote git repository against the server:
$ trivy repo https://github.com/knqyf263/trivy-ci-test --server http://localhost:8080 \n
Note: It's important to specify the protocol (http or https). Result Cargo.lock (cargo)\n==================\nTotal: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 2, CRITICAL: 0)\n\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 Library \u2502 Vulnerability \u2502 Severity \u2502 Installed Version \u2502 Fixed Version \u2502 Title 
\u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 ammonia \u2502 CVE-2019-15542 \u2502 HIGH \u2502 1.9.0 \u2502 2.1.0 \u2502 Uncontrolled recursion in ammonia \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2019-15542 \u2502\n\u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 \u2502 CVE-2021-38193 \u2502 MEDIUM \u2502 \u2502 2.1.3, 3.1.0 \u2502 An issue was discovered in the ammonia crate before 3.1.0 \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 for Rust.... 
\u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2021-38193 \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 smallvec \u2502 CVE-2019-15551 \u2502 \u2502 0.6.9 \u2502 0.6.10 \u2502 An issue was discovered in the smallvec crate before 0.6.10 \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 for Rust.... 
\u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2019-15551 \u2502\n\u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 \u2502 CVE-2018-25023 \u2502 HIGH \u2502 \u2502 0.6.13 \u2502 An issue was discovered in the smallvec crate before 0.6.13 \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 for Rust.... \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2018-25023 \u2502\n\u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 \u2502 GHSA-66p5-j55p-32r9 \u2502 MEDIUM \u2502 \u2502 \u2502 smallvec creates uninitialized value of any type \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://github.com/advisories/GHSA-66p5-j55p-32r9 
\u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n\nPipfile.lock (pipenv)\n=====================\nTotal: 8 (UNKNOWN: 0, LOW: 0, MEDIUM: 6, HIGH: 2, CRITICAL: 0)\n\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 Library \u2502 Vulnerability \u2502 Severity 
\u2502 Installed Version \u2502 Fixed Version \u2502 Title \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 celery \u2502 CVE-2021-23727 \u2502 HIGH \u2502 4.3.0 \u2502 5.2.2 \u2502 celery: stored command injection vulnerability may allow \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 privileges escalation \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2021-23727 \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 
\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 django \u2502 CVE-2019-6975 \u2502 \u2502 2.0.9 \u2502 1.11.19, 2.0.12, 2.1.7 \u2502 python-django: memory exhaustion in \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 django.utils.numberformat.format() \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2019-6975 \u2502\n\u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 \u2502 CVE-2019-3498 \u2502 MEDIUM \u2502 \u2502 1.11.18, 2.0.10, 2.1.5 \u2502 python-django: Content spoofing via URL path in default 404 \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 page \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2019-3498 \u2502\n\u2502 
\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 \u2502 CVE-2021-33203 \u2502 \u2502 \u2502 2.2.24, 3.1.12, 3.2.4 \u2502 django: Potential directory traversal via ``admindocs`` \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2021-33203 \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 urllib3 \u2502 CVE-2019-11324 \u2502 \u2502 1.24.1 \u2502 1.24.2 \u2502 python-urllib3: Certification mishandle when error should be \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 thrown \u2502\n\u2502 
\u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2019-11324 \u2502\n\u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 \u2502 CVE-2021-33503 \u2502 \u2502 \u2502 1.26.5 \u2502 python-urllib3: ReDoS in the parsing of authority part of \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 URL \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2021-33503 \u2502\n\u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 \u2502 CVE-2019-11236 \u2502 MEDIUM \u2502 \u2502 1.24.3 \u2502 python-urllib3: CRLF injection due to not encoding the \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 '\\r\\n' sequence leading to... 
\u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2019-11236 \u2502\n\u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 \u2502 CVE-2020-26137 \u2502 \u2502 \u2502 1.25.9 \u2502 python-urllib3: CRLF injection via HTTP request method \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2020-26137 \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n
"},{"location":"guide/references/modes/client-server/#authentication","title":"Authentication","text":"$ trivy server --listen localhost:8080 --token dummy\n
$ trivy image --server http://localhost:8080 --token dummy alpine:3.10\n
"},{"location":"guide/references/modes/client-server/#endpoints","title":"Endpoints","text":""},{"location":"guide/references/modes/client-server/#health","title":"Health","text":"Checks whether the Trivy server is running. Authentication is not required.
Example request:
curl -s 0.0.0.0:8080/healthz\nok\n
Returns the 200 OK status if the request was successful.
"},{"location":"guide/references/modes/client-server/#version","title":"Version","text":"Returns the version of the Trivy and all components (db, policy). Authentication is not required.
Example request:
curl -s 0.0.0.0:8080/version | jq\n{\n \"Version\": \"dev\",\n \"VulnerabilityDB\": {\n \"Version\": 2,\n \"NextUpdate\": \"2023-07-25T14:15:29.876639806Z\",\n \"UpdatedAt\": \"2023-07-25T08:15:29.876640206Z\",\n \"DownloadedAt\": \"2023-07-25T09:36:25.599004Z\"\n },\n \"JavaDB\": {\n \"Version\": 1,\n \"NextUpdate\": \"2023-07-28T01:03:52.169192565Z\",\n \"UpdatedAt\": \"2023-07-25T01:03:52.169192765Z\",\n \"DownloadedAt\": \"2023-07-25T09:37:48.906152Z\"\n },\n \"PolicyBundle\": {\n \"Digest\": \"sha256:829832357626da2677955e3b427191212978ba20012b6eaa03229ca28569ae43\",\n \"DownloadedAt\": \"2023-07-23T11:40:33.122462Z\"\n }\n}\n
Returns the 200 OK status if the request was successful.
"},{"location":"guide/references/modes/client-server/#architecture","title":"Architecture","text":" -
The checks bundle is also downloaded on the client side.\u00a0\u21a9
-
The scan result with masked secrets is sent to the server\u00a0\u21a9
"},{"location":"guide/references/modes/standalone/","title":"Standalone","text":"trivy image, trivy filesystem, and trivy repo works as standalone mode.
"},{"location":"guide/references/modes/standalone/#image","title":"Image","text":""},{"location":"guide/references/modes/standalone/#filesystem","title":"Filesystem","text":""},{"location":"guide/references/modes/standalone/#git-repository","title":"Git Repository","text":""},{"location":"guide/scanner/license/","title":"License Scanning","text":"Trivy scans any container image for license files and offers an opinionated view on the risk associated with the license.
Licenses are classified using the Google License Classification -
- Forbidden
- Restricted
- Reciprocal
- Notice
- Permissive
- Unencumbered
- Unknown
Tip
Licenses that Trivy fails to recognize are classified as UNKNOWN. As those licenses may be in violation, it is recommended to check those unknown licenses as well.
By default, Trivy scans licenses for packages installed by apk, apt-get, dnf, npm, pip, gem, etc. Check out the coverage document for details.
To enable extended license scanning, you can use --license-full. In addition to package licenses, Trivy scans source code files, Markdown documents, text files and LICENSE documents to identify license usage within the image or filesystem.
By default, Trivy only classifies licenses that are matched with a confidence level of 0.9 or more by the classifier. To configure the confidence level, you can use --license-confidence-level. This enables us to classify licenses that might be matched with a lower confidence level by the classifier.
Note
The full license scanning is expensive. It takes a while.
License scanning Image Rootfs Filesystem Repository SBOM Standard \u2705 \u2705 \u270512 \u270512 \u2705 Full (--license-full) \u2705 \u2705 \u2705 \u2705 - License checking classifies the identified licenses and maps the classification to severity.
Classification Severity Forbidden CRITICAL Restricted HIGH Reciprocal MEDIUM Notice LOW Permissive LOW Unencumbered LOW Unknown UNKNOWN"},{"location":"guide/scanner/license/#quick-start","title":"Quick start","text":"This section shows how to scan license in container image and filesystem.
"},{"location":"guide/scanner/license/#standard-scanning","title":"Standard scanning","text":"Specify an image name with --scanners license.
$ trivy image --scanners license --severity UNKNOWN,HIGH,CRITICAL alpine:3.15\n2022-07-13T17:28:39.526+0300 INFO License scanning is enabled\n\nOS Packages (license)\n=====================\nTotal: 6 (UNKNOWN: 0, HIGH: 6, CRITICAL: 0)\n\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 Package \u2502 License \u2502 Classification \u2502 Severity \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 alpine-baselayout \u2502 GPL-2.0 \u2502 Restricted \u2502 HIGH \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u2502 \u2502\n\u2502 apk-tools \u2502 \u2502 \u2502 \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u2502 \u2502\n\u2502 busybox \u2502 \u2502 \u2502 \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u2502 \u2502\n\u2502 musl-utils \u2502 \u2502 \u2502 \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u2502 \u2502\n\u2502 scanelf \u2502 \u2502 \u2502 
\u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u2502 \u2502\n\u2502 ssl_client \u2502 \u2502 \u2502 \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n
"},{"location":"guide/scanner/license/#full-scanning","title":"Full scanning","text":"Specify --license-full
$ trivy image --scanners license --severity UNKNOWN,HIGH,CRITICAL --license-full grafana/grafana\n2022-07-13T17:48:40.905+0300 INFO Full license scanning is enabled\n\nOS Packages (license)\n=====================\nTotal: 20 (UNKNOWN: 9, HIGH: 11, CRITICAL: 0)\n\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 Package \u2502 License \u2502 Classification \u2502 Severity \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 alpine-baselayout \u2502 GPL-2.0 \u2502 Restricted \u2502 HIGH \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u2502 \u2502\n\u2502 apk-tools \u2502 \u2502 \u2502 \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u2502\n\u2502 bash \u2502 GPL-3.0 \u2502 \u2502 
\u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 keyutils-libs \u2502 GPL-2.0 \u2502 Restricted \u2502 HIGH \u2502\n\u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 \u2502 LGPL-2.0-or-later \u2502 Non Standard \u2502 UNKNOWN \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u2502\n\u2502 libaio \u2502 LGPL-2.1-or-later \u2502 \u2502 \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 libcom_err \u2502 GPL-2.0 \u2502 Restricted \u2502 HIGH \u2502\n\u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 
\u2502 LGPL-2.0-or-later \u2502 Non Standard \u2502 UNKNOWN \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 tzdata \u2502 Public-Domain \u2502 Non Standard \u2502 UNKNOWN \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n\nLoose File License(s) (license)\n===============================\nTotal: 6 (UNKNOWN: 4, HIGH: 0, CRITICAL: 2)\n\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 Classification \u2502 Severity \u2502 License \u2502 File Location 
\u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 Forbidden \u2502 CRITICAL \u2502 AGPL-3.0 \u2502 /usr/share/grafana/LICENSE \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 Non Standard \u2502 UNKNOWN \u2502 BSD-0-Clause \u2502 /usr/share/grafana/public/build/5069.d6aae9dd11d49c741a80.j- \u2502\n\u2502 \u2502 \u2502 \u2502 s.LICENSE.txt \u2502\n\u2502 \u2502 \u2502 
\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 \u2502 \u2502 \u2502 /usr/share/grafana/public/build/6444.d6aae9dd11d49c741a80.j- \u2502\n\u2502 \u2502 \u2502 \u2502 s.LICENSE.txt \u2502\n\u2502 \u2502 \u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 \u2502 \u2502 \u2502 /usr/share/grafana/public/build/7889.d6aae9dd11d49c741a80.j- \u2502\n\u2502 \u2502 \u2502 \u2502 s.LICENSE.txt \u2502\n\u2502 \u2502 \u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 \u2502 \u2502 \u2502 /usr/share/grafana/public/build/canvasPanel.d6aae9dd11d49c7- \u2502\n\u2502 \u2502 \u2502 \u2502 41a80.js.LICENSE.txt 
\u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n
"},{"location":"guide/scanner/license/#configuration","title":"Configuration","text":"Trivy has a number of configuration flags for use with license scanning:
"},{"location":"guide/scanner/license/#ignored-licenses","title":"Ignored Licenses","text":"Trivy license scanning can ignore licenses that are identified to explicitly remove them from the results using the --ignored-licenses flag;
$ trivy image --scanners license --ignored-licenses MPL-2.0,MIT --severity HIGH grafana/grafana:latest\n2022-07-13T18:15:28.605Z INFO License scanning is enabled\n\nOS Packages (license)\n=====================\nTotal: 2 (HIGH: 2, CRITICAL: 0)\n\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 Package \u2502 License \u2502 Classification \u2502 Severity \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 alpine-baselayout \u2502 GPL-2.0 \u2502 Restricted \u2502 HIGH \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u2502 \u2502\n\u2502 ssl_client \u2502 \u2502 \u2502 \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n
"},{"location":"guide/scanner/license/#configuring-classifier-confidence-level","title":"Configuring Classifier Confidence Level","text":"You can use the --license-confidence-level flag to adjust the confidence level between 0.0 to 1.0 (default 0.9). For example, when you run the scanner with the default confidence level on SPDX license list data, it is able to detect only 258 licenses.
$ trivy fs --scanners license --license-full <path/to/spdx/list/data>\n2023-04-18T10:05:13.601-0700 INFO Full license scanning is enabled\n\nLoose File License(s) (license)\n===============================\nTotal: 258 (UNKNOWN: 70, LOW: 90, MEDIUM: 18, HIGH: 58, CRITICAL: 22)\n
However, by configuring the confidence level to 0.8, the scanner is now able to detect 282 licenses.
$ trivy fs --scanners license --license-full --license-confidence-level 0.8 <path/to/spdx/list/data>\n2023-04-18T10:21:39.637-0700 INFO Full license scanning is enabled\n\nLoose File License(s) (license)\n===============================\nTotal: 282 (UNKNOWN: 81, LOW: 97, MEDIUM: 24, HIGH: 58, CRITICAL: 22)\n
"},{"location":"guide/scanner/license/#custom-classification","title":"Custom Classification","text":"You can generate the default config by the --generate-default-config flag and customize the license classification. For example, if you want to forbid only AGPL-3.0, you can leave it under forbidden and move other licenses to another classification.
$ trivy image --generate-default-config\n$ vim trivy.yaml\nlicense:\n forbidden:\n - AGPL-3.0\n\n restricted:\n - AGPL-1.0\n - CC-BY-NC-1.0\n - CC-BY-NC-2.0\n - CC-BY-NC-2.5\n - CC-BY-NC-3.0\n - CC-BY-NC-4.0\n - CC-BY-NC-ND-1.0\n - CC-BY-NC-ND-2.0\n - CC-BY-NC-ND-2.5\n - CC-BY-NC-ND-3.0\n - CC-BY-NC-ND-4.0\n - CC-BY-NC-SA-1.0\n - CC-BY-NC-SA-2.0\n - CC-BY-NC-SA-2.5\n - CC-BY-NC-SA-3.0\n - CC-BY-NC-SA-4.0\n - Commons-Clause\n - Facebook-2-Clause\n - Facebook-3-Clause\n - Facebook-Examples\n - WTFPL\n - BCL\n - CC-BY-ND-1.0\n - CC-BY-ND-2.0\n - CC-BY-ND-2.5\n - CC-BY-ND-3.0\n - CC-BY-ND-4.0\n - CC-BY-SA-1.0\n - CC-BY-SA-2.0\n - CC-BY-SA-2.5\n - CC-BY-SA-3.0\n - CC-BY-SA-4.0\n - GPL-1.0\n - GPL-2.0\n - GPL-2.0-with-autoconf-exception\n - GPL-2.0-with-bison-exception\n - GPL-2.0-with-classpath-exception\n - GPL-2.0-with-font-exception\n - GPL-2.0-with-GCC-exception\n - GPL-3.0\n - GPL-3.0-with-autoconf-exception\n - GPL-3.0-with-GCC-exception\n - LGPL-2.0\n - LGPL-2.1\n - LGPL-3.0\n - NPL-1.0\n - NPL-1.1\n - OSL-1.0\n - OSL-1.1\n - OSL-2.0\n - OSL-2.1\n - OSL-3.0\n - QPL-1.0\n - Sleepycat\n\n reciprocal:\n - APSL-1.0\n - APSL-1.1\n - APSL-1.2\n - APSL-2.0\n - CDDL-1.0\n - CDDL-1.1\n - CPL-1.0\n - EPL-1.0\n - EPL-2.0\n - FreeImage\n - IPL-1.0\n - MPL-1.0\n - MPL-1.1\n - MPL-2.0\n - Ruby\n\n notice:\n - AFL-1.1\n - AFL-1.2\n - AFL-2.0\n - AFL-2.1\n - AFL-3.0\n - Apache-1.0\n - Apache-1.1\n - Apache-2.0\n - Artistic-1.0-cl8\n - Artistic-1.0-Perl\n - Artistic-1.0\n - Artistic-2.0\n - BSL-1.0\n - BSD-2-Clause-FreeBSD\n - BSD-2-Clause-NetBSD\n - BSD-2-Clause\n - BSD-3-Clause-Attribution\n - BSD-3-Clause-Clear\n - BSD-3-Clause-LBNL\n - BSD-3-Clause\n - BSD-4-Clause\n - BSD-4-Clause-UC\n - BSD-Protection\n - CC-BY-1.0\n - CC-BY-2.0\n - CC-BY-2.5\n - CC-BY-3.0\n - CC-BY-4.0\n - FTL\n - ISC\n - ImageMagick\n - Libpng\n - Lil-1.0\n - Linux-OpenIB\n - LPL-1.02\n - LPL-1.0\n - MS-PL\n - MIT\n - NCSA\n - OpenSSL\n - PHP-3.01\n - PHP-3.0\n - PIL\n - Python-2.0\n - 
Python-2.0-complete\n - PostgreSQL\n - SGI-B-1.0\n - SGI-B-1.1\n - SGI-B-2.0\n - Unicode-DFS-2015\n - Unicode-DFS-2016\n - Unicode-TOU\n - UPL-1.0\n - W3C-19980720\n - W3C-20150513\n - W3C\n - X11\n - Xnet\n - Zend-2.0\n - zlib-acknowledgement\n - Zlib\n - ZPL-1.1\n - ZPL-2.0\n - ZPL-2.1\n\n unencumbered:\n - CC0-1.0\n - Unlicense\n - 0BSD\n\n permissive: []\n
"},{"location":"guide/scanner/license/#text-licenses","title":"Text licenses","text":"By default, Trivy categorizes a license as UNKNOWN if it cannot determine the license name from the license text.
To define a category for a text license, you need to add license with the text:// prefix to license classification. For example:
license:\n forbidden:\n - \"text://Text of Apache Software Foundation License\"\n
But a text license can be large. So for these cases, Trivy supports using regex in license classification. For example:
license:\n forbidden:\n - \"text://.* Apache Software .*\"\n
Note
regex is only used for text licenses and can't be used to configure license IDs.
"},{"location":"guide/scanner/license/#enabling-a-subset-of-package-types","title":"Enabling a Subset of Package Types","text":"It's possible to only enable certain package types if you prefer. You can do so by passing the --pkg-types option. This flag takes a comma-separated list of package types.
Available values:
- os
- Scan OS packages managed by the OS package manager (e.g.
dpkg, yum, apk).
- library
- Scan language-specific packages (e.g. packages installed by
pip, npm, or gem).
$ trivy image --pkg-types os ruby:2.4.0\n
-
See the list of supported language files here.\u00a0\u21a9\u21a9
-
Some lock files require additional files (e.g. files from the cache directory) to detect licenses. Check coverage for more information.\u00a0\u21a9\u21a9
"},{"location":"guide/scanner/secret/","title":"Secret Scanning","text":"Trivy scans any container image, filesystem, and git repository to detect exposed secrets like passwords, API keys, and tokens. Secret scanning is enabled by default.
Trivy will scan every plaintext file, according to builtin rules or configuration. Also, Trivy can detect secrets in compiled Python files (.pyc).
There are plenty of builtin rules:
- AWS access key
- GCP service account
- GitHub personal access token
- GitLab personal access token
- Slack access token
- etc.
You can see a full list of built-in rules and built-in allow rules.
Tip
If your secret is not detected properly, please make sure that your file including the secret is not in the allowed paths. You can disable allow rules via disable-allow-rules.
"},{"location":"guide/scanner/secret/#quick-start","title":"Quick start","text":"This section shows how to scan secrets in container image and filesystem. Other subcommands should be the same.
"},{"location":"guide/scanner/secret/#container-image","title":"Container image","text":"Specify an image name.
$ trivy image myimage:1.0.0\n2022-04-21T18:56:44.099+0300 INFO Detected OS: alpine\n2022-04-21T18:56:44.099+0300 INFO Detecting Alpine vulnerabilities...\n2022-04-21T18:56:44.101+0300 INFO Number of language-specific files: 0\n\nmyimage:1.0.0 (alpine 3.15.0)\n=============================\nTotal: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)\n\n+--------------+------------------+----------+-------------------+---------------+---------------------------------------+\n| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |\n+--------------+------------------+----------+-------------------+---------------+---------------------------------------+\n| busybox | CVE-2022-28391 | CRITICAL | 1.34.1-r3 | 1.34.1-r5 | CVE-2022-28391 affecting |\n| | | | | | package busybox 1.35.0 |\n| | | | | | -->avd.aquasec.com/nvd/cve-2022-28391 |\n+--------------+------------------| |-------------------+---------------+---------------------------------------+\n| ssl_client | CVE-2022-28391 | | 1.34.1-r3 | 1.34.1-r5 | CVE-2022-28391 affecting |\n| | | | | | package busybox 1.35.0 |\n| | | | | | -->avd.aquasec.com/nvd/cve-2022-28391 |\n+--------------+------------------+----------+-------------------+---------------+---------------------------------------+\n\napp/secret.sh (secrets)\n=======================\nTotal: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)\n\n+----------+-------------------+----------+---------+--------------------------------+\n| CATEGORY | DESCRIPTION | SEVERITY | LINE NO | MATCH |\n+----------+-------------------+----------+---------+--------------------------------+\n| AWS | AWS Access Key ID | CRITICAL | 10 | export AWS_ACCESS_KEY_ID=***** |\n+----------+-------------------+----------+---------+--------------------------------+\n
Tip
Trivy tries to detect a base image and skip those layers for secret scanning. A base image usually contains a lot of files and makes secret scanning much slower. If a secret is not detected properly, you can see base layers with the --debug flag.
"},{"location":"guide/scanner/secret/#filesystem","title":"Filesystem","text":"$ trivy fs /path/to/your_project\n...(snip)...\n\ncerts/key.pem (secrets)\n========================\nTotal: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)\n\n+----------------------+------------------------+----------+---------+---------------------------------+\n| CATEGORY | DESCRIPTION | SEVERITY | LINE NO | MATCH |\n+----------------------+------------------------+----------+---------+---------------------------------+\n| AsymmetricPrivateKey | Asymmetric Private Key | HIGH | 1 | -----BEGIN RSA PRIVATE KEY----- |\n+----------------------+------------------------+----------+---------+---------------------------------+\n
Tip
Your project may have some secrets for testing. You can skip them with --skip-dirs or --skip-files. We would recommend specifying these options so that the secret scanning can be faster if those files don't need to be scanned. Also, you can specify paths to be allowed in a configuration file. See the detail here.
"},{"location":"guide/scanner/secret/#configuration","title":"Configuration","text":"This section describes secret-specific configuration. Other common options are documented here.
Trivy has a set of builtin rules for secret scanning, which can be extended or modified by a configuration file. Trivy tries to load trivy-secret.yaml in the current directory by default. If the file doesn't exist, only built-in rules are used. You can customize the config file path via the --secret-config flag.
Warning
Trivy uses Golang regexp package. To use ^ and $ as symbols of begin and end of line use multi-line mode -(?m).
"},{"location":"guide/scanner/secret/#custom-rules","title":"Custom Rules","text":"Trivy allows defining custom rules.
rules:\n - id: rule1\n category: general\n title: Generic Rule\n severity: HIGH\n path: .*\\.sh\n keywords:\n - secret\n regex: (?i)(?P<key>(secret))(=|:).{0,5}['\"](?P<secret>[0-9a-zA-Z\\-_=]{8,64})['\"]\n secret-group-name: secret\n allow-rules:\n - id: skip-text\n description: skip text files\n path: .*\\.txt\n
id (required) - Unique identifier for this rule.
category (required) - String used for metadata and reporting purposes.
title (required) - Short human-readable title of the rule.
severity (required) - How critical this rule is.
- Allowed values:
- CRITICAL
- HIGH
- MEDIUM
- LOW
regex (required) - Golang regular expression used to detect secrets.
path (optional) - Golang regular expression used to match paths.
keywords (optional, recommended) - Keywords are used for pre-regex check filtering.
- Rules that contain keywords will perform a quick string compare check to make sure the keyword(s) are in the content being scanned.
- Ideally these values should either be part of the identifier or unique strings specific to the rule's regex.
- It is recommended to define for better performance.
allow-rules (optional) - Allow rules for a single rule to reduce false positives with known secrets.
- The details are below.
"},{"location":"guide/scanner/secret/#allow-rules","title":"Allow Rules","text":"If the detected secret is matched with the specified regex, then that secret will be skipped and not detected. The same logic applies for path.
allow-rules can be defined globally and per each rule. The fields are the same.
rules:\n - id: rule1\n category: general\n title: Generic Rule\n severity: HIGH\n regex: (?i)(?P<key>(secret))(=|:).{0,5}['\"](?P<secret>[0-9a-zA-Z\\-_=]{8,64})['\"]\n allow-rules:\n - id: skip-text\n description: skip text files\n path: .*\\.txt\nallow-rules:\n - id: social-security-number\n description: skip social security number\n regex: 219-09-9999\n
id (required) - Unique identifier for this allow rule.
description (optional) - Short human-readable description of this allow rule.
regex (optional) - Golang regular expression used to allow detected secrets.
regex or path must be specified.
path (optional) - Golang regular expression used to allow matched paths.
regex or path must be specified.
"},{"location":"guide/scanner/secret/#enable-rules","title":"Enable Rules","text":"Trivy provides plenty of out-of-box rules and allow rules, but you may not need all of them. In that case, enable-builtin-rules will be helpful. If you just need AWS secret detection, you can enable only relevant rules as shown below. It specifies AWS-related rule IDs in enable-builtin-rules. All other rules are disabled, so the scanning will be much faster. We would strongly recommend using this option if you don't need all rules.
You can see a full list of built-in rule IDs and built-in allow rule IDs.
enable-builtin-rules:\n - aws-access-key-id\n - aws-account-id\n - aws-secret-access-key\n
"},{"location":"guide/scanner/secret/#disable-rules","title":"Disable Rules","text":"Trivy offers built-in rules and allow rules, but you may want to disable some of them. For example, you don't use Slack, so Slack doesn't have to be scanned. You can specify the Slack rule IDs, slack-access-token and slack-web-hook in disable-rules so that those rules will be disabled for less false positives.
You should specify either enable-builtin-rules or disable-rules. If they both are specified, disable-rules takes precedence. In case github-pat is specified in enable-builtin-rules and disable-rules, it will be disabled.
In addition, there are some allow rules. Markdown files are ignored by default, but you may want to scan markdown files as well. You can disable the allow rule by adding markdown to disable-allow-rules.
You can see a full list of built-in rule IDs and built-in allow rule IDs.
disable-rules:\n - slack-access-token\n - slack-web-hook\ndisable-allow-rules:\n - markdown\n
"},{"location":"guide/scanner/secret/#recommendation","title":"Recommendation","text":"We would recommend specifying --skip-dirs for faster secret scanning. In container image scanning, Trivy walks the file tree rooted at / and scans all the files other than built-in allowed paths. It will take a while if your image contains a lot of files even though Trivy tries to avoid scanning layers from a base image. If you want to make scanning faster, --skip-dirs and --skip-files helps so that Trivy will skip scanning those files and directories. You can see more options here.
allow-rules is also helpful. See the allow-rules section.
In addition, all the built-in rules are enabled by default, so it takes some time to scan all of them. If you don't need all those rules, you can use enable-builtin-rules or disable-rules in the configuration file. You should use enable-builtin-rules if you need only AWS secret detection, for example. All rules are disabled except for the ones you specify, so it runs very fast. On the other hand, you should use disable-rules if you just want to disable some built-in rules. See the enable-rules and disable-rules sections for the detail.
If you don't need secret scanning, you can disable it via the --scanners flag.
$ trivy image --scanners vuln alpine:3.15\n
"},{"location":"guide/scanner/secret/#example","title":"Example","text":"trivy-secret.yaml in the working directory is loaded by default.
$ cat trivy-secret.yaml\nrules:\n - id: rule1\n category: general\n title: Generic Rule\n severity: HIGH\n regex: (?i)(?P<key>(secret))(=|:).{0,5}['\"](?P<secret>[0-9a-zA-Z\\-_=]{8,64})['\"]\nallow-rules:\n - id: social-security-number\n description: skip social security number\n regex: 219-09-9999\n - id: log-dir\n description: skip log directory\n path: ^\\/var\\/log\\/\ndisable-rules:\n - slack-access-token\n - slack-web-hook\ndisable-allow-rules:\n - markdown\n\n# The following command automatically loads the above configuration.\n$ trivy image YOUR_IMAGE\n
Also, you can customize the config file path via --secret-config.
$ cat ./secret-config/trivy.yaml\nrules:\n - id: rule1\n category: general\n title: Generic Rule\n severity: HIGH\n regex: (?i)(?P<key>(secret))(=|:).{0,5}['\"](?P<secret>[0-9a-zA-Z\\-_=]{8,64})['\"]\n allow-rules:\n - id: skip-text\n description: skip text files\n path: .*\\.txt\nenable-builtin-rules:\n - aws-access-key-id\n - aws-account-id\n - aws-secret-access-key\ndisable-allow-rules:\n - usr-dirs\n\n# Pass the above config with `--secret-config`.\n$ trivy fs --secret-config ./secret-config/trivy.yaml /path/to/your_project\n
"},{"location":"guide/scanner/secret/#credit","title":"Credit","text":"This feature is inspired by gitleaks.
"},{"location":"guide/scanner/vulnerability/","title":"Vulnerability Scanning","text":"Trivy detects known vulnerabilities in software components that it finds in the scan target.
The following are supported:
- OS packages
- Language-specific packages
- Non-packaged software
- Kubernetes components
"},{"location":"guide/scanner/vulnerability/#os-packages","title":"OS Packages","text":"Trivy is capable of automatically detecting installed OS packages when scanning container images, VM images and running hosts.
Note
Trivy doesn't support third-party/self-compiled packages/binaries, only official packages provided by vendors such as Red Hat and Debian.
"},{"location":"guide/scanner/vulnerability/#supported-os","title":"Supported OS","text":"See here for the supported OSes.
"},{"location":"guide/scanner/vulnerability/#data-sources","title":"Data Sources","text":"OS Source Arch Linux Vulnerable Issues Alpine Linux secdb Wolfi Linux secdb Chainguard secdb MinimOS secdb Amazon Linux Amazon Linux Security Center Echo Echo Debian Security Bug Tracker / OVAL Ubuntu Ubuntu CVE Tracker RHEL/CentOS OVAL / Security Data AlmaLinux AlmaLinux Product Errata Rocky Linux Rocky Linux UpdateInfo Oracle Linux OVAL Azure Linux (CBL-Mariner) OVAL OpenSUSE/SLES CVRF Photon OS Photon Security Advisory Root.io Root.io Patch Feed Seal Security Seal Security vulnerability feed"},{"location":"guide/scanner/vulnerability/#data-source-selection","title":"Data Source Selection","text":"Trivy only consumes security advisories from the sources listed in the above table.
As for packages installed from OS package managers (dpkg, yum, apk, etc.), Trivy uses the advisory database from the appropriate OS vendor.
For example, for a Python package installed from yum on Amazon Linux, Trivy will only get advisories from ALAS. But for a Python package installed from another source (e.g. pip), Trivy will get advisories from the GitLab and GitHub databases.
This advisory selection is essential to avoid getting false positives because OS vendors usually backport upstream fixes, and the fixed version can be different from the upstream fixed version.
"},{"location":"guide/scanner/vulnerability/#severity-selection","title":"Severity Selection","text":"The severity is taken from the selected data source since the severity from vendors is more accurate. Using CVE-2023-0464 as an example, while it is rated as \"HIGH\" in NVD, Red Hat has marked its 'Impact' as \"Low\". As a result, Trivy will display it as \"Low\".
The severity depends on compile options, the default configuration, etc. NVD doesn't know how the vendor distributes the software, so Red Hat can evaluate the severity more accurately. That's why Trivy prefers vendor scores over NVD.
If the data source does not provide a severity, the severity is determined based on the CVSS score as follows:
| Base Score Range | Severity |\n|---|---|\n| 0.1-3.9 | Low |\n| 4.0-6.9 | Medium |\n| 7.0-8.9 | High |\n| 9.0-10.0 | Critical |\nIf the CVSS score is also not provided, it falls back to NVD.
NVD and some vendors may delay severity analysis, while other vendors, such as Red Hat, are able to quickly evaluate and announce the severity of vulnerabilities. To avoid marking too many vulnerabilities as \"UNKNOWN\" severity, Trivy uses severity ratings from other vendors when the NVD information is not yet available. The order of preference for vendor severity data can be found here.
You can reference SeveritySource in the JSON reporting format to see from where the severity is taken for a given vulnerability.
\"SeveritySource\": \"debian\",\n
In addition, you can see all the vendor severity ratings.
\"VendorSeverity\": {\n \"amazon\": 2,\n \"cbl-mariner\": 4,\n \"ghsa\": 4,\n \"nvd\": 4,\n \"photon\": 4,\n \"redhat\": 2,\n \"ubuntu\": 2\n}\n
Here is the severity mapping in Trivy:
| Number | Severity |\n|---|---|\n| 0 | Unknown |\n| 1 | Low |\n| 2 | Medium |\n| 3 | High |\n| 4 | Critical |\nIf no vendor has a severity, the UNKNOWN severity will be used.
"},{"location":"guide/scanner/vulnerability/#unfixed-vulnerabilities","title":"Unfixed Vulnerabilities","text":"The unfixed/unfixable vulnerabilities mean that the patch has not yet been provided on their distribution. To hide unfixed/unfixable vulnerabilities, you can use the --ignore-unfixed flag.
"},{"location":"guide/scanner/vulnerability/#language-specific-packages","title":"Language-specific Packages","text":""},{"location":"guide/scanner/vulnerability/#supported-languages","title":"Supported Languages","text":"See here for the supported languages.
"},{"location":"guide/scanner/vulnerability/#langpkg-data-sources","title":"Data Sources","text":"Language Source Commercial Use Delay1 PHP PHP Security Advisories Database \u2705 - GitHub Advisory Database (Composer) \u2705 - Python GitHub Advisory Database (pip) \u2705 - Ruby Ruby Advisory Database \u2705 - GitHub Advisory Database (RubyGems) \u2705 - Node.js Ecosystem Security Working Group \u2705 - GitHub Advisory Database (npm) \u2705 - Java GitHub Advisory Database (Maven) \u2705 - Go GitHub Advisory Database (Go) \u2705 - Go Vulnerability Database \u2705 - Rust Open Source Vulnerabilities (crates.io) \u2705 - .NET GitHub Advisory Database (NuGet) \u2705 - C/C++ GitLab Advisories Community \u2705 1 month Dart GitHub Advisory Database (Pub) \u2705 - Elixir GitHub Advisory Database (Erlang) \u2705 - Swift GitHub Advisory Database (Swift) \u2705 -"},{"location":"guide/scanner/vulnerability/#non-packaged-software","title":"Non-packaged software","text":"If you have software that is not managed by a package manager, Trivy can still detect vulnerabilities in it in some cases:
- Using SBOM from Sigstore Rekor
- Go Binaries with embedded module information
- Rust Binaries with embedded information
- SBOM embedded in container images
"},{"location":"guide/scanner/vulnerability/#detection-behavior","title":"Detection Behavior","text":"Trivy prioritizes precision in vulnerability detection, aiming to minimize false positives while potentially accepting some false negatives. This approach is particularly relevant in two key areas:
- Handling Software Installed via OS Packages
- Handling Packages with Unspecified Versions
Trivy can also restrict detection to specific packages:
- Subset of Package Types
- Specific Package Relationships
"},{"location":"guide/scanner/vulnerability/#handling-software-installed-via-os-packages","title":"Handling Software Installed via OS Packages","text":"For files installed by OS package managers, such as apt, Trivy exclusively uses advisories from the OS vendor. This means that even if a JAR file is present in a container image, if it was installed via an OS package manager (e.g., apt), Trivy will not analyze the JAR file itself and use upstream security advisories.
For example, consider the Python requests package in Red Hat Universal Base Image 8:
[root@987ee49dc93d /]# head -n 3 /usr/lib/python3.6/site-packages/requests-2.20.0-py3.6.egg-info/PKG-INFO\nMetadata-Version: 2.1\nName: requests\nVersion: 2.20.0\n
Version 2.20.0 is installed, and the package was installed by dnf:
[root@987ee49dc93d /]# rpm -ql python3-requests | grep PKG-INFO\n/usr/lib/python3.6/site-packages/requests-2.20.0-py3.6.egg-info/PKG-INFO\n
At first glance, this might seem vulnerable to CVE-2023-32681, which affects versions of requests prior to v2.31.0. However, Red Hat backported the fix to v2.20.0-3 in RHSA-2023:4520, and the package is not vulnerable.
- Upstream (PyPI requests): Fixed in v2.31.0
- Red Hat (python-requests): Backported fix applied in v2.20.0-3 (RHSA-2023:4520)
If Trivy were to detect CVE-2023-32681 in this case, it would be a false positive. This illustrates why using the correct security advisory is crucial to avoid false detections. To minimize false positives, Trivy trusts the OS vendor's advisory for software installed via OS package managers and does not use upstream advisories for these packages.
However, this approach may lead to false negatives if the OS vendor's advisories are delayed or missing. In such cases, using --detection-priority comprehensive allows Trivy to consider upstream advisories (e.g., GitHub Advisory Database), potentially increasing false positives but reducing false negatives.
"},{"location":"guide/scanner/vulnerability/#handling-packages-with-unspecified-versions","title":"Handling Packages with Unspecified Versions","text":"When a package version cannot be uniquely determined (e.g., package-a: \">=3.0\"), Trivy typically skips vulnerability detection for that package to avoid false positives. If a lock file is present with fixed versions, Trivy will use those for detection.
To detect potential vulnerabilities even with unspecified versions, use --detection-priority comprehensive. This option makes Trivy use the minimum version in the specified range for vulnerability detection. While this may increase false positives if the actual version used is not the minimum, it helps reduce false negatives.
"},{"location":"guide/scanner/vulnerability/#package-detection","title":"Package Detection","text":"Vulnerability detection is based on package detection. This section describes the specifics of package detection, which also affect SBOM generation.
"},{"location":"guide/scanner/vulnerability/#detection-priority","title":"Detection Priority","text":"Trivy provides a --detection-priority flag to control the balance between false positives and false negatives in package/vulnerability detection. This concept is similar to the relationship between precision and recall in machine learning evaluation.
$ trivy image --detection-priority {precise|comprehensive} alpine:3.15\n
- precise: This mode prioritizes reducing false positives. It results in less noisy vulnerability reports but may miss some potential vulnerabilities.
- comprehensive: This mode aims to detect more vulnerabilities, potentially including some that might be false positives. It provides broader coverage but may increase the noise in the results.
The default value is precise. Also refer to the detection behavior section for more information.
Regardless of the chosen mode, user review of detected vulnerabilities is crucial:
- precise: Review thoroughly, considering potential missed vulnerabilities.
- comprehensive: Carefully investigate each reported vulnerability due to the increased false positive possibility.
"},{"location":"guide/scanner/vulnerability/#enabling-a-subset-of-package-types","title":"Enabling a Subset of Package Types","text":"It's possible to only enable certain package types if you prefer. You can do so by passing the --pkg-types option. This flag takes a comma-separated list of package types.
Available values:
- os: Scan OS packages managed by the OS package manager (e.g. dpkg, yum, apk).
- library: Scan language-specific packages (e.g. packages installed by pip, npm, or gem).
$ trivy image --pkg-types os ruby:2.4.0\n
Result 2019-05-22T19:36:50.530+0200 \u001b[34mINFO\u001b[0m Updating vulnerability database...\n2019-05-22T19:36:51.681+0200 \u001b[34mINFO\u001b[0m Detecting Alpine vulnerabilities...\n2019-05-22T19:36:51.685+0200 \u001b[34mINFO\u001b[0m Updating npm Security DB...\n2019-05-22T19:36:52.389+0200 \u001b[34mINFO\u001b[0m Detecting npm vulnerabilities...\n2019-05-22T19:36:52.390+0200 \u001b[34mINFO\u001b[0m Updating pipenv Security DB...\n2019-05-22T19:36:53.406+0200 \u001b[34mINFO\u001b[0m Detecting pipenv vulnerabilities...\n\nruby:2.4.0 (debian 8.7)\n=======================\nTotal: 7 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 3, CRITICAL: 2)\n\n+---------+------------------+----------+-------------------+---------------+----------------------------------+\n| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |\n+---------+------------------+----------+-------------------+---------------+----------------------------------+\n| curl | CVE-2018-14618 | CRITICAL | 7.61.0-r0 | 7.61.1-r0 | curl: NTLM password overflow |\n| | | | | | via integer overflow |\n+ +------------------+----------+ +---------------+----------------------------------+\n| | CVE-2018-16839 | HIGH | | 7.61.1-r1 | curl: Integer overflow leading |\n| | | | | | to heap-based buffer overflow in |\n| | | | | | Curl_sasl_create_plain_message() |\n+---------+------------------+----------+-------------------+---------------+----------------------------------+\n| git | CVE-2018-17456 | HIGH | 2.15.2-r0 | 2.15.3-r0 | git: arbitrary code execution |\n| | | | | | via .gitmodules |\n+ +------------------+ + + +----------------------------------+\n| | CVE-2018-19486 | | | | git: Improper handling of |\n| | | | | | PATH allows for commands to be |\n| | | | | | executed from... 
|\n+---------+------------------+----------+-------------------+---------------+----------------------------------+\n| libssh2 | CVE-2019-3855 | CRITICAL | 1.8.0-r2 | 1.8.1-r0 | libssh2: Integer overflow in |\n| | | | | | transport read resulting in |\n| | | | | | out of bounds write... |\n+---------+------------------+----------+-------------------+---------------+----------------------------------+\n| sqlite | CVE-2018-20346 | MEDIUM | 3.21.0-r1 | 3.25.3-r0 | CVE-2018-20505 CVE-2018-20506 |\n| | | | | | sqlite: Multiple flaws in |\n| | | | | | sqlite which can be triggered |\n| | | | | | via... |\n+---------+------------------+----------+-------------------+---------------+----------------------------------+\n| tar | CVE-2018-20482 | LOW | 1.29-r1 | 1.31-r0 | tar: Infinite read loop in |\n| | | | | | sparse_dump_region function in |\n| | | | | | sparse.c |\n+---------+------------------+----------+-------------------+---------------+----------------------------------+\n
Info
This flag filters the packages themselves, so it also affects the list of detected packages in JSON reports and SBOM generation.
"},{"location":"guide/scanner/vulnerability/#filtering-by-package-relationships","title":"Filtering by Package Relationships","text":"Trivy supports filtering vulnerabilities based on the relationship of packages within a project. This is achieved through the --pkg-relationships flag. This feature allows you to focus on vulnerabilities in specific types of dependencies, such as only those in direct dependencies.
In Trivy, there are four types of package relationships:
- root: The root package being scanned
- workspace: Workspaces of the root package (currently only pom.xml, yarn.lock and cargo.lock files are supported)
- direct: Direct dependencies of the root/workspace package
- indirect: Transitive dependencies
- unknown: Packages whose relationship cannot be determined
The available relationships may vary depending on the ecosystem. To see which relationships are supported for a particular project, you can use the JSON output format and check the Relationship field:
$ trivy repo -f json /path/to/project\n
To scan only the root package and its direct dependencies, you can use the flag as follows:
$ trivy repo --pkg-relationships root,direct /path/to/project\n
By default, all relationships are included in the scan.
Info
This flag filters the packages themselves, so it also affects the list of detected packages in JSON reports and SBOM generation.
Warning
As it may not provide a complete package list, --pkg-relationships cannot be used with --dependency-tree, --vex or SBOM generation.
"},{"location":"guide/scanner/vulnerability/#kubernetes","title":"Kubernetes","text":"Trivy can detect vulnerabilities in Kubernetes clusters and components by scanning a Kubernetes Cluster, or a KBOM (Kubernetes bill of Material). To learn more, see the documentation for Kubernetes scanning.
"},{"location":"guide/scanner/vulnerability/#data-sources_1","title":"Data Sources","text":"Vendor Source Kubernetes Kubernetes Official CVE feed1"},{"location":"guide/scanner/vulnerability/#databases","title":"Databases","text":"The information from the above sources is collected and stored in databases that Trivy uses for vulnerability scanning. Trivy automatically fetches, maintains, and caches the relevant databases when performing a vulnerability scan For more information about Trivy's Databases mechanism and configurations, refer to the Databases document.
"},{"location":"guide/scanner/vulnerability/#configuration","title":"Configuration","text":"This section describes vulnerability-specific configuration. Other common options are documented here.
"},{"location":"guide/scanner/vulnerability/#overriding-os-version","title":"Overriding OS version","text":"By default, Trivy automatically detects the OS during container image scanning and performs vulnerability detection based on that OS. However, in some cases, you may want to scan an image with a different OS version than the one detected. Also, you may want to specify the OS version when OS is not detected. For these cases, Trivy supports a --distro flag using the <family>/<version> format (e.g. alpine/3.20) to set the desired OS version.
"},{"location":"guide/scanner/vulnerability/#severity-selection_1","title":"Severity selection","text":"By default, Trivy automatically detects severity (as described here). But there are cases when you may want to use your own source priority. Trivy supports the --vuln-severity-source flag for this.
Specify a list of sources, and Trivy will check them in that order until it finds a severity. If no source provides a severity, Trivy will use the UNKNOWN severity.
Note
To use the default logic in combination with your sources - use the auto value.
Example logic for the following vendor severity levels when scanning an Alpine image:
\"VendorSeverity\": {\n \"ghsa\": 3,\n \"nvd\": 4,\n}\n
- --vuln-severity-source auto,nvd - severity is CRITICAL, got from auto.
- --vuln-severity-source alpine,auto - severity is CRITICAL, got from auto.
- --vuln-severity-source alpine,ghsa - severity is HIGH, got from ghsa.
- --vuln-severity-source alpine,alma - severity is UNKNOWN.
- https://github.com/GoogleContainerTools/distroless
"},{"location":"guide/scanner/misconfiguration/","title":"Misconfiguration Scanning","text":"Trivy provides built-in checks to detect configuration issues in popular Infrastructure as Code files, such as: Docker, Kubernetes, Terraform, CloudFormation, and more. In addition to built-in checks, you can write your own custom checks, as you can see here.
"},{"location":"guide/scanner/misconfiguration/#quick-start","title":"Quick start","text":"Simply specify a directory containing IaC files such as Terraform, CloudFormation, Azure ARM templates, Helm Charts and Dockerfile.
$ trivy config [YOUR_IaC_DIRECTORY]\n
Example
$ ls build/\nDockerfile\n$ trivy config ./build\n2022-05-16T13:29:29.952+0100 INFO Detected config files: 1\n\nDockerfile (dockerfile)\n=======================\nTests: 23 (SUCCESSES: 22, FAILURES: 1)\nFailures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)\n\nMEDIUM: Specify a tag in the 'FROM' statement for image 'alpine'\n\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\nWhen using a 'FROM' statement you should use a specific tag to avoid uncontrolled behavior when the image is updated.\n\nSee 
https://avd.aquasec.com/misconfig/ds001\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\nDockerfile:1\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n1 [ FROM 
alpine:latest\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n
You can also enable misconfiguration detection in container image, filesystem and git repository scanning via --scanners misconfig.
$ trivy image --scanners misconfig IMAGE_NAME\n
$ trivy fs --scanners misconfig /path/to/dir\n
Note
Misconfiguration detection is not enabled by default in image, fs and repo subcommands.
Unlike the config subcommand, image, fs and repo subcommands can also scan for vulnerabilities and secrets at the same time. You can specify --scanners vuln,misconfig,secret to enable vulnerability and secret detection as well as misconfiguration detection.
Example
$ ls myapp/\nDockerfile Pipfile.lock\n$ trivy fs --scanners vuln,misconfig,secret --severity HIGH,CRITICAL myapp/\n2022-05-16T13:42:21.440+0100 INFO Number of language-specific files: 1\n2022-05-16T13:42:21.440+0100 INFO Detecting pipenv vulnerabilities...\n2022-05-16T13:42:21.440+0100 INFO Detected config files: 1\n\nPipfile.lock (pipenv)\n=====================\nTotal: 1 (HIGH: 1, CRITICAL: 0)\n\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 Library \u2502 Vulnerability \u2502 Severity \u2502 Installed Version \u2502 Fixed Version \u2502 Title 
\u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 httplib2 \u2502 CVE-2021-21240 \u2502 HIGH \u2502 0.12.1 \u2502 0.19.0 \u2502 python-httplib2: Regular expression denial of service via \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 malicious header \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2021-21240 \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n\nDockerfile 
(dockerfile)\n=======================\nTests: 17 (SUCCESSES: 16, FAILURES: 1)\nFailures: 1 (HIGH: 1, CRITICAL: 0)\n\nHIGH: Last USER command in Dockerfile should not be 'root'\n\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\nRunning containers with 'root' user can lead to a container escape situation. 
It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.\n\nSee https://avd.aquasec.com/misconfig/ds002\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\nDockerfile:3\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u250
0\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n3 [ USER root\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n
In the above example, Trivy detected vulnerabilities of Python dependencies and misconfigurations in Dockerfile.
"},{"location":"guide/scanner/misconfiguration/#type-detection","title":"Type detection","text":"The specified directory can contain mixed types of IaC files. Trivy automatically detects config types and applies relevant checks.
For example, the following example holds IaC files for Terraform, CloudFormation, Kubernetes, Helm Charts, and Dockerfile in the same directory.
$ ls iac/\nDockerfile deployment.yaml main.tf mysql-8.8.26.tar\n$ trivy config --severity HIGH,CRITICAL ./iac\n
Result 2022-06-06T11:01:21.142+0100 INFO Detected config files: 8\n\nDockerfile (dockerfile)\n\nTests: 21 (SUCCESSES: 20, FAILURES: 1)\nFailures: 1 (MEDIUM: 0, HIGH: 1, CRITICAL: 0)\n\nHIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument\n\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\nRunning containers with 'root' user can lead to a container escape situation. 
It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.\n\nSee https://avd.aquasec.com/misconfig/ds002\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\n\n\ndeployment.yaml (kubernetes)\n\nTests: 20 (SUCCESSES: 15, FAILURES: 5)\nFailures: 5 (MEDIUM: 4, HIGH: 1, CRITICAL: 0)\n\nMEDIUM: Container 'hello-kubernetes' of Deployment 'hello-kubernetes' should set 'securityContext.allowPrivilegeEscalation' to 
false\n\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\nA program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.\n\nSee 
https://avd.aquasec.com/misconfig/ksv001\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n 
deployment.yaml:16-19\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n 16 \u250c - name: hello-kubernetes\n 17 \u2502 image: hello-kubernetes:1.5\n 18 \u2502 ports:\n 19 \u2514 - containerPort: 
8080\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\n\nHIGH: Deployment 'hello-kubernetes' should not specify '/var/run/docker.socker' in 
'spec.template.volumes.hostPath.path'\n\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\nMounting docker.sock from the host can give the container full root access to the host.\n\nSee 
https://avd.aquasec.com/misconfig/ksv006\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n 
deployment.yaml:6-29\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n 6 \u250c replicas: 3\n 7 \u2502 selector:\n 8 \u2502 matchLabels:\n 9 \u2502 app: hello-kubernetes\n 10 \u2502 template:\n 11 \u2502 metadata:\n 12 \u2502 labels:\n 13 \u2502 app: hello-kubernetes\n 14 \u2514 spec:\n .. 
\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\n\nMEDIUM: Container 'hello-kubernetes' of Deployment 'hello-kubernetes' should set 'securityContext.runAsNonRoot' to 
true\n\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\n'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.\n\nSee 
https://avd.aquasec.com/misconfig/ksv012\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n 
deployment.yaml:16-19\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n 16 \u250c - name: hello-kubernetes\n 17 \u2502 image: hello-kubernetes:1.5\n 18 \u2502 ports:\n 19 \u2514 - containerPort: 
8080\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\n\nMEDIUM: Deployment 'hello-kubernetes' should not set 
'spec.template.volumes.hostPath'\n\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\nHostPath volumes must be forbidden.\n\nSee 
https://avd.aquasec.com/misconfig/ksv023\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n 
deployment.yaml:6-29\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n 6 \u250c replicas: 3\n 7 \u2502 selector:\n 8 \u2502 matchLabels:\n 9 \u2502 app: hello-kubernetes\n 10 \u2502 template:\n 11 \u2502 metadata:\n 12 \u2502 labels:\n 13 \u2502 app: hello-kubernetes\n 14 \u2514 spec:\n .. 
\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\n\nMEDIUM: Deployment 'hello-kubernetes' should set 'securityContext.sysctl' to the allowed 
values\n\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\nSysctls can disable security mechanisms or affect all containers on a host, and should be disallowed except for an allowed 'safe' subset. 
A sysctl is considered safe if it is namespaced in the container or the Pod, and it is isolated from other Pods or processes on the same Node.\n\nSee https://avd.aquasec.com/misconfig/ksv026\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n 
deployment.yaml:6-29\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n 6 \u250c replicas: 3\n 7 \u2502 selector:\n 8 \u2502 matchLabels:\n 9 \u2502 app: hello-kubernetes\n 10 \u2502 template:\n 11 \u2502 metadata:\n 12 \u2502 labels:\n 13 \u2502 app: hello-kubernetes\n 14 \u2514 spec:\n .. 
\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\n\n\nmysql-8.8.26.tar:templates/primary/statefulset.yaml (helm)\n\nTests: 20 (SUCCESSES: 18, FAILURES: 2)\nFailures: 2 (MEDIUM: 2, HIGH: 0, CRITICAL: 0)\n\nMEDIUM: Container 'mysql' of StatefulSet 'mysql' should set 'securityContext.allowPrivilegeEscalation' to 
false\n\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\nA program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.\n\nSee 
https://avd.aquasec.com/misconfig/ksv001
────────────────────────────────────────────────────────────
 mysql-8.8.26.tar:templates/primary/statefulset.yaml:56-130
────────────────────────────────────────────────────────────
  56 ┌ - name: mysql
  57 │   image: docker.io/bitnami/mysql:8.0.28-debian-10-r23
  58 │   imagePullPolicy: "IfNotPresent"
  59 │   securityContext:
  60 │     runAsUser: 1001
  61 │   env:
  62 │     - name: BITNAMI_DEBUG
  63 │       value: "false"
  64 └     - name: MYSQL_ROOT_PASSWORD
  ..
────────────────────────────────────────────────────────────


MEDIUM: Container 'mysql' of StatefulSet 'mysql' should set 'securityContext.runAsNonRoot' to true
════════════════════════════════════════════════════════════
'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.

See https://avd.aquasec.com/misconfig/ksv012
────────────────────────────────────────────────────────────
 mysql-8.8.26.tar:templates/primary/statefulset.yaml:56-130
────────────────────────────────────────────────────────────
  56 ┌ - name: mysql
  57 │   image: docker.io/bitnami/mysql:8.0.28-debian-10-r23
  58 │   imagePullPolicy: "IfNotPresent"
  59 │   securityContext:
  60 │     runAsUser: 1001
  61 │   env:
  62 │     - name: BITNAMI_DEBUG
  63 │       value: "false"
  64 └     - name: MYSQL_ROOT_PASSWORD
  ..
────────────────────────────────────────────────────────────
You can see the config type next to each file name.
Example
Dockerfile (dockerfile)
=======================
Tests: 23 (SUCCESSES: 22, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

...

deployment.yaml (kubernetes)
============================
Tests: 28 (SUCCESSES: 15, FAILURES: 13)
Failures: 13 (MEDIUM: 4, HIGH: 1, CRITICAL: 0)

...

main.tf (terraform)
===================
Tests: 23 (SUCCESSES: 14, FAILURES: 9)
Failures: 9 (HIGH: 6, CRITICAL: 1)

...

bucket.yaml (cloudformation)
============================
Tests: 9 (SUCCESSES: 3, FAILURES: 6)
Failures: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 4, CRITICAL: 0)

...

mysql-8.8.26.tar:templates/primary/statefulset.yaml (helm)
==========================================================
Tests: 20 (SUCCESSES: 18, FAILURES: 2)
Failures: 2 (MEDIUM: 2, HIGH: 0, CRITICAL: 0)
"},{"location":"guide/scanner/misconfiguration/#scan-raw-configurations","title":"Scan raw configurations","text":"IaC configurations from cloud providers such as Terraform, CloudFormation, and ARM are converted into a unified structure that is exported to Rego. Checks are developed only for the unified structure, not for each configuration type with its own structure. This avoids duplication and simplifies maintenance. Using the unified structure has a limitation: it is not possible to create checks for resources or attributes that are not exported.
The --raw-config-scanners flag allows scanning the raw configuration, that is, the configuration as evaluated but not converted into the unified structure. Currently, only terraform is supported.
Note
The raw configuration scanner does not work on its own. To use --raw-config-scanners, you must also specify the corresponding --misconfig-scanners. The report will include results from both scanners.
For more information on custom checks and exported data schemas, see here.
Example check:
# METADATA
# title: AWS required resource tags
# description: Ensure required tags are set on AWS resources
# scope: package
# schemas:
#   - input: schema["terraform-raw"]
# custom:
#   id: USR-TFRAW-0001
#   severity: CRITICAL
#   short_code: required-aws-resource-tags
#   recommended_actions: Add the required tags to AWS resources.
#   input:
#     selector:
#       - type: terraform-raw
package user.terraform.required_aws_tags

import rego.v1

resource_types_to_check := {"aws_s3_bucket"}

resources_to_check := {block |
    some module in input.modules
    some block in module.blocks
    block.kind == "resource"
    block.type in resource_types_to_check
}

required_tags := {"Access", "Owner"}

deny contains res if {
    some block in resources_to_check
    not block.attributes.tags
    res := result.new(
        sprintf("The resource %q does not contain the following required tags: %v", [block.type, required_tags]),
        block,
    )
}

deny contains res if {
    some block in resources_to_check
    tags_attr := block.attributes.tags
    tags := object.keys(tags_attr.value)
    missing_tags := required_tags - tags
    count(missing_tags) > 0
    res := result.new(
        sprintf("The resource %q does not contain the following required tags: %v", [block.type, missing_tags]),
        tags_attr,
    )
}
Running Trivy:
trivy conf main.tf \
  --check-namespaces user \
  --config-check examples/terraform-raw/required-aws-tags.rego \
  --misconfig-scanners terraform --raw-config-scanners terraform
Example output:
main.tf (terraform)

Tests: 10 (SUCCESSES: 0, FAILURES: 10)
Failures: 10 (UNKNOWN: 0, LOW: 2, MEDIUM: 1, HIGH: 6, CRITICAL: 1)

 (CRITICAL): The resource "aws_s3_bucket" does not contain the following required tags: {"Access"}
════════════════════════════════════════════════════════════
Ensure required tags are set on AWS resources
────────────────────────────────────────────────────────────
 main.tf:3-5
   via main.tf:1-6 (aws_s3_bucket.this)
────────────────────────────────────────────────────────────
   1   resource "aws_s3_bucket" "this" {
   2     bucket = "test"
   3 ┌   tags = {
   4 │     Owner: "user"
   5 └   }
   6   }
────────────────────────────────────────────────────────────
"},{"location":"guide/scanner/misconfiguration/#external-connectivity","title":"External connectivity","text":"Trivy needs to connect to the internet to download the checks bundle. If you are running Trivy in an air-gapped environment, or a tightly controlled network, please refer to the Advanced Network Scenarios document.
"},{"location":"guide/scanner/misconfiguration/#configuration","title":"Configuration","text":"More misconfiguration scanning specific configurations can be found here.
"},{"location":"guide/scanner/misconfiguration/check/builtin/","title":"Built-in Checks","text":""},{"location":"guide/scanner/misconfiguration/check/builtin/#checks-sources","title":"Checks Sources","text":"Trivy has an extensive library of misconfiguration checks that is maintained at https://github.com/aquasecurity/trivy-checks. Trivy checks are mainly written in Rego, while some checks are written in Go. See here for the list of supported config types.
"},{"location":"guide/scanner/misconfiguration/check/builtin/#checks-bundle","title":"Checks Bundle","text":"When performing a misconfiguration scan, Trivy will automatically download the relevant Checks bundle. The bundle is cached locally and Trivy will reuse it for subsequent scans on the same machine. Trivy takes care of updating the cache automatically, so normally users can be oblivious to it.
"},{"location":"guide/scanner/misconfiguration/check/builtin/#checks-distribution","title":"Checks Distribution","text":"Trivy checks are distributed as an OPA bundle hosted in the following GitHub Container Registry: https://ghcr.io/aquasecurity/trivy-checks. Trivy checks for updates to OPA bundle on GHCR every 24 hours and pulls it if there are any updates.
"},{"location":"guide/scanner/misconfiguration/check/builtin/#external-connectivity","title":"External connectivity","text":"Trivy needs to connect to the internet to download the bundle. If you are running Trivy in an air-gapped environment, or a tightly controlled network, please refer to the Advanced Network Scenarios document. The Checks bundle is also embedded in the Trivy binary (at build time), and will be used as a fallback if Trivy is unable to download the bundle. This means that you can still scan for misconfigurations in an air-gapped environment using the Checks from the time of the Trivy release you are using.
"},{"location":"guide/scanner/misconfiguration/config/config/","title":"Configuration","text":"This page describes misconfiguration-specific configuration.
"},{"location":"guide/scanner/misconfiguration/config/config/#enabling-a-subset-of-misconfiguration-scanners","title":"Enabling a subset of misconfiguration scanners","text":"It's possible to only enable certain misconfiguration scanners if you prefer. You can do so by passing the --misconfig-scanners option. This flag takes a comma-separated list of configuration scanner types.
trivy config --misconfig-scanners=terraform,dockerfile .
This will only scan for misconfigurations that pertain to Terraform and Dockerfiles.
"},{"location":"guide/scanner/misconfiguration/config/config/#loading-custom-checks","title":"Loading custom checks","text":"You can load check files or directories including your custom checks using the --config-check flag. This can be repeated for specifying multiple files or directories.
trivy config --config-check custom-policy/policy --config-check combine/policy --config-check policy.rego --namespaces user myapp
You can load checks bundle as OCI Image from a Container Registry using the --checks-bundle-repository flag.
trivy config --checks-bundle-repository myregistry.local/mychecks --namespaces user myapp
"},{"location":"guide/scanner/misconfiguration/config/config/#passing-custom-data","title":"Passing custom data","text":"You can pass directories including your custom data through --data option. This can be repeated for specifying multiple directories.
cd examples/misconf/custom-data
trivy config --config-check ./my-check --data ./data --namespaces user ./configs
For more details, see Custom Data.
"},{"location":"guide/scanner/misconfiguration/config/config/#passing-namespaces","title":"Passing namespaces","text":"By default, Trivy evaluates checks defined in builtin.*. If you want to evaluate custom checks in other packages, you have to specify package prefixes through --namespaces option. This can be repeated for specifying multiple packages.
trivy config --config-check ./my-check --namespaces main --namespaces user ./configs
"},{"location":"guide/scanner/misconfiguration/config/config/#limiting-rego-compile-errors","title":"Limiting Rego compile errors","text":"By default, Trivy limits the number of compile errors allowed during Rego policy compilation. You can configure this limit using the --rego-error-limit flag.
trivy config --rego-error-limit 20 ./configs
This flag controls the maximum number of compile errors Trivy will tolerate before stopping the compilation.
If the number of compile errors exceeds this limit, Trivy will terminate the scan. You can set --rego-error-limit 0 to enforce strict checking and disallow any compile errors.
The default value is defined internally via CompileErrorLimit.
"},{"location":"guide/scanner/misconfiguration/config/config/#private-terraform-registries","title":"Private Terraform registries","text":"Trivy can download Terraform code from private registries. To pass credentials you must use the TF_TOKEN_ environment variables. You cannot use a .terraformrc or terraform.rc file; these are not supported by Trivy yet.
From the Terraform docs:
Environment variable names should have the prefix TF_TOKEN_ added to the domain name, with periods encoded as underscores. For example, the value of a variable named TF_TOKEN_app_terraform_io will be used as a bearer authorization token when the CLI makes service requests to the hostname app.terraform.io.
You must convert domain names containing non-ASCII characters to their punycode equivalent with an ACE prefix. For example, token credentials for 例えば.com must be set in a variable called TF_TOKEN_xn--r8j3dr99h_com.
Hyphens are also valid within host names but usually invalid as variable names and may be encoded as double underscores. For example, you can set a token for the domain name café.fr as TF_TOKEN_xn--caf-dma_fr or TF_TOKEN_xn__caf__dma_fr.
If multiple variables evaluate to the same hostname, Trivy will choose the environment variable name where the dashes have not been encoded as double underscores.
"},{"location":"guide/scanner/misconfiguration/config/config/#scan-arbitrary-json-and-yaml-configurations","title":"Scan arbitrary JSON and YAML configurations","text":"By default, scanning JSON and YAML configurations is disabled, since Trivy does not contain built-in checks for these configurations. To enable it, pass json or yaml to --misconfig-scanners. See Enabling a subset of misconfiguration scanners for more information. Trivy will pass each file as is to the checks input.
Example
$ cat iac/serverless.yaml
service: serverless-rest-api-with-pynamodb

frameworkVersion: ">=2.24.0"

plugins:
  - serverless-python-requirements
...

$ cat serverless.rego
# METADATA
# title: Serverless Framework service name not starting with "aws-"
# description: Ensure that Serverless Framework service names start with "aws-"
# schemas:
#   - input: schema["serverless-schema"]
# custom:
#   avd_id: AVD-SF-0001
#   severity: LOW
package user.serverless001

deny[res] {
  not startswith(input.service, "aws-")
  res := result.new(
    sprintf("Service name %q is not allowed", [input.service]),
    input.service
  )
}

$ trivy config --misconfig-scanners=json,yaml --config-check ./serverless.rego --check-namespaces user ./iac
serverless.yaml (yaml)

Tests: 4 (SUCCESSES: 3, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

LOW: Service name "serverless-rest-api-with-pynamodb" is not allowed
════════════════════════════════════════════════════════════
Ensure that Serverless Framework service names start with "aws-"
Note
In the case above, the custom check specified has a metadata annotation for the input schema input: schema[\"serverless-schema\"]. This allows Trivy to type check the input IaC files provided.
Optionally, you can also pass schemas using the --config-file-schemas flag. Trivy will use these schemas for file filtering and type checking in Rego checks.
Example
$ trivy config --misconfig-scanners=json,yaml --config-check ./serverless.rego --check-namespaces user --config-file-schemas ./serverless-schema.json ./iac
If the --config-file-schemas flag is specified Trivy ensures that each input IaC config file being scanned is type-checked against the schema. If the input file does not match any of the passed schemas, it will be ignored.
If the schema is specified in the check metadata and is in the directory specified in the --config-check argument, it will be automatically loaded as specified here, and will only be used for type checking in Rego.
Note
If a user specifies the --config-file-schemas flag, Trivy ensures that every input IaC config file passes type-checking. Passing an input schema is not required when type checking is not needed. This is helpful for scenarios where you simply want to write a Rego check and pass in IaC input for it, such as scanning for a new service that Trivy might not support just yet.
Tip
It is also possible to specify multiple input schemas with the --config-file-schemas flag, as it accepts a comma-separated list of file paths or a directory as input. When multiple schemas are specified, all of them are evaluated against all the input files.
"},{"location":"guide/scanner/misconfiguration/config/config/#filtering-resources-by-inline-comments","title":"Filtering resources by inline comments","text":"Trivy supports ignoring misconfigured resources by inline comments for Terraform, CloudFormation, Helm and Dockerfile configuration files only.
In cases where Trivy can detect comments of a specific format immediately adjacent to resource definitions, it is possible to ignore findings from a single source of resource definition (in contrast to .trivyignore, which has a directory-wide scope on all of the files scanned). The format for these comments is trivy:ignore:<rule> immediately following the format-specific line-comment token.
Note
Inline ignore rules only work for checks associated with an existing resource. Checks triggered by the absence of a resource (e.g., AVD-DS-0002 when a Dockerfile lacks a USER instruction) cannot be ignored inline. Use a .trivyignore.yaml file to ignore such checks.
The ignore rule must contain one of the possible check IDs that can be found in its metadata: ID, short code or alias. The id from the metadata is not case-sensitive, so you can specify, for example, AVD-AWS-0089 or avd-aws-0089.
For example, to ignore a misconfiguration ID AVD-GCP-0051 in a Terraform HCL file:
#trivy:ignore:AVD-GCP-0051
resource "google_container_cluster" "example" {
  name     = var.cluster_name
  location = var.region
}
You can add multiple ignores on the same comment line:
#trivy:ignore:AVD-GCP-0051 trivy:ignore:AVD-GCP-0053
resource "google_container_cluster" "example" {
  name     = var.cluster_name
  location = var.region
}
You can also specify a long ID, which is formed as follows: <provider>-<service>-<short-code>.
As an example, consider the following check metadata:
# custom:
#   id: AVD-AWS-0089
#   avd_id: AVD-AWS-0089
#   provider: aws
#   service: s3
#   severity: LOW
#   short_code: enable-logging
The long ID would look like the following: aws-s3-enable-logging. Example for CloudFormation:
AWSTemplateFormatVersion: "2010-09-09"
Resources:
#trivy:ignore:*
  S3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: test-bucket
Note
Ignore rules for Helm files should be placed before the YAML object, because only the YAML object carries the location data needed for ignoring.
Example for Helm:
  serviceAccountName: "testchart.serviceAccountName"
  containers:
    # trivy:ignore:KSV018
    - name: "testchart"
      securityContext:
        runAsUser: 1000
        runAsGroup: 3000
      image: "your-repository/your-image:your-tag"
      imagePullPolicy: "Always"
"},{"location":"guide/scanner/misconfiguration/config/config/#expiration-date","title":"Expiration Date","text":"You can specify the expiration date of the ignore rule in yyyy-mm-dd format. This is a useful feature when you want to make sure that an ignored issue is not forgotten and worth revisiting in the future. For example:
#trivy:ignore:aws-s3-enable-logging:exp:2024-03-10
resource "aws_s3_bucket" "example" {
  bucket = "test"
}
The aws-s3-enable-logging check will be ignored until 2024-03-10, when the ignore rule expires.
"},{"location":"guide/scanner/misconfiguration/config/config/#ignoring-by-attributes","title":"Ignoring by attributes","text":"You can ignore a resource by its attribute value. This is useful when using the for-each meta-argument. For example:
locals {
  ports = ["3306", "5432"]
}

#trivy:ignore:aws-ec2-no-public-ingress-sgr[from_port=3306]
resource "aws_security_group_rule" "example" {
  for_each                 = toset(local.ports)
  type                     = "ingress"
  from_port                = each.key
  to_port                  = each.key
  protocol                 = "TCP"
  cidr_blocks              = ["0.0.0.0/0"]
  security_group_id        = aws_security_group.example.id
  source_security_group_id = aws_security_group.example.id
}
The aws-ec2-no-public-ingress-sgr check will be ignored only for the aws_security_group_rule resource with port number 5432. It is important to note that the ignore rule should not enclose the attribute value in quotes, despite the fact that the port is represented as a string.
If you want to ignore multiple resources on different attributes, you can specify multiple ignore rules:
#trivy:ignore:aws-ec2-no-public-ingress-sgr[from_port=3306]
#trivy:ignore:aws-ec2-no-public-ingress-sgr[from_port=5432]
You can also ignore a resource on multiple attributes in the same rule:
locals {
  rules = {
    first = {
      port = 1000
      type = "ingress"
    },
    second = {
      port = 1000
      type = "egress"
    }
  }
}

#trivy:ignore:aws-ec2-no-public-ingress-sgr[from_port=1000,type=egress]
resource "aws_security_group_rule" "example" {
  for_each = { for k, v in local.rules : k => v }

  type                     = each.value.type
  from_port                = each.value.port
  to_port                  = each.value.port
  protocol                 = "TCP"
  cidr_blocks              = ["0.0.0.0/0"]
  security_group_id        = aws_security_group.example.id
  source_security_group_id = aws_security_group.example.id
}
Checks can also be ignored by nested attributes:
#trivy:ignore:*[logging_config.prefix=myprefix]
resource "aws_cloudfront_distribution" "example" {
  logging_config {
    include_cookies = false
    bucket          = "mylogs.s3.amazonaws.com"
    prefix          = "myprefix"
  }
}
"},{"location":"guide/scanner/misconfiguration/config/config/#ignoring-module-issues","title":"Ignoring module issues","text":"Issues in third-party modules cannot be ignored using the method described above, because you may not have access to modify the module source code. In such a situation you can add ignore rules above the module block, for example:
#trivy:ignore:aws-s3-enable-logging
module "s3_bucket" {
  source = "terraform-aws-modules/s3-bucket/aws"

  bucket = "my-s3-bucket"
}
An example of ignoring checks for a specific bucket in a module:
locals {
  bucket = ["test1", "test2"]
}

#trivy:ignore:*[bucket=test1]
module "s3_bucket" {
  for_each = toset(local.bucket)
  source   = "terraform-aws-modules/s3-bucket/aws"
  bucket   = each.value
}
"},{"location":"guide/scanner/misconfiguration/config/config/#support-for-wildcards","title":"Support for Wildcards","text":"You can use wildcards in the ws (workspace) and ignore sections of the ignore rules.
# trivy:ignore:aws-s3-*:ws:dev-*
This example ignores all checks starting with aws-s3- for workspaces matching the pattern dev-*.
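The ignore-comment features described above (case-insensitive check IDs, several rules on one line, attribute filters including nested ones, expiration dates and workspace wildcards), as an added Python example that models the comment syntax shown on this page; it is not Trivy's own parser. The findings it evaluates are constructed, EXAMPLE-CHECK is a placeholder ID, and the exact expiry-day and attribute-equality semantics are assumptions.

```python
# Added example, not Trivy's own parser: a model of the inline ignore-comment
# syntax shown on this page, trivy:ignore:<check>[attr=value,...]:exp:<date>:ws:<pattern>,
# used to decide whether a finding is suppressed. Boundary semantics (the expiry
# day itself, strict attribute equality) are assumptions.
from __future__ import annotations

import fnmatch
import re
from dataclasses import dataclass, field
from datetime import date

RULE_RE = re.compile(
    r"trivy:ignore:(?P<check>[^\s:\[]+)"     # ID, short code, alias, long ID or wildcard
    r"(?:\[(?P<attrs>[^\]]*)\])?"            # optional [attr=value,...] filter
    r"(?P<mods>(?::(?:exp|ws):[^\s:]+)*)"    # optional :exp:yyyy-mm-dd and :ws:<pattern>
)


@dataclass
class IgnoreRule:
    check: str
    attrs: dict[str, str] = field(default_factory=dict)
    expires: date | None = None
    workspace: str | None = None


@dataclass
class Finding:
    """One reported misconfiguration, reduced to what ignore rules look at."""
    check_ids: set[str]                        # metadata ID, short code, aliases, long ID
    attributes: dict[str, object] = field(default_factory=dict)  # flattened, e.g. "logging_config.prefix"


def parse_ignore_comment(comment: str) -> list[IgnoreRule]:
    """Extract every rule from one comment line; several may follow each other, separated by spaces."""
    rules: list[IgnoreRule] = []
    for m in RULE_RE.finditer(comment):
        rule = IgnoreRule(check=m.group("check"))
        if m.group("attrs"):
            for pair in m.group("attrs").split(","):
                key, _, value = pair.partition("=")
                rule.attrs[key.strip()] = value.strip()     # values are written without quotes
        for kind, value in re.findall(r":(exp|ws):([^\s:]+)", m.group("mods")):
            if kind == "exp":
                rule.expires = date.fromisoformat(value)
            else:
                rule.workspace = value
        rules.append(rule)
    return rules


def rule_matches(rule: IgnoreRule, finding: Finding, today: date, workspace: str) -> bool:
    """True when the rule suppresses the finding on the given day in the given workspace."""
    if rule.expires is not None and today >= rule.expires:      # ignored only until the date
        return False
    if rule.workspace is not None and not fnmatch.fnmatchcase(workspace, rule.workspace):
        return False
    pattern = rule.check.lower()                                 # IDs are case-insensitive
    if not any(fnmatch.fnmatchcase(cid.lower(), pattern) for cid in finding.check_ids):
        return False
    for key, want in rule.attrs.items():                         # every attribute filter must hold
        if key not in finding.attributes or str(finding.attributes[key]) != want:
            return False
    return True


def is_ignored(comment: str, finding: Finding, today: str = "2024-01-01", workspace: str = "default") -> bool:
    """Does any rule on the comment line suppress the finding? `today` is an ISO date string."""
    day = date.fromisoformat(today)
    return any(rule_matches(r, finding, day, workspace) for r in parse_ignore_comment(comment))


# Constructed findings mirroring the page's examples (check IDs taken from the metadata shown above).
S3_LOGGING_TEST1 = Finding({"AVD-AWS-0089", "enable-logging", "aws-s3-enable-logging"}, {"bucket": "test1"})
S3_LOGGING_TEST2 = Finding({"AVD-AWS-0089", "enable-logging", "aws-s3-enable-logging"}, {"bucket": "test2"})
GCP_0053 = Finding({"AVD-GCP-0053"})
# for_each instances of aws_security_group_rule.example; only the long ID is taken from the page.
SGR_3306 = Finding({"aws-ec2-no-public-ingress-sgr"}, {"from_port": "3306", "type": "ingress"})
SGR_5432 = Finding({"aws-ec2-no-public-ingress-sgr"}, {"from_port": "5432", "type": "ingress"})
SGR_EGRESS_1000 = Finding({"aws-ec2-no-public-ingress-sgr"}, {"from_port": 1000, "type": "egress"})
# Nested-attribute example; EXAMPLE-CHECK is a placeholder ID, matched by the wildcard anyway.
CLOUDFRONT = Finding({"EXAMPLE-CHECK"}, {"logging_config.prefix": "myprefix", "logging_config.include_cookies": False})
```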
"},{"location":"guide/scanner/misconfiguration/custom/","title":"Custom Checks","text":""},{"location":"guide/scanner/misconfiguration/custom/#overview","title":"Overview","text":"You can write custom checks in Rego. Once you finish writing custom checks, you can pass the check files or the directory where those checks are stored with the --config-check option.
trivy config --config-check /path/to/policy.rego --config-check /path/to/custom_checks --namespaces user /path/to/config_dir
The --namespaces option is described below.
"},{"location":"guide/scanner/misconfiguration/custom/#file-formats","title":"File formats","text":"If a file name matches the following file patterns, Trivy will parse the file and pass it as input to your Rego policy.
File format     File pattern
JSON            *.json
YAML            *.yaml and *.yml
Dockerfile      Dockerfile, Dockerfile.*, and *.Dockerfile
Containerfile   Containerfile, Containerfile.*, and *.Containerfile
Terraform       *.tf and *.tf.json
"},{"location":"guide/scanner/misconfiguration/custom/#configuration-languages","title":"Configuration languages","text":"In the above general file formats, Trivy automatically identifies the following types of configuration files:
- CloudFormation (JSON/YAML)
- Kubernetes (JSON/YAML)
- Helm (YAML)
- Terraform Plan (JSON/Snapshot)
This is useful for filtering inputs, as described below.
"},{"location":"guide/scanner/misconfiguration/custom/#rego-format","title":"Rego format","text":"A single package must contain only one policy.
Example
# METADATA
# title: Deployment not allowed
# description: Deployments are not allowed because of some reasons.
# schemas:
#   - input: schema["kubernetes"]
# custom:
#   id: ID001
#   severity: LOW
#   input:
#     selector:
#       - type: kubernetes
package user.kubernetes.ID001

deny[res] {
  input.kind == "Deployment"
  msg := sprintf("Found deployment '%s' but deployments are not allowed", [input.metadata.name])
  res := result.new(msg, input.kind)
}
In this example, ID001 \"Deployment not allowed\" is defined under user.kubernetes.ID001. If you add a new custom policy, it must be defined under a new package like user.kubernetes.ID002.
"},{"location":"guide/scanner/misconfiguration/custom/#policy-structure","title":"Policy structure","text":"# METADATA (optional unless the check will be contributed into Trivy) - SHOULD be defined for clarity since these values will be displayed in the scan results
custom.input SHOULD be set to indicate the input type the policy should be applied to. See list of available types
package (required) - MUST follow the Rego's specification
- MUST be unique per policy
- SHOULD include policy id for uniqueness
- MAY include the group name such as
kubernetes for clarity - Group name has no effect on policy evaluation
deny (required) - SHOULD be
deny or start with deny_ - Although
warn, warn_*, violation, violation_ also work for compatibility, deny is recommended as severity can be defined in __rego_metadata__.
- SHOULD return ONE OF:
- The result of a call to
result.new(msg, cause). The msg is a string describing the issue occurrence, and the cause is the property/object where the issue occurred. Providing this allows Trivy to ascertain line numbers and highlight code in the output. - A
string denoting the detected issue - Although
object with msg field is accepted, other fields are dropped and string is recommended if result.new() is not utilised. - e.g.
{\"msg\": \"deny message\", \"details\": \"something\"}
"},{"location":"guide/scanner/misconfiguration/custom/#package","title":"Package","text":"A package name must be unique per policy.
Example
package user.kubernetes.ID001\n
By default, only builtin.* packages will be evaluated. If you define custom packages, you have to specify the package prefix via --namespaces option. By default, Trivy only runs in its own namespace, unless specified by the user. Note that the custom namespace does not have to be user as in this example. It could be anything user-defined.
trivy config --config-check /path/to/custom_checks --namespaces user /path/to/config_dir\n
In this case, user.* will be evaluated. Any package prefixes such as main and user are allowed.
"},{"location":"guide/scanner/misconfiguration/custom/#metadata","title":"Metadata","text":"The check must contain a Rego Metadata section. Trivy uses standard rego metadata to define the new policy and general information about it.
Trivy supports extra fields in the custom section as described below.
Example
# METADATA\n# title: Deployment not allowed\n# description: Deployments are not allowed because of some reasons.\n# custom:\n# id: ID001\n# severity: LOW\n# input:\n# selector:\n# - type: kubernetes\n
If you are creating checks for your Trivy misconfiguration scans, some fields are optional as referenced in the table below. The schemas field should be used to enable policy validation using a built-in schema. It is recommended to use this to ensure your checks are correct and do not reference incorrect properties/values.
Field name Allowed values Default value In table In JSON title Any characters N/A \u2705 \u2705 description Any characters - \u2705 schemas.input schema[\"kubernetes\"], schema[\"dockerfile\"], schema[\"cloud\"], schema[\"terraform-raw\"] (applied to all input types) - - custom.id Any characters N/A \u2705 \u2705 custom.severity LOW, MEDIUM, HIGH, CRITICAL UNKNOWN \u2705 \u2705 custom.recommended_actions Any characters - \u2705 custom.deprecated true, false false - \u2705 custom.input.selector.type Any item(s) in this list - \u2705 custom.minimum_trivy_version The minimum version of Trivy that's required to evaluate this check - \u2705 url Any characters - \u2705"},{"location":"guide/scanner/misconfiguration/custom/#customavd_id-and-customid","title":"custom.avd_id and custom.id","text":"The AVD_ID can be used to link the check to the Aqua Vulnerability Database (AVD) entry. For example, the avd_id AVD-AWS-0176 is the ID of the check in the AWS Vulnerability Database. If you are contributing your check to trivy-checks, you need to generate an ID using make id in the trivy-checks repository. The output of the command will provide you the next free IDs for the different providers in Trivy.
The ID is based on the AVD_ID. For instance if the avd_id is AVD-AWS-0176, the ID is ID0176.
"},{"location":"guide/scanner/misconfiguration/custom/#customprovider","title":"custom.provider","text":"The provider field references the provider available in Trivy. This should be the same as the provider name in the pkg/iac/providers directory, e.g. aws.
"},{"location":"guide/scanner/misconfiguration/custom/#customservice","title":"custom.service","text":"Services are defined within a provider. For instance, RDS is a service and AWS is a provider. This should be the same as the service name in one of the provider directories. (Link), e.g. aws/rds.
"},{"location":"guide/scanner/misconfiguration/custom/#custominput","title":"custom.input","text":"The input tells Trivy what inputs this check should be applied to. Cloud provider checks should always use the selector input, and should always use the type selector with cloud. Check targeting Kubernetes yaml can use kubernetes, RBAC can use rbac, and so on.
"},{"location":"guide/scanner/misconfiguration/custom/#subtypes-in-the-custom-data","title":"Subtypes in the custom data","text":"Subtypes currently only need to be defined for cloud providers as detailed in the documentation.
"},{"location":"guide/scanner/misconfiguration/custom/#scan-result","title":"Scan Result","text":"Some fields are displayed in scan results.
k.yaml (kubernetes)\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\nTests: 32 (SUCCESSES: 31, FAILURES: 1)\nFailures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)\n\nLOW: Found deployment 'my-deployment' but deployments are not allowed\n\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\nDeployments are not allowed because of some reasons.\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n k.yaml:1-2\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n 1 \u250c apiVersion: v1\n 2 \u2514 kind: 
Deployment\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n
"},{"location":"guide/scanner/misconfiguration/custom/#input","title":"Input","text":"You can specify input format via the custom.input annotation.
Example
# METADATA\n# custom:\n# input:\n# combine: false\n# selector:\n# - type: kubernetes\n
combine (boolean) The details are here. selector (array) This option filters the input by file format or configuration language. In the above example, Trivy passes only Kubernetes files to this policy. Even if a Dockerfile exists in the specified directory, it will not be passed to the policy as input.
Possible values for input types are:
dockerfile (Dockerfile) kubernetes (Kubernetes YAML/JSON) rbac (Kubernetes RBAC YAML/JSON) cloud (Cloud format, as defined by Trivy - this is used for Terraform, CloudFormation, and Cloud/AWS scanning) yaml (Generic YAML) json (Generic JSON) toml (Generic TOML) terraform-raw (Terraform configuration is not converted to common state as for the Cloud format, allowing for more flexible and direct checks on the original code)
When configuration languages such as Kubernetes are not identified, file formats such as JSON will be used as type. When a configuration language is identified, it will overwrite type.
Example
pod.yaml including Kubernetes Pod will be handled as kubernetes, not yaml. type is overwritten by kubernetes from yaml.
type accepts kubernetes, dockerfile, cloudformation, terraform, terraformplan, json, or yaml.
"},{"location":"guide/scanner/misconfiguration/custom/#schemas","title":"Schemas","text":"See here for the detail.
"},{"location":"guide/scanner/misconfiguration/custom/combine/","title":"Combined input","text":""},{"location":"guide/scanner/misconfiguration/custom/combine/#overview","title":"Overview","text":"Trivy usually scans each configuration file individually. Sometimes it might be useful to compare values from different configuration files simultaneously.
When combine is set to true, all config files under the specified directory are combined into one input data structure.
Example
__rego_input__ := {\n \"combine\": false,\n}\n
In \"combine\" mode, the input document becomes an array, where each element is an object with two fields:
\"path\": \"path/to/file\": the relative file path of the respective file \"contents\": ...: the parsed content of the respective file
Now you can ensure that duplicate values match across the entirety of your configuration files.
"},{"location":"guide/scanner/misconfiguration/custom/combine/#return-value","title":"Return value","text":"In \"combine\" mode, the deny entrypoint must return an object with two keys
filepath (required) the relative file path of the file being evaluated msg (required) the message describing an issue Example
deny[res] {\n resource := input[i].contents\n ... some logic ...\n\n res := {\n \"filepath\": input[i].path,\n \"msg\": \"something bad\",\n }\n}\n
"},{"location":"guide/scanner/misconfiguration/custom/contribute-checks/","title":"Contribute Checks","text":""},{"location":"guide/scanner/misconfiguration/custom/contribute-checks/#contribute-rego-checks","title":"Contribute Rego Checks","text":"The contributing section provides detailed information on how to contribute custom checks to the trivy-checks repository
This way, they become accessible as default checks.
"},{"location":"guide/scanner/misconfiguration/custom/data/","title":"Custom Data","text":"Custom checks may require additional data in order to make a resolution. You can pass arbitrary data files to Trivy to be used when evaluating rego checks using the --config-data flag. Trivy recursively searches the specified data paths for JSON (*.json) and YAML (*.yaml) files.
For example, consider an allowed list of resources that can be created. Instead of hardcoding this information inside your check, you can maintain the list in a separate file.
Example data file:
services:\n ports:\n - \"20\"\n - \"20/tcp\"\n - \"20/udp\"\n - \"23\"\n - \"23/tcp\"\n
Example usage in a Rego check:
import data.services\n\nports := services.ports\n
Example loading the data file:
trivy config --config-check ./checks --config-data ./data --namespaces user ./configs\n
"},{"location":"guide/scanner/misconfiguration/custom/data/#customizing-default-checks-data","title":"Customizing default checks data","text":"Some checks allow you to customize the default data values. To do this, simply pass a data file via --config-data (see the section above).
Table of supported data for customizing and their paths:
Check ID Data path Description KSV0125 ksv0125.trusted_registries List of trusted container registries DS031 ds031.included_envs List of allowed environment variables (merged with defaults) Example of overriding trusted registries for KSV0125:
ksv0125:\n trusted_registries:\n - \"my-registry.example.com\"\n - \"registry.internal.local\"\n
"},{"location":"guide/scanner/misconfiguration/custom/debug/","title":"Debugging checks","text":"When working on more complex queries (or when learning Rego), it's useful to see exactly how the policy is applied. For this purpose you can use the --trace-rego flag. This will output a large trace from Open Policy Agent like the following:
Tip
Only failed checks show traces. If you want to debug a passed check, you need to make it fail on purpose.
$ trivy config --trace-rego configs/\n2022-05-16T13:47:58.853+0100 INFO Detected config files: 1\n\nDockerfile (dockerfile)\n=======================\nTests: 23 (SUCCESSES: 21, FAILURES: 2)\nFailures: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)\n\nMEDIUM: Specify a tag in the 'FROM' statement for image 'alpine'\n\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\nWhen using a 'FROM' statement you should use a specific tag to avoid uncontrolled behavior when the image is updated.\n\nSee 
https://avd.aquasec.com/misconfig/ds001\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n Dockerfile:1\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n 1 [ FROM 
alpine:latest\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\n\nHIGH: Last USER command in Dockerfile should not be 'root'\n\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\nRunning containers with 'root' user can lead to a container escape situation. 
It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.\n\nSee https://avd.aquasec.com/misconfig/ds002\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n Dockerfile:3\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n 3 [ USER 
root\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\n\n\nID: DS001\nFile: Dockerfile\nNamespace: builtin.dockerfile.DS001\nQuery: data.builtin.dockerfile.DS001.deny\nMessage: Specify a tag in the 'FROM' statement for image 'alpine'\nTRACE Enter data.builtin.dockerfile.DS001.deny = _\nTRACE | Eval data.builtin.dockerfile.DS001.deny = _\nTRACE | Index data.builtin.dockerfile.DS001.deny (matched 1 rule)\nTRACE | Enter data.builtin.dockerfile.DS001.deny\nTRACE | | Eval output = data.builtin.dockerfile.DS001.fail_latest[_]\nTRACE | | Index data.builtin.dockerfile.DS001.fail_latest (matched 1 rule)\nTRACE | | Enter data.builtin.dockerfile.DS001.fail_latest\nTRACE | | | Eval output = data.builtin.dockerfile.DS001.image_tags[_]\nTRACE | | | Index data.builtin.dockerfile.DS001.image_tags (matched 2 rules)\nTRACE | | | Enter data.builtin.dockerfile.DS001.image_tags\nTRACE | | | | Eval from = data.lib.docker.from[_]\nTRACE | | | | Index data.lib.docker.from (matched 1 rule)\nTRACE | | | | Enter data.lib.docker.from\nTRACE | | | | | Eval instruction = input.stages[_][_]\nTRACE | | | | | Eval instruction.Cmd = \"from\"\nTRACE | | | | | Exit data.lib.docker.from\nTRACE | | | | Redo data.lib.docker.from\nTRACE | | | | | Redo 
instruction.Cmd = \"from\"\nTRACE | | | | | Redo instruction = input.stages[_][_]\nTRACE | | | | | Eval instruction.Cmd = \"from\"\nTRACE | | | | | Fail instruction.Cmd = \"from\"\nTRACE | | | | | Redo instruction = input.stages[_][_]\nTRACE | | | | | Eval instruction.Cmd = \"from\"\nTRACE | | | | | Fail instruction.Cmd = \"from\"\nTRACE | | | | | Redo instruction = input.stages[_][_]\nTRACE | | | | Eval name = from.Value[0]\nTRACE | | | | Eval not startswith(name, \"$\")\nTRACE | | | | Enter startswith(name, \"$\")\nTRACE | | | | | Eval startswith(name, \"$\")\nTRACE | | | | | Fail startswith(name, \"$\")\nTRACE | | | | Eval data.builtin.dockerfile.DS001.parse_tag(name, __local505__)\nTRACE | | | | Index data.builtin.dockerfile.DS001.parse_tag (matched 2 rules)\nTRACE | | | | Enter data.builtin.dockerfile.DS001.parse_tag\nTRACE | | | | | Eval split(name, \":\", __local504__)\nTRACE | | | | | Eval [img, tag] = __local504__\nTRACE | | | | | Exit data.builtin.dockerfile.DS001.parse_tag\nTRACE | | | | Eval [img, tag] = __local505__\nTRACE | | | | Eval output = {\"cmd\": from, \"img\": img, \"tag\": tag}\nTRACE | | | | Exit data.builtin.dockerfile.DS001.image_tags\nTRACE | | | Redo data.builtin.dockerfile.DS001.image_tags\nTRACE | | | | Redo output = {\"cmd\": from, \"img\": img, \"tag\": tag}\nTRACE | | | | Redo [img, tag] = __local505__\nTRACE | | | | Redo data.builtin.dockerfile.DS001.parse_tag(name, __local505__)\nTRACE | | | | Redo data.builtin.dockerfile.DS001.parse_tag\nTRACE | | | | | Redo [img, tag] = __local504__\nTRACE | | | | | Redo split(name, \":\", __local504__)\nTRACE | | | | Enter data.builtin.dockerfile.DS001.parse_tag\nTRACE | | | | | Eval tag = \"latest\"\nTRACE | | | | | Eval not contains(img, \":\")\nTRACE | | | | | Enter contains(img, \":\")\nTRACE | | | | | | Eval contains(img, \":\")\nTRACE | | | | | | Exit contains(img, \":\")\nTRACE | | | | | Redo contains(img, \":\")\nTRACE | | | | | | Redo contains(img, \":\")\nTRACE | | | | | Fail not 
contains(img, \":\")\nTRACE | | | | | Redo tag = \"latest\"\nTRACE | | | | Redo name = from.Value[0]\nTRACE | | | | Redo from = data.lib.docker.from[_]\nTRACE | | | Enter data.builtin.dockerfile.DS001.image_tags\nTRACE | | | | Eval from = data.lib.docker.from[i]\nTRACE | | | | Index data.lib.docker.from (matched 1 rule)\nTRACE | | | | Eval name = from.Value[0]\nTRACE | | | | Eval cmd_obj = input.stages[j][k]\nTRACE | | | | Eval possibilities = {\"arg\", \"env\"}\nTRACE | | | | Eval cmd_obj.Cmd = possibilities[l]\nTRACE | | | | Fail cmd_obj.Cmd = possibilities[l]\nTRACE | | | | Redo possibilities = {\"arg\", \"env\"}\nTRACE | | | | Redo cmd_obj = input.stages[j][k]\nTRACE | | | | Eval possibilities = {\"arg\", \"env\"}\nTRACE | | | | Eval cmd_obj.Cmd = possibilities[l]\nTRACE | | | | Fail cmd_obj.Cmd = possibilities[l]\nTRACE | | | | Redo possibilities = {\"arg\", \"env\"}\nTRACE | | | | Redo cmd_obj = input.stages[j][k]\nTRACE | | | | Eval possibilities = {\"arg\", \"env\"}\nTRACE | | | | Eval cmd_obj.Cmd = possibilities[l]\nTRACE | | | | Fail cmd_obj.Cmd = possibilities[l]\nTRACE | | | | Redo possibilities = {\"arg\", \"env\"}\nTRACE | | | | Redo cmd_obj = input.stages[j][k]\nTRACE | | | | Redo name = from.Value[0]\nTRACE | | | | Redo from = data.lib.docker.from[i]\nTRACE | | | Eval __local752__ = output.img\nTRACE | | | Eval neq(__local752__, \"scratch\")\nTRACE | | | Eval __local753__ = output.img\nTRACE | | | Eval not data.builtin.dockerfile.DS001.is_alias(__local753__)\nTRACE | | | Enter data.builtin.dockerfile.DS001.is_alias(__local753__)\nTRACE | | | | Eval data.builtin.dockerfile.DS001.is_alias(__local753__)\nTRACE | | | | Index data.builtin.dockerfile.DS001.is_alias (matched 1 rule, early exit)\nTRACE | | | | Enter data.builtin.dockerfile.DS001.is_alias\nTRACE | | | | | Eval img = data.builtin.dockerfile.DS001.get_aliases[_]\nTRACE | | | | | Index data.builtin.dockerfile.DS001.get_aliases (matched 1 rule)\nTRACE | | | | | Enter 
data.builtin.dockerfile.DS001.get_aliases\nTRACE | | | | | | Eval from_cmd = data.lib.docker.from[_]\nTRACE | | | | | | Index data.lib.docker.from (matched 1 rule)\nTRACE | | | | | | Eval __local749__ = from_cmd.Value\nTRACE | | | | | | Eval data.builtin.dockerfile.DS001.get_alias(__local749__, __local503__)\nTRACE | | | | | | Index data.builtin.dockerfile.DS001.get_alias (matched 1 rule)\nTRACE | | | | | | Enter data.builtin.dockerfile.DS001.get_alias\nTRACE | | | | | | | Eval __local748__ = values[i]\nTRACE | | | | | | | Eval lower(__local748__, __local501__)\nTRACE | | | | | | | Eval \"as\" = __local501__\nTRACE | | | | | | | Fail \"as\" = __local501__\nTRACE | | | | | | | Redo lower(__local748__, __local501__)\nTRACE | | | | | | | Redo __local748__ = values[i]\nTRACE | | | | | | Fail data.builtin.dockerfile.DS001.get_alias(__local749__, __local503__)\nTRACE | | | | | | Redo __local749__ = from_cmd.Value\nTRACE | | | | | | Redo from_cmd = data.lib.docker.from[_]\nTRACE | | | | | Fail img = data.builtin.dockerfile.DS001.get_aliases[_]\nTRACE | | | | Fail data.builtin.dockerfile.DS001.is_alias(__local753__)\nTRACE | | | Eval output.tag = \"latest\"\nTRACE | | | Exit data.builtin.dockerfile.DS001.fail_latest\nTRACE | | Redo data.builtin.dockerfile.DS001.fail_latest\nTRACE | | | Redo output.tag = \"latest\"\nTRACE | | | Redo __local753__ = output.img\nTRACE | | | Redo neq(__local752__, \"scratch\")\nTRACE | | | Redo __local752__ = output.img\nTRACE | | | Redo output = data.builtin.dockerfile.DS001.image_tags[_]\nTRACE | | Eval __local754__ = output.img\nTRACE | | Eval sprintf(\"Specify a tag in the 'FROM' statement for image '%s'\", [__local754__], __local509__)\nTRACE | | Eval msg = __local509__\nTRACE | | Eval __local755__ = output.cmd\nTRACE | | Eval data.lib.docker.result(msg, __local755__, __local510__)\nTRACE | | Index data.lib.docker.result (matched 1 rule)\nTRACE | | Enter data.lib.docker.result\nTRACE | | | Eval object.get(cmd, \"EndLine\", 0, 
__local470__)\nTRACE | | | Eval object.get(cmd, \"Path\", \"\", __local471__)\nTRACE | | | Eval object.get(cmd, \"StartLine\", 0, __local472__)\nTRACE | | | Eval result = {\"endline\": __local470__, \"filepath\": __local471__, \"msg\": msg, \"startline\": __local472__}\nTRACE | | | Exit data.lib.docker.result\nTRACE | | Eval res = __local510__\nTRACE | | Exit data.builtin.dockerfile.DS001.deny\nTRACE | Redo data.builtin.dockerfile.DS001.deny\nTRACE | | Redo res = __local510__\nTRACE | | Redo data.lib.docker.result(msg, __local755__, __local510__)\nTRACE | | Redo data.lib.docker.result\nTRACE | | | Redo result = {\"endline\": __local470__, \"filepath\": __local471__, \"msg\": msg, \"startline\": __local472__}\nTRACE | | | Redo object.get(cmd, \"StartLine\", 0, __local472__)\nTRACE | | | Redo object.get(cmd, \"Path\", \"\", __local471__)\nTRACE | | | Redo object.get(cmd, \"EndLine\", 0, __local470__)\nTRACE | | Redo __local755__ = output.cmd\nTRACE | | Redo msg = __local509__\nTRACE | | Redo sprintf(\"Specify a tag in the 'FROM' statement for image '%s'\", [__local754__], __local509__)\nTRACE | | Redo __local754__ = output.img\nTRACE | | Redo output = data.builtin.dockerfile.DS001.fail_latest[_]\nTRACE | Exit data.builtin.dockerfile.DS001.deny = _\nTRACE Redo data.builtin.dockerfile.DS001.deny = _\nTRACE | Redo data.builtin.dockerfile.DS001.deny = _\nTRACE\n\n\nID: DS002\nFile: Dockerfile\nNamespace: builtin.dockerfile.DS002\nQuery: data.builtin.dockerfile.DS002.deny\nMessage: Last USER command in Dockerfile should not be 'root'\nTRACE Enter data.builtin.dockerfile.DS002.deny = _\nTRACE | Eval data.builtin.dockerfile.DS002.deny = _\nTRACE | Index data.builtin.dockerfile.DS002.deny (matched 2 rules)\nTRACE | Enter data.builtin.dockerfile.DS002.deny\nTRACE | | Eval data.builtin.dockerfile.DS002.fail_user_count\nTRACE | | Index data.builtin.dockerfile.DS002.fail_user_count (matched 1 rule, early exit)\nTRACE | | Enter data.builtin.dockerfile.DS002.fail_user_count\nTRACE 
| | | Eval __local771__ = data.builtin.dockerfile.DS002.get_user\nTRACE | | | Index data.builtin.dockerfile.DS002.get_user (matched 1 rule)\nTRACE | | | Enter data.builtin.dockerfile.DS002.get_user\nTRACE | | | | Eval user = data.lib.docker.user[_]\nTRACE | | | | Index data.lib.docker.user (matched 1 rule)\nTRACE | | | | Enter data.lib.docker.user\nTRACE | | | | | Eval instruction = input.stages[_][_]\nTRACE | | | | | Eval instruction.Cmd = \"user\"\nTRACE | | | | | Fail instruction.Cmd = \"user\"\nTRACE | | | | | Redo instruction = input.stages[_][_]\nTRACE | | | | | Eval instruction.Cmd = \"user\"\nTRACE | | | | | Exit data.lib.docker.user\nTRACE | | | | Redo data.lib.docker.user\nTRACE | | | | | Redo instruction.Cmd = \"user\"\nTRACE | | | | | Redo instruction = input.stages[_][_]\nTRACE | | | | | Eval instruction.Cmd = \"user\"\nTRACE | | | | | Fail instruction.Cmd = \"user\"\nTRACE | | | | | Redo instruction = input.stages[_][_]\nTRACE | | | | Eval username = user.Value[_]\nTRACE | | | | Exit data.builtin.dockerfile.DS002.get_user\nTRACE | | | Redo data.builtin.dockerfile.DS002.get_user\nTRACE | | | | Redo username = user.Value[_]\nTRACE | | | | Redo user = data.lib.docker.user[_]\nTRACE | | | Eval count(__local771__, __local536__)\nTRACE | | | Eval lt(__local536__, 1)\nTRACE | | | Fail lt(__local536__, 1)\nTRACE | | | Redo count(__local771__, __local536__)\nTRACE | | | Redo __local771__ = data.builtin.dockerfile.DS002.get_user\nTRACE | | Fail data.builtin.dockerfile.DS002.fail_user_count\nTRACE | Enter data.builtin.dockerfile.DS002.deny\nTRACE | | Eval cmd = data.builtin.dockerfile.DS002.fail_last_user_root[_]\nTRACE | | Index data.builtin.dockerfile.DS002.fail_last_user_root (matched 1 rule)\nTRACE | | Enter data.builtin.dockerfile.DS002.fail_last_user_root\nTRACE | | | Eval stage_users = data.lib.docker.stage_user[_]\nTRACE | | | Index data.lib.docker.stage_user (matched 1 rule)\nTRACE | | | Enter data.lib.docker.stage_user\nTRACE | | | | Eval stage = 
input.stages[stage_name]\nTRACE | | | | Eval users = [cmd | cmd = stage[_]; cmd.Cmd = \"user\"]\nTRACE | | | | Enter cmd = stage[_]; cmd.Cmd = \"user\"\nTRACE | | | | | Eval cmd = stage[_]\nTRACE | | | | | Eval cmd.Cmd = \"user\"\nTRACE | | | | | Fail cmd.Cmd = \"user\"\nTRACE | | | | | Redo cmd = stage[_]\nTRACE | | | | | Eval cmd.Cmd = \"user\"\nTRACE | | | | | Exit cmd = stage[_]; cmd.Cmd = \"user\"\nTRACE | | | | Redo cmd = stage[_]; cmd.Cmd = \"user\"\nTRACE | | | | | Redo cmd.Cmd = \"user\"\nTRACE | | | | | Redo cmd = stage[_]\nTRACE | | | | | Eval cmd.Cmd = \"user\"\nTRACE | | | | | Fail cmd.Cmd = \"user\"\nTRACE | | | | | Redo cmd = stage[_]\nTRACE | | | | Exit data.lib.docker.stage_user\nTRACE | | | Redo data.lib.docker.stage_user\nTRACE | | | | Redo users = [cmd | cmd = stage[_]; cmd.Cmd = \"user\"]\nTRACE | | | | Redo stage = input.stages[stage_name]\nTRACE | | | Eval count(stage_users, __local537__)\nTRACE | | | Eval len = __local537__\nTRACE | | | Eval minus(len, 1, __local538__)\nTRACE | | | Eval last = stage_users[__local538__]\nTRACE | | | Eval user = last.Value[0]\nTRACE | | | Eval user = \"root\"\nTRACE | | | Exit data.builtin.dockerfile.DS002.fail_last_user_root\nTRACE | | Redo data.builtin.dockerfile.DS002.fail_last_user_root\nTRACE | | | Redo user = \"root\"\nTRACE | | | Redo user = last.Value[0]\nTRACE | | | Redo last = stage_users[__local538__]\nTRACE | | | Redo minus(len, 1, __local538__)\nTRACE | | | Redo len = __local537__\nTRACE | | | Redo count(stage_users, __local537__)\nTRACE | | | Redo stage_users = data.lib.docker.stage_user[_]\nTRACE | | Eval msg = \"Last USER command in Dockerfile should not be 'root'\"\nTRACE | | Eval data.lib.docker.result(msg, cmd, __local540__)\nTRACE | | Index data.lib.docker.result (matched 1 rule)\nTRACE | | Enter data.lib.docker.result\nTRACE | | | Eval object.get(cmd, \"EndLine\", 0, __local470__)\nTRACE | | | Eval object.get(cmd, \"Path\", \"\", __local471__)\nTRACE | | | Eval object.get(cmd, 
\"StartLine\", 0, __local472__)\nTRACE | | | Eval result = {\"endline\": __local470__, \"filepath\": __local471__, \"msg\": msg, \"startline\": __local472__}\nTRACE | | | Exit data.lib.docker.result\nTRACE | | Eval res = __local540__\nTRACE | | Exit data.builtin.dockerfile.DS002.deny\nTRACE | Redo data.builtin.dockerfile.DS002.deny\nTRACE | | Redo res = __local540__\nTRACE | | Redo data.lib.docker.result(msg, cmd, __local540__)\nTRACE | | Redo data.lib.docker.result\nTRACE | | | Redo result = {\"endline\": __local470__, \"filepath\": __local471__, \"msg\": msg, \"startline\": __local472__}\nTRACE | | | Redo object.get(cmd, \"StartLine\", 0, __local472__)\nTRACE | | | Redo object.get(cmd, \"Path\", \"\", __local471__)\nTRACE | | | Redo object.get(cmd, \"EndLine\", 0, __local470__)\nTRACE | | Redo msg = \"Last USER command in Dockerfile should not be 'root'\"\nTRACE | | Redo cmd = data.builtin.dockerfile.DS002.fail_last_user_root[_]\nTRACE | Exit data.builtin.dockerfile.DS002.deny = _\nTRACE Redo data.builtin.dockerfile.DS002.deny = _\nTRACE | Redo data.builtin.dockerfile.DS002.deny = _\nTRACE\n
"},{"location":"guide/scanner/misconfiguration/custom/schema/","title":"Input Schema","text":""},{"location":"guide/scanner/misconfiguration/custom/schema/#overview","title":"Overview","text":"Schemas are declarative documents that define the structure, data types and constraints of inputs being scanned. Trivy provides certain schemas out of the box as seen in the explorer here. You can also find the source code for the schemas here.
Schemas are not required in order to scan inputs with Trivy, but they are required if type-checking is needed.
Checks can be defined with custom schemas that allow inputs to be verified against them. Adding an input schema enables Trivy to show more detailed error messages when an invalid input is encountered.
"},{"location":"guide/scanner/misconfiguration/custom/schema/#unified-schema","title":"Unified Schema","text":"One of the unique advantages of Trivy is to take a variety of inputs, such as IaC files (e.g. CloudFormation, Terraform etc.) and also live cloud scanning (e.g. Trivy AWS plugin) and normalize them into a standard structure, as defined by the schema.
An example of such an application would be scanning AWS resources. You can scan them prior to deployment via the Trivy misconfiguration scanner and also scan them after they've been deployed in the cloud with Trivy AWS scanning. Both scan methods should yield the same result as resources are gathered into a unified representation as defined by the Cloud schema.
"},{"location":"guide/scanner/misconfiguration/custom/schema/#supported-schemas","title":"Supported Schemas","text":"Currently out of the box the following schemas are supported natively:
- Docker
- Kubernetes
- Cloud
- Terraform Raw Format
You can interactively view these schemas with the Trivy Schema Explorer
"},{"location":"guide/scanner/misconfiguration/custom/schema/#example","title":"Example","text":"As mentioned earlier, amongst other built-in schemas, Trivy offers a built-in schema for scanning Dockerfiles. It is available here. Without input schemas, a check would be as follows:
Example
# METADATA\npackage mypackage\n\ndeny {\n input.evil == \"foo bar\"\n}\n
If this check is run against an offending Dockerfile, no issues will be reported, because the check fails to evaluate rather than matching. Although the check's failure to evaluate is legitimate, it should not result in a passing scan.
For instance, if we have a check that looks for misconfigurations in a Dockerfile, we can declare the schema as follows:
Example
# METADATA\n# schemas:\n# - input: schema[\"dockerfile\"]\npackage mypackage\n\ndeny {\n input.evil == \"foo bar\"\n}\n
Here input: schema[\"dockerfile\"] points to a schema that expects a valid Dockerfile as input. An example of this can be found here.
Now if this check is evaluated against a Dockerfile, a more descriptive error will be available to help fix the problem:
1 error occurred: testcheck.rego:8: rego_type_error: undefined ref: input.evil\n input.evil\n ^\n have: \"evil\"\n want (one of): [\"Stages\"]\n
"},{"location":"guide/scanner/misconfiguration/custom/schema/#custom-checks-with-custom-schemas","title":"Custom Checks with Custom Schemas","text":"You can also bring a custom check that defines one or more custom schemas.
Example
# METADATA\n# schemas:\n# - input: schema[\"fooschema\"]\n# - input: schema[\"barschema\"]\npackage mypackage\n\ndeny {\n input.evil == \"foo bar\"\n}\n
The checks and their schemas can be placed in a directory structure as follows:
Example
/Users/user/my-custom-checks\n\u251c\u2500\u2500 my_check.rego\n\u2514\u2500\u2500 schemas\n \u2514\u2500\u2500 fooschema.json\n \u2514\u2500\u2500 barschema.json\n
To use such a check with Trivy, use the --config-check flag that points to the check file or to the directory where the schemas and checks are contained.
$ trivy --config-check=/Users/user/my-custom-checks <path/to/iac>\n
For more details on how to define schemas within Rego checks, please see the OPA guide that describes it in more detail.
"},{"location":"guide/scanner/misconfiguration/custom/schema/#scan-arbitrary-json-and-yaml-configurations","title":"Scan arbitrary JSON and YAML configurations","text":"By default, scanning JSON and YAML configurations is disabled, since Trivy does not contain built-in checks for these configurations. To enable it, pass json or yaml to --misconfig-scanners. Trivy will pass each file as-is as the input to the checks.
Example
$ cat iac/serverless.yaml\nservice: serverless-rest-api-with-pynamodb\n\nframeworkVersion: \">=2.24.0\"\n\nplugins:\n - serverless-python-requirements\n...\n\n$ cat serverless.rego\n# METADATA\n# title: Serverless Framework service name not starting with \"aws-\"\n# description: Ensure that Serverless Framework service names start with \"aws-\"\n# schemas:\n# - input: schema[\"serverless-schema\"]\n# custom:\n# id: SF001\n# severity: LOW\npackage user.serverless001\n\ndeny[res] {\n not startswith(input.service, \"aws-\")\n res := result.new(\n sprintf(\"Service name %q is not allowed\", [input.service]),\n input.service\n )\n}\n\n$ trivy config --misconfig-scanners=json,yaml --config-check ./serverless.rego --check-namespaces user ./iac\nserverless.yaml (yaml)\n\nTests: 4 (SUCCESSES: 3, FAILURES: 1)\nFailures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)\n\nLOW: Service name \"serverless-rest-api-with-pynamodb\" is not allowed\n\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\nEnsure that Serverless Framework service names start with \"aws-\"\n
Note
In the case above, the custom check specified has a metadata annotation for the input schema input: schema[\"serverless-schema\"]. This allows Trivy to type check the input IaC files provided.
Optionally, you can also pass schemas using the --config-file-schemas flag. Trivy will use these schemas for file filtering and type checking in Rego checks.
Example
$ trivy config --misconfig-scanners=json,yaml --config-check ./serverless.rego --check-namespaces user --config-file-schemas ./serverless-schema.json ./iac\n
If the --config-file-schemas flag is specified Trivy ensures that each input IaC config file being scanned is type-checked against the schema. If the input file does not match any of the passed schemas, it will be ignored.
If the schema is specified in the check metadata and is in the directory specified in the --config-check argument, it will be automatically loaded as specified here, and will only be used for type checking in Rego.
Note
If a user specifies the --config-file-schemas flag, Trivy ensures that all input IaC config files pass type-checking. It is not required to pass an input schema if type checking is not required. This is helpful for scenarios where you simply want to write a Rego check and pass IaC input to it, such as scanning for a new service which Trivy might not support just yet.
Tip
It is also possible to specify multiple input schemas with the --config-file-schemas flag, as it accepts a comma-separated list of file paths or a directory as input. If multiple schemas are specified, all of them will be evaluated against all the input files.
"},{"location":"guide/scanner/misconfiguration/custom/selectors/","title":"Input Selectors","text":""},{"location":"guide/scanner/misconfiguration/custom/selectors/#overview","title":"Overview","text":"Sometimes you might want to limit a certain policy to only be run on certain resources. This can be achieved with input selectors.
"},{"location":"guide/scanner/misconfiguration/custom/selectors/#use-case","title":"Use case","text":"For instance, you might have a custom policy that you only want evaluated when a certain resource type is being scanned. In such a case you can use input selectors to limit its evaluation to only those resources.
Example
# METADATA\n # title: \"RDS Publicly Accessible\"\n # description: \"Ensures RDS instances are not launched into the public cloud.\"\n # custom:\n # input:\n # selector:\n # - type: cloud\n # subtypes:\n # - provider: aws\n # service: rds\n package builtin.aws.rds.aws0999\n\n deny[res] {\n instance := input.aws.rds.instances[_]\n instance.publicaccess.value\n res := result.new(\"Instance has Public Access enabled\", instance.publicaccess)\n }\n
Observe the following subtypes defined:
# subtypes:\n # - provider: aws\n # service: rds\n
They will ensure that the policy is only run when the input to such a policy contains an RDS instance.
"},{"location":"guide/scanner/misconfiguration/custom/selectors/#enabling-selectors-and-subtypes","title":"Enabling selectors and subtypes","text":"Currently, the following are supported:
Selector, subtype fields required and example:
- Cloud (AWS, Azure, etc.): provider, service (example: provider: aws, service: rds)
- Kubernetes: type: kubernetes
- Dockerfile: type: dockerfile"},{"location":"guide/scanner/misconfiguration/custom/selectors/#default-behaviour","title":"Default behaviour","text":"If no subtypes or selectors are specified, the policy will be evaluated regardless of input.
"},{"location":"guide/scanner/misconfiguration/custom/testing/","title":"Testing","text":"It is highly recommended to write tests for your custom checks.
"},{"location":"guide/scanner/misconfiguration/custom/testing/#rego-testing","title":"Rego testing","text":"To help you verify the correctness of your custom checks, OPA gives you a framework that you can use to write tests for your checks. By writing tests for your custom checks you can speed up the development process of new rules and reduce the amount of time it takes to modify rules as requirements evolve.
For more details, see Policy Testing.
Example
package user.dockerfile.ID002\n\ntest_add_denied {\n r := deny with input as {\"stages\": {\"alpine:3.13\": [\n {\"Cmd\": \"add\", \"Value\": [\"/target/resources.tar.gz\", \"resources.jar\"]},\n {\"Cmd\": \"add\", \"Value\": [\"/target/app.jar\", \"app.jar\"]},\n ]}}\n\n count(r) == 1\n r[_] == \"Consider using 'COPY /target/app.jar app.jar' command instead of 'ADD /target/app.jar app.jar'\"\n}\n
To write tests for custom checks, you can refer to existing tests under trivy-checks.
"},{"location":"guide/scanner/misconfiguration/custom/testing/#go-testing","title":"Go testing","text":"Fanal, a core library of Trivy, can be imported as a Go library. You can scan config files in Go and test your custom checks using Go's testing methods, such as table-driven tests. This allows you to use the actual configuration file as input, making it easy to prepare test data and ensure that your custom checks work in practice.
In particular, Dockerfile and HCL need to be converted to structural data as input, which may be different from the expected input format.
Tip
We recommend writing both OPA and Go tests, since they have different roles, like unit tests and integration tests.
The following example stores allowed and denied configuration files in a directory. Successes holds the results of checks that passed, and Failures holds the results of checks that failed.
{\n name: \"disallowed ports\",\n input: \"configs/\",\n fields: fields{\n policyPaths: []string{\"policy\"},\n dataPaths: []string{\"data\"},\n namespaces: []string{\"user\"},\n },\n want: []types.Misconfiguration{\n {\n FileType: types.Dockerfile,\n FilePath: \"Dockerfile.allowed\",\n Successes: types.MisconfResults{\n {\n Namespace: \"user.dockerfile.ID002\",\n PolicyMetadata: types.PolicyMetadata{\n ID: \"ID002\",\n Type: \"Docker Custom Check\",\n Title: \"Disallowed ports exposed\",\n Severity: \"HIGH\",\n },\n },\n },\n },\n {\n FileType: types.Dockerfile,\n FilePath: \"Dockerfile.denied\",\n Failures: types.MisconfResults{\n {\n Namespace: \"user.dockerfile.ID002\",\n Message: \"Port 23 should not be exposed\",\n PolicyMetadata: types.PolicyMetadata{\n ID: \"ID002\",\n Type: \"Docker Custom Check\",\n Title: \"Disallowed ports exposed\",\n Severity: \"HIGH\",\n },\n },\n },\n },\n },\n},\n
Dockerfile.allowed has one successful result in Successes, while Dockerfile.denied has one failure result in Failures.
"},{"location":"guide/supply-chain/sbom/","title":"SBOM","text":""},{"location":"guide/supply-chain/sbom/#generating","title":"Generating","text":"Trivy can generate the following SBOM formats.
- CycloneDX
- SPDX
"},{"location":"guide/supply-chain/sbom/#cli-commands","title":"CLI commands","text":"To generate an SBOM, you can use the --format option with each subcommand, such as image, fs and vm.
$ trivy image --format spdx-json --output result.json alpine:3.15\n
$ trivy fs --format cyclonedx --output result.json /app/myproject\n
Result {\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.3\",\n \"serialNumber\": \"urn:uuid:2be5773d-7cd3-4b4b-90a5-e165474ddace\",\n \"version\": 1,\n \"metadata\": {\n \"timestamp\": \"2022-02-22T15:11:40.270597Z\",\n \"tools\": [\n {\n \"vendor\": \"aquasecurity\",\n \"name\": \"trivy\",\n \"version\": \"dev\"\n }\n ],\n \"component\": {\n \"bom-ref\": \"pkg:oci/alpine@sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300?repository_url=index.docker.io%2Flibrary%2Falpine&arch=amd64\",\n \"type\": \"container\",\n \"name\": \"alpine:3.15\",\n \"version\": \"\",\n \"purl\": \"pkg:oci/alpine@sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300?repository_url=index.docker.io%2Flibrary%2Falpine&arch=amd64\",\n \"properties\": [\n {\n \"name\": \"aquasecurity:trivy:SchemaVersion\",\n \"value\": \"2\"\n },\n {\n \"name\": \"aquasecurity:trivy:ImageID\",\n \"value\": \"sha256:c059bfaa849c4d8e4aecaeb3a10c2d9b3d85f5165c66ad3a4d937758128c4d18\"\n },\n {\n \"name\": \"aquasecurity:trivy:RepoDigest\",\n \"value\": \"alpine@sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300\"\n },\n {\n \"name\": \"aquasecurity:trivy:DiffID\",\n \"value\": \"sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759\"\n },\n {\n \"name\": \"aquasecurity:trivy:RepoTag\",\n \"value\": \"alpine:3.15\"\n }\n ]\n }\n },\n \"components\": [\n {\n \"bom-ref\": \"pkg:apk/alpine/alpine-baselayout@3.2.0-r18?distro=3.15.0\",\n \"type\": \"library\",\n \"name\": \"alpine-baselayout\",\n \"version\": \"3.2.0-r18\",\n \"licenses\": [\n {\n \"expression\": \"GPL-2.0-only\"\n }\n ],\n \"purl\": \"pkg:apk/alpine/alpine-baselayout@3.2.0-r18?distro=3.15.0\",\n \"properties\": [\n {\n \"name\": \"aquasecurity:trivy:SrcName\",\n \"value\": \"alpine-baselayout\"\n },\n {\n \"name\": \"aquasecurity:trivy:SrcVersion\",\n \"value\": \"3.2.0-r18\"\n },\n {\n \"name\": \"aquasecurity:trivy:LayerDigest\",\n \"value\": 
\"sha256:59bf1c3509f33515622619af21ed55bbe26d24913cedbca106468a5fb37a50c3\"\n },\n {\n \"name\": \"aquasecurity:trivy:LayerDiffID\",\n \"value\": \"sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759\"\n }\n ]\n },\n ...(snip)...\n {\n \"bom-ref\": \"pkg:apk/alpine/zlib@1.2.11-r3?distro=3.15.0\",\n \"type\": \"library\",\n \"name\": \"zlib\",\n \"version\": \"1.2.11-r3\",\n \"licenses\": [\n {\n \"expression\": \"Zlib\"\n }\n ],\n \"purl\": \"pkg:apk/alpine/zlib@1.2.11-r3?distro=3.15.0\",\n \"properties\": [\n {\n \"name\": \"aquasecurity:trivy:SrcName\",\n \"value\": \"zlib\"\n },\n {\n \"name\": \"aquasecurity:trivy:SrcVersion\",\n \"value\": \"1.2.11-r3\"\n },\n {\n \"name\": \"aquasecurity:trivy:LayerDigest\",\n \"value\": \"sha256:59bf1c3509f33515622619af21ed55bbe26d24913cedbca106468a5fb37a50c3\"\n },\n {\n \"name\": \"aquasecurity:trivy:LayerDiffID\",\n \"value\": \"sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759\"\n }\n ]\n },\n {\n \"bom-ref\": \"3da6a469-964d-4b4e-b67d-e94ec7c88d37\",\n \"type\": \"operating-system\",\n \"name\": \"alpine\",\n \"version\": \"3.15.0\",\n \"properties\": [\n {\n \"name\": \"aquasecurity:trivy:Type\",\n \"value\": \"alpine\"\n },\n {\n \"name\": \"aquasecurity:trivy:Class\",\n \"value\": \"os-pkgs\"\n }\n ]\n }\n ],\n \"dependencies\": [\n {\n \"ref\": \"3da6a469-964d-4b4e-b67d-e94ec7c88d37\",\n \"dependsOn\": [\n \"pkg:apk/alpine/alpine-baselayout@3.2.0-r18?distro=3.15.0\",\n \"pkg:apk/alpine/alpine-keys@2.4-r1?distro=3.15.0\",\n \"pkg:apk/alpine/apk-tools@2.12.7-r3?distro=3.15.0\",\n \"pkg:apk/alpine/busybox@1.34.1-r3?distro=3.15.0\",\n \"pkg:apk/alpine/ca-certificates-bundle@20191127-r7?distro=3.15.0\",\n \"pkg:apk/alpine/libc-utils@0.7.2-r3?distro=3.15.0\",\n \"pkg:apk/alpine/libcrypto1.1@1.1.1l-r7?distro=3.15.0\",\n \"pkg:apk/alpine/libretls@3.3.4-r2?distro=3.15.0\",\n \"pkg:apk/alpine/libssl1.1@1.1.1l-r7?distro=3.15.0\",\n \"pkg:apk/alpine/musl@1.2.2-r7?distro=3.15.0\",\n 
\"pkg:apk/alpine/musl-utils@1.2.2-r7?distro=3.15.0\",\n \"pkg:apk/alpine/scanelf@1.3.3-r0?distro=3.15.0\",\n \"pkg:apk/alpine/ssl_client@1.34.1-r3?distro=3.15.0\",\n \"pkg:apk/alpine/zlib@1.2.11-r3?distro=3.15.0\"\n ]\n },\n {\n \"ref\": \"pkg:oci/alpine@sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300?repository_url=index.docker.io%2Flibrary%2Falpine&arch=amd64\",\n \"dependsOn\": [\n \"3da6a469-964d-4b4e-b67d-e94ec7c88d37\"\n ]\n }\n ]\n}\n
"},{"location":"guide/supply-chain/sbom/#supported-packages","title":"Supported packages","text":"Trivy supports the following packages.
- OS packages
- Language-specific packages
Trivy has a specific logic for package detection. See the package detection section for more information.
"},{"location":"guide/supply-chain/sbom/#formats","title":"Formats","text":""},{"location":"guide/supply-chain/sbom/#cyclonedx","title":"CycloneDX","text":"Trivy can generate an SBOM in the CycloneDX format. Note that the XML format is not supported at the moment.
You can use the regular subcommands (like image, fs and rootfs) and specify cyclonedx with the --format option.
CycloneDX can represent an SBOM, a BOV, or both.
- Software Bill of Materials (SBOM)
- Bill of Vulnerabilities (BOV)
By default, --format cyclonedx produces an SBOM and does not include vulnerabilities in the CycloneDX output.
$ trivy image --format cyclonedx --output result.json alpine:3.15\n2022-07-19T07:47:27.624Z INFO \"--format cyclonedx\" disables security scanning. Specify \"--scanners vuln\" explicitly if you want to include vulnerabilities in the CycloneDX report.\n
Result $ cat result.json | jq .\n{\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"serialNumber\": \"urn:uuid:2be5773d-7cd3-4b4b-90a5-e165474ddace\",\n \"version\": 1,\n \"metadata\": {\n \"timestamp\": \"2022-02-22T15:11:40.270597Z\",\n \"tools\": {\n \"components\": [\n {\n \"type\": \"application\",\n \"group\": \"aquasecurity\",\n \"name\": \"trivy\",\n \"version\": \"dev\"\n }\n ]\n },\n \"component\": {\n \"bom-ref\": \"pkg:oci/alpine@sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300?repository_url=index.docker.io%2Flibrary%2Falpine&arch=amd64\",\n \"type\": \"container\",\n \"name\": \"alpine:3.15\",\n \"version\": \"\",\n \"purl\": \"pkg:oci/alpine@sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300?repository_url=index.docker.io%2Flibrary%2Falpine&arch=amd64\",\n \"properties\": [\n {\n \"name\": \"aquasecurity:trivy:SchemaVersion\",\n \"value\": \"2\"\n },\n {\n \"name\": \"aquasecurity:trivy:ImageID\",\n \"value\": \"sha256:c059bfaa849c4d8e4aecaeb3a10c2d9b3d85f5165c66ad3a4d937758128c4d18\"\n },\n {\n \"name\": \"aquasecurity:trivy:RepoDigest\",\n \"value\": \"alpine@sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300\"\n },\n {\n \"name\": \"aquasecurity:trivy:DiffID\",\n \"value\": \"sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759\"\n },\n {\n \"name\": \"aquasecurity:trivy:RepoTag\",\n \"value\": \"alpine:3.15\"\n }\n ]\n }\n },\n \"components\": [\n {\n \"bom-ref\": \"pkg:apk/alpine/alpine-baselayout@3.2.0-r18?distro=3.15.0\",\n \"type\": \"library\",\n \"name\": \"alpine-baselayout\",\n \"version\": \"3.2.0-r18\",\n \"licenses\": [\n {\n \"expression\": \"GPL-2.0-only\"\n }\n ],\n \"purl\": \"pkg:apk/alpine/alpine-baselayout@3.2.0-r18?distro=3.15.0\",\n \"properties\": [\n {\n \"name\": \"aquasecurity:trivy:SrcName\",\n \"value\": \"alpine-baselayout\"\n },\n {\n \"name\": \"aquasecurity:trivy:SrcVersion\",\n \"value\": \"3.2.0-r18\"\n },\n {\n 
\"name\": \"aquasecurity:trivy:LayerDigest\",\n \"value\": \"sha256:59bf1c3509f33515622619af21ed55bbe26d24913cedbca106468a5fb37a50c3\"\n },\n {\n \"name\": \"aquasecurity:trivy:LayerDiffID\",\n \"value\": \"sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759\"\n }\n ]\n },\n ...(snip)...\n {\n \"bom-ref\": \"pkg:apk/alpine/zlib@1.2.11-r3?distro=3.15.0\",\n \"type\": \"library\",\n \"name\": \"zlib\",\n \"version\": \"1.2.11-r3\",\n \"licenses\": [\n {\n \"expression\": \"Zlib\"\n }\n ],\n \"purl\": \"pkg:apk/alpine/zlib@1.2.11-r3?distro=3.15.0\",\n \"properties\": [\n {\n \"name\": \"aquasecurity:trivy:SrcName\",\n \"value\": \"zlib\"\n },\n {\n \"name\": \"aquasecurity:trivy:SrcVersion\",\n \"value\": \"1.2.11-r3\"\n },\n {\n \"name\": \"aquasecurity:trivy:LayerDigest\",\n \"value\": \"sha256:59bf1c3509f33515622619af21ed55bbe26d24913cedbca106468a5fb37a50c3\"\n },\n {\n \"name\": \"aquasecurity:trivy:LayerDiffID\",\n \"value\": \"sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759\"\n }\n ]\n },\n {\n \"bom-ref\": \"3da6a469-964d-4b4e-b67d-e94ec7c88d37\",\n \"type\": \"operating-system\",\n \"name\": \"alpine\",\n \"version\": \"3.15.0\",\n \"properties\": [\n {\n \"name\": \"aquasecurity:trivy:Type\",\n \"value\": \"alpine\"\n },\n {\n \"name\": \"aquasecurity:trivy:Class\",\n \"value\": \"os-pkgs\"\n }\n ]\n }\n ],\n \"dependencies\": [\n {\n \"ref\": \"3da6a469-964d-4b4e-b67d-e94ec7c88d37\",\n \"dependsOn\": [\n \"pkg:apk/alpine/alpine-baselayout@3.2.0-r18?distro=3.15.0\",\n \"pkg:apk/alpine/alpine-keys@2.4-r1?distro=3.15.0\",\n \"pkg:apk/alpine/apk-tools@2.12.7-r3?distro=3.15.0\",\n \"pkg:apk/alpine/busybox@1.34.1-r3?distro=3.15.0\",\n \"pkg:apk/alpine/ca-certificates-bundle@20191127-r7?distro=3.15.0\",\n \"pkg:apk/alpine/libc-utils@0.7.2-r3?distro=3.15.0\",\n \"pkg:apk/alpine/libcrypto1.1@1.1.1l-r7?distro=3.15.0\",\n \"pkg:apk/alpine/libretls@3.3.4-r2?distro=3.15.0\",\n 
\"pkg:apk/alpine/libssl1.1@1.1.1l-r7?distro=3.15.0\",\n \"pkg:apk/alpine/musl@1.2.2-r7?distro=3.15.0\",\n \"pkg:apk/alpine/musl-utils@1.2.2-r7?distro=3.15.0\",\n \"pkg:apk/alpine/scanelf@1.3.3-r0?distro=3.15.0\",\n \"pkg:apk/alpine/ssl_client@1.34.1-r3?distro=3.15.0\",\n \"pkg:apk/alpine/zlib@1.2.11-r3?distro=3.15.0\"\n ]\n },\n {\n \"ref\": \"pkg:oci/alpine@sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300?repository_url=index.docker.io%2Flibrary%2Falpine&arch=amd64\",\n \"dependsOn\": [\n \"3da6a469-964d-4b4e-b67d-e94ec7c88d37\"\n ]\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"CVE-2021-42386\",\n \"source\": {\n \"name\": \"alpine\",\n \"url\": \"https://secdb.alpinelinux.org/\"\n },\n \"ratings\": [\n {\n \"source\": {\n \"name\": \"nvd\"\n },\n \"score\": 7.2,\n \"severity\": \"high\",\n \"method\": \"CVSSv31\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\"\n },\n {\n \"source\": {\n \"name\": \"nvd\"\n },\n \"score\": 6.5,\n \"severity\": \"medium\",\n \"method\": \"CVSSv2\",\n \"vector\": \"AV:N/AC:L/Au:S/C:P/I:P/A:P\"\n },\n {\n \"source\": {\n \"name\": \"redhat\"\n },\n \"score\": 6.6,\n \"severity\": \"medium\",\n \"method\": \"CVSSv31\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H\"\n }\n ],\n \"cwes\": [\n 416\n ],\n \"description\": \"A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function\",\n \"advisories\": [\n {\n \"url\": \"https://access.redhat.com/security/cve/CVE-2021-42386\"\n },\n {\n \"url\": \"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42386\"\n }\n ],\n \"published\": \"2021-11-15 21:15:00 +0000 UTC\",\n \"updated\": \"2022-01-04 17:14:00 +0000 UTC\",\n \"affects\": [\n {\n \"ref\": \"pkg:apk/alpine/busybox@1.33.1-r3?distro=3.14.2\"\n },\n {\n \"ref\": \"pkg:apk/alpine/ssl_client@1.33.1-r3?distro=3.14.2\"\n }\n ]\n }\n ]\n}\n
If you want to include vulnerabilities, you can enable vulnerability scanning via --scanners vuln.
$ trivy image --scanners vuln --format cyclonedx --output result.json alpine:3.15\n
"},{"location":"guide/supply-chain/sbom/#spdx","title":"SPDX","text":"Trivy can generate an SBOM in the SPDX format.
You can use the regular subcommands (like image, fs and rootfs) and specify spdx or spdx-json with the --format option.
$ trivy image --format spdx --output result.spdx alpine:3.15\n
Result SPDXVersion: SPDX-2.3\nDataLicense: CC0-1.0\nSPDXID: SPDXRef-DOCUMENT\nDocumentName: alpine:3.15\nDocumentNamespace: http://trivy.dev/container_image/alpine:3.15-12db86e1-4aa4-40ec-900b-5aaa5d82461b\nCreator: Organization: aquasecurity\nCreator: Tool: trivy-0.58.0\nCreated: 2025-02-11T07:43:38Z\n\n##### Package: alpine:3.15\n\nPackageName: alpine:3.15\nSPDXID: SPDXRef-ContainerImage-d8b2a386253047e7\nPackageDownloadLocation: NONE\nPrimaryPackagePurpose: CONTAINER\nFilesAnalyzed: false\nExternalRef: PACKAGE-MANAGER purl pkg:oci/alpine@sha256%3A19b4bcc4f60e99dd5ebdca0cbce22c503bbcff197549d7e19dab4f22254dc864?arch=amd64&repository_url=index.docker.io%2Flibrary%2Falpine\n\n##### Package: alpine\n\nPackageName: alpine\nSPDXID: SPDXRef-OperatingSystem-c24750c3b737d897\nPackageVersion: 3.15.11\nPackageDownloadLocation: NONE\nPrimaryPackagePurpose: OPERATING-SYSTEM\nFilesAnalyzed: false\n\n##### Package: libretls\n\nPackageName: libretls\nSPDXID: SPDXRef-Package-343391d704e00fbd\nPackageVersion: 3.3.4-r3\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NONE\nPrimaryPackagePurpose: LIBRARY\nFilesAnalyzed: false\nPackageChecksum: SHA1: 67dfefe5456c45192b60d76ade98c501b0ae814f\nPackageSourceInfo: built package from: libretls 3.3.4-r3\nPackageLicenseConcluded: ISC AND BSD-3-Clause AND MIT\nPackageLicenseDeclared: ISC AND BSD-3-Clause AND MIT\nExternalRef: PACKAGE-MANAGER purl pkg:apk/alpine/libretls@3.3.4-r3?arch=x86_64&distro=3.15.11\n\n##### Package: libc-utils\n\nPackageName: libc-utils\nSPDXID: SPDXRef-Package-43343abe5c1a0439\nPackageVersion: 0.7.2-r3\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NONE\nPrimaryPackagePurpose: LIBRARY\nFilesAnalyzed: false\nPackageChecksum: SHA1: 798de3ebb57f3e28f408080746935f213a099722\nPackageSourceInfo: built package from: libc-dev 0.7.2-r3\nPackageLicenseConcluded: BSD-2-Clause AND BSD-3-Clause\nPackageLicenseDeclared: BSD-2-Clause AND BSD-3-Clause\nExternalRef: PACKAGE-MANAGER purl 
pkg:apk/alpine/libc-utils@0.7.2-r3?arch=x86_64&distro=3.15.11\n\n##### Package: alpine-baselayout\n\nPackageName: alpine-baselayout\nSPDXID: SPDXRef-Package-64b7e662458dcd5f\nPackageVersion: 3.2.0-r18\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NONE\nPrimaryPackagePurpose: LIBRARY\nFilesAnalyzed: false\nPackageChecksum: SHA1: 132992eab020986b3b5d886a77212889680467a0\nPackageSourceInfo: built package from: alpine-baselayout 3.2.0-r18\nPackageLicenseConcluded: GPL-2.0-only\nPackageLicenseDeclared: GPL-2.0-only\nExternalRef: PACKAGE-MANAGER purl pkg:apk/alpine/alpine-baselayout@3.2.0-r18?arch=x86_64&distro=3.15.11\n\n##### Package: busybox\n\nPackageName: busybox\nSPDXID: SPDXRef-Package-6c7c9dac75e301b7\nPackageVersion: 1.34.1-r7\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NONE\nPrimaryPackagePurpose: LIBRARY\nFilesAnalyzed: false\nPackageChecksum: SHA1: 21f9265e7a34c795fba4e99c8ae37b57f31cd1a2\nPackageSourceInfo: built package from: busybox 1.34.1-r7\nPackageLicenseConcluded: GPL-2.0-only\nPackageLicenseDeclared: GPL-2.0-only\nExternalRef: PACKAGE-MANAGER purl pkg:apk/alpine/busybox@1.34.1-r7?arch=x86_64&distro=3.15.11\n\n##### Package: ca-certificates-bundle\n\nPackageName: ca-certificates-bundle\nSPDXID: SPDXRef-Package-702c9bf0cfddb42e\nPackageVersion: 20230506-r0\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NONE\nPrimaryPackagePurpose: LIBRARY\nFilesAnalyzed: false\nPackageChecksum: SHA1: 99894c0b834a3f5955e6e5d5f0d804943f05ff52\nPackageSourceInfo: built package from: ca-certificates 20230506-r0\nPackageLicenseConcluded: MPL-2.0 AND MIT\nPackageLicenseDeclared: MPL-2.0 AND MIT\nExternalRef: PACKAGE-MANAGER purl pkg:apk/alpine/ca-certificates-bundle@20230506-r0?arch=x86_64&distro=3.15.11\n\n##### Package: musl-utils\n\nPackageName: musl-utils\nSPDXID: SPDXRef-Package-92eb9ab29b057905\nPackageVersion: 1.2.2-r9\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NONE\nPrimaryPackagePurpose: LIBRARY\nFilesAnalyzed: 
false\nPackageChecksum: SHA1: f69aa6d6a57c90358005ce61ccb4ad96cdc303f4\nPackageSourceInfo: built package from: musl 1.2.2-r9\nPackageLicenseConcluded: MIT AND BSD-3-Clause AND GPL-2.0-or-later\nPackageLicenseDeclared: MIT AND BSD-3-Clause AND GPL-2.0-or-later\nExternalRef: PACKAGE-MANAGER purl pkg:apk/alpine/musl-utils@1.2.2-r9?arch=x86_64&distro=3.15.11\n\n##### Package: scanelf\n\nPackageName: scanelf\nSPDXID: SPDXRef-Package-988bca2f70cf58f6\nPackageVersion: 1.3.3-r0\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NONE\nPrimaryPackagePurpose: LIBRARY\nFilesAnalyzed: false\nPackageChecksum: SHA1: d7f7590e450870a4f79671c2369b31b5bb07349a\nPackageSourceInfo: built package from: pax-utils 1.3.3-r0\nPackageLicenseConcluded: GPL-2.0-only\nPackageLicenseDeclared: GPL-2.0-only\nExternalRef: PACKAGE-MANAGER purl pkg:apk/alpine/scanelf@1.3.3-r0?arch=x86_64&distro=3.15.11\n\n##### Package: apk-tools\n\nPackageName: apk-tools\nSPDXID: SPDXRef-Package-aa2e51a695e95cb9\nPackageVersion: 2.12.7-r3\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NONE\nPrimaryPackagePurpose: LIBRARY\nFilesAnalyzed: false\nPackageChecksum: SHA1: ddf3ddf8545768bc323649559feaae1560f29273\nPackageSourceInfo: built package from: apk-tools 2.12.7-r3\nPackageLicenseConcluded: GPL-2.0-only\nPackageLicenseDeclared: GPL-2.0-only\nExternalRef: PACKAGE-MANAGER purl pkg:apk/alpine/apk-tools@2.12.7-r3?arch=x86_64&distro=3.15.11\n\n##### Package: libcrypto1.1\n\nPackageName: libcrypto1.1\nSPDXID: SPDXRef-Package-ba5f079c5c32fc8\nPackageVersion: 1.1.1w-r1\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NONE\nPrimaryPackagePurpose: LIBRARY\nFilesAnalyzed: false\nPackageChecksum: SHA1: e378634f5c8af32ca75ac56f41ecf4e8d49584a0\nPackageSourceInfo: built package from: openssl 1.1.1w-r1\nPackageLicenseConcluded: OpenSSL\nPackageLicenseDeclared: OpenSSL\nExternalRef: PACKAGE-MANAGER purl pkg:apk/alpine/libcrypto1.1@1.1.1w-r1?arch=x86_64&distro=3.15.11\n\n##### Package: 
alpine-keys\n\nPackageName: alpine-keys\nSPDXID: SPDXRef-Package-be18726b6be779d1\nPackageVersion: 2.4-r1\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NONE\nPrimaryPackagePurpose: LIBRARY\nFilesAnalyzed: false\nPackageChecksum: SHA1: 903176b2d2a8ddefd1ba6940f19ad17c2c1d4aff\nPackageSourceInfo: built package from: alpine-keys 2.4-r1\nPackageLicenseConcluded: MIT\nPackageLicenseDeclared: MIT\nExternalRef: PACKAGE-MANAGER purl pkg:apk/alpine/alpine-keys@2.4-r1?arch=x86_64&distro=3.15.11\n\n##### Package: ssl_client\n\nPackageName: ssl_client\nSPDXID: SPDXRef-Package-d9ad92ed9413c93b\nPackageVersion: 1.34.1-r7\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NONE\nPrimaryPackagePurpose: LIBRARY\nFilesAnalyzed: false\nPackageChecksum: SHA1: dddfa62dd51bd8807ee1d8660e860574a9dd78ed\nPackageSourceInfo: built package from: busybox 1.34.1-r7\nPackageLicenseConcluded: GPL-2.0-only\nPackageLicenseDeclared: GPL-2.0-only\nExternalRef: PACKAGE-MANAGER purl pkg:apk/alpine/ssl_client@1.34.1-r7?arch=x86_64&distro=3.15.11\n\n##### Package: musl\n\nPackageName: musl\nSPDXID: SPDXRef-Package-ee9b5186331e7a76\nPackageVersion: 1.2.2-r9\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NONE\nPrimaryPackagePurpose: LIBRARY\nFilesAnalyzed: false\nPackageChecksum: SHA1: 7ebdef6cf7f9b58c0e213b333db946d22b00b777\nPackageSourceInfo: built package from: musl 1.2.2-r9\nPackageLicenseConcluded: MIT\nPackageLicenseDeclared: MIT\nExternalRef: PACKAGE-MANAGER purl pkg:apk/alpine/musl@1.2.2-r9?arch=x86_64&distro=3.15.11\n\n##### Package: libssl1.1\n\nPackageName: libssl1.1\nSPDXID: SPDXRef-Package-f00669065070476c\nPackageVersion: 1.1.1w-r1\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NONE\nPrimaryPackagePurpose: LIBRARY\nFilesAnalyzed: false\nPackageChecksum: SHA1: 9306ed15b3bdfc7553d5c14c472d87a41fef8541\nPackageSourceInfo: built package from: openssl 1.1.1w-r1\nPackageLicenseConcluded: OpenSSL\nPackageLicenseDeclared: OpenSSL\nExternalRef: PACKAGE-MANAGER purl 
pkg:apk/alpine/libssl1.1@1.1.1w-r1?arch=x86_64&distro=3.15.11\n\n##### Package: zlib\n\nPackageName: zlib\nSPDXID: SPDXRef-Package-fcb106f21773cad3\nPackageVersion: 1.2.12-r3\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NONE\nPrimaryPackagePurpose: LIBRARY\nFilesAnalyzed: false\nPackageChecksum: SHA1: ab98d0416bf1dcd245c7b0800f99cbceacfa48b3\nPackageSourceInfo: built package from: zlib 1.2.12-r3\nPackageLicenseConcluded: Zlib\nPackageLicenseDeclared: Zlib\nExternalRef: PACKAGE-MANAGER purl pkg:apk/alpine/zlib@1.2.12-r3?arch=x86_64&distro=3.15.11\n\n##### Relationships\n\nRelationship: SPDXRef-ContainerImage-d8b2a386253047e7 CONTAINS SPDXRef-OperatingSystem-c24750c3b737d897\nRelationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-ContainerImage-d8b2a386253047e7\nRelationship: SPDXRef-OperatingSystem-c24750c3b737d897 CONTAINS SPDXRef-Package-343391d704e00fbd\nRelationship: SPDXRef-OperatingSystem-c24750c3b737d897 CONTAINS SPDXRef-Package-43343abe5c1a0439\nRelationship: SPDXRef-OperatingSystem-c24750c3b737d897 CONTAINS SPDXRef-Package-64b7e662458dcd5f\nRelationship: SPDXRef-OperatingSystem-c24750c3b737d897 CONTAINS SPDXRef-Package-6c7c9dac75e301b7\nRelationship: SPDXRef-OperatingSystem-c24750c3b737d897 CONTAINS SPDXRef-Package-702c9bf0cfddb42e\nRelationship: SPDXRef-OperatingSystem-c24750c3b737d897 CONTAINS SPDXRef-Package-92eb9ab29b057905\nRelationship: SPDXRef-OperatingSystem-c24750c3b737d897 CONTAINS SPDXRef-Package-988bca2f70cf58f6\nRelationship: SPDXRef-OperatingSystem-c24750c3b737d897 CONTAINS SPDXRef-Package-aa2e51a695e95cb9\nRelationship: SPDXRef-OperatingSystem-c24750c3b737d897 CONTAINS SPDXRef-Package-ba5f079c5c32fc8\nRelationship: SPDXRef-OperatingSystem-c24750c3b737d897 CONTAINS SPDXRef-Package-be18726b6be779d1\nRelationship: SPDXRef-OperatingSystem-c24750c3b737d897 CONTAINS SPDXRef-Package-d9ad92ed9413c93b\nRelationship: SPDXRef-OperatingSystem-c24750c3b737d897 CONTAINS SPDXRef-Package-ee9b5186331e7a76\nRelationship: 
SPDXRef-OperatingSystem-c24750c3b737d897 CONTAINS SPDXRef-Package-f00669065070476c\nRelationship: SPDXRef-OperatingSystem-c24750c3b737d897 CONTAINS SPDXRef-Package-fcb106f21773cad3\nRelationship: SPDXRef-Package-343391d704e00fbd DEPENDS_ON SPDXRef-Package-702c9bf0cfddb42e\nRelationship: SPDXRef-Package-343391d704e00fbd DEPENDS_ON SPDXRef-Package-ba5f079c5c32fc8\nRelationship: SPDXRef-Package-343391d704e00fbd DEPENDS_ON SPDXRef-Package-ee9b5186331e7a76\nRelationship: SPDXRef-Package-343391d704e00fbd DEPENDS_ON SPDXRef-Package-f00669065070476c\nRelationship: SPDXRef-Package-43343abe5c1a0439 DEPENDS_ON SPDXRef-Package-92eb9ab29b057905\nRelationship: SPDXRef-Package-64b7e662458dcd5f DEPENDS_ON SPDXRef-Package-6c7c9dac75e301b7\nRelationship: SPDXRef-Package-64b7e662458dcd5f DEPENDS_ON SPDXRef-Package-ee9b5186331e7a76\nRelationship: SPDXRef-Package-6c7c9dac75e301b7 DEPENDS_ON SPDXRef-Package-ee9b5186331e7a76\nRelationship: SPDXRef-Package-92eb9ab29b057905 DEPENDS_ON SPDXRef-Package-988bca2f70cf58f6\nRelationship: SPDXRef-Package-92eb9ab29b057905 DEPENDS_ON SPDXRef-Package-ee9b5186331e7a76\nRelationship: SPDXRef-Package-988bca2f70cf58f6 DEPENDS_ON SPDXRef-Package-ee9b5186331e7a76\nRelationship: SPDXRef-Package-aa2e51a695e95cb9 DEPENDS_ON SPDXRef-Package-702c9bf0cfddb42e\nRelationship: SPDXRef-Package-aa2e51a695e95cb9 DEPENDS_ON SPDXRef-Package-ba5f079c5c32fc8\nRelationship: SPDXRef-Package-aa2e51a695e95cb9 DEPENDS_ON SPDXRef-Package-ee9b5186331e7a76\nRelationship: SPDXRef-Package-aa2e51a695e95cb9 DEPENDS_ON SPDXRef-Package-f00669065070476c\nRelationship: SPDXRef-Package-aa2e51a695e95cb9 DEPENDS_ON SPDXRef-Package-fcb106f21773cad3\nRelationship: SPDXRef-Package-ba5f079c5c32fc8 DEPENDS_ON SPDXRef-Package-ee9b5186331e7a76\nRelationship: SPDXRef-Package-d9ad92ed9413c93b DEPENDS_ON SPDXRef-Package-343391d704e00fbd\nRelationship: SPDXRef-Package-d9ad92ed9413c93b DEPENDS_ON SPDXRef-Package-ee9b5186331e7a76\nRelationship: SPDXRef-Package-f00669065070476c DEPENDS_ON 
SPDXRef-Package-ba5f079c5c32fc8\nRelationship: SPDXRef-Package-f00669065070476c DEPENDS_ON SPDXRef-Package-ee9b5186331e7a76\nRelationship: SPDXRef-Package-fcb106f21773cad3 DEPENDS_ON SPDXRef-Package-ee9b5186331e7a76\n
$ trivy image --format spdx-json --output result.spdx alpine:3.15\n
Result {\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"alpine:3.15\",\n \"documentNamespace\": \"http://trivy.dev/container_image/alpine:3.15-bbe0096f-0ed0-47b4-bbea-82121a9201f1\",\n \"creationInfo\": {\n \"creators\": [\n \"Organization: aquasecurity\",\n \"Tool: trivy-0.58.0\"\n ],\n \"created\": \"2025-02-13T12:22:22Z\"\n },\n \"packages\": [\n {\n \"name\": \"alpine:3.15\",\n \"SPDXID\": \"SPDXRef-ContainerImage-d8b2a386253047e7\",\n \"downloadLocation\": \"NONE\",\n \"filesAnalyzed\": false,\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:oci/alpine@sha256%3A19b4bcc4f60e99dd5ebdca0cbce22c503bbcff197549d7e19dab4f22254dc864?arch=amd64\\u0026repository_url=index.docker.io%2Flibrary%2Falpine\"\n }\n ],\n \"primaryPackagePurpose\": \"CONTAINER\",\n \"annotations\": [\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"DiffID: sha256:2879a4821959ab702528e28a1c59cd26c4956112497f6d1dbfd86c8d88003983\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"ImageID: sha256:32b91e3161c8fc2e3baf2732a594305ca5093c82ff4e0c9f6ebbd2a879468e1d\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"RepoDigest: alpine@sha256:19b4bcc4f60e99dd5ebdca0cbce22c503bbcff197549d7e19dab4f22254dc864\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"RepoTag: alpine:3.15\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"SchemaVersion: 2\"\n }\n ]\n },\n {\n \"name\": 
\"alpine-baselayout\",\n \"SPDXID\": \"SPDXRef-Package-64b7e662458dcd5f\",\n \"versionInfo\": \"3.2.0-r18\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NONE\",\n \"filesAnalyzed\": false,\n \"checksums\": [\n {\n \"algorithm\": \"SHA1\",\n \"checksumValue\": \"132992eab020986b3b5d886a77212889680467a0\"\n }\n ],\n \"sourceInfo\": \"built package from: alpine-baselayout 3.2.0-r18\",\n \"licenseConcluded\": \"GPL-2.0-only\",\n \"licenseDeclared\": \"GPL-2.0-only\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:apk/alpine/alpine-baselayout@3.2.0-r18?arch=x86_64\\u0026distro=3.15.11\"\n }\n ],\n \"primaryPackagePurpose\": \"LIBRARY\",\n \"annotations\": [\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDiffID: sha256:2879a4821959ab702528e28a1c59cd26c4956112497f6d1dbfd86c8d88003983\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDigest: sha256:d078792c4f9122259f14b539315bd92cbd9490ed73e08255a08689122b143108\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgID: alpine-baselayout@3.2.0-r18\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgType: alpine\"\n }\n ]\n },\n {\n \"name\": \"alpine-keys\",\n \"SPDXID\": \"SPDXRef-Package-be18726b6be779d1\",\n \"versionInfo\": \"2.4-r1\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NONE\",\n \"filesAnalyzed\": false,\n \"checksums\": [\n {\n \"algorithm\": \"SHA1\",\n \"checksumValue\": \"903176b2d2a8ddefd1ba6940f19ad17c2c1d4aff\"\n }\n ],\n \"sourceInfo\": \"built package from: alpine-keys 2.4-r1\",\n 
\"licenseConcluded\": \"MIT\",\n \"licenseDeclared\": \"MIT\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:apk/alpine/alpine-keys@2.4-r1?arch=x86_64\\u0026distro=3.15.11\"\n }\n ],\n \"primaryPackagePurpose\": \"LIBRARY\",\n \"annotations\": [\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDiffID: sha256:2879a4821959ab702528e28a1c59cd26c4956112497f6d1dbfd86c8d88003983\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDigest: sha256:d078792c4f9122259f14b539315bd92cbd9490ed73e08255a08689122b143108\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgID: alpine-keys@2.4-r1\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgType: alpine\"\n }\n ]\n },\n {\n \"name\": \"apk-tools\",\n \"SPDXID\": \"SPDXRef-Package-aa2e51a695e95cb9\",\n \"versionInfo\": \"2.12.7-r3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NONE\",\n \"filesAnalyzed\": false,\n \"checksums\": [\n {\n \"algorithm\": \"SHA1\",\n \"checksumValue\": \"ddf3ddf8545768bc323649559feaae1560f29273\"\n }\n ],\n \"sourceInfo\": \"built package from: apk-tools 2.12.7-r3\",\n \"licenseConcluded\": \"GPL-2.0-only\",\n \"licenseDeclared\": \"GPL-2.0-only\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:apk/alpine/apk-tools@2.12.7-r3?arch=x86_64\\u0026distro=3.15.11\"\n }\n ],\n \"primaryPackagePurpose\": \"LIBRARY\",\n \"annotations\": [\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": 
\"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDiffID: sha256:2879a4821959ab702528e28a1c59cd26c4956112497f6d1dbfd86c8d88003983\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDigest: sha256:d078792c4f9122259f14b539315bd92cbd9490ed73e08255a08689122b143108\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgID: apk-tools@2.12.7-r3\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgType: alpine\"\n }\n ]\n },\n {\n \"name\": \"busybox\",\n \"SPDXID\": \"SPDXRef-Package-6c7c9dac75e301b7\",\n \"versionInfo\": \"1.34.1-r7\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NONE\",\n \"filesAnalyzed\": false,\n \"checksums\": [\n {\n \"algorithm\": \"SHA1\",\n \"checksumValue\": \"21f9265e7a34c795fba4e99c8ae37b57f31cd1a2\"\n }\n ],\n \"sourceInfo\": \"built package from: busybox 1.34.1-r7\",\n \"licenseConcluded\": \"GPL-2.0-only\",\n \"licenseDeclared\": \"GPL-2.0-only\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:apk/alpine/busybox@1.34.1-r7?arch=x86_64\\u0026distro=3.15.11\"\n }\n ],\n \"primaryPackagePurpose\": \"LIBRARY\",\n \"annotations\": [\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDiffID: sha256:2879a4821959ab702528e28a1c59cd26c4956112497f6d1dbfd86c8d88003983\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDigest: sha256:d078792c4f9122259f14b539315bd92cbd9490ed73e08255a08689122b143108\"\n },\n {\n \"annotator\": 
\"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgID: busybox@1.34.1-r7\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgType: alpine\"\n }\n ]\n },\n {\n \"name\": \"ca-certificates-bundle\",\n \"SPDXID\": \"SPDXRef-Package-702c9bf0cfddb42e\",\n \"versionInfo\": \"20230506-r0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NONE\",\n \"filesAnalyzed\": false,\n \"checksums\": [\n {\n \"algorithm\": \"SHA1\",\n \"checksumValue\": \"99894c0b834a3f5955e6e5d5f0d804943f05ff52\"\n }\n ],\n \"sourceInfo\": \"built package from: ca-certificates 20230506-r0\",\n \"licenseConcluded\": \"MPL-2.0 AND MIT\",\n \"licenseDeclared\": \"MPL-2.0 AND MIT\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:apk/alpine/ca-certificates-bundle@20230506-r0?arch=x86_64\\u0026distro=3.15.11\"\n }\n ],\n \"primaryPackagePurpose\": \"LIBRARY\",\n \"annotations\": [\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDiffID: sha256:2879a4821959ab702528e28a1c59cd26c4956112497f6d1dbfd86c8d88003983\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDigest: sha256:d078792c4f9122259f14b539315bd92cbd9490ed73e08255a08689122b143108\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgID: ca-certificates-bundle@20230506-r0\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgType: alpine\"\n }\n ]\n },\n {\n \"name\": \"libc-utils\",\n 
\"SPDXID\": \"SPDXRef-Package-43343abe5c1a0439\",\n \"versionInfo\": \"0.7.2-r3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NONE\",\n \"filesAnalyzed\": false,\n \"checksums\": [\n {\n \"algorithm\": \"SHA1\",\n \"checksumValue\": \"798de3ebb57f3e28f408080746935f213a099722\"\n }\n ],\n \"sourceInfo\": \"built package from: libc-dev 0.7.2-r3\",\n \"licenseConcluded\": \"BSD-2-Clause AND BSD-3-Clause\",\n \"licenseDeclared\": \"BSD-2-Clause AND BSD-3-Clause\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:apk/alpine/libc-utils@0.7.2-r3?arch=x86_64\\u0026distro=3.15.11\"\n }\n ],\n \"primaryPackagePurpose\": \"LIBRARY\",\n \"annotations\": [\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDiffID: sha256:2879a4821959ab702528e28a1c59cd26c4956112497f6d1dbfd86c8d88003983\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDigest: sha256:d078792c4f9122259f14b539315bd92cbd9490ed73e08255a08689122b143108\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgID: libc-utils@0.7.2-r3\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgType: alpine\"\n }\n ]\n },\n {\n \"name\": \"libcrypto1.1\",\n \"SPDXID\": \"SPDXRef-Package-ba5f079c5c32fc8\",\n \"versionInfo\": \"1.1.1w-r1\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NONE\",\n \"filesAnalyzed\": false,\n \"checksums\": [\n {\n \"algorithm\": \"SHA1\",\n \"checksumValue\": \"e378634f5c8af32ca75ac56f41ecf4e8d49584a0\"\n }\n ],\n \"sourceInfo\": \"built package from: openssl 1.1.1w-r1\",\n \"licenseConcluded\": 
\"OpenSSL\",\n \"licenseDeclared\": \"OpenSSL\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:apk/alpine/libcrypto1.1@1.1.1w-r1?arch=x86_64\\u0026distro=3.15.11\"\n }\n ],\n \"primaryPackagePurpose\": \"LIBRARY\",\n \"annotations\": [\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDiffID: sha256:2879a4821959ab702528e28a1c59cd26c4956112497f6d1dbfd86c8d88003983\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDigest: sha256:d078792c4f9122259f14b539315bd92cbd9490ed73e08255a08689122b143108\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgID: libcrypto1.1@1.1.1w-r1\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgType: alpine\"\n }\n ]\n },\n {\n \"name\": \"libretls\",\n \"SPDXID\": \"SPDXRef-Package-343391d704e00fbd\",\n \"versionInfo\": \"3.3.4-r3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NONE\",\n \"filesAnalyzed\": false,\n \"checksums\": [\n {\n \"algorithm\": \"SHA1\",\n \"checksumValue\": \"67dfefe5456c45192b60d76ade98c501b0ae814f\"\n }\n ],\n \"sourceInfo\": \"built package from: libretls 3.3.4-r3\",\n \"licenseConcluded\": \"ISC AND BSD-3-Clause AND MIT\",\n \"licenseDeclared\": \"ISC AND BSD-3-Clause AND MIT\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:apk/alpine/libretls@3.3.4-r3?arch=x86_64\\u0026distro=3.15.11\"\n }\n ],\n \"primaryPackagePurpose\": \"LIBRARY\",\n \"annotations\": [\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": 
\"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDiffID: sha256:2879a4821959ab702528e28a1c59cd26c4956112497f6d1dbfd86c8d88003983\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDigest: sha256:d078792c4f9122259f14b539315bd92cbd9490ed73e08255a08689122b143108\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgID: libretls@3.3.4-r3\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgType: alpine\"\n }\n ]\n },\n {\n \"name\": \"libssl1.1\",\n \"SPDXID\": \"SPDXRef-Package-f00669065070476c\",\n \"versionInfo\": \"1.1.1w-r1\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NONE\",\n \"filesAnalyzed\": false,\n \"checksums\": [\n {\n \"algorithm\": \"SHA1\",\n \"checksumValue\": \"9306ed15b3bdfc7553d5c14c472d87a41fef8541\"\n }\n ],\n \"sourceInfo\": \"built package from: openssl 1.1.1w-r1\",\n \"licenseConcluded\": \"OpenSSL\",\n \"licenseDeclared\": \"OpenSSL\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:apk/alpine/libssl1.1@1.1.1w-r1?arch=x86_64\\u0026distro=3.15.11\"\n }\n ],\n \"primaryPackagePurpose\": \"LIBRARY\",\n \"annotations\": [\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDiffID: sha256:2879a4821959ab702528e28a1c59cd26c4956112497f6d1dbfd86c8d88003983\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDigest: sha256:d078792c4f9122259f14b539315bd92cbd9490ed73e08255a08689122b143108\"\n },\n {\n \"annotator\": \"Tool: 
trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgID: libssl1.1@1.1.1w-r1\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgType: alpine\"\n }\n ]\n },\n {\n \"name\": \"musl\",\n \"SPDXID\": \"SPDXRef-Package-ee9b5186331e7a76\",\n \"versionInfo\": \"1.2.2-r9\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NONE\",\n \"filesAnalyzed\": false,\n \"checksums\": [\n {\n \"algorithm\": \"SHA1\",\n \"checksumValue\": \"7ebdef6cf7f9b58c0e213b333db946d22b00b777\"\n }\n ],\n \"sourceInfo\": \"built package from: musl 1.2.2-r9\",\n \"licenseConcluded\": \"MIT\",\n \"licenseDeclared\": \"MIT\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:apk/alpine/musl@1.2.2-r9?arch=x86_64\\u0026distro=3.15.11\"\n }\n ],\n \"primaryPackagePurpose\": \"LIBRARY\",\n \"annotations\": [\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDiffID: sha256:2879a4821959ab702528e28a1c59cd26c4956112497f6d1dbfd86c8d88003983\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDigest: sha256:d078792c4f9122259f14b539315bd92cbd9490ed73e08255a08689122b143108\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgID: musl@1.2.2-r9\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgType: alpine\"\n }\n ]\n },\n {\n \"name\": \"musl-utils\",\n \"SPDXID\": \"SPDXRef-Package-92eb9ab29b057905\",\n \"versionInfo\": \"1.2.2-r9\",\n \"supplier\": 
\"NOASSERTION\",\n \"downloadLocation\": \"NONE\",\n \"filesAnalyzed\": false,\n \"checksums\": [\n {\n \"algorithm\": \"SHA1\",\n \"checksumValue\": \"f69aa6d6a57c90358005ce61ccb4ad96cdc303f4\"\n }\n ],\n \"sourceInfo\": \"built package from: musl 1.2.2-r9\",\n \"licenseConcluded\": \"MIT AND BSD-3-Clause AND GPL-2.0-or-later\",\n \"licenseDeclared\": \"MIT AND BSD-3-Clause AND GPL-2.0-or-later\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:apk/alpine/musl-utils@1.2.2-r9?arch=x86_64\\u0026distro=3.15.11\"\n }\n ],\n \"primaryPackagePurpose\": \"LIBRARY\",\n \"annotations\": [\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDiffID: sha256:2879a4821959ab702528e28a1c59cd26c4956112497f6d1dbfd86c8d88003983\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDigest: sha256:d078792c4f9122259f14b539315bd92cbd9490ed73e08255a08689122b143108\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgID: musl-utils@1.2.2-r9\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgType: alpine\"\n }\n ]\n },\n {\n \"name\": \"scanelf\",\n \"SPDXID\": \"SPDXRef-Package-988bca2f70cf58f6\",\n \"versionInfo\": \"1.3.3-r0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NONE\",\n \"filesAnalyzed\": false,\n \"checksums\": [\n {\n \"algorithm\": \"SHA1\",\n \"checksumValue\": \"d7f7590e450870a4f79671c2369b31b5bb07349a\"\n }\n ],\n \"sourceInfo\": \"built package from: pax-utils 1.3.3-r0\",\n \"licenseConcluded\": \"GPL-2.0-only\",\n \"licenseDeclared\": \"GPL-2.0-only\",\n \"externalRefs\": [\n 
{\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:apk/alpine/scanelf@1.3.3-r0?arch=x86_64\\u0026distro=3.15.11\"\n }\n ],\n \"primaryPackagePurpose\": \"LIBRARY\",\n \"annotations\": [\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDiffID: sha256:2879a4821959ab702528e28a1c59cd26c4956112497f6d1dbfd86c8d88003983\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDigest: sha256:d078792c4f9122259f14b539315bd92cbd9490ed73e08255a08689122b143108\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgID: scanelf@1.3.3-r0\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgType: alpine\"\n }\n ]\n },\n {\n \"name\": \"ssl_client\",\n \"SPDXID\": \"SPDXRef-Package-d9ad92ed9413c93b\",\n \"versionInfo\": \"1.34.1-r7\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NONE\",\n \"filesAnalyzed\": false,\n \"checksums\": [\n {\n \"algorithm\": \"SHA1\",\n \"checksumValue\": \"dddfa62dd51bd8807ee1d8660e860574a9dd78ed\"\n }\n ],\n \"sourceInfo\": \"built package from: busybox 1.34.1-r7\",\n \"licenseConcluded\": \"GPL-2.0-only\",\n \"licenseDeclared\": \"GPL-2.0-only\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:apk/alpine/ssl_client@1.34.1-r7?arch=x86_64\\u0026distro=3.15.11\"\n }\n ],\n \"primaryPackagePurpose\": \"LIBRARY\",\n \"annotations\": [\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDiffID: 
sha256:2879a4821959ab702528e28a1c59cd26c4956112497f6d1dbfd86c8d88003983\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDigest: sha256:d078792c4f9122259f14b539315bd92cbd9490ed73e08255a08689122b143108\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgID: ssl_client@1.34.1-r7\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgType: alpine\"\n }\n ]\n },\n {\n \"name\": \"zlib\",\n \"SPDXID\": \"SPDXRef-Package-fcb106f21773cad3\",\n \"versionInfo\": \"1.2.12-r3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NONE\",\n \"filesAnalyzed\": false,\n \"checksums\": [\n {\n \"algorithm\": \"SHA1\",\n \"checksumValue\": \"ab98d0416bf1dcd245c7b0800f99cbceacfa48b3\"\n }\n ],\n \"sourceInfo\": \"built package from: zlib 1.2.12-r3\",\n \"licenseConcluded\": \"Zlib\",\n \"licenseDeclared\": \"Zlib\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:apk/alpine/zlib@1.2.12-r3?arch=x86_64\\u0026distro=3.15.11\"\n }\n ],\n \"primaryPackagePurpose\": \"LIBRARY\",\n \"annotations\": [\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDiffID: sha256:2879a4821959ab702528e28a1c59cd26c4956112497f6d1dbfd86c8d88003983\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDigest: sha256:d078792c4f9122259f14b539315bd92cbd9490ed73e08255a08689122b143108\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": 
\"PkgID: zlib@1.2.12-r3\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgType: alpine\"\n }\n ]\n },\n {\n \"name\": \"alpine\",\n \"SPDXID\": \"SPDXRef-OperatingSystem-c24750c3b737d897\",\n \"versionInfo\": \"3.15.11\",\n \"downloadLocation\": \"NONE\",\n \"filesAnalyzed\": false,\n \"primaryPackagePurpose\": \"OPERATING-SYSTEM\",\n \"annotations\": [\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"Class: os-pkgs\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"Type: alpine\"\n }\n ]\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-ContainerImage-d8b2a386253047e7\",\n \"relatedSpdxElement\": \"SPDXRef-OperatingSystem-c24750c3b737d897\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-ContainerImage-d8b2a386253047e7\",\n \"relationshipType\": \"DESCRIBES\"\n },\n {\n \"spdxElementId\": \"SPDXRef-OperatingSystem-c24750c3b737d897\",\n \"relatedSpdxElement\": \"SPDXRef-Package-343391d704e00fbd\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-OperatingSystem-c24750c3b737d897\",\n \"relatedSpdxElement\": \"SPDXRef-Package-43343abe5c1a0439\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-OperatingSystem-c24750c3b737d897\",\n \"relatedSpdxElement\": \"SPDXRef-Package-64b7e662458dcd5f\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-OperatingSystem-c24750c3b737d897\",\n \"relatedSpdxElement\": \"SPDXRef-Package-6c7c9dac75e301b7\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-OperatingSystem-c24750c3b737d897\",\n \"relatedSpdxElement\": 
\"SPDXRef-Package-702c9bf0cfddb42e\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-OperatingSystem-c24750c3b737d897\",\n \"relatedSpdxElement\": \"SPDXRef-Package-92eb9ab29b057905\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-OperatingSystem-c24750c3b737d897\",\n \"relatedSpdxElement\": \"SPDXRef-Package-988bca2f70cf58f6\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-OperatingSystem-c24750c3b737d897\",\n \"relatedSpdxElement\": \"SPDXRef-Package-aa2e51a695e95cb9\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-OperatingSystem-c24750c3b737d897\",\n \"relatedSpdxElement\": \"SPDXRef-Package-ba5f079c5c32fc8\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-OperatingSystem-c24750c3b737d897\",\n \"relatedSpdxElement\": \"SPDXRef-Package-be18726b6be779d1\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-OperatingSystem-c24750c3b737d897\",\n \"relatedSpdxElement\": \"SPDXRef-Package-d9ad92ed9413c93b\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-OperatingSystem-c24750c3b737d897\",\n \"relatedSpdxElement\": \"SPDXRef-Package-ee9b5186331e7a76\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-OperatingSystem-c24750c3b737d897\",\n \"relatedSpdxElement\": \"SPDXRef-Package-f00669065070476c\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-OperatingSystem-c24750c3b737d897\",\n \"relatedSpdxElement\": \"SPDXRef-Package-fcb106f21773cad3\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-343391d704e00fbd\",\n \"relatedSpdxElement\": \"SPDXRef-Package-702c9bf0cfddb42e\",\n \"relationshipType\": \"DEPENDS_ON\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-343391d704e00fbd\",\n \"relatedSpdxElement\": \"SPDXRef-Package-ba5f079c5c32fc8\",\n \"relationshipType\": 
\"DEPENDS_ON\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-343391d704e00fbd\",\n \"relatedSpdxElement\": \"SPDXRef-Package-ee9b5186331e7a76\",\n \"relationshipType\": \"DEPENDS_ON\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-343391d704e00fbd\",\n \"relatedSpdxElement\": \"SPDXRef-Package-f00669065070476c\",\n \"relationshipType\": \"DEPENDS_ON\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-43343abe5c1a0439\",\n \"relatedSpdxElement\": \"SPDXRef-Package-92eb9ab29b057905\",\n \"relationshipType\": \"DEPENDS_ON\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-64b7e662458dcd5f\",\n \"relatedSpdxElement\": \"SPDXRef-Package-6c7c9dac75e301b7\",\n \"relationshipType\": \"DEPENDS_ON\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-64b7e662458dcd5f\",\n \"relatedSpdxElement\": \"SPDXRef-Package-ee9b5186331e7a76\",\n \"relationshipType\": \"DEPENDS_ON\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-6c7c9dac75e301b7\",\n \"relatedSpdxElement\": \"SPDXRef-Package-ee9b5186331e7a76\",\n \"relationshipType\": \"DEPENDS_ON\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-92eb9ab29b057905\",\n \"relatedSpdxElement\": \"SPDXRef-Package-988bca2f70cf58f6\",\n \"relationshipType\": \"DEPENDS_ON\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-92eb9ab29b057905\",\n \"relatedSpdxElement\": \"SPDXRef-Package-ee9b5186331e7a76\",\n \"relationshipType\": \"DEPENDS_ON\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-988bca2f70cf58f6\",\n \"relatedSpdxElement\": \"SPDXRef-Package-ee9b5186331e7a76\",\n \"relationshipType\": \"DEPENDS_ON\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-aa2e51a695e95cb9\",\n \"relatedSpdxElement\": \"SPDXRef-Package-702c9bf0cfddb42e\",\n \"relationshipType\": \"DEPENDS_ON\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-aa2e51a695e95cb9\",\n \"relatedSpdxElement\": \"SPDXRef-Package-ba5f079c5c32fc8\",\n \"relationshipType\": \"DEPENDS_ON\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-aa2e51a695e95cb9\",\n \"relatedSpdxElement\": 
\"SPDXRef-Package-ee9b5186331e7a76\",\n \"relationshipType\": \"DEPENDS_ON\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-aa2e51a695e95cb9\",\n \"relatedSpdxElement\": \"SPDXRef-Package-f00669065070476c\",\n \"relationshipType\": \"DEPENDS_ON\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-aa2e51a695e95cb9\",\n \"relatedSpdxElement\": \"SPDXRef-Package-fcb106f21773cad3\",\n \"relationshipType\": \"DEPENDS_ON\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-ba5f079c5c32fc8\",\n \"relatedSpdxElement\": \"SPDXRef-Package-ee9b5186331e7a76\",\n \"relationshipType\": \"DEPENDS_ON\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-d9ad92ed9413c93b\",\n \"relatedSpdxElement\": \"SPDXRef-Package-343391d704e00fbd\",\n \"relationshipType\": \"DEPENDS_ON\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-d9ad92ed9413c93b\",\n \"relatedSpdxElement\": \"SPDXRef-Package-ee9b5186331e7a76\",\n \"relationshipType\": \"DEPENDS_ON\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-f00669065070476c\",\n \"relatedSpdxElement\": \"SPDXRef-Package-ba5f079c5c32fc8\",\n \"relationshipType\": \"DEPENDS_ON\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-f00669065070476c\",\n \"relatedSpdxElement\": \"SPDXRef-Package-ee9b5186331e7a76\",\n \"relationshipType\": \"DEPENDS_ON\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-fcb106f21773cad3\",\n \"relatedSpdxElement\": \"SPDXRef-Package-ee9b5186331e7a76\",\n \"relationshipType\": \"DEPENDS_ON\"\n }\n ]\n}\n
"},{"location":"guide/supply-chain/sbom/#scanning","title":"Scanning","text":""},{"location":"guide/supply-chain/sbom/#sbom-as-target","title":"SBOM as Target","text":"Trivy can take SBOM documents as input for scanning, e.g. trivy sbom ./sbom.spdx. See here for more details.
"},{"location":"guide/supply-chain/sbom/#sbom-detection-inside-targets","title":"SBOM Detection inside Targets","text":"Trivy searches for SBOM files in container images with the following extensions:
- .spdx
- .spdx.json
- .cdx
- .cdx.json
In addition, Trivy automatically detects SBOM files in Bitnami images, see here for more details.
It is enabled in the following targets.
Target | Enabled
Container Image | \u2713
Filesystem | 
Rootfs | \u2713
Git Repository | 
VM Image | \u2713
Kubernetes | 
AWS | 
SBOM | "},{"location":"guide/supply-chain/sbom/#sbom-discovery-for-container-images","title":"SBOM Discovery for Container Images","text":"When scanning container images, Trivy can discover SBOMs for those images. See here for more details.
"},{"location":"guide/supply-chain/attestation/rekor/","title":"Scan SBOM attestation in Rekor","text":"EXPERIMENTAL
This feature might change without preserving backwards compatibility.
"},{"location":"guide/supply-chain/attestation/rekor/#container-images","title":"Container images","text":"Trivy can retrieve the SBOM attestation of the specified container image from a Rekor instance and scan it for vulnerabilities.
"},{"location":"guide/supply-chain/attestation/rekor/#prerequisites","title":"Prerequisites","text":" - SBOM attestation stored in Rekor
- See the \"Keyless signing\" section if you want to upload your SBOM attestation to Rekor.
"},{"location":"guide/supply-chain/attestation/rekor/#scanning","title":"Scanning","text":"You need to pass --sbom-sources rekor so that Trivy will look for SBOM attestation in Rekor.
Note
--sbom-sources can be used only with trivy image at the moment.
$ trivy image --sbom-sources rekor otms61/alpine:3.7.3 [~/src/github.com/aquasecurity/trivy]\n2022-09-16T17:37:13.258+0900 INFO Vulnerability scanning is enabled\n2022-09-16T17:37:13.258+0900 INFO Secret scanning is enabled\n2022-09-16T17:37:13.258+0900 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning\n2022-09-16T17:37:13.258+0900 INFO Please see also https://trivy.dev/dev/docs/secret/scanning/#recommendation for faster secret detection\n2022-09-16T17:37:14.827+0900 INFO Detected SBOM format: cyclonedx-json\n2022-09-16T17:37:14.901+0900 INFO Found SBOM (cyclonedx) attestation in Rekor\n2022-09-16T17:37:14.903+0900 INFO Detected OS: alpine\n2022-09-16T17:37:14.903+0900 INFO Detecting Alpine vulnerabilities...\n2022-09-16T17:37:14.907+0900 INFO Number of language-specific files: 0\n2022-09-16T17:37:14.908+0900 WARN This OS version is no longer supported by the distribution: alpine 3.7.3\n2022-09-16T17:37:14.908+0900 WARN The vulnerability detection may be insufficient because security updates are not provided\n\notms61/alpine:3.7.3 (alpine 3.7.3)\n==================================\nTotal: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 
2)\n\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 Library \u2502 Vulnerability \u2502 Severity \u2502 Installed Version \u2502 Fixed Version \u2502 Title \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 musl \u2502 CVE-2019-14697 \u2502 CRITICAL \u2502 1.1.18-r3 \u2502 1.1.18-r4 \u2502 musl libc through 1.1.23 has an x87 floating-point stack \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 adjustment im ...... 
\u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2019-14697 \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u2502 \u2502 \u2502 \u2502\n\u2502 musl-utils \u2502 \u2502 \u2502 \u2502 \u2502 \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n
If you have your own Rekor instance, you can specify the URL via --rekor-url.
$ trivy image --sbom-sources rekor --rekor-url https://my-rekor.dev otms61/alpine:3.7.3\n
"},{"location":"guide/supply-chain/attestation/rekor/#non-packaged-binaries","title":"Non-packaged binaries","text":"Trivy can retrieve SBOM attestations of non-packaged binaries from a Rekor instance and scan them for vulnerabilities.
"},{"location":"guide/supply-chain/attestation/rekor/#prerequisites_1","title":"Prerequisites","text":" - SBOM attestation stored in Rekor
- See the \"Keyless signing\" section if you want to upload your SBOM attestation to Rekor.
Cosign currently does not support keyless signing for blob attestations, so use our plugin for now. This example uses bat, a cat clone written in Rust. First, generate an SBOM from a lock file such as Cargo.lock.
$ git clone -b v0.20.0 https://github.com/sharkdp/bat\n$ trivy fs --format cyclonedx --output bat.cdx ./bat/Cargo.lock\n
Then our attestation plugin lets you store an SBOM attestation linked to the bat binary in the Rekor instance.
$ wget https://github.com/sharkdp/bat/releases/download/v0.20.0/bat-v0.20.0-x86_64-apple-darwin.tar.gz\n$ tar xvf bat-v0.20.0-x86_64-apple-darwin.tar.gz\n$ trivy plugin install github.com/aquasecurity/trivy-plugin-attest\n$ trivy attest --predicate ./bat.cdx --type cyclonedx ./bat-v0.20.0-x86_64-apple-darwin/bat\n
Note
The public Rekor instance maintained by the Sigstore team limits the attestation size. If you are using the public instance, make sure that your SBOM is small enough. For more detail, refer to the Rekor project's documentation.
"},{"location":"guide/supply-chain/attestation/rekor/#scan-a-non-packaged-binary","title":"Scan a non-packaged binary","text":"Trivy calculates the digest of the bat binary and searches Rekor for an SBOM attestation by that digest. If one is found, Trivy uses it for vulnerability scanning.
$ trivy fs --sbom-sources rekor ./bat-v0.20.0-x86_64-apple-darwin/bat\n2022-10-25T13:27:25.950+0300 INFO Found SBOM attestation in Rekor: bat\n2022-10-25T13:27:25.993+0300 INFO Number of language-specific files: 1\n2022-10-25T13:27:25.993+0300 INFO Detecting cargo vulnerabilities...\n\nbat (cargo)\n===========\nTotal: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)\n\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 Library \u2502 Vulnerability \u2502 Severity \u2502 Installed Version \u2502 Fixed Version \u2502 Title 
\u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 regex \u2502 CVE-2022-24713 \u2502 HIGH \u2502 1.5.4 \u2502 1.5.5 \u2502 Mozilla: Denial of Service via complex regular expressions \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2022-24713 \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n
This also applies to non-packaged binaries inside container images.
$ trivy image --sbom-sources rekor --scanners vuln alpine-with-bat\n2022-10-25T13:40:14.920+0300 INFO Vulnerability scanning is enabled\n2022-10-25T13:40:18.047+0300 INFO Found SBOM attestation in Rekor: bat\n2022-10-25T13:40:18.186+0300 INFO Detected OS: alpine\n2022-10-25T13:40:18.186+0300 INFO Detecting Alpine vulnerabilities...\n2022-10-25T13:40:18.199+0300 INFO Number of language-specific files: 1\n2022-10-25T13:40:18.199+0300 INFO Detecting cargo vulnerabilities...\n\nalpine-with-bat (alpine 3.15.6)\n===============================\nTotal: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)\n\n\nbat (cargo)\n===========\nTotal: 4 (UNKNOWN: 3, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)\n\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 Library \u2502 Vulnerability \u2502 Severity \u2502 Installed Version \u2502 Fixed Version \u2502 Title 
\u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 regex \u2502 CVE-2022-24713 \u2502 HIGH \u2502 1.5.4 \u2502 1.5.5 \u2502 Mozilla: Denial of Service via complex regular expressions \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2022-24713 \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n
Note
The --sbom-sources rekor flag slows down scanning, since it queries Rekor over the Internet for every non-packaged binary.
"},{"location":"guide/supply-chain/attestation/sbom/","title":"SBOM attestation","text":"Cosign supports generating and verifying in-toto attestations. This tool enables you to sign and verify SBOM attestations, and Trivy can take an SBOM attestation as input and scan it for vulnerabilities.
Note
In the following examples, the cosign command will write an attestation to a target OCI registry, so you must have write permission to that registry. If you want to avoid writing to an OCI registry and only want to see an attestation, add the --no-upload option to the cosign command.
"},{"location":"guide/supply-chain/attestation/sbom/#sign-with-a-local-key-pair","title":"Sign with a local key pair","text":"Cosign can generate key pairs and use them for signing and verification. After you run the following command, you will get a public and private key pair. Read more about how to generate key pairs.
$ cosign generate-key-pair\n
In the following example, Trivy generates an SBOM in the CycloneDX format, and then Cosign attaches an attestation of the SBOM to a container image with a local key pair.
# The cyclonedx type is supported in Cosign v1.10.0 or later.\n$ trivy image --format cyclonedx -o sbom.cdx.json <IMAGE>\n$ cosign attest --key /path/to/cosign.key --type cyclonedx --predicate sbom.cdx.json <IMAGE>\n
Then, you can verify attestations on the image.
$ cosign verify-attestation --key /path/to/cosign.pub --type cyclonedx <IMAGE>\n
You can also create attestations of SBOMs in other formats.
# spdx\n$ trivy image --format spdx -o sbom.spdx <IMAGE>\n$ cosign attest --key /path/to/cosign.key --type spdx --predicate sbom.spdx <IMAGE>\n\n# spdx-json\n$ trivy image --format spdx-json -o sbom.spdx.json <IMAGE>\n$ cosign attest --key /path/to/cosign.key --type spdx --predicate sbom.spdx.json <IMAGE>\n
"},{"location":"guide/supply-chain/attestation/sbom/#keyless-signing","title":"Keyless signing","text":"You can use Cosign to sign without keys by authenticating with an OpenID Connect protocol supported by sigstore (Google, GitHub, or Microsoft).
# The cyclonedx type is supported in Cosign v1.10.0 or later.\n$ trivy image --format cyclonedx -o sbom.cdx.json <IMAGE>\n# The following command uploads SBOM attestation to the public Rekor instance.\n$ COSIGN_EXPERIMENTAL=1 cosign attest --type cyclonedx --predicate sbom.cdx.json <IMAGE>\n
You can verify attestations.
$ COSIGN_EXPERIMENTAL=1 cosign verify-attestation --type cyclonedx <IMAGE>\n
"},{"location":"guide/supply-chain/attestation/sbom/#scanning","title":"Scanning","text":"Trivy can take an SBOM attestation as input and scan for vulnerabilities. Currently, Trivy supports CycloneDX-type attestation.
In the following example, Cosign retrieves a CycloneDX-type attestation and Trivy scans it. You must create a CycloneDX-type attestation before trying the example. To learn how to create a CycloneDX-type attestation and attach it to an image, see the Sign with a local key pair section.
$ cosign verify-attestation --key /path/to/cosign.pub --type cyclonedx <IMAGE> > sbom.cdx.intoto.jsonl\n$ trivy sbom ./sbom.cdx.intoto.jsonl\n\nsbom.cdx.intoto.jsonl (alpine 3.7.3)\n=========================\nTotal: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)\n\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 Library \u2502 Vulnerability \u2502 Severity \u2502 Installed Version \u2502 Fixed Version \u2502 Title 
\u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 musl \u2502 CVE-2019-14697 \u2502 CRITICAL \u2502 1.1.18-r3 \u2502 1.1.18-r4 \u2502 musl libc through 1.1.23 has an x87 floating-point stack \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 adjustment im ...... 
\u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2019-14697 \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u2502 \u2502 \u2502 \u2502\n\u2502 musl-utils \u2502 \u2502 \u2502 \u2502 \u2502 \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n
"},{"location":"guide/supply-chain/attestation/vuln/","title":"Cosign Vulnerability Attestation","text":""},{"location":"guide/supply-chain/attestation/vuln/#generate-cosign-vulnerability-scan-record","title":"Generate Cosign Vulnerability Scan Record","text":"Trivy generates reports in the Cosign vulnerability scan record format.
You can use the regular subcommands (like image, fs and rootfs) and specify cosign-vuln with the --format option.
$ trivy image --format cosign-vuln --output vuln.json alpine:3.10\n
Result {\n \"invocation\": {\n \"parameters\": null,\n \"uri\": \"\",\n \"event_id\": \"\",\n \"builder.id\": \"\"\n },\n \"scanner\": {\n \"uri\": \"pkg:github/aquasecurity/trivy@v0.30.1-8-gf9cb8a28\",\n \"version\": \"v0.30.1-8-gf9cb8a28\",\n \"db\": {\n \"uri\": \"\",\n \"version\": \"\"\n },\n \"result\": {\n \"SchemaVersion\": 2,\n \"CreatedAt\": 1629894030,\n \"ArtifactName\": \"alpine:3.10\",\n \"ArtifactType\": \"container_image\",\n \"Metadata\": {\n \"OS\": {\n \"Family\": \"alpine\",\n \"Name\": \"3.10.9\",\n \"EOSL\": true\n },\n \"ImageID\": \"sha256:e7b300aee9f9bf3433d32bc9305bfdd22183beb59d933b48d77ab56ba53a197a\",\n \"DiffIDs\": [\n \"sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635\"\n ],\n \"RepoTags\": [\n \"alpine:3.10\"\n ],\n \"RepoDigests\": [\n \"alpine@sha256:451eee8bedcb2f029756dc3e9d73bab0e7943c1ac55cff3a4861c52a0fdd3e98\"\n ],\n \"ImageConfig\": {\n \"architecture\": \"amd64\",\n \"container\": \"fdb7e80e3339e8d0599282e606c907aa5881ee4c668a68136119e6dfac6ce3a4\",\n \"created\": \"2021-04-14T19:20:05.338397761Z\",\n \"docker_version\": \"19.03.12\",\n \"history\": [\n {\n \"created\": \"2021-04-14T19:20:04.987219124Z\",\n \"created_by\": \"/bin/sh -c #(nop) ADD file:c5377eaa926bf412dd8d4a08b0a1f2399cfd708743533b0aa03b53d14cb4bb4e in / \"\n },\n {\n \"created\": \"2021-04-14T19:20:05.338397761Z\",\n \"created_by\": \"/bin/sh -c #(nop) CMD [\\\"/bin/sh\\\"]\",\n \"empty_layer\": true\n }\n ],\n \"os\": \"linux\",\n \"rootfs\": {\n \"type\": \"layers\",\n \"diff_ids\": [\n \"sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635\"\n ]\n },\n \"config\": {\n \"Cmd\": [\n \"/bin/sh\"\n ],\n \"Env\": [\n \"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"\n ],\n \"Image\": \"sha256:eb2080c455e94c22ae35b3aef9e078c492a00795412e026e4d6b41ef64bc7dd8\"\n }\n }\n },\n \"Results\": [\n {\n \"Target\": \"alpine:3.10 (alpine 3.10.9)\",\n \"Class\": \"os-pkgs\",\n \"Type\": \"alpine\",\n 
\"Vulnerabilities\": [\n {\n \"VulnerabilityID\": \"CVE-2021-36159\",\n \"PkgName\": \"apk-tools\",\n \"InstalledVersion\": \"2.10.6-r0\",\n \"FixedVersion\": \"2.10.7-r0\",\n \"Layer\": {\n \"Digest\": \"sha256:396c31837116ac290458afcb928f68b6cc1c7bdd6963fc72f52f365a2a89c1b5\",\n \"DiffID\": \"sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635\"\n },\n \"SeveritySource\": \"nvd\",\n \"PrimaryURL\": \"https://avd.aquasec.com/nvd/cve-2021-36159\",\n \"DataSource\": {\n \"ID\": \"alpine\",\n \"Name\": \"Alpine Secdb\",\n \"URL\": \"https://secdb.alpinelinux.org/\"\n },\n \"Description\": \"libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\\\0' terminator one byte too late.\",\n \"Severity\": \"CRITICAL\",\n \"CweIDs\": [\n \"CWE-125\"\n ],\n \"CVSS\": {\n \"nvd\": {\n \"V2Vector\": \"AV:N/AC:L/Au:N/C:P/I:N/A:P\",\n \"V3Vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H\",\n \"V2Score\": 6.4,\n \"V3Score\": 9.1\n }\n },\n \"References\": [\n \"https://github.com/freebsd/freebsd-src/commits/main/lib/libfetch\",\n \"https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10749\",\n \"https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cdev.kafka.apache.org%3E\",\n \"https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cusers.kafka.apache.org%3E\",\n \"https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cdev.kafka.apache.org%3E\",\n \"https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cusers.kafka.apache.org%3E\"\n ],\n \"PublishedDate\": 
\"2021-08-03T14:15:00Z\",\n \"LastModifiedDate\": \"2021-10-18T12:19:00Z\"\n }\n ]\n }\n ]\n }\n },\n \"metadata\": {\n \"scanStartedOn\": \"2022-07-24T17:14:04.864682+09:00\",\n \"scanFinishedOn\": \"2022-07-24T17:14:04.864682+09:00\"\n }\n}\n
"},{"location":"guide/supply-chain/attestation/vuln/#create-cosign-vulnerability-attestation","title":"Create Cosign Vulnerability Attestation","text":"Cosign supports generating and verifying in-toto attestations. This tool enables you to sign and verify Cosign vulnerability attestations.
Note
In the following examples, the cosign command will write an attestation to a target OCI registry, so you must have permission to write to it. If you want to avoid writing to an OCI registry and only want to see the attestation, add the --no-upload option to the cosign command.
"},{"location":"guide/supply-chain/attestation/vuln/#sign-with-a-local-key-pair","title":"Sign with a local key pair","text":"Cosign can generate key pairs and use them for signing and verification. After you run the following command, you will get a public and private key pair. Read more about how to generate key pairs.
$ cosign generate-key-pair\n
In the following example, Trivy generates a cosign vulnerability scan record, and then Cosign attaches an attestation of it to a container image with a local key pair.
$ trivy image --format cosign-vuln --output vuln.json <IMAGE>\n$ cosign attest --key /path/to/cosign.key --type vuln --predicate vuln.json <IMAGE>\n
Then, you can verify attestations on the image.
$ cosign verify-attestation --key /path/to/cosign.pub --type vuln <IMAGE>\n
"},{"location":"guide/supply-chain/attestation/vuln/#keyless-signing","title":"Keyless signing","text":"You can use Cosign to sign without keys by authenticating with an OpenID Connect provider supported by sigstore (Google, GitHub, or Microsoft).
$ trivy image --format cosign-vuln -o vuln.json <IMAGE>\n$ cosign attest --type vuln --predicate vuln.json <IMAGE>\n
The command output includes a certificate. You can verify attestations with it:
$ cosign verify-attestation --certificate=path-to-the-certificate --type vuln --certificate-identity Email-used-to-sign --certificate-oidc-issuer='the-issuer-used' <IMAGE>\n
"},{"location":"guide/supply-chain/vex/","title":"Vulnerability Exploitability Exchange (VEX)","text":"EXPERIMENTAL
This feature might change without preserving backwards compatibility.
Trivy supports filtering detected vulnerabilities using the Vulnerability Exploitability eXchange (VEX), a standardized format for sharing and exchanging information about vulnerabilities. By providing VEX during scanning, it is possible to filter vulnerabilities based on their status.
"},{"location":"guide/supply-chain/vex/#vex-usage-methods","title":"VEX Usage Methods","text":"Trivy currently supports four methods for utilizing VEX:
- VEX Repository
- Local VEX Files
- VEX Attestation
- SBOM Reference
"},{"location":"guide/supply-chain/vex/#enabling-vex","title":"Enabling VEX","text":"To enable VEX, use the --vex option. You can specify the method to use:
- To enable the VEX Repository: --vex repo
- To use a local VEX file: --vex /path/to/vex-document.json
- To enable VEX attestation discovery in OCI registry: --vex oci
- To use remote VEX files referenced in SBOMs: --vex sbom-ref
$ trivy image ghcr.io/aquasecurity/trivy:0.52.0 --vex repo\n
You can enable these methods simultaneously. The order of specification determines the priority:
- --vex repo --vex /path/to/vex-document.json: VEX Repository has priority
- --vex /path/to/vex-document.json --vex repo: Local file has priority
For detailed information on each method, please refer to each page.
"},{"location":"guide/supply-chain/vex/file/","title":"Local VEX Files","text":"EXPERIMENTAL
This feature might change without preserving backwards compatibility.
In addition to VEX repositories, Trivy also supports the use of local VEX files for vulnerability filtering. This method is useful when you have specific VEX documents that you want to apply to your scans. Currently, Trivy supports the following formats:
- CycloneDX
- OpenVEX
- CSAF
"},{"location":"guide/supply-chain/vex/file/#cyclonedx","title":"CycloneDX","text":"Supported targets: SBOM only (not Container Image, Filesystem, Code Repository, VM Image or Kubernetes). There are two VEX formats for CycloneDX:
- Independent BOM and VEX BOM
- BOM With Embedded VEX
Trivy only supports the Independent BOM and VEX BOM format, so you need to provide a separate VEX file alongside the SBOM. The input SBOM format must be in CycloneDX format.
The following steps are required:
- Generate a CycloneDX SBOM
- Create a VEX based on the SBOM generated in step 1
- Provide the VEX when scanning the CycloneDX SBOM
"},{"location":"guide/supply-chain/vex/file/#generate-the-sbom","title":"Generate the SBOM","text":"You can generate a CycloneDX SBOM with Trivy as follows:
$ trivy image --format cyclonedx --output debian11.sbom.cdx debian:11\n
"},{"location":"guide/supply-chain/vex/file/#create-the-vex","title":"Create the VEX","text":"Next, create a VEX based on the generated SBOM. Multiple vulnerability statuses can be defined under vulnerabilities. Take a look at the example below.
$ cat <<EOF > trivy.vex.cdx\n{\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"vulnerabilities\": [\n {\n \"id\": \"CVE-2020-8911\",\n \"analysis\": {\n \"state\": \"not_affected\",\n \"justification\": \"code_not_reachable\",\n \"response\": [\"will_not_fix\", \"update\"],\n \"detail\": \"The vulnerable function is not called\"\n },\n \"affects\": [\n {\n \"ref\": \"urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#pkg:golang/github.com/aws/aws-sdk-go@v1.44.234\"\n }\n ]\n }\n ]\n}\nEOF\n
This is a VEX document in the CycloneDX format. The vulnerability ID, such as a CVE-ID or GHSA-ID, should be placed in vulnerabilities.id. When the analysis.state is set to not_affected, Trivy will not detect the vulnerability.
BOM-Links must be placed in affects.ref. The BOM-Link has the following syntax and consists of three elements:
urn:cdx:serialNumber/version#bom-ref\n
- serialNumber
- version
- bom-ref
These values must be obtained from the CycloneDX SBOM. Please note that while the serialNumber starts with urn:uuid:, the BOM-Link starts with urn:cdx:.
The bom-ref must contain the BOM-Ref of the package affected by the vulnerability. In the example above, since the Go package github.com/aws/aws-sdk-go is affected by CVE-2020-8911, it was necessary to specify the SBOM's BOM-Ref, pkg:golang/github.com/aws/aws-sdk-go@1.44.234.
For more details on CycloneDX VEX and BOM-Link, please refer to the following links:
- CycloneDX VEX
- BOM-Link
- Examples
"},{"location":"guide/supply-chain/vex/file/#scan-sbom-with-vex","title":"Scan SBOM with VEX","text":"Provide the VEX when scanning the CycloneDX SBOM.
$ trivy sbom trivy.sbom.cdx --vex trivy.vex.cdx\n...\n2023-04-13T12:55:44.838+0300 INFO Filtered out the detected vulnerability {\"VEX format\": \"CycloneDX\", \"vulnerability-id\": \"CVE-2020-8911\", \"status\": \"not_affected\", \"justification\": \"code_not_reachable\"}\n\ngo.mod (gomod)\n==============\nTotal: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)\n\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 Library \u2502 Vulnerability \u2502 Severity \u2502 Installed Version \u2502 Fixed Version \u2502 Title 
\u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 github.com/aws/aws-sdk-go \u2502 CVE-2020-8912 \u2502 LOW \u2502 v1.44.234 \u2502 \u2502 aws-sdk-go: In-band key negotiation issue in AWS S3 Crypto \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 SDK for golang... 
\u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2020-8912 \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n
CVE-2020-8911 is no longer shown as it is filtered out according to the given CycloneDX VEX document.
"},{"location":"guide/supply-chain/vex/file/#openvex","title":"OpenVEX","text":"Supported targets: Container Image, Filesystem, Code Repository, VM Image, Kubernetes and SBOM (all supported). Trivy also supports OpenVEX that is designed to be minimal, compliant, interoperable, and embeddable. OpenVEX can be used in all Trivy targets, unlike CycloneDX VEX.
The following steps are required:
- Create a VEX document
- Provide the VEX when scanning your target
"},{"location":"guide/supply-chain/vex/file/#create-the-vex-document","title":"Create the VEX document","text":"Please see also the example. Trivy requires the Package URL (PURL) as the product identifier.
$ cat <<EOF > debian11.openvex.json\n{\n \"@context\": \"https://openvex.dev/ns/v0.2.0\",\n \"@id\": \"https://openvex.dev/docs/public/vex-2e67563e128250cbcb3e98930df948dd053e43271d70dc50cfa22d57e03fe96f\",\n \"author\": \"Aqua Security\",\n \"timestamp\": \"2023-08-29T19:07:16.853479631-06:00\",\n \"version\": 1,\n \"statements\": [\n {\n \"vulnerability\": {\"name\": \"CVE-2019-8457\"},\n \"products\": [\n {\"@id\": \"pkg:deb/debian/libdb5.3@5.3.28+dfsg1-0.8\"}\n ],\n \"status\": \"not_affected\",\n \"justification\": \"vulnerable_code_not_in_execute_path\"\n }\n ]\n}\nEOF\n
In the above example, the PURL pkg:deb/debian/libdb5.3@5.3.28+dfsg1-0.8 is used as the product identifier. You can find PURLs in the JSON report generated by Trivy. This VEX statement is applied if the PURL specified in the VEX matches the PURL found during the scan. See here for more details of PURL matching.
Trivy also supports OpenVEX subcomponents, which allow for more precise specification of the scope of a VEX statement, reducing the risk of incorrect filtering. Let's say you want to suppress vulnerabilities within a container image. If you only specify the PURL of the container image as the product, the resulting VEX would look like this:
OpenVEX products only:
\"statements\": [\n {\n \"vulnerability\": {\"name\": \"CVE-2024-32002\"},\n \"products\": [\n {\"@id\": \"pkg:oci/trivy?repository_url=ghcr.io%2Faquasecurity%2Ftrivy\"}\n ],\n \"status\": \"not_affected\",\n \"justification\": \"vulnerable_code_not_in_execute_path\"\n }\n]\n
However, this approach would suppress all instances of CVE-2024-32002 within the container image. If the intention is to declare that the git package distributed by Alpine Linux within this image is not affected, subcomponents can be utilized as follows:
OpenVEX subcomponents:
\"statements\": [\n {\n \"vulnerability\": {\"name\": \"CVE-2024-32002\"},\n \"products\": [\n {\n \"@id\": \"pkg:oci/trivy?repository_url=ghcr.io%2Faquasecurity%2Ftrivy\",\n \"subcomponents\": [\n {\"@id\": \"pkg:apk/alpine/git\"}\n ]\n }\n ],\n \"status\": \"not_affected\",\n \"justification\": \"vulnerable_code_not_in_execute_path\"\n }\n]\n
By declaring the subcomponent in this manner, Trivy will filter the results, considering only the git package within the ghcr.io/aquasecurity/trivy container image as not affected. Omitting the version in the PURL applies the statement to all versions of the package. More details about PURL matching can be found here.
Furthermore, the product specified in a VEX statement does not necessarily need to be the target of the scan. It is possible to specify a component that is included in the scan target as the product. For example, you can designate a specific Go project as the product and its dependent modules as subcomponents.
In the following example, the VEX statement declares that the github.com/docker/docker module, which is a dependency of the github.com/aquasecurity/trivy Go project, is not affected by CVE-2024-29018.
OpenVEX intermediate components:
\"statements\": [\n {\n \"vulnerability\": {\"name\": \"CVE-2024-29018\"},\n \"products\": [\n {\n \"@id\": \"pkg:golang/github.com/aquasecurity/trivy\",\n \"subcomponents\": [\n { \"@id\": \"pkg:golang/github.com/docker/docker\" }\n ]\n }\n ],\n \"status\": \"not_affected\",\n \"justification\": \"vulnerable_code_not_in_execute_path\"\n }\n]\n
This VEX document can be used when scanning a container image as well as other targets. The VEX statement will be applied when Trivy finds the Go binary within the container image.
$ trivy image ghcr.io/aquasecurity/trivy:0.50.0 --vex trivy.openvex.json\n
VEX documents can indeed be reused across different container images, eliminating the need to issue separate VEX documents for each image. This is particularly useful when there is a common component or library that is used across multiple projects or container images.
You can see the appendix for more details on how VEX is applied in Trivy.
"},{"location":"guide/supply-chain/vex/file/#scan-with-vex","title":"Scan with VEX","text":"Provide the VEX when scanning your target.
$ trivy image debian:11.6 --vex debian11.openvex.json\n...\n2023-04-26T17:56:05.358+0300 INFO Filtered out the detected vulnerability {\"VEX format\": \"OpenVEX\", \"vulnerability-id\": \"CVE-2019-8457\", \"status\": \"not_affected\", \"justification\": \"vulnerable_code_not_in_execute_path\"}\n\ndebian:11.6 (debian 11.6)\n\nTotal: 176 (UNKNOWN: 1, LOW: 82, MEDIUM: 46, HIGH: 41, CRITICAL: 5)\n
CVE-2019-8457 is no longer shown as it is filtered out according to the given OpenVEX document.
"},{"location":"guide/supply-chain/vex/file/#csaf","title":"CSAF","text":"Supported targets: Container Image, Filesystem, Code Repository, VM Image, Kubernetes and SBOM (all supported). Trivy also supports CSAF format for VEX. Since CSAF aims to be SBOM format agnostic, both CycloneDX and SPDX formats are available for use as input SBOMs in Trivy.
The following steps are required:
- Create a CSAF document
- Provide the CSAF when scanning your target
"},{"location":"guide/supply-chain/vex/file/#create-the-csaf-document","title":"Create the CSAF document","text":"Create a CSAF document in JSON format as follows:
CSAF VEX $ cat <<EOF > debian11.vex.csaf\n{\n \"document\": {\n \"category\": \"csaf_vex\",\n \"csaf_version\": \"2.0\",\n \"notes\": [\n {\n \"category\": \"summary\",\n \"text\": \"Example Company VEX document. Unofficial content for demonstration purposes only.\",\n \"title\": \"Author comment\"\n }\n ],\n \"publisher\": {\n \"category\": \"vendor\",\n \"name\": \"Example Company ProductCERT\",\n \"namespace\": \"https://psirt.example.com\"\n },\n \"title\": \"AquaSecurity example VEX document\",\n \"tracking\": {\n \"current_release_date\": \"2024-01-01T11:00:00.000Z\",\n \"generator\": {\n \"date\": \"2024-01-01T11:00:00.000Z\",\n \"engine\": {\n \"name\": \"Secvisogram\",\n \"version\": \"1.11.0\"\n }\n },\n \"id\": \"2024-EVD-UC-01-A-001\",\n \"initial_release_date\": \"2024-01-01T11:00:00.000Z\",\n \"revision_history\": [\n {\n \"date\": \"2024-01-01T11:00:00.000Z\",\n \"number\": \"1\",\n \"summary\": \"Initial version.\"\n }\n ],\n \"status\": \"final\",\n \"version\": \"1\"\n }\n },\n \"product_tree\": {\n \"branches\": [\n {\n \"branches\": [\n {\n \"branches\": [\n {\n \"category\": \"product_version\",\n \"name\": \"5.3\",\n \"product\": {\n \"name\": \"Database Libraries 5.3\",\n \"product_id\": \"LIBDB-5328\",\n \"product_identification_helper\": {\n \"purl\": \"pkg:deb/debian/libdb5.3@5.3.28%2Bdfsg1-0.8?arch=amd64\\u0026distro=debian-11.8\"\n }\n }\n }\n ],\n \"category\": \"product_name\",\n \"name\": \"Database Libraries\"\n }\n ],\n \"category\": \"vendor\",\n \"name\": \"Debian\"\n }\n ]\n },\n \"vulnerabilities\": [\n {\n \"cve\": \"CVE-2019-8457\",\n \"notes\": [\n {\n \"category\": \"description\",\n \"text\": \"SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.\",\n \"title\": \"CVE description\"\n }\n ],\n \"product_status\": {\n \"known_not_affected\": [\n \"LIBDB-5328\"\n ]\n },\n \"threats\": [\n {\n \"category\": \"impact\",\n \"details\": 
\"Vulnerable code not in execute path.\",\n \"product_ids\": [\n \"LIBDB-5328\"\n ]\n }\n ]\n }\n ]\n}\nEOF\n
Trivy also supports CSAF relationships, reducing the risk of incorrect filtering. It works in the same way as OpenVEX subcomponents. At present, the specified relationship category is not taken into account and all the following categories are treated internally as \"depends_on\".
- default_component_of
- installed_on
- installed_with
You can see the appendix for more details on how VEX is applied in Trivy.
"},{"location":"guide/supply-chain/vex/file/#scan-with-csaf-vex","title":"Scan with CSAF VEX","text":"Provide the CSAF document when scanning your target.
$ trivy image debian:11.8 --vex debian11.vex.csaf\n...\n2024-01-02T10:28:26.704+0100 INFO Filtered out the detected vulnerability {\"VEX format\": \"CSAF\", \"vulnerability-id\": \"CVE-2019-8457\", \"status\": \"not_affected\"}\n\ndebian:11.8 (debian 11.8)\n\nTotal: 153 (UNKNOWN: 1, LOW: 82, MEDIUM: 33, HIGH: 32, CRITICAL: 5)\n
CVE-2019-8457 is no longer shown as it is filtered out according to the given CSAF document.
"},{"location":"guide/supply-chain/vex/file/#appendix","title":"Appendix","text":""},{"location":"guide/supply-chain/vex/file/#purl-matching","title":"PURL matching","text":"In the context of VEX, Package URLs (PURLs) are utilized to identify specific software packages and their versions. The PURL matching specification outlines how PURLs are interpreted for vulnerability exception processing, ensuring precise identification and broad coverage of software packages.
Note
The following PURL matching rules are not formally defined within the current official PURL specification. Instead, they represent a community consensus on how to interpret PURLs.
Below are the key aspects of the PURL matching rules:
"},{"location":"guide/supply-chain/vex/file/#matching-without-version","title":"Matching Without Version","text":"A PURL without a specified version (e.g., pkg:maven/com.google.guava/guava) matches all versions of that package. This rule simplifies the application of vulnerability exceptions to all versions of a package.
Example: pkg:maven/com.google.guava/guava matches:
- All versions of guava, such as com.google.guava:guava:24.1.1, com.google.guava:guava:30.0.
"},{"location":"guide/supply-chain/vex/file/#matching-without-qualifiers","title":"Matching Without Qualifiers","text":"A PURL without any qualifiers (e.g., pkg:maven/com.google.guava/guava@24.1.1) matches any variation of that package, irrespective of qualifiers. This approach ensures broad matching capabilities, covering all architectural or platform-specific variations of a package version.
Example: pkg:maven/com.google.guava/guava@24.1.1 matches:
- pkg:maven/com.google.guava/guava@24.1.1?classifier=x86
- pkg:maven/com.google.guava/guava@24.1.1?type=pom
"},{"location":"guide/supply-chain/vex/file/#matching-with-specific-qualifiers","title":"Matching With Specific Qualifiers","text":"A PURL that includes specific qualifiers (e.g., pkg:maven/com.google.guava/guava@24.1.1?classifier=x86) matches only those package versions that include the same qualifiers.
Example: pkg:maven/com.google.guava/guava@24.1.1?classifier=x86 matches:
- pkg:maven/com.google.guava/guava@24.1.1?classifier=x86&type=dll (extra qualifiers, e.g. type=dll, are ignored)
does not match:
- pkg:maven/com.google.guava/guava@24.1.1 (classifier=x86 is missing)
- pkg:maven/com.google.guava/guava@24.1.1?classifier=sources (classifier must have the same value)
"},{"location":"guide/supply-chain/vex/file/#applying-vex-to-dependency-trees","title":"Applying VEX to Dependency Trees","text":"Trivy internally generates a dependency tree and applies VEX statements to this graph. Let's consider a project with the following dependency tree, where Module C v2.0.0 is assumed to have a vulnerability CVE-XXXX-YYYY:
graph TD;\n modRootA(Module Root A v1.0.0)\n modB(Module B v1.0.0) \n modC(Module C v2.0.0)\n\n modRootA-->modB\n modB-->modC
Now, suppose a VEX statement is issued for Module B as follows:
\"statements\": [\n {\n \"vulnerability\": {\"name\": \"CVE-XXXX-YYYY\"},\n \"products\": [\n {\n \"@id\": \"pkg:golang/module-b@v1.0.0\",\n \"subcomponents\": [\n { \"@id\": \"pkg:golang/module-c@v2.0.0\" }\n ]\n }\n ],\n \"status\": \"not_affected\",\n \"justification\": \"vulnerable_code_not_in_execute_path\" \n }\n]\n
It declares that Module B is not affected by CVE-XXXX-YYYY on Module C.
Note
The VEX in this example defines the relationship between Module B and Module C. However, as Trivy traverses all parents from vulnerable packages, it is also possible to define a VEX for the relationship between a vulnerable package and any of its parents, such as Module Root A and Module C.
Mapping this VEX onto the dependency tree would look like this:
graph TD;\n modRootA(Module Root A v1.0.0)\n\n subgraph \"VEX (Not Affected)\"\n modB(Module B v1.0.0)\n modC(Module C v2.0.0)\n end\n\n modRootA-->modB\n modB-->modC
In this case, it's clear that Module Root A is also not affected by CVE-XXXX-YYYY, so this vulnerability is suppressed.
Now, let's consider another project:
graph TD;\n modRootZ(Module Root Z v1.0.0)\n modB'(Module B v1.0.0)\n modC'(Module C v2.0.0)\n modD'(Module D v3.0.0)\n\n modRootZ-->modB'\n modRootZ-->modD'\n modB'-->modC'\n modD'-->modC'
Assuming the same VEX as before, applying it to this dependency tree would look like:
graph TD;\n modRootZ(Module Root Z v1.0.0)\n\n subgraph \"VEX (Not Affected)\"\n modB'(Module B v1.0.0)\n modC'(Module C v2.0.0)\n end\n\n modD'(Module D v3.0.0)\n\n modRootZ-->modB'\n modRootZ-->modD'\n modB'-->modC'\n modD'-->modC'
Module Root Z depends on Module C via multiple paths. While the VEX tells us that Module B is not affected by the vulnerability, Module D might be. In the absence of a VEX, the default assumption is that it is affected. Taking all of this into account, Trivy determines that Module Root Z is affected by this vulnerability.
"},{"location":"guide/supply-chain/vex/oci/","title":"Discover VEX Attestation in OCI Registry","text":"EXPERIMENTAL
This feature might change without preserving backwards compatibility.
Trivy can discover VEX attestations for container images. This feature allows you to automatically use VEX during container image scanning.
"},{"location":"guide/supply-chain/vex/oci/#how-it-works","title":"How It Works","text":"Trivy can automatically discover and utilize VEX attestations for container images during scanning by using the --vex oci flag. This process enhances vulnerability detection results by incorporating the information from the VEX attestation.
To use this feature, follow these three steps:
- Create a VEX document
- Generate and upload a VEX attestation to an OCI registry
- Use the VEX attestation with Trivy
Steps 1 and 2 are not necessary if you are scanning a third-party container image that already has a VEX attestation attached.
Let's go through each step in detail.
Note
In the following examples, the cosign command will write an attestation to a target OCI registry, so you must have permission to write to it. If you want to avoid writing to an OCI registry and only want to see the attestation, add the --no-upload option to the cosign command.
"},{"location":"guide/supply-chain/vex/oci/#step-1-create-a-vex-document","title":"Step 1: Create a VEX Document","text":"Currently, Trivy does not have a built-in feature to create VEX documents, so you need to create them manually. You can refer to the OpenVEX section for guidance on creating VEX files.
For container image vulnerabilities, the product ID should be the OCI type in the PURL format. For example:
pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy\n
This product ID applies the VEX statement to all tags of the ghcr.io/aquasecurity/trivy container image. If you want to declare a statement for a specific digest only, you can use:
pkg:oci/trivy@sha256:5bd5ab35814f86783561603ebb35d5d5d99006dcdcd5c3f828ea1afb4c12d159?repository_url=ghcr.io/aquasecurity/trivy\n
Note
Using an image tag, like pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy&tag=0.50.0, is not supported in the product ID at the moment.
Next, specify vulnerable packages as subcomponents, such as pkg:apk/alpine/busybox. You can also include the package version and other qualifiers (e.g., arch) to limit statements, like pkg:apk/alpine/busybox@1.36.1-r29?arch=x86.
Lastly, include the vulnerability IDs.
Here's an example VEX document:
{\n \"@context\": \"https://openvex.dev/ns/v0.2.0\",\n \"@id\": \"https://openvex.dev/docs/public/vex-2e67563e128250cbcb3e98930df948dd053e43271d70dc50cfa22d57e03fe96f\",\n \"author\": \"Aqua Security\",\n \"timestamp\": \"2024-07-30T19:07:16.853479631-06:00\",\n \"version\": 1,\n \"statements\": [\n {\n \"vulnerability\": {\n \"name\": \"CVE-2023-42363\"\n },\n \"products\": [\n {\n \"@id\": \"pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy\",\n \"subcomponents\": [\n {\"@id\": \"pkg:apk/alpine/busybox\"},\n {\"@id\": \"pkg:apk/alpine/busybox-binsh\"}\n ]\n }\n ],\n \"status\": \"not_affected\",\n \"justification\": \"vulnerable_code_cannot_be_controlled_by_adversary\",\n \"impact_statement\": \"awk is not used\"\n }\n ]\n}\n
You can also refer to Trivy's example for more inspiration.
"},{"location":"guide/supply-chain/vex/oci/#step-2-generate-and-upload-a-vex-attestation-to-an-oci-registry","title":"Step 2: Generate and Upload a VEX Attestation to an OCI Registry","text":"You can use the Cosign command to generate and upload the VEX attestation. Cosign offers methods both with and without keys. For detailed instructions, please refer to the Cosign documentation.
To generate and attach a VEX attestation to your image, use the following command:
$ cosign attest --predicate oci.openvex.json --type openvex <IMAGE>\n
Note that this command attaches the attestation only to the specified image tag. If needed, repeat the process for other tags and digests.
"},{"location":"guide/supply-chain/vex/oci/#step-3-use-vex-attestation-with-trivy","title":"Step 3: Use VEX Attestation with Trivy","text":"Once you've attached the VEX attestation to the container image, Trivy can automatically discover and use it during scanning. Simply add the --vex oci flag when scanning a container image:
$ trivy image --vex oci <IMAGE>\n
To see which vulnerabilities were filtered by the VEX attestation, use the --show-suppressed flag:
$ trivy image --vex oci --show-suppressed <IMAGE>\n
The <IMAGE> specified in these commands must be the same as the one to which you attached the VEX attestation.
"},{"location":"guide/supply-chain/vex/repo/","title":"VEX Repository","text":"EXPERIMENTAL
This feature might change without preserving backwards compatibility.
"},{"location":"guide/supply-chain/vex/repo/#using-vex-repository","title":"Using VEX Repository","text":"Trivy can download and utilize VEX documents from repositories that comply with the VEX Repository Specification. While it's planned to be enabled by default in the future, currently it can be activated by explicitly specifying --vex repo.
$ trivy image ghcr.io/aquasecurity/trivy:0.52.0 --vex repo\n2024-07-20T11:22:58+04:00 INFO [vex] The default repository config has been created \nfile_path=\"/Users/teppei/.trivy/vex/repository.yaml\"\n2024-07-20T11:23:23+04:00 INFO [vex] Updating repository... repo=\"default\" url=\"https://github.com/aquasecurity/vexhub\"\n
During scanning, Trivy generates PURLs for discovered packages and searches for matching PURLs in the VEX Repository. If a match is found, the corresponding VEX is utilized.
"},{"location":"guide/supply-chain/vex/repo/#configuration-file","title":"Configuration File","text":""},{"location":"guide/supply-chain/vex/repo/#default-configuration","title":"Default Configuration","text":"When --vex repo is specified for the first time, a default configuration file is created at $HOME/.trivy/vex/repository.yaml. The home directory can be configured through the $XDG_DATA_HOME environment variable.
You can also create the configuration file in advance using the trivy vex repo init command and edit it.
The default configuration file looks like this:
repositories:\n - name: default\n url: https://github.com/aquasecurity/vexhub\n enabled: true\n username: \"\"\n password: \"\"\n token: \"\"\n
By default, VEX Hub managed by Aqua Security is used. VEX Hub primarily trusts VEX documents published by the package maintainers.
"},{"location":"guide/supply-chain/vex/repo/#show-configuration","title":"Show Configuration","text":"You can see the config file path and the configured repositories with trivy vex repo list:
$ trivy vex repo list\nVEX Repositories (config: /home/username/.trivy/vex/repository.yaml)\n\n- Name: default\n URL: https://github.com/aquasecurity/vexhub\n Status: Enabled\n
"},{"location":"guide/supply-chain/vex/repo/#custom-repositories","title":"Custom Repositories","text":"If you want to trust VEX documents published by other organizations or use your own VEX repository, you can specify a custom repository that complies with the VEX Repository Specification. You can add a custom repository as below:
- name: custom\n url: https://example.com/custom-repo\n enabled: true\n
"},{"location":"guide/supply-chain/vex/repo/#authentication","title":"Authentication","text":"For private repositories:
- username/password can be used for Basic authentication
- token can be used for Bearer authentication
- name: custom\n url: https://example.com/custom-repo\n enabled: true\n token: \"my-token\"\n
"},{"location":"guide/supply-chain/vex/repo/#repository-priority","title":"Repository Priority","text":"The priority of VEX repositories is determined by their order in the configuration file. You can add repositories with higher priority than the default or even remove the default VEX Hub.
- name: repo1\n url: https://example.com/repo1\n- name: repo2\n url: https://example.com/repo2\n
In this configuration, when Trivy detects a vulnerability in a package, it generates a PURL for that package and searches for matching VEX documents in the configured repositories. The search process follows this order:
- Trivy first looks for a VEX document matching the package's PURL in repo1.
- If no matching VEX document is found in repo1, Trivy then searches in repo2.
- This process continues through all configured repositories until a match is found.
If a matching VEX document is found in any repository (e.g., repo1), the search stops, and Trivy uses that VEX document. Subsequent repositories (e.g., repo2) are not checked for that specific vulnerability and package combination.
It's important to note that the first matching VEX document found determines the final status of the vulnerability. For example, if repo1 states that a package is \"Affected\" by a vulnerability, this status will be used even if repo2 states that the same package is \"Not Affected\" for the same vulnerability. The \"Affected\" status from the higher-priority repository (repo1) takes precedence, and Trivy will consider the package as affected by the vulnerability.
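The lookup order and first-match rule described above, modelled as a small Python script (an added example, not Trivy's own code; the repositories, PURLs, statuses and the placeholder CVE ID are constructed for illustration):

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class VexRepository:
    """One entry of the repositories list, in the order it appears in repository.yaml."""
    name: str
    url: str
    enabled: bool = True
    # Constructed stand-in for the repository's VEX documents:
    # (package PURL, vulnerability ID) -> VEX status.
    statements: dict[tuple[str, str], str] = field(default_factory=dict)


def resolve_status(repos: list[VexRepository], purl: str, vuln_id: str) -> Optional[tuple[str, str]]:
    """Walk the repositories in configured order and return (status, repo name)
    from the first enabled repository holding a statement for this PURL and
    vulnerability. Later repositories are not consulted once a match is found,
    so a higher-priority 'affected' wins over a lower-priority 'not_affected'."""
    for repo in repos:
        if not repo.enabled:
            continue
        status = repo.statements.get((purl, vuln_id))
        if status is not None:
            return status, repo.name
    return None


def filter_findings(repos: list[VexRepository], findings: list[tuple[str, str]]):
    """Split (purl, vuln_id) findings into reported and suppressed, mirroring the
    --show-suppressed output: the sample above shows not_affected statements being
    suppressed; any other status (or no statement) leaves the finding reported."""
    reported, suppressed = [], []
    for purl, vuln_id in findings:
        match = resolve_status(repos, purl, vuln_id)
        if match is not None and match[0] == "not_affected":
            suppressed.append((purl, vuln_id, match[1]))
        else:
            reported.append((purl, vuln_id, match[0] if match else None))
    return reported, suppressed


# Constructed configuration: repo1 has higher priority than repo2; the third
# repository is disabled and must never be consulted.
BUSYBOX = "pkg:apk/alpine/busybox@1.36.1-r5"  # constructed PURL
CURL = "pkg:apk/alpine/curl@8.5.0-r0"         # constructed PURL
PLACEHOLDER_CVE = "CVE-XXXX-PLACEHOLDER"      # placeholder ID, not a real CVE
REPOS = [
    VexRepository("repo1", "https://example.com/repo1",
                  statements={(BUSYBOX, "CVE-2023-42364"): "affected"}),
    VexRepository("repo2", "https://example.com/repo2",
                  statements={(BUSYBOX, "CVE-2023-42364"): "not_affected",
                              (BUSYBOX, "CVE-2023-42365"): "not_affected"}),
    VexRepository("disabled", "https://example.com/disabled", enabled=False,
                  statements={(CURL, PLACEHOLDER_CVE): "not_affected"}),
]
FINDINGS = [(BUSYBOX, "CVE-2023-42364"), (BUSYBOX, "CVE-2023-42365"), (CURL, PLACEHOLDER_CVE)]

if __name__ == "__main__":
    reported, suppressed = filter_findings(REPOS, FINDINGS)
    for purl, vuln_id, status in reported:
        print(f"reported   {purl} {vuln_id} (status: {status})")
    for purl, vuln_id, repo in suppressed:
        print(f"suppressed {purl} {vuln_id} (VEX Repository: {repo})")
```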
"},{"location":"guide/supply-chain/vex/repo/#repository-updates","title":"Repository Updates","text":"VEX repositories are automatically updated during scanning. Updates are performed based on the update frequency specified by the repository.
To disable auto-update, pass --skip-vex-repo-update.
$ trivy image ghcr.io/aquasecurity/trivy:0.50.0 --vex repo --skip-vex-repo-update\n
To download VEX repositories in advance without scanning, use trivy vex repo download.
The cache can be cleared with trivy clean --vex-repo.
"},{"location":"guide/supply-chain/vex/repo/#displaying-filtered-vulnerabilities","title":"Displaying Filtered Vulnerabilities","text":"To see which vulnerabilities were filtered and why, use the --show-suppressed option:
$ trivy image ghcr.io/aquasecurity/trivy:0.50.0 --vex repo --show-suppressed\n...\n\nSuppressed Vulnerabilities (Total: 4)\n=====================================\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 Library \u2502 Vulnerability \u2502 Severity \u2502 Status \u2502 Statement \u2502 Source 
\u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 busybox \u2502 CVE-2023-42364 \u2502 MEDIUM \u2502 not_affected \u2502 vulnerable_code_cannot_be_controlled_by_adversary \u2502 VEX Repository: default \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 (https://github.com/aquasecurity/vexhub) \u2502\n\u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u2502 \u2502 \u2502\n\u2502 \u2502 CVE-2023-42365 \u2502 \u2502 \u2502 \u2502 \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u2502 \u2502 \u2502\n\u2502 busybox-binsh \u2502 CVE-2023-42364 \u2502 \u2502 \u2502 \u2502 \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502\n\u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u2502 \u2502 \u2502\n\u2502 \u2502 CVE-2023-42365 
\u2502 \u2502 \u2502 \u2502 \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n
"},{"location":"guide/supply-chain/vex/repo/#publishing-vex-documents","title":"Publishing VEX Documents","text":""},{"location":"guide/supply-chain/vex/repo/#for-oss-projects","title":"For OSS Projects","text":"As an OSS developer or maintainer, you may encounter vulnerabilities in the packages your project depends on. These vulnerabilities might be discovered through your own scans or reported by third parties using your OSS project.
While Trivy strives to minimize false positives, it doesn't perform code graph analysis, which means it can't evaluate exploitability at the code level. Consequently, Trivy may report vulnerabilities even in cases where:
- The vulnerable function in a dependency is never called in your project.
- The vulnerable code cannot be controlled by an attacker in the context of your project.
If you're confident that a reported vulnerability in a dependency doesn't affect your OSS project or container image, you can publish a VEX document to reduce noise in Trivy scans. To assess exploitability, you have several options:
- Manual assessment: As a maintainer, you can read the source code and determine if the vulnerability is exploitable in your project's context.
- Automated assessment: You can use SAST (Static Application Security Testing) tools or similar tools to analyze the code and determine exploitability.
If you publish VEX documents in the source repository, Trivy can automatically use them through VEX Hub. The main steps are:
- Generate a VEX document
- Commit the VEX document to the .vex/ directory in the source repository (e.g., Trivy's VEX)
- Register your project's PURL in VEX Hub
Step 3 is only necessary once. After that, updates to the VEX file in your repository are automatically fetched by VEX Hub and used by Trivy. See the VEX Hub repository for more information.
If you want to issue a VEX for an OSS project that you don't maintain, consider first proposing the VEX publication to the original repository. Many OSS maintainers are open to contributions that improve the security posture of their projects. However, if your proposal is not accepted, or if you want to issue a VEX with statements that differ from the maintainer's judgment, you may want to consider creating a custom repository.
"},{"location":"guide/supply-chain/vex/repo/#for-private-projects","title":"For Private Projects","text":"If you're working on private software or personal projects, you have several options:
- Local VEX files: You can create local VEX files and have Trivy read them during scans. This is suitable for individual use or small teams.
- .trivyignore: For simpler cases, using a .trivyignore file might be sufficient to suppress specific vulnerabilities.
- Custom repositories: For large organizations wanting to share VEX information for internally used software across different departments, setting up a custom VEX repository might be the best approach.
"},{"location":"guide/supply-chain/vex/repo/#hosting-custom-repositories","title":"Hosting Custom Repositories","text":"While the principle is to store VEX documents for OSS packages in the source repository, it's possible to create a custom repository if that's difficult.
There are various use cases for providing custom repositories:
- A Pull Request to add a VEX document upstream was not merged
- Consolidating VEX documents output by SAST tools
- Publishing vendor-specific VEX documents that differ from OSS maintainer statements
- Creating a private VEX repository to publish common VEX for your company
In these cases, you can create a repository that complies with the VEX Repository Specification to make it available for use with Trivy.
"},{"location":"guide/supply-chain/vex/sbom-ref/","title":"VEX SBOM Reference","text":"EXPERIMENTAL
This feature might change without preserving backwards compatibility.
"},{"location":"guide/supply-chain/vex/sbom-ref/#using-externally-referenced-vex-documents","title":"Using externally referenced VEX documents","text":"Trivy can discover and download VEX documents referenced in the externalReferences of a scanned CycloneDX SBOM. This requires the references to be of type exploitability-statement.
To be picked up by Trivy, the following top-level content needs to be part of a CycloneDX SBOM so that a remotely hosted VEX file at https://vex.example.com is resolved dynamically:
\"externalReferences\": [\n {\n \"type\": \"exploitability-statement\",\n \"url\": \"https://vex.example.com/vex\"\n }\n ]\n
This can also be used to dynamically retrieve VEX files stored on GitHub with an externalReference such as:
\"externalReferences\": [\n {\n \"type\": \"exploitability-statement\",\n \"url\": \"https://raw.githubusercontent.com/aquasecurity/trivy/refs/heads/main/.vex/trivy.openvex.json\"\n }\n ]\n
This is not enabled by default at the moment, but it can be used when scanning a CycloneDX SBOM by explicitly specifying --vex sbom-ref.
$ trivy sbom trivy.cdx.json --vex sbom-ref\n2025-01-19T13:29:31+01:00 INFO [vex] Retrieving external VEX document from host vex.example.com type=\"externalReference\"\n2025-01-19T13:29:31+01:00 INFO Some vulnerabilities have been ignored/suppressed. Use the \"--show-suppressed\" flag to display them.\n
All the referenced VEX files are retrieved via HTTP/HTTPS and used in the same way as if they were explicitly specified via a file reference.
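An added Python helper (not part of Trivy or the original page) that adds an exploitability-statement reference to a CycloneDX SBOM's top-level externalReferences and lists the references Trivy would consider under the rules above (top-level only, retrieved over HTTP/HTTPS); the SBOM document and URLs are constructed for illustration.

```python
import json
from urllib.parse import urlparse

EXPLOITABILITY_STATEMENT = "exploitability-statement"


def vex_references(sbom: dict) -> list[str]:
    """Return the URLs of top-level externalReferences of type
    exploitability-statement that are retrievable over HTTP/HTTPS, which is
    what --vex sbom-ref resolves. References attached to components are
    ignored because only top-level references are described as being used."""
    urls: list[str] = []
    for ref in sbom.get("externalReferences", []):
        if ref.get("type") != EXPLOITABILITY_STATEMENT:
            continue
        url = ref.get("url", "")
        if urlparse(url).scheme not in ("http", "https"):
            continue  # e.g. file:// references would not be fetched
        if url not in urls:
            urls.append(url)
    return urls


def add_vex_reference(sbom: dict, url: str) -> dict:
    """Add an exploitability-statement reference to the SBOM's top-level
    externalReferences (creating the list if needed), skipping duplicates.
    Returns the same dict for chaining."""
    if urlparse(url).scheme not in ("http", "https"):
        raise ValueError(f"VEX reference must be an http(s) URL: {url}")
    refs = sbom.setdefault("externalReferences", [])
    if not any(r.get("type") == EXPLOITABILITY_STATEMENT and r.get("url") == url for r in refs):
        refs.append({"type": EXPLOITABILITY_STATEMENT, "url": url})
    return sbom


# Constructed minimal CycloneDX 1.5 document; only the fields used here are present.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "externalReferences": [
        {"type": "vcs", "url": "https://github.com/aquasecurity/trivy"},
        {"type": EXPLOITABILITY_STATEMENT, "url": "https://vex.example.com/vex"},
        {"type": EXPLOITABILITY_STATEMENT, "url": "file:///tmp/local.openvex.json"},  # not http(s): ignored
    ],
    "components": [{
        "type": "library", "name": "busybox", "version": "1.36.1-r5",
        # component-level reference: not a top-level reference, so ignored
        "externalReferences": [{"type": EXPLOITABILITY_STATEMENT, "url": "https://vex.example.com/component"}],
    }],
}

TRIVY_VEX_URL = "https://raw.githubusercontent.com/aquasecurity/trivy/refs/heads/main/.vex/trivy.openvex.json"


def demo() -> list[str]:
    """Add two references (one a duplicate) to a copy of the sample and list the result."""
    sbom = json.loads(json.dumps(SAMPLE_SBOM))  # deep copy so SAMPLE_SBOM stays intact
    add_vex_reference(sbom, TRIVY_VEX_URL)
    add_vex_reference(sbom, "https://vex.example.com/vex")  # already present: not added twice
    return vex_references(sbom)


if __name__ == "__main__":
    for url in demo():
        print(f"VEX reference Trivy would retrieve: {url}")
```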
"},{"location":"guide/target/container_image/","title":"Container Image","text":"Trivy supports two targets for container images.
- Files inside container images
- Container image metadata
"},{"location":"guide/target/container_image/#files-inside-container-images","title":"Files inside container images","text":"Container images consist of files. For instance, new files will be installed if you install a package.
Trivy scans the files inside container images for
- Vulnerabilities
- Misconfigurations
- Secrets
- Licenses
By default, vulnerability and secret scanning are enabled, and you can configure that with --scanners.
"},{"location":"guide/target/container_image/#vulnerabilities","title":"Vulnerabilities","text":"It is enabled by default. You can simply specify your image name (and a tag). Trivy detects known vulnerabilities in your container image. See here for details.
$ trivy image [YOUR_IMAGE_NAME]\n
For example:
$ trivy image python:3.4-alpine\n
Result 2019-05-16T01:20:43.180+0900 INFO Updating vulnerability database...\n2019-05-16T01:20:53.029+0900 INFO Detecting Alpine vulnerabilities...\n\npython:3.4-alpine3.9 (alpine 3.9.2)\n===================================\nTotal: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)\n\n+---------+------------------+----------+-------------------+---------------+--------------------------------+\n| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |\n+---------+------------------+----------+-------------------+---------------+--------------------------------+\n| openssl | CVE-2019-1543 | MEDIUM | 1.1.1a-r1 | 1.1.1b-r1 | openssl: ChaCha20-Poly1305 |\n| | | | | | with long nonces |\n+---------+------------------+----------+-------------------+---------------+--------------------------------+\n
To enable only vulnerability scanning, you can specify --scanners vuln.
$ trivy image --scanners vuln [YOUR_IMAGE_NAME]\n
"},{"location":"guide/target/container_image/#misconfigurations","title":"Misconfigurations","text":"It is supported, but it is not useful in most cases. As mentioned here, Trivy mainly supports Infrastructure as Code (IaC) files for misconfigurations. If your container image includes IaC files such as Kubernetes YAML files or Terraform files, you should enable this feature with --scanners misconfig.
$ trivy image --scanners misconfig [YOUR_IMAGE_NAME]\n
"},{"location":"guide/target/container_image/#secrets","title":"Secrets","text":"It is enabled by default. See here for details.
$ trivy image [YOUR_IMAGE_NAME]\n
"},{"location":"guide/target/container_image/#licenses","title":"Licenses","text":"It is disabled by default. See here for details.
$ trivy image --scanners license [YOUR_IMAGE_NAME]\n
"},{"location":"guide/target/container_image/#container-image-metadata","title":"Container image metadata","text":"Container images have a configuration; docker inspect and docker history display information taken from it.
Trivy scans the configuration of container images for
- Misconfigurations
- Secrets
They are disabled by default. You can enable them with --image-config-scanners.
Tips
The configuration can be exported as a JSON file with docker save.
"},{"location":"guide/target/container_image/#misconfigurations_1","title":"Misconfigurations","text":"Trivy detects misconfigurations in the configuration of container images. The image config is converted into a Dockerfile, and Trivy handles it as a Dockerfile. See here for details of Dockerfile scanning.
It is disabled by default. You can enable it with --image-config-scanners misconfig.
$ trivy image --image-config-scanners misconfig [YOUR_IMAGE_NAME]\n
Result alpine:3.17 (dockerfile)\n========================\nTests: 24 (SUCCESSES: 21, FAILURES: 3)\nFailures: 3 (UNKNOWN: 0, LOW: 2, MEDIUM: 0, HIGH: 1, CRITICAL: 0)\n\nHIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument\n\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\nRunning containers with 'root' user can lead to a container escape situation. 
It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.\n\nSee https://avd.aquasec.com/misconfig/ds002\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\n\nLOW: Consider using 'COPY file:e4d600fc4c9c293efe360be7b30ee96579925d1b4634c94332e2ec73f7d8eca1 in /' command instead of 'ADD file:e4d600fc4c9c293efe360be7b30ee96579925d1b4634c94332e2ec73f7d8eca1 in 
/'\n\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\nYou should use COPY instead of ADD unless you want to extract a tar file. Note that an ADD command will extract a tar file, which adds the risk of Zip-based vulnerabilities. 
Accordingly, it is advised to use a COPY command, which does not extract tar files.\n\nSee https://avd.aquasec.com/misconfig/ds005\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n 
alpine:3.17:1\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n 1 [ ADD file:e4d600fc4c9c293efe360be7b30ee96579925d1b4634c94332e2ec73f7d8eca1 in 
/\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\n\nLOW: Add HEALTHCHECK instruction in your 
Dockerfile\n\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\nYou should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.\n\nSee 
https://avd.aquasec.com/misconfig/ds026\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n
Tip
You can see how each layer is created with docker history.
"},{"location":"guide/target/container_image/#disabled-checks","title":"Disabled checks","text":"The following checks are disabled for this scan type due to known issues. See the linked issues for more details.
Check ID | Reason | Issue
AVD-DS-0007 | This check detects multiple ENTRYPOINT instructions in a stage, but since image history analysis does not identify stages, this check is not relevant for this scan type. | #8364
AVD-DS-0016 | This check detects multiple CMD instructions in a stage, but since image history analysis does not identify stages, this check is not relevant for this scan type. | #7368
"},{"location":"guide/target/container_image/#secrets_1","title":"Secrets","text":"Trivy detects secrets in the configuration of container images. The image config is converted into JSON and Trivy scans the file for secrets. It is especially useful for environment variables, which often contain credentials by accident. See here for details.
$ trivy image --image-config-scanners secret [YOUR_IMAGE_NAME]\n
Result vuln-image (alpine 3.17.1)\n==========================\nTotal: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)\n\n\nvuln-image (secrets)\n====================\nTotal: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)\n\nCRITICAL: GitHub (github-pat)\n\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\nGitHub Personal Access 
Token\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n 
test:16\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n 14 {\n 15 \"created\": \"2023-01-09T17:05:20Z\",\n 16 [ \"created_by\": \"ENV secret=****************************************\",\n 17 \"comment\": 
\"buildkit.dockerfile.v0\",\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\n\nCRITICAL: GitHub 
(github-pat)\n\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\nGitHub Personal Access 
Token\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n 
test:34\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n 32 \"Env\": [\n 33 \"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\",\n 34 [ \"secret=****************************************\"\n 35 
]\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n
Tip
You can see environment variables with docker inspect.
"},{"location":"guide/target/container_image/#supported","title":"Supported","text":"Trivy will look for the specified image in a series of locations. By default, it will first look in the local Docker Engine, then Containerd, Podman, and finally container registry.
This behavior can be modified with the --image-src flag. For example, the command
trivy image --image-src podman,containerd alpine:3.7.3\n
will first search in Podman. If the image is found there, it will be scanned and the results returned. If the image is not found in Podman, Trivy will then search in Containerd. If the image is not found there either, the scan will fail and no further image sources will be searched.
"},{"location":"guide/target/container_image/#docker-engine","title":"Docker Engine","text":"Trivy tries to look for the specified image in your local Docker Engine. It will be skipped if Docker Engine is not running locally.
If your docker socket is not the default path, you can override it via DOCKER_HOST.
"},{"location":"guide/target/container_image/#containerd","title":"containerd","text":"EXPERIMENTAL
This feature might change without preserving backwards compatibility.
Trivy tries to look for the specified image in your local containerd. It will be skipped if containerd is not running locally.
Specify the name of an image that is present in your locally running containerd.
$ nerdctl images\nREPOSITORY TAG IMAGE ID CREATED PLATFORM SIZE BLOB SIZE\naquasec/nginx latest 2bcabc23b454 3 hours ago linux/amd64 149.1 MiB 54.1 MiB\n$ trivy image aquasec/nginx\n
If your containerd socket is not at the default path (/run/containerd/containerd.sock), you can override it via CONTAINERD_ADDRESS.
$ export CONTAINERD_ADDRESS=/run/k3s/containerd/containerd.sock\n$ trivy image aquasec/nginx\n
If your scan targets are images in a namespace other than containerd's default namespace (default), you can override it via CONTAINERD_NAMESPACE.
$ export CONTAINERD_NAMESPACE=k8s.io\n$ trivy image aquasec/nginx\n
"},{"location":"guide/target/container_image/#podman","title":"Podman","text":"EXPERIMENTAL
This feature might change without preserving backwards compatibility.
Scan your image in Podman (>=2.0) running locally. Remote Podman is not supported. If you prefer to keep the socket open at all times, you can enable the podman.sock systemd service on your machine before running Trivy commands. For more details, see here.
$ systemctl --user enable --now podman.socket\n
Then, you can scan your image in Podman.
$ cat Dockerfile\nFROM alpine:3.12\nRUN apk add --no-cache bash\n$ podman build -t test .\n$ podman images\nREPOSITORY TAG IMAGE ID CREATED SIZE\nlocalhost/test latest efc372d4e0de About a minute ago 7.94 MB\n$ trivy image test\n
If you prefer not to keep the socket open at all times, but to open it only for the duration of your Trivy scan, you can scan your image with the following commands:
podman system service --time=0 \"${TMP_PODMAN_SOCKET}\" & \nPODMAN_SYSTEM_SERVICE_PID=\"$!\" \ntrivy image --podman-host=\"${TMP_PODMAN_SOCKET}\" --docker-host=\"${TMP_PODMAN_SOCKET}\" test\nkill \"${PODMAN_SYSTEM_SERVICE_PID}\"\n
"},{"location":"guide/target/container_image/#container-registry","title":"Container Registry","text":"Trivy supports registries that comply with the following specifications.
- Docker Registry HTTP API V2
- OCI Distribution Specification
You can configure credentials with trivy registry login. See here for the detail.
"},{"location":"guide/target/container_image/#tar-files","title":"Tar Files","text":"Trivy supports image tar files generated by the following tools.
- Docker Image Specification
- Moby Project
- Buildah
- Podman
- img
- Kaniko
$ docker pull ruby:3.1-alpine3.15\n$ docker save ruby:3.1-alpine3.15 -o ruby-3.1.tar\n$ trivy image --input ruby-3.1.tar\n
Result 2022-02-03T10:08:19.127Z INFO Detected OS: alpine\n2022-02-03T10:08:19.127Z WARN This OS version is not on the EOL list: alpine 3.15\n2022-02-03T10:08:19.127Z INFO Detecting Alpine vulnerabilities...\n2022-02-03T10:08:19.127Z INFO Number of language-specific files: 2\n2022-02-03T10:08:19.127Z INFO Detecting gemspec vulnerabilities...\n2022-02-03T10:08:19.128Z INFO Detecting node-pkg vulnerabilities...\n2022-02-03T10:08:19.128Z WARN This OS version is no longer supported by the distribution: alpine 3.15.0\n2022-02-03T10:08:19.128Z WARN The vulnerability detection may be insufficient because security updates are not provided\n\nruby-3.1.tar (alpine 3.15.0)\n============================\nTotal: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 3, CRITICAL: 0)\n\n+----------+------------------+----------+-------------------+---------------+---------------------------------------+\n| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |\n+----------+------------------+----------+-------------------+---------------+---------------------------------------+\n| gmp | CVE-2021-43618 | HIGH | 6.2.1-r0 | 6.2.1-r1 | gmp: Integer overflow and resultant |\n| | | | | | buffer overflow via crafted input |\n| | | | | | -->avd.aquasec.com/nvd/cve-2021-43618 |\n+----------+ + + + + +\n| gmp-dev | | | | | |\n| | | | | | |\n| | | | | | |\n+----------+ + + + + +\n| libgmpxx | | | | | |\n| | | | | | |\n| | | | | | |\n+----------+------------------+----------+-------------------+---------------+---------------------------------------+\n\nNode.js (node-pkg)\n==================\nTotal: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)\n\n\nRuby (gemspec)\n==============\nTotal: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)\n
"},{"location":"guide/target/container_image/#oci-layout","title":"OCI Layout","text":"Trivy supports image directories compliant with Open Container Image Layout Specification.
Buildah:
$ buildah push docker.io/library/alpine:3.11 oci:/path/to/alpine\n$ trivy image --input /path/to/alpine\n
Skopeo:
$ skopeo copy docker-daemon:alpine:3.11 oci:/path/to/alpine\n$ trivy image --input /path/to/alpine\n
Referencing specific images can be done by their tag or by their manifest digest:
# Referenced by tag\n$ trivy image --input /path/to/alpine:3.15\n\n# Referenced by digest\n$ trivy image --input /path/to/alpine@sha256:82389ea44e50c696aba18393b168a833929506f5b29b9d75eb817acceb6d54ba\n
"},{"location":"guide/target/container_image/#sbom","title":"SBOM","text":"Trivy supports the generation of Software Bill of Materials (SBOM) for container images and the search for SBOMs during vulnerability scanning.
"},{"location":"guide/target/container_image/#generation","title":"Generation","text":"Trivy can generate SBOM for container images. See here for details.
"},{"location":"guide/target/container_image/#discover-sbom-inside-container-images","title":"Discover SBOM inside container images","text":"Trivy can search for Software Bill of Materials (SBOMs) within container image files and scan their components for vulnerabilities.
"},{"location":"guide/target/container_image/#third-party-sbom-files","title":"Third-party SBOM files","text":"SBOM specifications define key requirements for component documentation2. However, different tools and systems often have varying approaches to documenting component types and their relationships.
Due to these variations, Trivy cannot always accurately interpret SBOMs generated by other tools. For example, it may have difficulty determining the correct file paths to component information files (such as lock files or binaries). In such cases, Trivy uses the path to the scanned SBOM file itself to maintain traceability and ensure accurate dependency reporting.
"},{"location":"guide/target/container_image/#discover-sbom-referencing-the-container-image","title":"Discover SBOM referencing the container image","text":"Trivy can search for Software Bill of Materials (SBOMs) that reference container images. If an SBOM is found, the vulnerability scan is performed using the SBOM instead of the container image. By using the SBOM, you can perform a vulnerability scan more quickly, as it allows you to skip pulling the container image and analyzing its layers.
To enable this functionality, you need to specify the --sbom-sources flag. The following two sources are supported:
- OCI Registry (oci)
- Rekor (rekor)
Example:
$ trivy image --sbom-sources oci ghcr.io/knqyf263/oci-referrers\n2023-03-05T17:36:55.278+0200 INFO Vulnerability scanning is enabled\n2023-03-05T17:36:58.103+0200 INFO Detected SBOM format: cyclonedx-json\n2023-03-05T17:36:58.129+0200 INFO Found SBOM (cyclonedx) in the OCI referrers\n...\n\nghcr.io/knqyf263/oci-referrers (alpine 3.16.2)\n==============================================\nTotal: 17 (UNKNOWN: 0, LOW: 0, MEDIUM: 5, HIGH: 9, CRITICAL: 3)\n
The OCI Registry utilizes the Referrers API. For more information about Rekor, please refer to its documentation.
"},{"location":"guide/target/container_image/#compliance","title":"Compliance","text":"EXPERIMENTAL
This feature might change without preserving backwards compatibility.
This section describes container image specific compliance reports. For an overview of Trivy's Compliance feature, including working with custom compliance, check out the Compliance documentation.
"},{"location":"guide/target/container_image/#built-in-reports","title":"Built in reports","text":"The following reports are available out of the box:
Compliance | Version | Name for command | More info
CIS Docker Community Edition Benchmark | 1.1.0 | docker-cis-1.6.0 | Link
"},{"location":"guide/target/container_image/#examples","title":"Examples","text":"Scan a container image configuration and generate a compliance summary report:
trivy image --compliance docker-cis-1.6.0 [YOUR_IMAGE_NAME]\n
Note
The Issues column represents the total number of failed checks for this control.
"},{"location":"guide/target/container_image/#authentication","title":"Authentication","text":"Please reference this page.
"},{"location":"guide/target/container_image/#scan-cache","title":"Scan Cache","text":"When scanning container images, it stores analysis results in the cache, using the image ID and the layer IDs as the key. This approach enables faster scans of the same container image or different images that share layers.
More details are available in the cache documentation.
"},{"location":"guide/target/container_image/#options","title":"Options","text":""},{"location":"guide/target/container_image/#scan-image-on-a-specific-architecture-and-os","title":"Scan Image on a specific Architecture and OS","text":"By default, Trivy loads an image on a \"linux/amd64\" machine. To customise this, pass a --platform argument in the format OS/Architecture for the image:
$ trivy image --platform=os/architecture [YOUR_IMAGE_NAME]\n
For example:
$ trivy image --platform=linux/arm alpine:3.16.1\n
Result 2022-10-25T21:00:50.972+0300 INFO Vulnerability scanning is enabled\n2022-10-25T21:00:50.972+0300 INFO Secret scanning is enabled\n2022-10-25T21:00:50.972+0300 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning\n2022-10-25T21:00:50.972+0300 INFO Please see also https://trivy.dev/dev/docs/secret/scanning/#recommendation for faster secret detection\n2022-10-25T21:00:56.190+0300 INFO Detected OS: alpine\n2022-10-25T21:00:56.190+0300 INFO Detecting Alpine vulnerabilities...\n2022-10-25T21:00:56.191+0300 INFO Number of language-specific files: 0\n\nalpine:3.16.1 (alpine 3.16.1)\n=============================\nTotal: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)\n\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 Library \u2502 Vulnerability \u2502 Severity \u2502 Installed Version \u2502 Fixed Version \u2502 Title 
\u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 zlib \u2502 CVE-2022-37434 \u2502 CRITICAL \u2502 1.2.12-r1 \u2502 1.2.12-r2 \u2502 zlib: heap-based buffer over-read and overflow in inflate() \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 in inflate.c via a... \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2022-37434 \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n
"},{"location":"guide/target/container_image/#configure-docker-daemon-socket-to-connect-to","title":"Configure Docker daemon socket to connect to.","text":"You can configure Docker daemon socket with DOCKER_HOST or --docker-host.
$ trivy image --docker-host tcp://127.0.0.1:2375 YOUR_IMAGE\n
"},{"location":"guide/target/container_image/#configure-podman-daemon-socket-to-connect-to","title":"Configure Podman daemon socket to connect to.","text":"You can configure Podman daemon socket with --podman-host.
$ trivy image --podman-host /run/user/1000/podman/podman.sock YOUR_IMAGE\n
"},{"location":"guide/target/container_image/#prevent-scanning-oversized-container-images","title":"Prevent scanning oversized container images","text":"Use the --max-image-size flag to avoid scanning images that exceed a specified size. The size is specified in a human-readable format1 (e.g., 100MB, 10GB).
An error is returned in the following cases:
- if the compressed image size exceeds the limit,
- if the accumulated size of the uncompressed layers exceeds the limit during their pulling.
The layers are pulled into a temporary folder during their pulling and are always cleaned up, even after a successful scan.
EXPERIMENTAL
This feature might change without preserving backwards compatibility.
Example Usage:
# Limit uncompressed image size to 10GB\n$ trivy image --max-image-size=10GB myapp:latest\n
Error Output:
Error: uncompressed image size (15GB) exceeds maximum allowed size (10GB)\n
1. Trivy uses decimal (SI) prefixes (based on 1000) for size.
2. SPDX uses package instead of component.
"},{"location":"guide/target/filesystem/","title":"Filesystem","text":"Scan your local projects for
- Vulnerabilities
- Misconfigurations
- Secrets
- Licenses
By default, vulnerability and secret scanning are enabled, and you can configure that with --scanners.
$ trivy fs /path/to/project\n
It's also possible to scan a single file.
$ trivy fs ~/src/github.com/aquasecurity/trivy-ci-test/Pipfile.lock\n
"},{"location":"guide/target/filesystem/#scanners","title":"Scanners","text":""},{"location":"guide/target/filesystem/#vulnerabilities","title":"Vulnerabilities","text":"It is enabled by default. Trivy will look for vulnerabilities based on lock files such as Gemfile.lock and package-lock.json. See here for the detail.
$ trivy fs ~/src/github.com/aquasecurity/trivy-ci-test\n
Result 2020-06-01T17:06:58.652+0300 WARN OS is not detected and vulnerabilities in OS packages are not detected.\n2020-06-01T17:06:58.652+0300 INFO Detecting pipenv vulnerabilities...\n2020-06-01T17:06:58.691+0300 INFO Detecting cargo vulnerabilities...\n\nPipfile.lock\n============\nTotal: 10 (UNKNOWN: 2, LOW: 0, MEDIUM: 6, HIGH: 2, CRITICAL: 0)\n\n+---------------------+------------------+----------+-------------------+------------------------+------------------------------------+\n| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |\n+---------------------+------------------+----------+-------------------+------------------------+------------------------------------+\n| django | CVE-2020-7471 | HIGH | 2.0.9 | 3.0.3, 2.2.10, 1.11.28 | django: potential |\n| | | | | | SQL injection via |\n| | | | | | StringAgg(delimiter) |\n+ +------------------+----------+ +------------------------+------------------------------------+\n| | CVE-2019-19844 | MEDIUM | | 3.0.1, 2.2.9, 1.11.27 | Django: crafted email address |\n| | | | | | allows account takeover |\n+ +------------------+ + +------------------------+------------------------------------+\n| | CVE-2019-3498 | | | 2.1.5, 2.0.10, 1.11.18 | python-django: Content |\n| | | | | | spoofing via URL path in |\n| | | | | | default 404 page |\n+ +------------------+ + +------------------------+------------------------------------+\n| | CVE-2019-6975 | | | 2.1.6, 2.0.11, 1.11.19 | python-django: |\n| | | | | | memory exhaustion in |\n| | | | | | django.utils.numberformat.format() |\n+---------------------+------------------+----------+-------------------+------------------------+------------------------------------+\n...\n
"},{"location":"guide/target/filesystem/#misconfigurations","title":"Misconfigurations","text":"It is disabled by default and can be enabled with --scanners misconfig. See here for the detail.
$ trivy fs --scanners misconfig /path/to/project\n
"},{"location":"guide/target/filesystem/#secrets","title":"Secrets","text":"It is enabled by default. See here for the detail.
$ trivy fs /path/to/project\n
"},{"location":"guide/target/filesystem/#licenses","title":"Licenses","text":"It is disabled by default. See here for the detail.
$ trivy fs --scanners license /path/to/project\n
"},{"location":"guide/target/filesystem/#sbom-generation","title":"SBOM generation","text":"Trivy can generate SBOM for local projects. See here for the detail.
"},{"location":"guide/target/filesystem/#scan-cache","title":"Scan Cache","text":"When scanning local projects, it doesn't use the cache by default. However, when the local project is a git repository with clean status and the cache backend other than the memory one is enabled, it stores analysis results, using the latest commit hash as the key.
$ trivy fs --cache-backend fs /path/to/git/repo\n
More details are available in the cache documentation.
"},{"location":"guide/target/kubernetes/","title":"Kubernetes","text":"EXPERIMENTAL
This feature might change without preserving backwards compatibility.
Trivy can connect to your Kubernetes cluster and scan it for security issues using the trivy k8s command. This page covers the technical capabilities of Trivy Kubernetes scanning. Trivy can also be installed inside your cluster as a Kubernetes Operator, and continuously scan it. For more about this, please see the Trivy Operator project.
When scanning a Kubernetes cluster, Trivy differentiates between the following:
- Cluster infrastructure (e.g. api-server, kubelet, addons)
- Cluster configuration (e.g. Roles, ClusterRoles)
- Application workloads (e.g. nginx, postgresql)
When scanning any of the above, the container image is scanned separately from the Kubernetes resource definition (the YAML manifest) that defines the resource.
The container image is scanned for:
- Vulnerabilities
- Misconfigurations
- Exposed secrets
The Kubernetes resource definition is scanned for:
- Vulnerabilities (Open Source Libraries, Control Plane and Node Components)
- Misconfigurations
- Exposed secrets
"},{"location":"guide/target/kubernetes/#kubernetes-target-configurations","title":"Kubernetes target configurations","text":"trivy k8s [flags] [CONTEXT] - if the target name [CONTEXT] is not specified, the default will be used.\n
for example:
trivy k8s --report summary\n
JSON result for multi-container pods
For multi-container pods, it may be challenging to associate results with specific images in the JSON summary report. Kubernetes treats a pod as a single object, so individual images within the pod aren't distinguished. For detailed information, please use the --report all option.
By default Trivy will look for a kubeconfig configuration file in the default location, and use the default cluster that is specified. You can also specify a kubeconfig using the --kubeconfig flag:
trivy k8s --kubeconfig ~/.kube/config2\n
"},{"location":"guide/target/kubernetes/#required-roles","title":"Required roles","text":"To successfully scan a Kubernetes cluster, trivy kubernetes subcommand must be executed under a role or a cluster role that has some specific permissions.
The role must have the list verb for all resources (\"*\") in the following API groups: core (\"\"), \"apps\", \"batch\", \"networking.k8s.io\", \"rbac.authorization.k8s.io\":
- apiGroups: [\"\"]\n resources: [\"*\"]\n verbs: [\"list\"]\n- apiGroups: [\"apps\", \"batch\", \"networking.k8s.io\", \"rbac.authorization.k8s.io\"]\n resources: [\"*\"]\n verbs: [\"list\"]\n
If the node collector is enabled (default: enabled), Trivy needs a cluster role with some additional permissions to run and track the jobs:
- apiGroups: [\"\"]\n resources: [\"nodes/proxy\", \"pods/log\"]\n verbs: [\"get\"]\n- apiGroups: [\"\"]\n resources: [\"events\"]\n verbs: [\"watch\"]\n- apiGroups: [\"batch\"]\n resources: [\"jobs\", \"cronjobs\"]\n verbs: [\"list\", \"get\"]\n- apiGroups: [\"batch\"]\n resources: [\"jobs\"]\n verbs: [\"create\",\"delete\", \"watch\"]\n- apiGroups: [\"\"]\n resources: [\"namespaces\"]\n verbs: [\"create\"]\n
"},{"location":"guide/target/kubernetes/#skip-images","title":"Skip-images","text":"By default, all cluster resource images will be downloaded and scanned.
You can control whether Trivy will scan and download the cluster resource images. To disable this feature, add the --skip-images flag.
The --skip-images flag prevents the downloading and scanning of images (including vulnerability and secret scanning) referenced by the cluster resources.
Example:
trivy k8s --report summary --skip-images\n
"},{"location":"guide/target/kubernetes/#includeexclude-kinds","title":"Include/Exclude Kinds","text":"You can control which kinds of resources will be discovered using the --include-kinds or --exclude-kinds comma-separated flags:
Note: The two flags (--include-kinds and --exclude-kinds) cannot be used together.
--include-kinds will include the listed kinds in cluster scanning. --exclude-kinds will exclude the listed kinds from cluster scanning.
By default, all kinds will be included in cluster scanning.
Example:
trivy k8s --report summary --exclude-kinds node,pod\n
"},{"location":"guide/target/kubernetes/#includeexclude-namespaces","title":"Include/Exclude Namespaces","text":"You can control which namespaces will be discovered using the --include-namespaces or --exclude-namespaces comma-separated flags:
Note: The two flags (--include-namespaces and --exclude-namespaces) cannot be used together.
--include-namespaces will include the listed namespaces in cluster scanning. --exclude-namespaces will exclude the listed namespaces from cluster scanning.
By default, all namespaces will be included in cluster scanning.
using --exclude-namespaces
Trivy requires a complete list of namespaces in order to exclude specific ones. Therefore, the --exclude-namespaces option is currently only available when running under a cluster role.
Example:
trivy k8s --report summary --exclude-namespaces dev-system,staging-system\n
"},{"location":"guide/target/kubernetes/#control-plane-and-node-components-vulnerability-scanning","title":"Control Plane and Node Components Vulnerability Scanning","text":"Trivy is capable of discovering Kubernetes control plane components (apiserver, controller-manager, etc.) and node components (kubelet, kube-proxy, etc.), matching them against the official Kubernetes vulnerability database feed, and reporting any vulnerabilities it finds.
To read more about KBOM, see the documentation for Kubernetes scanning.
trivy k8s --scanners vuln --report all\n\nNodeComponents/kind-control-plane (kubernetes)\n\nTotal: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 2, CRITICAL: 0)\n\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 Library \u2502 Vulnerability \u2502 Severity \u2502 Status \u2502 Installed Version \u2502 Fixed Version \u2502 Title 
\u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 k8s.io/kubelet \u2502 CVE-2023-2431 \u2502 LOW \u2502 fixed \u2502 1.21.1 \u2502 1.24.14, 1.25.10, 1.26.5, 1.27.2 \u2502 Bypass of seccomp profile enforcement \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2023-2431 \u2502\n\u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 \u2502 
CVE-2021-25741 \u2502 HIGH \u2502 \u2502 \u2502 1.19.16, 1.20.11, 1.21.5, 1.22.1 \u2502 Symlink exchange can allow host filesystem access \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2021-25741 \u2502\n\u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 \u2502 CVE-2021-25749 \u2502 \u2502 \u2502 \u2502 1.22.14, 1.23.11, 1.24.5 \u2502 runAsNonRoot logic bypass for Windows containers \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2021-25749 
\u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n
"},{"location":"guide/target/kubernetes/#node-collector","title":"Node-Collector","text":"Node-collector is a scan job that collects node configuration parameters and permission information. This information will be evaluated against Kubernetes hardening (e.g. CIS benchmark) and best practices values. The scan results will be output in infrastructure assessment and CIS benchmark compliance reports.
"},{"location":"guide/target/kubernetes/#disable-node-collector","title":"Disable Node Collector","text":"You can control whether the node scan-job (node-collector) will run in the cluster. To disable it, add the --disable-node-collector flag
--disable-node-collector This flag excludes findings related to node (infra assessment) misconfigurations, since those findings come from the node-collector.
By default, the node scan-job (node-collector) will run in the cluster.
Example:
trivy k8s --report summary --disable-node-collector\n
"},{"location":"guide/target/kubernetes/#taints-and-tolerations","title":"Taints and Tolerations","text":"The node-collector scan-job runs on every node. If a node has been tainted, you can add a toleration to the scan job so that it can be scheduled on the tainted node. For more details see the Kubernetes docs on taints and tolerations.
--tolerations key1=value1:NoExecute,key2=value2:NoSchedule This flag allows the node-collector to be scheduled on tainted nodes.
Example:
trivy k8s --report summary --tolerations key1=value1:NoExecute,key2=value2:NoSchedule\n
"},{"location":"guide/target/kubernetes/#exclude-nodes-by-label","title":"Exclude Nodes by Label","text":"You can exclude specific nodes from the scan using the --exclude-nodes flag, which takes a label in the format label-name:label-value and excludes all matching nodes:
trivy k8s --report summary --exclude-nodes kubernetes.io/arch:arm6\n
"},{"location":"guide/target/kubernetes/#reporting-and-filtering","title":"Reporting and filtering","text":"Since scanning an entire cluster for every security issue can be overwhelming, Trivy summarizes the results in a simple \"summary\" view by default. By scoping the scan to a specific resource, you can see the detailed report. You can always choose the report granularity with the --report summary / --report all flag.
Scan a full cluster and generate a simple summary report:
trivy k8s --report=summary\n
Filter by severity:
trivy k8s --severity=CRITICAL --report=all\n
Filter by scanners (Vulnerabilities, Secrets or Misconfigurations):
trivy k8s --scanners=secret --report=summary\n# or\ntrivy k8s --scanners=misconfig --report=summary\n
The supported output formats are table, which is the default, and json.
trivy k8s --format json -o results.json cluster\n
Result {\n \"ClusterName\": \"minikube\",\n \"Vulnerabilities\": [\n {\n \"Namespace\": \"default\",\n \"Kind\": \"Deployment\",\n \"Name\": \"app\",\n \"Results\": [\n {\n \"Target\": \"ubuntu:latest (ubuntu 22.04)\",\n \"Class\": \"os-pkgs\",\n \"Type\": \"ubuntu\",\n \"Vulnerabilities\": [\n {\n \"VulnerabilityID\": \"CVE-2016-2781\",\n \"PkgName\": \"coreutils\",\n \"InstalledVersion\": \"8.32-4.1ubuntu1\",\n \"Layer\": {\n \"Digest\": \"sha256:125a6e411906fe6b0aaa50fc9d600bf6ff9bb11a8651727ce1ed482dc271c24c\",\n \"DiffID\": \"sha256:e59fc94956120a6c7629f085027578e6357b48061d45714107e79f04a81a6f0c\"\n },\n \"SeveritySource\": \"ubuntu\",\n \"PrimaryURL\": \"https://avd.aquasec.com/nvd/cve-2016-2781\",\n \"DataSource\": {\n \"ID\": \"ubuntu\",\n \"Name\": \"Ubuntu CVE Tracker\",\n \"URL\": \"https://git.launchpad.net/ubuntu-cve-tracker\"\n },\n \"Title\": \"coreutils: Non-privileged session can escape to the parent session in chroot\",\n \"Description\": \"chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.\",\n \"Severity\": \"LOW\",\n \"CweIDs\": [\n \"CWE-20\"\n ],\n \"VendorSeverity\": {\n \"cbl-mariner\": 2,\n \"nvd\": 2,\n \"redhat\": 2,\n \"ubuntu\": 1\n },\n \"CVSS\": {\n \"nvd\": {\n \"V2Vector\": \"AV:L/AC:L/Au:N/C:N/I:P/A:N\",\n \"V3Vector\": \"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N\",\n \"V2Score\": 2.1,\n \"V3Score\": 6.5\n },\n \"redhat\": {\n \"V2Vector\": \"AV:L/AC:H/Au:N/C:C/I:C/A:C\",\n \"V3Vector\": \"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\",\n \"V2Score\": 6.2,\n \"V3Score\": 8.6\n }\n },\n \"References\": [\n \"http://seclists.org/oss-sec/2016/q1/452\",\n \"http://www.openwall.com/lists/oss-security/2016/02/28/2\",\n \"http://www.openwall.com/lists/oss-security/2016/02/28/3\",\n \"https://access.redhat.com/security/cve/CVE-2016-2781\",\n 
\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2781\",\n \"https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E\",\n \"https://lore.kernel.org/patchwork/patch/793178/\",\n \"https://nvd.nist.gov/vuln/detail/CVE-2016-2781\"\n ],\n \"PublishedDate\": \"2017-02-07T15:59:00Z\",\n \"LastModifiedDate\": \"2021-02-25T17:15:00Z\"\n }\n ]\n }\n ]\n }\n ],\n \"Misconfigurations\": [\n {\n \"Namespace\": \"default\",\n \"Kind\": \"Deployment\",\n \"Name\": \"app\",\n \"Results\": [\n {\n \"Target\": \"Deployment/app\",\n \"Class\": \"config\",\n \"Type\": \"kubernetes\",\n \"MisconfSummary\": {\n \"Successes\": 20,\n \"Failures\": 19\n },\n \"Misconfigurations\": [\n {\n \"Type\": \"Kubernetes Security Check\",\n \"ID\": \"KSV001\",\n \"Title\": \"Process can elevate its own privileges\",\n \"Description\": \"A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.\",\n \"Message\": \"Container 'app' of Deployment 'app' should set 'securityContext.allowPrivilegeEscalation' to false\",\n \"Namespace\": \"builtin.kubernetes.KSV001\",\n \"Query\": \"data.builtin.kubernetes.KSV001.deny\",\n \"Resolution\": \"Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.\",\n \"Severity\": \"MEDIUM\",\n \"PrimaryURL\": \"https://avd.aquasec.com/misconfig/ksv001\",\n \"References\": [\n \"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted\",\n \"https://avd.aquasec.com/misconfig/ksv001\"\n ],\n \"Status\": \"FAIL\",\n \"Layer\": {},\n \"IacMetadata\": {\n \"Provider\": \"Kubernetes\",\n \"Service\": \"general\",\n \"StartLine\": 121,\n \"EndLine\": 133\n }\n },\n {\n \"Type\": \"Kubernetes Security Check\",\n \"ID\": \"KSV003\",\n \"Title\": \"Default capabilities not dropped\",\n \"Description\": \"The container should drop all default capabilities and add only those that are 
needed for its execution.\",\n \"Message\": \"Container 'app' of Deployment 'app' should add 'ALL' to 'securityContext.capabilities.drop'\",\n \"Namespace\": \"builtin.kubernetes.KSV003\",\n \"Query\": \"data.builtin.kubernetes.KSV003.deny\",\n \"Resolution\": \"Add 'ALL' to containers[].securityContext.capabilities.drop.\",\n \"Severity\": \"LOW\",\n \"PrimaryURL\": \"https://avd.aquasec.com/misconfig/ksv003\",\n \"References\": [\n \"https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/\",\n \"https://avd.aquasec.com/misconfig/ksv003\"\n ],\n \"Status\": \"FAIL\",\n \"Layer\": {},\n \"IacMetadata\": {\n \"Provider\": \"Kubernetes\",\n \"Service\": \"general\",\n \"StartLine\": 121,\n \"EndLine\": 133\n }\n }\n ]\n }\n ]\n },\n {\n \"Namespace\": \"default\",\n \"Kind\": \"ConfigMap\",\n \"Name\": \"kube-root-ca.crt\"\n }\n ]\n}\n
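The JSON report above is what a CI job typically consumes. The following is an added example, not part of Trivy, that walks the Vulnerabilities and Misconfigurations arrays in the shape shown above, tolerates report entries that carry no Results key (as the kube-root-ca.crt ConfigMap does), counts findings per severity, and lists the ones that should block a pipeline. The embedded report is a constructed, shortened sample; the zlib row reuses a CVE shown elsewhere on this page, and the severity threshold and the fixable-only rule are this script's own choices.

```python
"""Gate a `trivy k8s --format json` report on severity (added example)."""
import json
import sys
from collections import Counter

SEVERITIES = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample in the shape of the page's `trivy k8s --format json` output.
SAMPLE_REPORT = {
    "ClusterName": "minikube",
    "Vulnerabilities": [
        {"Namespace": "default", "Kind": "Deployment", "Name": "app",
         "Results": [{
             "Target": "ubuntu:latest (ubuntu 22.04)", "Class": "os-pkgs", "Type": "ubuntu",
             "Vulnerabilities": [
                 {"VulnerabilityID": "CVE-2016-2781", "PkgName": "coreutils",
                  "InstalledVersion": "8.32-4.1ubuntu1", "Severity": "LOW"},
                 # constructed row reusing a CVE shown on this page's SPDX example
                 {"VulnerabilityID": "CVE-2022-37434", "PkgName": "zlib",
                  "InstalledVersion": "1.2.12-r1", "FixedVersion": "1.2.12-r2",
                  "Severity": "CRITICAL"},
             ]}]},
    ],
    "Misconfigurations": [
        {"Namespace": "default", "Kind": "Deployment", "Name": "app",
         "Results": [{
             "Target": "Deployment/app", "Class": "config", "Type": "kubernetes",
             "MisconfSummary": {"Successes": 20, "Failures": 2},
             "Misconfigurations": [
                 {"ID": "KSV001", "Severity": "MEDIUM", "Status": "FAIL",
                  "Title": "Process can elevate its own privileges"},
                 {"ID": "KSV003", "Severity": "LOW", "Status": "FAIL",
                  "Title": "Default capabilities not dropped"},
             ]}]},
        # A resource without findings has no "Results" key at all.
        {"Namespace": "default", "Kind": "ConfigMap", "Name": "kube-root-ca.crt"},
    ],
}


def rank(severity):
    """Position of a severity in SEVERITIES; unknown strings rank lowest."""
    return SEVERITIES.index(severity) if severity in SEVERITIES else 0


def resource_name(entry):
    """namespace/Kind/name, as the table output labels a resource."""
    parts = (entry.get("Namespace", ""), entry.get("Kind", ""), entry.get("Name", ""))
    return "/".join(parts).lstrip("/")


def iter_vulnerabilities(report):
    """Yield (resource, target, vulnerability) for every vulnerability in the report."""
    for entry in report.get("Vulnerabilities", []):
        for result in entry.get("Results", []):          # missing key -> no findings
            for vuln in result.get("Vulnerabilities", []):
                yield resource_name(entry), result.get("Target", ""), vuln


def iter_failed_misconfigs(report):
    """Yield (resource, check) for every misconfiguration whose Status is FAIL."""
    for entry in report.get("Misconfigurations", []):
        for result in entry.get("Results", []):
            for check in result.get("Misconfigurations", []):
                if check.get("Status") == "FAIL":
                    yield resource_name(entry), check


def severity_counts(report):
    """Per-severity counts, separately for vulnerabilities and failed checks."""
    vulns = Counter(v.get("Severity", "UNKNOWN") for _, _, v in iter_vulnerabilities(report))
    checks = Counter(c.get("Severity", "UNKNOWN") for _, c in iter_failed_misconfigs(report))
    return {"vulnerabilities": dict(vulns), "misconfigurations": dict(checks)}


def gate(report, min_severity="HIGH", fixable_only=True):
    """Return the findings that should fail a pipeline: vulnerabilities at or
    above min_severity (by default only those with a FixedVersion, so that
    unfixable issues do not block every build) and failed misconfiguration
    checks at or above min_severity."""
    threshold = rank(min_severity)
    blocking = []
    for resource, target, v in iter_vulnerabilities(report):
        if rank(v.get("Severity")) < threshold:
            continue
        if fixable_only and not v.get("FixedVersion"):
            continue
        blocking.append(f"{resource} {target}: {v['VulnerabilityID']} ({v['Severity']}) "
                        f"in {v['PkgName']} {v['InstalledVersion']}")
    for resource, c in iter_failed_misconfigs(report):
        if rank(c.get("Severity")) >= threshold:
            blocking.append(f"{resource}: {c['ID']} ({c['Severity']}) {c['Title']}")
    return blocking


if __name__ == "__main__":
    # Usage: python gate.py results.json   (falls back to the constructed sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    print(severity_counts(report))
    failures = gate(report)
    for line in failures:
        print("BLOCK", line)
    sys.exit(1 if failures else 0)
```

Run it on the output of trivy k8s --format json -o results.json; with the constructed sample it blocks only on the fixable CRITICAL zlib finding, while lowering min_severity to MEDIUM also pulls in the KSV001 check.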
"},{"location":"guide/target/kubernetes/#compliance","title":"Compliance","text":"This section describes Kubernetes specific compliance reports. For an overview of Trivy's Compliance feature, including working with custom compliance, check out the Compliance documentation.
The following reports are available out of the box:
Compliance | Name for command
NSA, CISA Kubernetes Hardening Guidance v1.0 | k8s-nsa-1.0
CIS Benchmark for Kubernetes v1.23 | k8s-cis-1.23
CIS Benchmark for RKE2 v1.24 | rke2-cis-1.24
CIS Benchmark for EKS v1.4 | eks-cis-1.4
Pod Security Standards, Baseline | k8s-pss-baseline-0.1
Pod Security Standards, Restricted | k8s-pss-restricted-0.1
Examples:
Scan the cluster for Kubernetes Pod Security Standards Baseline compliance:
trivy k8s --compliance=k8s-pss-baseline-0.1 --report summary\n
Get the detailed report for checks:
trivy k8s --compliance=k8s-cis-1.23 --report all\n
Get summary report in JSON format:
trivy k8s --compliance=k8s-cis-1.23 --report summary --format json\n
Get detailed report in JSON format:
trivy k8s --compliance=k8s-cis-1.23 --report all --format json\n
"},{"location":"guide/target/kubernetes/#kbom","title":"KBOM","text":"KBOM, Kubernetes Bill of Materials, is a manifest of all the important components that make up your Kubernetes cluster \u2013 Control plane components, Node Components, and Addons, including their versions and images. Which \u201capi-server\u201d version are you currently running? Which flavor of \"kubelet\" is running on each node? What kind of etcd or storage are you currently using? And most importantly \u2013 are there any vulnerabilities known to affect these components? These are all questions that KBOM can help you answer. For more background on KBOM, see here.
Trivy can generate KBOM in CycloneDX format:
trivy k8s --format cyclonedx --output mykbom.cdx.json\n
Trivy can also scan that generated KBOM (or any SBOM) for vulnerabilities:
trivy sbom mykbom.cdx.json\n
Result 2023-09-28T22:52:25.707+0300 INFO Vulnerability scanning is enabled\n 2023-09-28T22:52:25.707+0300 INFO Detected SBOM format: cyclonedx-json\n 2023-09-28T22:52:25.717+0300 WARN No OS package is detected. Make sure you haven't deleted any files that contain information about the installed packages.\n 2023-09-28T22:52:25.717+0300 WARN e.g. files under \"/lib/apk/db/\", \"/var/lib/dpkg/\" and \"/var/lib/rpm\"\n 2023-09-28T22:52:25.717+0300 INFO Detected OS: debian gnu/linux\n 2023-09-28T22:52:25.717+0300 WARN unsupported os : debian gnu/linux\n 2023-09-28T22:52:25.717+0300 INFO Number of language-specific files: 3\n 2023-09-28T22:52:25.717+0300 INFO Detecting kubernetes vulnerabilities...\n 2023-09-28T22:52:25.718+0300 INFO Detecting gobinary vulnerabilities...\n Kubernetes (kubernetes)\n Total: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 1, CRITICAL: 0)\n \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n \u2502 Library \u2502 Vulnerability \u2502 Severity \u2502 Status \u2502 Installed Version \u2502 Fixed Version \u2502 Title \u2502\n 
\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n \u2502 k8s.io/kubelet \u2502 CVE-2021-25749 \u2502 HIGH \u2502 fixed \u2502 1.24.0 \u2502 1.22.14, 1.23.11, 1.24.5 \u2502 runAsNonRoot logic bypass for Windows containers \u2502\n \u2502 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2021-25749 \u2502\n \u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n \u2502 \u2502 CVE-2023-2431 \u2502 LOW \u2502 
\u2502 \u2502 1.24.14, 1.25.9, 1.26.4, 1.27.1 \u2502 Bypass of seccomp profile enforcement \u2502\n \u2502 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2023-2431 \u2502\n \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n
Find more in the documentation for SBOM scanning.
Currently KBOM vulnerability matching works for plain Kubernetes distributions and does not work well for vendor variants, including some cloud managed distributions.
"},{"location":"guide/target/repository/","title":"Code Repository","text":"Scan your local or remote code repositories for
- Vulnerabilities
- Misconfigurations
- Secrets
- Licenses
By default, vulnerability and secret scanning are enabled, and you can configure that with --scanners.
$ trivy repo (REPO_PATH | REPO_URL)\n
For example, you can scan a local repository as below.
$ trivy repo ./\n
It's also possible to scan a single file.
$ trivy repo ./trivy-ci-test/Pipfile.lock\n
To scan remote code repositories, you need to specify the URL.
$ trivy repo https://github.com/aquasecurity/trivy-ci-test\n
"},{"location":"guide/target/repository/#rationale","title":"Rationale","text":"trivy repo is designed to scan code repositories, and it is intended to be used for scanning local/remote repositories on your machine or in your CI environment. Therefore, unlike container/VM image scanning, it targets lock files such as package-lock.json and does not target artifacts like JAR files, binary files, etc. See here for the detail.
"},{"location":"guide/target/repository/#scanners","title":"Scanners","text":""},{"location":"guide/target/repository/#vulnerabilities","title":"Vulnerabilities","text":"It is enabled by default. Trivy will look for vulnerabilities based on lock files such as Gemfile.lock and package-lock.json. See here for the detail.
$ trivy repo ~/src/github.com/aquasecurity/trivy-ci-test\n
Result 2020-06-01T17:06:58.652+0300 WARN OS is not detected and vulnerabilities in OS packages are not detected.\n2020-06-01T17:06:58.652+0300 INFO Detecting pipenv vulnerabilities...\n2020-06-01T17:06:58.691+0300 INFO Detecting cargo vulnerabilities...\n\nPipfile.lock\n============\nTotal: 10 (UNKNOWN: 2, LOW: 0, MEDIUM: 6, HIGH: 2, CRITICAL: 0)\n\n+---------------------+------------------+----------+-------------------+------------------------+------------------------------------+\n| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |\n+---------------------+------------------+----------+-------------------+------------------------+------------------------------------+\n| django | CVE-2020-7471 | HIGH | 2.0.9 | 3.0.3, 2.2.10, 1.11.28 | django: potential |\n| | | | | | SQL injection via |\n| | | | | | StringAgg(delimiter) |\n+ +------------------+----------+ +------------------------+------------------------------------+\n| | CVE-2019-19844 | MEDIUM | | 3.0.1, 2.2.9, 1.11.27 | Django: crafted email address |\n| | | | | | allows account takeover |\n+ +------------------+ + +------------------------+------------------------------------+\n| | CVE-2019-3498 | | | 2.1.5, 2.0.10, 1.11.18 | python-django: Content |\n| | | | | | spoofing via URL path in |\n| | | | | | default 404 page |\n+ +------------------+ + +------------------------+------------------------------------+\n| | CVE-2019-6975 | | | 2.1.6, 2.0.11, 1.11.19 | python-django: |\n| | | | | | memory exhaustion in |\n| | | | | | django.utils.numberformat.format() |\n+---------------------+------------------+----------+-------------------+------------------------+------------------------------------+\n...\n
"},{"location":"guide/target/repository/#misconfigurations","title":"Misconfigurations","text":"It is disabled by default and can be enabled with --scanners misconfig. See here for the detail.
$ trivy repo --scanners misconfig (REPO_PATH | REPO_URL)\n
"},{"location":"guide/target/repository/#secrets","title":"Secrets","text":"It is enabled by default. See here for the detail.
$ trivy repo (REPO_PATH | REPO_URL)\n
"},{"location":"guide/target/repository/#licenses","title":"Licenses","text":"It is disabled by default. See here for the detail.
$ trivy repo --scanners license (REPO_PATH | REPO_URL)\n
"},{"location":"guide/target/repository/#sbom-generation","title":"SBOM generation","text":"Trivy can generate SBOM for code repositories. See here for the detail.
"},{"location":"guide/target/repository/#git-metadata","title":"Git Metadata","text":"When scanning git repositories (both local and remote), Trivy automatically extracts and includes git metadata in the scan results. This metadata provides context about the scanned repository.
The metadata includes information such as:
- Repository URL
- Branch name
- Tags
- Commit details (hash, message, committer)
- Author information
This feature works automatically for any git repository. When using JSON format output, the git metadata will be included in the Metadata field. For detailed information about the available fields, please refer to the JSON output of your scan results.
$ trivy repo --format json <repo-name>\n
"},{"location":"guide/target/repository/#scan-cache","title":"Scan Cache","text":"When scanning git repositories, Trivy stores analysis results in the cache, using the latest commit hash as the key. Note that the cache is not used when the repository is dirty; otherwise Trivy would miss files that are not yet committed.
More details are available in the cache documentation.
"},{"location":"guide/target/repository/#references","title":"References","text":"The following flags and environmental variables are available for remote git repositories.
"},{"location":"guide/target/repository/#scanning-a-branch","title":"Scanning a Branch","text":"Pass a --branch argument with a valid branch name on the remote repository provided:
$ trivy repo --branch <branch-name> <repo-name>\n
"},{"location":"guide/target/repository/#scanning-upto-a-commit","title":"Scanning up to a Commit","text":"Pass a --commit argument with a valid commit hash on the remote repository provided:
$ trivy repo --commit <commit-hash> <repo-name>\n
"},{"location":"guide/target/repository/#scanning-a-tag","title":"Scanning a Tag","text":"Pass a --tag argument with a valid tag on the remote repository provided:
$ trivy repo --tag <tag-name> <repo-name>\n
"},{"location":"guide/target/repository/#scanning-private-repositories","title":"Scanning Private Repositories","text":"In order to scan private GitHub or GitLab repositories, the environment variable GITHUB_TOKEN or GITLAB_TOKEN must be set, respectively, with a valid token that has access to the private repository being scanned.
The GITHUB_TOKEN environment variable will take precedence over GITLAB_TOKEN, so if a private GitLab repository will be scanned, then GITHUB_TOKEN must be unset.
You can find how to generate your GitHub Token in the following GitHub documentation.
For example:
$ export GITHUB_TOKEN=\"your_private_github_token\"\n$ trivy repo <your private GitHub repo URL>\n\n# or\n$ export GITLAB_TOKEN=\"your_private_gitlab_token\"\n$ trivy repo <your private GitLab repo URL>\n
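The precedence rule above (GITHUB_TOKEN wins over GITLAB_TOKEN) is easy to trip over in CI, where both secrets are often exported globally. The following is an added example, not part of Trivy, that builds the environment and the trivy repo command line for a remote scan: it strips both token variables from the inherited environment and re-adds only the one matching the repository host, and it assembles the --branch/--tag/--commit and --scanners flags documented on this page. The host lists, the helper names and the constructed URLs and token strings are this script's own assumptions.

```python
"""Pick the right forge token for `trivy repo` (added example, not Trivy's code)."""
import os
import subprocess
from urllib.parse import urlparse

# Assumed host lists; add a self-hosted instance here if you run one.
GITHUB_HOSTS = ("github.com",)
GITLAB_HOSTS = ("gitlab.com",)


def forge_for(repo_url):
    """Return 'github', 'gitlab' or None based on the repository hostname."""
    host = (urlparse(repo_url).hostname or "").lower()
    if host in GITHUB_HOSTS:
        return "github"
    if host in GITLAB_HOSTS:
        return "gitlab"
    return None


def trivy_repo_env(repo_url, github_token=None, gitlab_token=None, base_env=None):
    """Environment for the scan: neither token is inherited, and only the one
    for the target forge is set, so a stray GITHUB_TOKEN cannot shadow
    GITLAB_TOKEN when a GitLab repository is scanned."""
    env = dict(os.environ if base_env is None else base_env)
    env.pop("GITHUB_TOKEN", None)
    env.pop("GITLAB_TOKEN", None)
    forge = forge_for(repo_url)
    if forge == "github" and github_token:
        env["GITHUB_TOKEN"] = github_token
    elif forge == "gitlab" and gitlab_token:
        env["GITLAB_TOKEN"] = gitlab_token
    return env


def trivy_repo_command(repo_url, branch=None, tag=None, commit=None,
                       scanners=(), json_output=False):
    """argv for `trivy repo` with the ref and scanner flags from this page."""
    argv = ["trivy", "repo"]
    for flag, value in (("--branch", branch), ("--tag", tag), ("--commit", commit)):
        if value:
            argv += [flag, value]
    if scanners:
        argv += ["--scanners", ",".join(scanners)]
    if json_output:
        argv += ["--format", "json"]
    argv.append(repo_url)
    return argv


def run_scan(repo_url, github_token=None, gitlab_token=None, **flags):
    """Run trivy with the per-forge environment; returns the CompletedProcess."""
    env = trivy_repo_env(repo_url, github_token, gitlab_token)
    return subprocess.run(trivy_repo_command(repo_url, **flags), env=env, check=False)


if __name__ == "__main__":
    # Tokens are read from the caller's shell; the URL is a constructed placeholder.
    result = run_scan("https://gitlab.com/example-group/example-project",
                      github_token=os.environ.get("GITHUB_TOKEN"),
                      gitlab_token=os.environ.get("GITLAB_TOKEN"),
                      branch="main", scanners=("vuln", "secret"))
    raise SystemExit(result.returncode)
```

Pass base_env explicitly (for instance an empty dict) when the scan should not inherit anything else from the runner's environment.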
"},{"location":"guide/target/rootfs/","title":"Rootfs","text":"Rootfs scanning is for special use cases such as
- Host machine
- Root filesystem
- Unpacked filesystem
$ trivy rootfs /path/to/rootfs\n
Note
Rootfs scanning works differently from the Filesystem scanning. You should use trivy fs to scan your local projects in CI/CD. See here for the differences.
Note
Scanning vulnerabilities for Red Hat has a limitation, see the Red Hat page for details.
"},{"location":"guide/target/rootfs/#performance-optimization","title":"Performance Optimization","text":"By default, Trivy traverses all files from the specified root directory to find target files for scanning. However, when you only need to scan specific files with absolute paths, you can avoid this traversal, which makes scanning faster. For example, when scanning only OS packages, no full traversal is performed:
$ trivy rootfs --pkg-types os --scanners vuln /\n
When scanning language-specific packages or secrets, traversal is necessary because the location of these files is unknown. If you want to exclude specific directories from scanning for better performance, you can use the --skip-dirs option.
"},{"location":"guide/target/sbom/","title":"SBOM scanning","text":"Trivy can take the following SBOM formats as an input and scan for vulnerabilities and licenses.
- CycloneDX
- SPDX
- SPDX JSON
- CycloneDX-type attestation
- KBOM in CycloneDX format
To scan SBOM, you can use the sbom subcommand and pass the path to the SBOM. The input format is automatically detected.
$ trivy sbom /path/to/sbom_file\n
By default, only the vulnerability scan runs on an SBOM. Use --scanners vuln,license to add the license scan, or --scanners license to run the license scan alone.
Note
Passing SBOMs generated by a tool other than Trivy may result in inaccurate detection, because Trivy relies on custom properties in the SBOM for accurate scanning.
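Before feeding a third-party SBOM to trivy sbom, it is worth checking what the document actually carries. The following is an added example, not part of Trivy, that walks the components of a CycloneDX JSON document (including nested components) and reports how many have a package URL (purl), the identifier scanners generally match on, and how many carry Trivy's own properties that the note above refers to. The property prefix "aquasecurity:trivy:" is an assumption about Trivy's output naming, and the embedded SBOM is a constructed sample whose package names and versions are taken from this page's Alpine example.

```python
"""Check what a CycloneDX JSON SBOM offers a scanner (added example, not Trivy's code)."""
import json
from collections import Counter

# Assumed prefix of the custom properties Trivy writes into its own SBOMs.
TRIVY_PROPERTY_PREFIX = "aquasecurity:trivy:"

# Constructed sample: one Trivy-style component, one plain component with a
# purl, and one component that names a package but gives no purl at all.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "busybox", "version": "1.35.0-r13",
         "purl": "pkg:apk/alpine/busybox@1.35.0-r13?distro=3.16.0",
         "properties": [{"name": "aquasecurity:trivy:PkgType", "value": "alpine"}],
         "components": [
             {"type": "library", "name": "ssl_client", "version": "1.35.0-r13",
              "purl": "pkg:apk/alpine/ssl_client@1.35.0-r13?distro=3.16.0"},
         ]},
        {"type": "library", "name": "zlib", "version": "1.2.12-r1",
         "purl": "pkg:apk/alpine/zlib@1.2.12-r1?distro=3.16.0"},
        {"type": "library", "name": "custom-lib", "version": "0.1"},
    ],
})


def walk_components(components):
    """Depth-first over CycloneDX components, which may nest further components."""
    for comp in components:
        yield comp
        yield from walk_components(comp.get("components", []))


def has_trivy_properties(component):
    return any(p.get("name", "").startswith(TRIVY_PROPERTY_PREFIX)
               for p in component.get("properties", []))


def sbom_readiness(text):
    """Return (counts, names_without_purl) for a CycloneDX JSON document.

    counts has: components, with_purl, with_trivy_properties.  A low
    with_trivy_properties count on an SBOM you believed came from Trivy, or
    any names_without_purl, means detection will be weaker than for a
    Trivy-generated SBOM, as the note on this page warns."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX JSON document")
    counts = Counter()
    missing_purl = []
    for comp in walk_components(doc.get("components", [])):
        counts["components"] += 1
        if comp.get("purl"):
            counts["with_purl"] += 1
        else:
            missing_purl.append(comp.get("name", "<unnamed>"))
        if has_trivy_properties(comp):
            counts["with_trivy_properties"] += 1
    return dict(counts), missing_purl


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SBOM
    counts, missing = sbom_readiness(text)
    print(counts)
    if missing:
        print("components without purl:", ", ".join(missing))
```

Run it as python check_sbom.py /path/to/cyclonedx.json; on the constructed sample it reports four components, three with a purl, one with Trivy properties, and flags custom-lib as having no purl.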
"},{"location":"guide/target/sbom/#cyclonedx","title":"CycloneDX","text":"Trivy supports CycloneDX as an input.
Note
CycloneDX XML is not supported at the moment.
$ trivy sbom /path/to/cyclonedx.json\n
"},{"location":"guide/target/sbom/#spdx","title":"SPDX","text":"Trivy supports the SPDX SBOM as an input.
The following SPDX formats are supported:
- Tag-value (--format spdx)
- JSON (--format spdx-json)
$ trivy image --format spdx-json --output spdx.json alpine:3.16.0\n$ trivy sbom spdx.json\n
Result 2022-09-15T21:32:27.168+0300 INFO Vulnerability scanning is enabled\n2022-09-15T21:32:27.169+0300 INFO Detected SBOM format: spdx-json\n2022-09-15T21:32:27.210+0300 INFO Detected OS: alpine\n2022-09-15T21:32:27.210+0300 INFO Detecting Alpine vulnerabilities...\n2022-09-15T21:32:27.211+0300 INFO Number of language-specific files: 0\n\nspdx.json (alpine 3.16.0)\n=========================\nTotal: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 2, CRITICAL: 1)\n\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 Library \u2502 Vulnerability \u2502 Severity \u2502 Installed Version \u2502 Fixed Version \u2502 Title 
\u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 busybox \u2502 CVE-2022-30065 \u2502 HIGH \u2502 1.35.0-r13 \u2502 1.35.0-r15 \u2502 busybox: A use-after-free in Busybox's awk applet leads to \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 denial of service... 
\u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2022-30065 \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 libcrypto1.1 \u2502 CVE-2022-2097 \u2502 MEDIUM \u2502 1.1.1o-r0 \u2502 1.1.1q-r0 \u2502 openssl: AES OCB fails to encrypt some bytes \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2022-2097 \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u2502 \u2502 \u2502 \u2502\n\u2502 libssl1.1 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 
\u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 ssl_client \u2502 CVE-2022-30065 \u2502 HIGH \u2502 1.35.0-r13 \u2502 1.35.0-r15 \u2502 busybox: A use-after-free in Busybox's awk applet leads to \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 denial of service... 
\u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2022-30065 \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 zlib \u2502 CVE-2022-37434 \u2502 CRITICAL \u2502 1.2.12-r1 \u2502 1.2.12-r2 \u2502 zlib: a heap-based buffer over-read or buffer overflow in \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 inflate in inflate.c... 
\u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2022-37434 \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n
"},{"location":"guide/target/sbom/#sbom-attestation","title":"SBOM attestation","text":"You can also scan an SBOM attestation. In the following example, Cosign fetches and verifies the attestation and Trivy scans it. You must create a CycloneDX-type attestation before trying the example; Trivy scans whatever the file contains, so make sure cosign verify-attestation succeeded before running the scan. To learn more about how to create a CycloneDX-type attestation and attach it to an image, see the SBOM attestation page.
$ cosign verify-attestation --key /path/to/cosign.pub --type cyclonedx <IMAGE> > sbom.cdx.intoto.jsonl\n$ trivy sbom ./sbom.cdx.intoto.jsonl\n\nsbom.cdx.intoto.jsonl (alpine 3.7.3)\n=========================\nTotal: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)\n\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 Library \u2502 Vulnerability \u2502 Severity \u2502 Installed Version \u2502 Fixed Version \u2502 Title 
\u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 musl \u2502 CVE-2019-14697 \u2502 CRITICAL \u2502 1.1.18-r3 \u2502 1.1.18-r4 \u2502 musl libc through 1.1.23 has an x87 floating-point stack \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 adjustment im ...... 
\u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2019-14697 \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u2502 \u2502 \u2502 \u2502\n\u2502 musl-utils \u2502 \u2502 \u2502 \u2502 \u2502 \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n
"},{"location":"guide/target/sbom/#kbom","title":"KBOM","text":"To read more about KBOM, see the documentation for Kubernetes scanning.
Core component vulnerability scanning from a KBOM is supported for the following Kubernetes distributions:
- Kubernetes upstream
- Rancher rke2
$ trivy k8s --format cyclonedx cluster -o kbom.json\n$ trivy sbom kbom.json\n2023-09-28T22:52:25.707+0300 INFO Vulnerability scanning is enabled\n2023-09-28T22:52:25.717+0300 INFO Number of language-specific files: 3\n2023-09-28T22:52:25.717+0300 INFO Detecting kubernetes vulnerabilities...\n2023-09-28T22:52:25.718+0300 INFO Detecting gobinary vulnerabilities...\n\nKubernetes (kubernetes)\n\nTotal: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 1, CRITICAL: 0)\n\n\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 Library \u2502 Vulnerability \u2502 Severity \u2502 Status \u2502 Installed Version \u2502 Fixed Version \u2502 Title 
\u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 k8s.io/kubelet \u2502 CVE-2021-25749 \u2502 HIGH \u2502 fixed \u2502 1.24.0 \u2502 1.22.14, 1.23.11, 1.24.5 \u2502 runAsNonRoot logic bypass for Windows containers \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2021-25749 \u2502\n\u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 \u2502 CVE-2023-2431 \u2502 LOW \u2502 \u2502 
\u25021.24.14, 1.25.9, 1.26.4, 1.27.1 \u2502 Bypass of seccomp profile enforcement \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2023-2431 \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n
"},{"location":"guide/target/vm/","title":"Virtual Machine Image","text":"EXPERIMENTAL
This feature might change without preserving backwards compatibility.
To scan virtual machine (VM) images, you can use the vm subcommand.
"},{"location":"guide/target/vm/#targets","title":"Targets","text":"The following targets are currently supported:
- Local file
- AWS EC2
- Amazon Machine Image (AMI)
- Amazon Elastic Block Store (EBS) Snapshot
"},{"location":"guide/target/vm/#local-file","title":"Local file","text":"Pass the path to your local VM image file.
$ trivy vm --scanners vuln disk.vmdk\n
Result disk.vmdk (amazon 2 (Karoo))\n===========================================================================================\nTotal: 802 (UNKNOWN: 0, LOW: 17, MEDIUM: 554, HIGH: 221, CRITICAL: 10)\n\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 Library \u2502 Vulnerability \u2502 Severity \u2502 Installed Version \u2502 Fixed Version \u2502 Title 
\u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 amazon-ssm-agent \u2502 CVE-2022-24675 \u2502 HIGH \u2502 3.0.529.0-1.amzn2 \u2502 3.1.1575.0-1.amzn2 \u2502 golang: encoding/pem: fix stack overflow in Decode \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2022-24675 \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 
\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 bind-export-libs \u2502 CVE-2021-25215 \u2502 \u2502 32:9.11.4-26.P2.amzn2.4 \u2502 32:9.11.4-26.P2.amzn2.5 \u2502 bind: An assertion check can fail while answering queries \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 for DNAME records... 
\u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2021-25215 \u2502\n\u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 \u2502 CVE-2021-25214 \u2502 MEDIUM \u2502 \u2502 32:9.11.4-26.P2.amzn2.5.2 \u2502 bind: Broken inbound incremental zone update (IXFR) can \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 cause named to terminate... 
\u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2021-25214 \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 bind-libs \u2502 CVE-2021-25215 \u2502 HIGH \u2502 \u2502 32:9.11.4-26.P2.amzn2.5 \u2502 bind: An assertion check can fail while answering queries \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 for DNAME records... 
\u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2021-25215 \u2502\n\u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 \u2502 CVE-2021-25214 \u2502 MEDIUM \u2502 \u2502 32:9.11.4-26.P2.amzn2.5.2 \u2502 bind: Broken inbound incremental zone update (IXFR) can \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 cause named to terminate... 
\u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2021-25214 \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 bind-libs-lite \u2502 CVE-2021-25215 \u2502 HIGH \u2502 \u2502 32:9.11.4-26.P2.amzn2.5 \u2502 bind: An assertion check can fail while answering queries \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 for DNAME records... 
\u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2021-25215 \u2502\n\u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 \u2502 CVE-2021-25214 \u2502 MEDIUM \u2502 \u2502 32:9.11.4-26.P2.amzn2.5.2 \u2502 bind: Broken inbound incremental zone update (IXFR) can \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 cause named to terminate... 
\u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2021-25214 \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n...\n
"},{"location":"guide/target/vm/#amazon-machine-image-ami","title":"Amazon Machine Image (AMI)","text":"You can specify your AMI ID with the ami: prefix.
$ trivy vm ami:${your_ami_id}\n
Note
AMIs in the marketplace are not supported because the EBS direct APIs don't support that. See the AWS documentation for the detail.
"},{"location":"guide/target/vm/#example","title":"Example","text":"$ trivy vm --scanners vuln ami:ami-0123456789abcdefg\n
To scan an AMI that lives in a region other than your default AWS region, pass the region with the --aws-region option.
$ trivy vm --aws-region ap-northeast-1 ami:ami-0123456789abcdefg\n
"},{"location":"guide/target/vm/#required-actions","title":"Required Actions","text":"The following IAM actions are required. The EBS actions are needed in addition to ec2:DescribeImages because, under the hood, Trivy resolves the AMI to the EBS snapshot backing it and scans that snapshot.
- ec2:DescribeImages
- ebs:ListSnapshotBlocks
- ebs:GetSnapshotBlock
"},{"location":"guide/target/vm/#amazon-elastic-block-store-ebs-snapshot","title":"Amazon Elastic Block Store (EBS) Snapshot","text":"You can specify your EBS snapshot ID with the ebs: prefix.
$ trivy vm ebs:${your_ebs_snapshot_id}\n
Note
Public snapshots are not supported because the EBS direct APIs don't support that. See the AWS documentation for the detail.
"},{"location":"guide/target/vm/#example_1","title":"Example","text":"$ trivy vm --scanners vuln ebs:snap-0123456789abcdefg\n
To scan an EBS snapshot that lives in a region other than your default AWS region, pass the region with the --aws-region option.
$ trivy vm --aws-region ap-northeast-1 ebs:snap-0123456789abcdefg\n
The above command takes a while because it calls the EBS direct APIs and fetches the snapshot blocks over the network. If you want to scan the same snapshot several times, download it once with coldsnap, maintained by AWS, and let Trivy scan the local VM image file instead.
$ coldsnap download snap-0123456789abcdefg disk.img\n$ trivy vm ./disk.img\n
"},{"location":"guide/target/vm/#required-actions_1","title":"Required Actions","text":" - ebs:ListSnapshotBlocks
- ebs:GetSnapshotBlock
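The two Required Actions lists above (AMI and EBS snapshot) translate into the following IAM policy. It is an added example, not a policy shipped with Trivy or documented by AWS for Trivy, and it assumes the scanning principal runs in us-east-1; change the region in the snapshot ARN, or use a wildcard region, to match where your snapshots live. ec2:DescribeImages does not support resource-level permissions and must be granted on "*"; the EBS direct API actions can be scoped to snapshot ARNs, which is why they are kept in a separate statement. For snapshot-only scanning, the first statement can be dropped.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ResolveAmiToBackingSnapshot",
      "Effect": "Allow",
      "Action": "ec2:DescribeImages",
      "Resource": "*"
    },
    {
      "Sid": "ReadSnapshotBlocksInAssumedRegionUsEast1",
      "Effect": "Allow",
      "Action": [
        "ebs:ListSnapshotBlocks",
        "ebs:GetSnapshotBlock"
      ],
      "Resource": "arn:aws:ec2:us-east-1::snapshot/*"
    }
  ]
}
```

Attach the policy to the role or user that runs trivy vm; no write permissions on EC2 or EBS are needed, since Trivy only reads snapshot blocks.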
"},{"location":"guide/target/vm/#scanners","title":"Scanners","text":"Trivy supports VM image scanning for
- Vulnerabilities
- Misconfigurations
- Secrets
- Licenses
"},{"location":"guide/target/vm/#vulnerabilities","title":"Vulnerabilities","text":"It is enabled by default. You can simply specify your VM image location. It detects known vulnerabilities in your VM image. See here for the detail.
$ trivy vm [YOUR_VM_IMAGE]\n
Note
Scanning Red Hat has a limitation, see the Red Hat page for details.
"},{"location":"guide/target/vm/#misconfigurations","title":"Misconfigurations","text":"It is supported, but it is not useful in most cases. As mentioned here, Trivy mainly supports Infrastructure as Code (IaC) files for misconfigurations. If your VM image includes IaC files such as Kubernetes YAML files or Terraform files, you should enable this feature with --scanners misconfig.
$ trivy vm --scanners misconfig [YOUR_VM_IMAGE]\n
"},{"location":"guide/target/vm/#secrets","title":"Secrets","text":"It is enabled by default. See here for the detail.
$ trivy vm [YOUR_VM_IMAGE]\n
Tip
The scanning could be faster if you enable only vulnerability scanning (--scanners vuln) because Trivy tries to download only necessary blocks for vulnerability detection.
"},{"location":"guide/target/vm/#licenses","title":"Licenses","text":"It is disabled by default. See here for the detail.
$ trivy vm --scanners license [YOUR_VM_IMAGE]\n
"},{"location":"guide/target/vm/#sbom-generation","title":"SBOM generation","text":"Trivy can generate SBOM for VM images. See here for the detail.
"},{"location":"guide/target/vm/#scan-cache","title":"Scan Cache","text":"When scanning an AMI or an EBS snapshot, Trivy stores the analysis results in the cache keyed by the snapshot ID. Scanning the same snapshot several times skips the analysis if a cache entry is already available.
When scanning local files, it doesn't use the cache by default.
More details are available in the cache documentation.
"},{"location":"guide/target/vm/#supported-architectures","title":"Supported Architectures","text":""
},{"location":"guide/target/vm/#virtual-machine-images","title":"Virtual machine images","text":"Image format and support:
- VMDK: \u2714 supported
- OVA: not supported
- VHD: not supported
- VHDX: not supported
- QCOW2: not supported
"},{"location":"guide/target/vm/#vmdk-disk-types","title":"VMDK disk types","text":"VMDK disk type and support:
- streamOptimized: \u2714 supported
- monolithicSparse: not supported
- vmfs: not supported
- vmfsSparse: not supported
- twoGbMaxExtentSparse: not supported
- monolithicFlat: not supported
- twoGbMaxExtentFlat: not supported
- vmfsRaw: not supported
- fullDevice: not supported
- partitionedDevice: not supported
- vmfsRawDeviceMap: not supported
- vmfsPassthroughRawDeviceMap: not supported
Reference: VMware Virtual Disk Format 1.1.pdf
"},{"location":"guide/target/vm/#disk-partitions","title":"Disk partitions","text":"Disk format and support:
- Master boot record (MBR): \u2714 supported
- Extended master boot record: not supported
- GUID partition table (GPT): \u2714 supported
- Logical volume manager (LVM): not supported
"},{"location":"guide/target/vm/#filesystems","title":"Filesystems","text":"Filesystem format and support:
- XFS: \u2714 supported
- EXT4: \u2714 supported
- EXT2/3: \u2714 supported
- ZFS: not supported
"},{"location":"tutorials/overview/","title":"Tutorials","text":"In this section you can find step-by-step guides that help you accomplish specific tasks.
\ud83d\udc48 Please use the side-navigation on the left in order to browse the different topics.
"},{"location":"tutorials/overview/#adding-tutorials","title":"Adding tutorials","text":"You are welcome to create tutorials and showcase them here. Tutorials can be either included in here as full articles, or included as external links under external community resources. Before sending a PR, please first create an issue (of kind \"Documentation\") and describe the suggestion, whether it's an external link or article, and what category it's under.
Guidelines:
- Focus on a specific use case. Start by clearly describing the use case and when/who it is relevant for.
- Provide an end-to-end set of instructions. Make sure anyone can easily follow.
- Describe the expected outcome after each step. Include examples as much as possible.
"},{"location":"tutorials/additional-resources/cks/","title":"CKS preparation resources","text":"The Certified Kubernetes Security Specialist (CKS) Exam is offered by The Linux Foundation. It provides assurance that a CKS has the skills, knowledge, and competence on a broad range of best practices for securing container-based applications and Kubernetes platforms during build, deployment and runtime. CKA certification is required to sit for this exam.
"},{"location":"tutorials/additional-resources/cks/#community-resources","title":"Community Resources","text":" - Trivy Video overview (short)
- Example questions from the exam
- More example questions
- CKS exam study guide
- Docker Image Vulnerabilities & Trivy Image Scanning Demo | K21Academy
"},{"location":"tutorials/additional-resources/cks/#aqua-security-blog-posts-to-learn-more","title":"Aqua Security Blog posts to learn more","text":" - Supply chain security best practices
- Supply chain attacks
If you know of interesting resources, please start a PR to add those to the list.
"},{"location":"tutorials/additional-resources/community/","title":"Community References","text":"Below is a list of additional resources from the community.
"},{"location":"tutorials/additional-resources/community/#vulnerability-scanning","title":"Vulnerability Scanning","text":" - Detecting Spring4Shell with Trivy and Grype
- Scan OS of your EC2 instances with Trivy
"},{"location":"tutorials/additional-resources/community/#cicd-pipelines","title":"CI/CD Pipelines","text":" - How to use Tekton to set up a CI pipeline with OpenShift Pipelines
- Continuous Container Vulnerability Testing with Trivy
- Getting Started With Trivy and Jenkins
"},{"location":"tutorials/additional-resources/community/#misconfiguration-scanning","title":"Misconfiguration Scanning","text":" - Identifying Misconfigurations in your Terraform
- How to write custom checks for Trivy
"},{"location":"tutorials/additional-resources/community/#sbom-attestation-related","title":"SBOM, Attestation & related","text":" - Attesting Image Scans With Kyverno
"},{"location":"tutorials/additional-resources/community/#trivy-kubernetes","title":"Trivy Kubernetes","text":" - Using Trivy Kubernetes in OVHCloud documentation.
"},{"location":"tutorials/additional-resources/community/#comparisons","title":"Comparisons","text":" - the vulnerability remediation lifecycle of Alpine containers
- Open Source CVE Scanner Round-Up: Clair vs Anchore vs Trivy
- Docker Image Security: Static Analysis Tool Comparison \u2013 Anchore Engine vs Clair vs Trivy
"},{"location":"tutorials/additional-resources/community/#evaluations","title":"Evaluations","text":" - Istio evaluating to use Trivy
- Research Spike: evaluate Trivy for scanning running containers
"},{"location":"tutorials/additional-resources/references/","title":"Additional Resources and Tutorials","text":"Below is a list of additional resources from Aqua Security.
"},{"location":"tutorials/additional-resources/references/#announcements","title":"Announcements","text":" - Trivy Vulnerability Scanner Joins the Aqua Open-source Family
- Trivy Image Vulnerability Scanner Now Under Apache 2.0 License
"},{"location":"tutorials/additional-resources/references/#vulnerability-scanning","title":"Vulnerability Scanning","text":" - Using Trivy to Discover Vulnerabilities in VS Code Projects
- How does a vulnerability scanner identify packages?
- Handling Container Vulnerabilities with Open Policy Agent - Teppei Fukuda, Aqua Security
"},{"location":"tutorials/additional-resources/references/#cicd-pipelines","title":"CI/CD Pipelines","text":" - DevSecOps with Trivy and GitHub Actions
- Find Image Vulnerabilities Using GitHub and Aqua Security Trivy Action
"},{"location":"tutorials/additional-resources/references/#misconfiguration-scanning","title":"Misconfiguration Scanning","text":" - Identifying Misconfigurations in your Terraform
"},{"location":"tutorials/additional-resources/references/#clientserver","title":"Client/Server","text":" - Using Trivy in client server mode
"},{"location":"tutorials/additional-resources/references/#workshops","title":"Workshops","text":" - Trivy Live Demo & Q&A
- First Steps to Full Lifecycle Security with Open Source Tools - Rory McCune & Anais Urlichs
"},{"location":"tutorials/additional-resources/references/#older-resources","title":"Older Resources","text":" - Webinar: Trivy Open Source Scanner for Container Images \u2013 Just Download and Run!
- Kubernetes Security through GitOps Best Practices: ArgoCD and Starboard
- Get started with Kubernetes Security and Starboard
"},{"location":"tutorials/integrations/","title":"Integrations","text":"Scan your image automatically as part of your CI workflow and fail the workflow when findings are present by passing --exit-code 1. Trivy's default exit code is 0 regardless of findings, so specify --exit-code 0 (or leave the option out) when you only want the report and not a failed build.
"},{"location":"tutorials/integrations/aws-codepipeline/","title":"AWS CodePipeline","text":"See this blog post for an example of using Trivy within AWS CodePipeline.
"},{"location":"tutorials/integrations/aws-security-hub/","title":"AWS Security Hub","text":""},{"location":"tutorials/integrations/aws-security-hub/#upload-findings-to-security-hub","title":"Upload findings to Security Hub","text":"In the following example, an ASFF file is generated using the template asff.tpl.
$ AWS_REGION=us-west-1 AWS_ACCOUNT_ID=123456789012 trivy image --format template --template \"@contrib/asff.tpl\" -o report.asff golang:1.12-alpine\n
ASFF template needs AWS_REGION and AWS_ACCOUNT_ID from environment variables.
The Product ARN field follows the pattern below to match what AWS requires for the product resource type.
\"ProductArn\": \"arn:aws:securityhub:{{ env \"AWS_REGION\" }}::product/aquasecurity/aquasecurity\",\n
In order to upload results you must first run enable-import-findings-for-product like:
aws securityhub enable-import-findings-for-product --product-arn arn:aws:securityhub:<AWS_REGION>::product/aquasecurity/aquasecurity\n
The findings are formatted for the API with a key of Findings and a value of the array of findings. In order to upload via the CLI the outer wrapping must be removed being left with only the array of findings. The easiest way of doing this is with the jq library using the command
cat report.asff | jq '.Findings'\n
Then, you can upload it with AWS CLI.
$ aws securityhub batch-import-findings --findings file://report.asff\n
"},{"location":"tutorials/integrations/aws-security-hub/#note","title":"Note","text":"The batch-import-findings command limits the number of findings uploaded to 100 per request. The best known workaround to this problem is using jq to run the following command
jq '.[:100]' report.asff 1> short_report.asff\n
"},{"location":"tutorials/integrations/aws-security-hub/#customize","title":"Customize","text":"You can customize asff.tpl
$ export AWS_REGION=us-west-1\n$ export AWS_ACCOUNT_ID=123456789012\n$ trivy image --format template --template \"@your-asff.tpl\" -o report.asff golang:1.12-alpine\n
"},{"location":"tutorials/integrations/aws-security-hub/#reference","title":"Reference","text":"aws.amazon.com/blogs/security/how-to-build-ci-cd-pipeline-container-vulnerability-scanning-trivy-and-aws-security-hub/
"},{"location":"tutorials/integrations/azure-devops/","title":"Azure Devops","text":" - Here is the Azure DevOps Pipelines Task for Trivy
"},{"location":"tutorials/integrations/azure-devops/#use-imagecleaner-to-clean-up-stale-images-on-your-azure-kubernetes-service-cluster","title":"Use ImageCleaner to clean up stale images on your Azure Kubernetes Service cluster","text":"It's common to use pipelines to build and deploy images on Azure Kubernetes Service (AKS) clusters. While great for image creation, this process often doesn't account for the stale images left behind and can lead to image bloat on cluster nodes. These images can present security issues as they may contain vulnerabilities. By cleaning these unreferenced images, you can remove an area of risk in your clusters. When done manually, this process can be time intensive, which ImageCleaner can mitigate via automatic image identification and removal.
Vulnerabilities are determined based on a Trivy scan, after which images with a LOW, MEDIUM, HIGH, or CRITICAL classification are flagged. An updated ImageList will be automatically generated by ImageCleaner based on a set time interval, and can also be supplied manually.
"},{"location":"tutorials/integrations/azure-devops/#microsoft-defender-for-container-registries-and-trivy","title":"Microsoft Defender for container registries and Trivy","text":"This blog explains how to scan your Azure Container Registry-based container images with the integrated vulnerability scanner when they're built as part of your GitHub workflows.
To set up the scanner, you'll need to enable Microsoft Defender for Containers and the CI/CD integration. When your CI/CD workflows push images to your registries, you can view registry scan results and a summary of CI/CD scan results.
The findings of the CI/CD scans are an enrichment to the existing registry scan findings by Qualys. Defender for Cloud's CI/CD scanning is powered by Aqua Trivy.
"},{"location":"tutorials/integrations/bitbucket/","title":"Bitbucket Pipelines","text":"See trivy-pipe for the details.
"},{"location":"tutorials/integrations/circleci/","title":"CircleCI","text":"$ cat .circleci/config.yml\njobs:\n build:\n docker:\n - image: docker:stable-git\n steps:\n - checkout\n - setup_remote_docker\n - run:\n name: Build image\n command: docker build -t trivy-ci-test:${CIRCLE_SHA1} .\n - run:\n name: Install trivy\n command: |\n apk add --update-cache --upgrade curl\n curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin\n - run:\n name: Scan the local image with trivy\n command: trivy image --exit-code 0 --no-progress trivy-ci-test:${CIRCLE_SHA1}\nworkflows:\n version: 2\n release:\n jobs:\n - build\n
Example Repository
"},{"location":"tutorials/integrations/github-actions/","title":"GitHub Actions","text":" - Here is the Trivy GitHub Action
- The Microsoft Azure team have written a container-scan action that uses Trivy and Dockle
- For full control over the options specified to Trivy, this blog post describes adding Trivy into your own GitHub action workflows
"},{"location":"tutorials/integrations/gitlab-ci/","title":"GitLab CI","text":"GitLab 15.0 includes free integration with Trivy.
To configure container scanning with Trivy in GitLab, simply include the CI template in your .gitlab-ci.yml file:
include:\n - template: Security/Container-Scanning.gitlab-ci.yml\n
If you're a GitLab 14.x Ultimate customer, you can use the same configuration above.
Alternatively, you can always use the example configurations below.
stages:\n - test\n\ntrivy:\n stage: test\n image: docker:stable\n services:\n - name: docker:dind\n entrypoint: [\"env\", \"-u\", \"DOCKER_HOST\"]\n command: [\"dockerd-entrypoint.sh\"]\n variables:\n DOCKER_HOST: tcp://docker:2375/\n DOCKER_DRIVER: overlay2\n # See https://github.com/docker-library/docker/pull/166\n DOCKER_TLS_CERTDIR: \"\"\n IMAGE: trivy-ci-test:$CI_COMMIT_SHA\n TRIVY_NO_PROGRESS: \"true\"\n TRIVY_CACHE_DIR: \".trivycache/\"\n before_script:\n - export TRIVY_VERSION=$(wget -qO - \"https://api.github.com/repos/aquasecurity/trivy/releases/latest\" | grep '\"tag_name\":' | sed -E 's/.*\"v([^\"]+)\".*/\\1/')\n - echo $TRIVY_VERSION\n - wget --no-verbose https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz -O - | tar -zxvf -\n allow_failure: true\n script:\n # Build image\n - docker build -t $IMAGE .\n # Build report\n - ./trivy image --exit-code 0 --format template --template \"@/contrib/gitlab.tpl\" -o gl-container-scanning-report.json $IMAGE\n # Print report\n - ./trivy image --exit-code 0 --severity HIGH $IMAGE\n # Fail on severe vulnerabilities\n - ./trivy image --exit-code 1 --severity CRITICAL $IMAGE\n cache:\n paths:\n - .trivycache/\n # Enables https://docs.gitlab.com/ee/user/application_security/container_scanning/ (Container Scanning report is available on GitLab Ultimate)\n artifacts:\n reports:\n container_scanning: gl-container-scanning-report.json\n
Example Repository
"},{"location":"tutorials/integrations/gitlab-ci/#gitlab-ci-using-trivy-container","title":"GitLab CI using Trivy container","text":"To scan a previously built image that has already been pushed into the GitLab container registry the following CI job manifest can be used. Note that entrypoint needs to be unset for the script section to work. In case of a non-public GitLab project Trivy additionally needs to authenticate to the registry to be able to pull your application image. Finally, it is not necessary to clone the project repo as we only work with the container image.
container_scanning:\n image:\n name: docker.io/aquasec/trivy:latest\n entrypoint: [\"\"]\n variables:\n # No need to clone the repo, we exclusively work on artifacts. See\n # https://docs.gitlab.com/ee/ci/runners/configure_runners.html#git-strategy\n GIT_STRATEGY: none\n TRIVY_USERNAME: \"$CI_REGISTRY_USER\"\n TRIVY_PASSWORD: \"$CI_REGISTRY_PASSWORD\"\n TRIVY_AUTH_URL: \"$CI_REGISTRY\"\n TRIVY_NO_PROGRESS: \"true\"\n TRIVY_CACHE_DIR: \".trivycache/\"\n FULL_IMAGE_NAME: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG\n script:\n - trivy --version\n # update vulnerabilities db\n - time trivy image --download-db-only\n # Builds report and puts it in the default workdir $CI_PROJECT_DIR, so `artifacts:` can take it from there\n - time trivy image --exit-code 0 --format template --template \"@/contrib/gitlab.tpl\"\n --output \"$CI_PROJECT_DIR/gl-container-scanning-report.json\" \"$FULL_IMAGE_NAME\"\n # Prints full report\n - time trivy image --exit-code 0 \"$FULL_IMAGE_NAME\"\n # Fail on critical vulnerabilities\n - time trivy image --exit-code 1 --severity CRITICAL \"$FULL_IMAGE_NAME\"\n cache:\n paths:\n - .trivycache/\n # Enables https://docs.gitlab.com/ee/user/application_security/container_scanning/ (Container Scanning report is available on GitLab EE Ultimate or GitLab.com Gold)\n artifacts:\n when: always\n reports:\n container_scanning: gl-container-scanning-report.json\n tags:\n - docker-runner\n
"},{"location":"tutorials/integrations/gitlab-ci/#gitlab-ci-alternative-template","title":"GitLab CI alternative template","text":"Depending on the edition of gitlab you have or your desired workflow, the container scanning template may not meet your needs. As an addition to the above container scanning template, a template for code climate has been included. The key things to update from the above examples are the template and report type. An updated example is below.
stages:\n - test\n\ntrivy:\n stage: test\n image: docker:stable\n services:\n - name: docker:dind\n entrypoint: [\"env\", \"-u\", \"DOCKER_HOST\"]\n command: [\"dockerd-entrypoint.sh\"]\n variables:\n DOCKER_HOST: tcp://docker:2375/\n DOCKER_DRIVER: overlay2\n # See https://github.com/docker-library/docker/pull/166\n DOCKER_TLS_CERTDIR: \"\"\n IMAGE: trivy-ci-test:$CI_COMMIT_SHA\n TRIVY_NO_PROGRESS: \"true\"\n TRIVY_CACHE_DIR: \".trivycache/\"\n before_script:\n - export TRIVY_VERSION=$(wget -qO - \"https://api.github.com/repos/aquasecurity/trivy/releases/latest\" | grep '\"tag_name\":' | sed -E 's/.*\"v([^\"]+)\".*/\\1/')\n - echo $TRIVY_VERSION\n - wget --no-verbose https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz -O - | tar -zxvf -\n allow_failure: true\n script:\n # Build image\n - docker build -t $IMAGE .\n # Image report\n - ./trivy image --exit-code 0 --format template --template \"@/contrib/gitlab-codequality.tpl\" -o gl-codeclimate-image.json $IMAGE\n # Filesystem report\n - ./trivy filesystem --scanners misconfig,vuln --exit-code 0 --format template --template \"@/contrib/gitlab-codequality.tpl\" -o gl-codeclimate-fs.json .\n # Combine report\n - apk update && apk add jq\n - jq -s 'add' gl-codeclimate-image.json gl-codeclimate-fs.json > gl-codeclimate.json\n cache:\n paths:\n - .trivycache/\n # Enables https://docs.gitlab.com/ee/user/application_security/container_scanning/ (Container Scanning report is available on GitLab EE Ultimate or GitLab.com Gold)\n artifacts:\n paths:\n - gl-codeclimate.json\n reports:\n codequality: gl-codeclimate.json\n
Currently gitlab only supports a single code quality report. There is an open feature request to support multiple reports. Until this has been implemented, if you already have a code quality report in your pipeline, you can use jq to combine reports. Depending on how you name your artifacts, it may be necessary to rename the artifact if you want to reuse the name. To then combine the previous artifact with the output of trivy, the following jq command can be used, jq -s 'add' prev-codeclimate.json trivy-codeclimate.json > gl-codeclimate.json.
"},{"location":"tutorials/integrations/gitlab-ci/#gitlab-ci-alternative-template-example-report","title":"GitLab CI alternative template example report","text":"You'll be able to see a full report in the GitLab pipeline code quality UI, where filesystem vulnerabilities and misconfigurations include links to the flagged files and image vulnerabilities report the image/os or runtime/library that the vulnerability originates from instead.
"},{"location":"tutorials/integrations/travis-ci/","title":"Travis CI","text":"$ cat .travis.yml\nservices:\n - docker\n\nenv:\n global:\n - COMMIT=${TRAVIS_COMMIT::8}\n\nbefore_install:\n - docker build -t trivy-ci-test:${COMMIT} .\n - export VERSION=$(curl --silent \"https://api.github.com/repos/aquasecurity/trivy/releases/latest\" | grep '\"tag_name\":' | sed -E 's/.*\"v([^\"]+)\".*/\\1/')\n - wget https://github.com/aquasecurity/trivy/releases/download/v${VERSION}/trivy_${VERSION}_Linux-64bit.tar.gz\n - tar zxvf trivy_${VERSION}_Linux-64bit.tar.gz\nscript:\n - ./trivy image --exit-code 0 --severity HIGH --no-progress trivy-ci-test:${COMMIT}\n - ./trivy image --exit-code 1 --severity CRITICAL --no-progress trivy-ci-test:${COMMIT}\ncache:\n directories:\n - $HOME/.cache/trivy\n
Example Repository
"},{"location":"tutorials/kubernetes/cluster-scanning/","title":"Kubernetes Scanning Tutorial","text":""},{"location":"tutorials/kubernetes/cluster-scanning/#prerequisites","title":"Prerequisites","text":"To test the following commands yourself, make sure that you\u2019re connected to a Kubernetes cluster. A simple kind, a Docker-Desktop or microk8s cluster will do. In our case, we\u2019ll use a one-node kind cluster. Pro tip: The output of the commands will be even more interesting if you have some workloads running in your cluster.
"},{"location":"tutorials/kubernetes/cluster-scanning/#cluster-scanning","title":"Cluster Scanning","text":"Trivy K8s is great to get an overview of all the vulnerabilities and misconfiguration issues or to scan specific workloads that are running in your cluster. You would want to use the Trivy K8s command either on your own local cluster or in your CI/CD pipeline post deployments.
The trivy k8s command is part of the Trivy CLI.
With the following command, we can scan our entire Kubernetes cluster for vulnerabilities and get a summary of the scan:
trivy k8s --report=summary\n
To get detailed information for all your resources, just replace \u2018summary\u2019 with \u2018all\u2019:
trivy k8s --report=all\n
However, we recommend displaying all information only in case you scan a specific namespace or resource since you can get overwhelmed with additional details.
Furthermore, we can specify the namespace that Trivy is supposed to scan to focus on specific resources in the scan result:
trivy k8s --include-namespaces kube-system --report summary\n
Again, if you\u2019d like to receive additional details, use the \u2018--report=all\u2019 flag:
trivy k8s --include-namespaces kube-system --report all\n
Like with scanning for vulnerabilities, we can also filter in-cluster security issues by severity of the vulnerabilities:
trivy k8s --severity=CRITICAL --report=summary\n
Note that you can use any of the Trivy flags on the Trivy K8s command.
"},{"location":"tutorials/kubernetes/cluster-scanning/#trivy-operator","title":"Trivy Operator","text":"The Trivy K8s command is an imperative model to scan resources. We wouldn\u2019t want to manually scan each resource across different environments. The larger the cluster and the more workloads are running in it, the more error-prone this process would become. With the Trivy Operator, we can automate the scanning process after the deployment.
The Trivy Operator follows the Kubernetes Operator Model. Operators automate human actions, and the result of the task is saved as custom resource definitions (CRDs) within your cluster.
This has several benefits:
- The Trivy Operator installs CRDs in our cluster. As a result, all our resources, including our security scanner and its scan results, are Kubernetes resources. This makes it much easier to integrate the Trivy Operator directly into our existing processes, such as connecting Trivy with Prometheus, a monitoring system.
- The Trivy Operator will automatically scan your resources every six hours. You can set up automatic alerting in case new critical security issues are discovered.
- The CRDs can be both machine- and human-readable depending on which applications consume the CRDs. This allows for more versatile applications of the Trivy Operator.
There are several ways that you can install the Trivy Operator in your cluster. In this guide, we\u2019re going to use the Helm installation.
Please follow the Trivy Operator documentation for further information on:
- Installation of the Trivy Operator
- Getting started guide
"},{"location":"tutorials/kubernetes/gitops/","title":"Installing the Trivy-Operator through GitOps","text":"This tutorial shows you how to install the Trivy Operator through GitOps platforms, namely ArgoCD and FluxCD.
"},{"location":"tutorials/kubernetes/gitops/#argocd","title":"ArgoCD","text":"Make sure to have ArgoCD installed and running in your Kubernetes cluster.
You can either deploy the Trivy Operator through the argocd CLI or by applying a Kubernetes manifest.
ArgoCD command:
> kubectl create ns trivy-system\n> argocd app create trivy-operator --repo https://github.com/aquasecurity/trivy-operator --path deploy/helm --dest-server https://kubernetes.default.svc --dest-namespace trivy-system\n
Note that this installation is directly related to our official Helm Chart. If you want to change any of the values, we suggest creating a separate values.yaml file. Kubernetes manifest trivy-operator.yaml:
apiVersion: argoproj.io/v1alpha1\nkind: Application\nmetadata:\n name: trivy-operator\n namespace: argocd\nspec:\n project: default\n source:\n chart: trivy-operator\n repoURL: https://aquasecurity.github.io/helm-charts/\n targetRevision: 0.0.3\n helm:\n values: |\n trivy:\n ignoreUnfixed: true\n destination:\n server: https://kubernetes.default.svc\n namespace: trivy-system\n syncPolicy:\n automated:\n prune: true\n selfHeal: true\n
To apply the Kubernetes manifest, if you have the manifest locally, you can use the following command through kubectl:
> kubectl apply -f trivy-operator.yaml\n\napplication.argoproj.io/trivy-operator created\n
If you have the manifest in a Git repository, you can apply it to your cluster through the following command:
> kubectl apply -n argocd -f https://raw.githubusercontent.com/AnaisUrlichs/argocd-starboard/main/starboard/argocd-starboard.yaml\n
The latter command would allow you to make changes to the YAML manifest that ArgoCD would register automatically. Once deployed, you want to tell ArgoCD to sync the application from the actual state to the desired state:
argocd app sync trivy-operator\n
Now you can see the deployment in the ArgoCD UI. Have a look at the ArgoCD documentation to know how to access the UI.
Note that ArgoCD is unable to show the Trivy CRDs as synced.
"},{"location":"tutorials/kubernetes/gitops/#fluxcd","title":"FluxCD","text":"Make sure to have FluxCD installed and running in your Kubernetes cluster.
You can either deploy the Trivy Operator through the Flux CLI or by applying a Kubernetes manifest.
Flux command:
> kubectl create ns trivy-system\n> flux create source helm trivy-operator --url https://aquasecurity.github.io/helm-charts --namespace trivy-system\n> flux create helmrelease trivy-operator --chart trivy-operator\n --source HelmRepository/trivy-operator\n --chart-version 0.0.3\n --namespace trivy-system\n
Kubernetes manifest trivy-operator.yaml:
apiVersion: source.toolkit.fluxcd.io/v1beta2\nkind: HelmRepository\nmetadata:\n name: trivy-operator\n namespace: flux-system\nspec:\n interval: 60m\n url: https://aquasecurity.github.io/helm-charts/\n\n---\napiVersion: helm.toolkit.fluxcd.io/v2beta1\nkind: HelmRelease\nmetadata:\n name: trivy-operator\n namespace: trivy-system\nspec:\n chart:\n spec:\n chart: trivy-operator\n sourceRef:\n kind: HelmRepository\n name: trivy-operator\n namespace: flux-system\n version: 0.10.1\n interval: 60m\n values:\n trivy:\n ignoreUnfixed: true\n install:\n crds: CreateReplace\n createNamespace: true\n
You can then apply the file to your Kubernetes cluster:
kubectl apply -f trivy-operator.yaml\n
"},{"location":"tutorials/kubernetes/gitops/#after-the-installation","title":"After the installation","text":"After the install, you want to check that the Trivy operator is running in the trivy-system namespace:
kubectl get deployment -n trivy-system\n
"},{"location":"tutorials/kubernetes/kyverno/","title":"Attesting Image Scans With Kyverno","text":"This tutorial is based on the following blog post by Chip Zoller: Attesting Image Scans With Kyverno
This tutorial details
- Verify the container image has an attestation with Kyverno
"},{"location":"tutorials/kubernetes/kyverno/#prerequisites","title":"Prerequisites","text":" - A running Kubernetes cluster that kubectl is connected to
- A Container image signed with Cosign and an attestation generated for a Trivy Vulnerability scan. Follow this tutorial for more information.
"},{"location":"tutorials/kubernetes/kyverno/#kyverno-policy-to-check-attestation","title":"Kyverno Policy to check attestation","text":"The following policy ensures that the attestation is no older than 168h:
vuln-attestation.yaml
apiVersion: kyverno.io/v1\nkind: ClusterPolicy\nmetadata:\n name: check-vulnerabilities\nspec:\n validationFailureAction: Enforce\n background: false\n webhookTimeoutSeconds: 30\n failurePolicy: Fail\n rules:\n - name: checking-vulnerability-scan-not-older-than-one-hour\n match:\n any:\n - resources:\n kinds:\n - Pod\n verifyImages:\n - imageReferences:\n - \"*\"\n attestations:\n - type: https://cosign.sigstore.dev/attestation/vuln/v1\n conditions:\n - all:\n - key: \"{{ time_since('','{{ metadata.scanFinishedOn }}', '') }}\"\n operator: LessThanOrEquals\n value: \"1h\"\n attestors:\n - count: 1\n entries:\n - keys:\n publicKeys: |-\n -----BEGIN PUBLIC KEY-----\n abc\n xyz\n -----END PUBLIC KEY-----\n
"},{"location":"tutorials/kubernetes/kyverno/#apply-the-policy-to-your-kubernetes-cluster","title":"Apply the policy to your Kubernetes cluster","text":"Ensure that you have Kyverno already deployed and running on your cluster -- for instance through the Kyverno Helm Chart.
Next, apply the above policy:
kubectl apply -f vuln-attestation.yaml\n
To ensure that the policy worked, we can deploy an example Kubernetes Pod with our container image:
kubectl run app-signed --image=docker.io/anaisurlichs/signed-example@sha256:c5911ac313e0be82a740bd726dc290e655800a9588424ba4e0558c705d1287fd\n
Note that the image is based on the signing tutorial. Once we apply the deployment, it should pass since our attestation is available:
kubectl apply -f deployment.yaml -n app\ndeployment.apps/cns-website created\n
However, if we try to deploy any other container image, our deployment will fail. We can verify this by replacing the image referenced in the deployment with docker.io/anaisurlichs/cns-website:0.0.5 and applying the deployment:
kubectl run app-unsigned --image=docker.io/anaisurlichs/cns-website:0.1.1\n\nResource: \"apps/v1, Resource=deployments\", GroupVersionKind: \"apps/v1, Kind=Deployment\"\nName: \"cns-website\", Namespace: \"app\"\nfor: \"deployment-two.yaml\": admission webhook \"mutate.kyverno.svc-fail\" denied the request: \n\nresource Deployment/app/cns-website was blocked due to the following policies\n\ncheck-image:\n autogen-check-image: |\n failed to verify signature for docker.io/anaisurlichs/cns-website:0.0.5: .attestors[0].entries[0].keys: no matching signatures:\n
"},{"location":"tutorials/misconfiguration/custom-checks/","title":"Custom Checks with Rego","text":"Trivy can scan configuration files for common security issues (a.k.a IaC misconfiguration scanning). In addition to a comprehensive built in database of checks, you can add your own custom checks. Checks are written in Rego language and the full documentation for checks and customizing them is available here.
This tutorial will walk you through writing a custom check in Rego that checks for an issue in a Dockerfile.
When you are writing a check, it's important to understand the input to the check. This will be the IaC file that you are scanning; for example, a Kubernetes YAML resource definition, or an AWS JSON CloudFormation, or in our case a Dockerfile.
Since Rego is primarily tailored to query JSON objects, all incoming configuration files first need to be converted to structured objects, which are available to the Rego code as the input variable. This is nothing that users have to do manually in Trivy. Instead, Rego makes it possible to pass in custom Schemas that detail how files are converted. Once Rego has access to a custom Schema, it will know in which format to access configuration files such as a Dockerfile.
Here you can find the schemas that define how different configuration files are converted to JSON by Trivy. This tutorial will make use of the dockerfile.json schema. The schema will need to be parsed into your custom check.
Users can also use the Schema Explorer to view the structure of the data provided to Rego.
"},{"location":"tutorials/misconfiguration/custom-checks/#create-a-rego-file-and-specify-trivy-metadata","title":"Create a Rego file and Specify Trivy metadata","text":"First, create a new .rego file e.g. a docker-check.rego file:
touch docker-check.rego\n
Next, we need to specify metadata about the check. This is information that helps Trivy load and process the check.
# METADATA\n# title: Verify Image\n# description: Verify Image is allowed to be used and in the right format\n# schemas:\n# - input: schema[\"dockerfile\"]\n# custom:\n# id: ID001\n# severity: MEDIUM\n# input:\n# selector: \n# - type: dockerfile\n
Important: The METADATA has to be defined on top of the file.
More information on the different fields in the metadata can be found in the Trivy documentation.
"},{"location":"tutorials/misconfiguration/custom-checks/#package-and-imports","title":"Package and imports","text":"package custom.dockerfile.ID001\n\nimport future.keywords.in\n
Every Rego check has a package name. In our case, we will call it custom.dockerfile.ID001 to avoid confusion between custom checks and built-in checks. The group name dockerfile has no effect on the package name. Note that each package has to contain only one check. However, we can pass multiple checks into our Trivy scan. The first keyword of the package, in this case custom, will be reused in the trivy command as the --namespace.
"},{"location":"tutorials/misconfiguration/custom-checks/#allowed-data","title":"Allowed data","text":"The check that we are setting up compares the container images used in the Dockerfile with a list of white-listed container images. Thus, we need to add the images that are allowed to be used in the Dockerfile to our check. In our case, we will store them in an array of arrays:
allowed_images := {\n [\"node:21-alpine3.19\", \"as\", \"build-deps\"],\n [\"nginx:1.2\"]\n}\n
"},{"location":"tutorials/misconfiguration/custom-checks/#select-the-images-that-are-used-in-the-dockerfile","title":"Select the images that are used in the Dockerfile","text":"Next, we need to iterate over the different commands in our Dockerfile and identify the commands that provide the base container images:
deny[msg] {\n input.Stages[m].Commands[l].Cmd == \"from\"\n val := input.Stages[m].Commands[l].Value\n not val in allowed_images\n msg := sprintf(\"The container image '%s' used in the Dockerfile is not allowed\", val)\n}\n
Let's look at the check line by line:
- The rule should always be deny in the Trivy Rego checks
- input.Stages[m].Commands[l].Cmd allows us to access the different commands in the Dockerfile. We need to access the commands that use \"FROM\". Every command will be converted to lowercase.
- val := input.Stages[m].Commands[l].Value accesses the value of the FROM command and stores it in val
- not val in allowed_images checks whether val is not part of our allowed images list; this part of the check relies on the import statement
- In case our check fails, the msg will be printed with the image name used in val
Note that Rego
- uses AND automatically to combine conditions in this check
- automatically iterates through the array of commands in the Dockerfile and the allowed images
"},{"location":"tutorials/misconfiguration/custom-checks/#run-the-check-in-a-trivy-misconfiguration-scan","title":"Run the check in a Trivy misconfiguration scan","text":"Ensure that you have Trivy installed and run the following command:
trivy fs --scanners misconf --config-check ./docker-check.rego --namespaces custom ./Dockerfile\n
Please replace:
- ./docker-check.rego with the file path to your check
- custom with your package name, if different
- ./Dockerfile with the path to the Dockerfile that should be scanned
Note: If you define custom packages, you have to specify the package prefix via --namespaces option. In our case, we called the custom package custom.
"},{"location":"tutorials/misconfiguration/custom-checks/#resources","title":"Resources","text":" - Rego provides a long list of courses that can be useful in writing more complex checks
- The Rego documentation provides detailed information on the different types, iterations etc.
- Have a look at the built-in checks for Trivy for inspiration on how to write custom checks.
"},{"location":"tutorials/misconfiguration/terraform/","title":"Scanning Terraform files with Trivy","text":"This tutorial is focused on ways Trivy can scan Terraform IaC configuration files.
A video tutorial on Terraform Misconfiguration scans can be found on the Aqua Open Source YouTube account.
A note to tfsec users We have been consolidating all of our scanning-related efforts in one place, and that is Trivy. You can read more on the decision in the tfsec discussions.
"},{"location":"tutorials/misconfiguration/terraform/#trivy-config-command","title":"Trivy Config Command","text":"Terraform configuration scanning is available as part of the trivy config command. This command scans all configuration files for misconfiguration issues. You can find the details within misconfiguration scans in the Trivy documentation.
Command structure:
trivy config <any flags you want to use> <file or directory that you would like to scan> \n
The trivy config command can scan Terraform configuration, CloudFormation, Dockerfile, Kubernetes manifests, and Helm Charts for misconfiguration. Trivy will compare the configuration found in the file with a set of best practices.
- If the configuration is following best practices, the check will pass,
- If the configuration does not define the resource of some configuration, Trivy will assume the default configuration for the resource creation is used. In this case, the check might fail.
- If the configuration that has been defined does not follow best practices, the check will fail.
"},{"location":"tutorials/misconfiguration/terraform/#prerequisites","title":"Prerequisites","text":"Install Trivy on your local machines. The documentation provides several different installation options. This tutorial will use this example Terraform tutorial for terraform misconfiguration scanning with Trivy.
Git clone the tutorial and cd into the directory:
git clone git@github.com:Cloud-Native-Security/trivy-demo.git\ncd bad_iac/terraform\n
In this case, the folder only contains Terraform configuration files. However, you could scan a directory that contains several different configurations e.g. Kubernetes YAML manifests, Dockerfile, and Terraform. Trivy will then detect the different configuration files and apply the right rules automatically. "},{"location":"tutorials/misconfiguration/terraform/#different-types-of-trivy-config-scans","title":"Different types of trivy config scans","text":"Below are several examples of how the trivy config scan can be used.
General Terraform scan with trivy:
trivy config <specify the directory> \n
So if we are already in the directory that we want to scan:
trivy config ./ \n
"},{"location":"tutorials/misconfiguration/terraform/#specify-the-scan-format","title":"Specify the scan format","text":"The --format flag changes the way that Trivy displays the scan result:
JSON:
trivy config -f json terraform-infra \n
Sarif:
trivy config -f sarif terraform-infra \n
"},{"location":"tutorials/misconfiguration/terraform/#specifying-the-output-location","title":"Specifying the output location","text":"The --output flag specifies the file location in which the scan result should be saved:
JSON:
trivy config -f json -o example.json terraform-infra \n
Sarif:
trivy config -f sarif -o example.sarif terraform-infra \n
"},{"location":"tutorials/misconfiguration/terraform/#filtering-by-severity","title":"Filtering by severity","text":"If you are presented with lots and lots of misconfiguration across different files, you might want to filter or the misconfiguration with the highest severity:
trivy config --severity CRITICAL, MEDIUM terraform-infra \n
"},{"location":"tutorials/misconfiguration/terraform/#passing-tftfvars-files-into-trivy-config-scans","title":"Passing tf.tfvars files into trivy config scans","text":"You can pass terraform values to Trivy to override default values found in the Terraform HCL code. More information are provided in the documentation.
trivy config --tf-vars terraform.tfvars ./\n
"},{"location":"tutorials/misconfiguration/terraform/#custom-checks","title":"Custom Checks","text":"We have lots of examples in the documentation on how you can write and pass custom Rego checks into terraform misconfiguration scans.
"},{"location":"tutorials/misconfiguration/terraform/#secret-and-vulnerability-scans","title":"Secret and vulnerability scans","text":"The trivy config command does not perform secret and vulnerability checks out of the box. However, you can specify as part of your trivy fs scan that you would like to scan you terraform files for exposed secrets and misconfiguraction through the following flags:
trivy fs --scanners secret,misconfig ./\n
The trivy config command is a sub-command of the trivy fs command. You can learn more about this command in the documentation.
"},{"location":"tutorials/misconfiguration/terraform/#scanning-terraform-plan-files","title":"Scanning Terraform Plan files","text":"Instead of scanning your different Terraform resources individually, you could also scan your Terraform Plan file before it is deployed for misconfiguration. This will give you insights into any misconfiguration of your resources as they would become deployed. Here is the link to the documentation.
Note that you need to be able to create a terraform init and plan without any errors.
"},{"location":"tutorials/misconfiguration/terraform/#using-trivy-in-your-cicd-pipeline","title":"Using Trivy in your CI/CD pipeline","text":"Similar to tfsec, Trivy can be used either on local developer machines or integrated into your CI/CD pipeline. There are several steps available for different pipelines, including GitHub Actions, Circle CI, GitLab, Travis and more in the tutorials section of the documentation: https://trivy.dev/docs/latest/tutorials/integrations/
"},{"location":"tutorials/shell/shell-completion/","title":"Enable shell completion","text":"Below is example steps to enable shell completion feature for trivy cli:
"},{"location":"tutorials/shell/shell-completion/#1-know-your-current-shell","title":"1. Know your current shell","text":"$ echo $SHELL\n/bin/zsh # For this example it is zsh, but will be vary depend on your $SHELL, maybe /bin/bash or /bin/fish\n
"},{"location":"tutorials/shell/shell-completion/#2-run-completion-command-to-get-sub-commands","title":"2. Run completion command to get sub-commands","text":"$ trivy completion zsh -h\nGenerate the autocompletion script for the zsh shell.\n\nIf shell completion is not already enabled in your environment you will need\nto enable it. You can execute the following once:\n\n echo \"autoload -U compinit; compinit\" >> ~/.zshrc\n\nTo load completions in your current shell session:\n\n source <(trivy completion zsh); compdef _trivy trivy\n\nTo load completions for every new session, execute once:\n\n#### Linux:\n\n trivy completion zsh > \"${fpath[1]}/_trivy\"\n\n#### macOS:\n\n trivy completion zsh > $(brew --prefix)/share/zsh/site-functions/_trivy\n\nYou will need to start a new shell for this setup to take effect.\n
"},{"location":"tutorials/shell/shell-completion/#3-run-the-sub-commands-following-the-instruction","title":"3. Run the sub-commands following the instruction","text":"echo \"autoload -U compinit; compinit\" >> ~/.zshrc\nsource <(trivy completion zsh); compdef _trivy trivy\ntrivy completion zsh > \"${fpath[1]}/_trivy\"\n
"},{"location":"tutorials/shell/shell-completion/#4-start-a-new-shell-and-you-can-see-the-shell-completion","title":"4. Start a new shell and you can see the shell completion","text":"$ trivy [tab]\ncompletion -- Generate the autocompletion script for the specified shell\nconfig -- Scan config files for misconfigurations\nfilesystem -- Scan local filesystem\nhelp -- Help about any command\nimage -- Scan a container image\nkubernetes -- scan kubernetes cluster\nmodule -- Manage modules\nplugin -- Manage plugins\nrepository -- Scan a repository\nrootfs -- Scan rootfs\nsbom -- Scan SBOM for vulnerabilities\nserver -- Server mode\nversion -- Print the version\n
"},{"location":"tutorials/signing/vuln-attestation/","title":"Vulnerability Scan Record Attestation","text":"This tutorial details how to
- Scan container images for vulnerabilities
- Generate an attestation, using Cosign, with and without generating a separate key pair
"},{"location":"tutorials/signing/vuln-attestation/#prerequisites","title":"Prerequisites","text":" - Trivy CLI installed
- Cosign CLI installed
- Ensure that you have access to a container image in a remote container registry that you own/within your account. In this tutorial, we will use DockerHub.
"},{"location":"tutorials/signing/vuln-attestation/#scan-container-image-for-vulnerabilities","title":"Scan Container Image for vulnerabilities","text":"Scan your container image for vulnerabilities and save the scan result to a scan.json file:
trivy image --ignore-unfixed --format cosign-vuln --output scan.json DockerHubID/imagename:imagetag\n
For example:
trivy image --ignore-unfixed --format cosign-vuln --output scan.json anaisurlichs/signed-example:0.1\n
--ignore-unfixed: Ensures only the vulnerabilities, which have a already a fix available, are displayed --output scan.json: The scan output is saved to a scan.json file instead of being displayed in the terminal.
Note: Replace the container image with the container image that you want to scan.
"},{"location":"tutorials/signing/vuln-attestation/#option-1-signing-and-generating-an-attestation-without-new-key-pair","title":"Option 1: Signing and Generating an attestation without new key pair","text":""},{"location":"tutorials/signing/vuln-attestation/#signing","title":"Signing","text":"Sign the container image:
cosign sign DockerHubID/imagename@imageSHA\n
The imageSHA can be obtained through the following docker command:
docker image ls --digests\n
The SHA will be displayed next to the image name and tag. Note that it is better practice to sign the image SHA rather than the tag as the SHA will remain the same for the particular image that we have signed.
For example:
cosign sign docker.io/anaisurlichs/signed-example@sha256:c5911ac313e0be82a740bd726dc290e655800a9588424ba4e0558c705d1287fd\n
"},{"location":"tutorials/signing/vuln-attestation/#attestation","title":"Attestation","text":"The following command generates an attestation for the vulnerability scan and uploads it to the container image used:
cosign attest --predicate scan.json --type vuln docker.io/DockerHubID/imagename:imageSHA\n
For example:
cosign attest --predicate scan.json --type vuln docker.io/anaisurlichs/signed-example@sha256:c5911ac313e0be82a740bd726dc290e655800a9588424ba4e0558c705d1287fd\n
Note: Replace the container image with the container image that you would like to scan.
Next, Sigstore will ask you to verify with an account -- Microsoft, GitHub, or Google.
Once done, the user will be provided with a certificate in the terminal where they ran the command. Example certificate:
-----BEGIN CERTIFICATE-----\nMIIC1TCCAlygAwIBAgIUfSXI7xTWSLq4nuygd8YPuhPZlEswCgYIKoZIzj0EAwMw\nNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRl\ncm1lZGlhdGUwHhcNMjQwMTExMTMzODUzWhcNMjQwMTExMTM0ODUzWjAAMFkwEwYH\nKoZIzj0CAQYIKoZIzj0DAQcDQgAETcUNnK76mfo9G3j1c7NN6Vcn6yQPDX5rd3QB\nunkHs1Uk59CWv3qm6sUyRNYaATs9zdHAZqLck8G4P/Pj7+GzCKOCAXswggF3MA4G\n........\n-----END CERTIFICATE-----\n
"},{"location":"tutorials/signing/vuln-attestation/#option-2-signing-and-generating-an-attestation-with-a-new-cosign-key-pair","title":"Option 2: Signing and Generating an attestation with a new Cosign key pair","text":"To generate an attestation for the container image with a separate key pair, we can use Cosign to generate a new key pair:
cosign generate-key-pair\u00a0\n
This will generate a cosign.key and a cosign.pub file. The cosign.key file is your private key that should be kept confidential as it is used to sign artefacts. However, the cosign.pub file contains the information of the corresponding public key. This key can be used by third parties to verify the attestation -- basically that this person who claims to have signed the attestation actually is the one who signed it.
"},{"location":"tutorials/signing/vuln-attestation/#signing_1","title":"Signing","text":"Sign the container image:
cosign sign --key cosign.key docker.io/anaisurlichs/signed-example@sha256:c5911ac313e0be82a740bd726dc290e655800a9588424ba4e0558c705d1287fd\n
"},{"location":"tutorials/signing/vuln-attestation/#attestation_1","title":"Attestation","text":"To generate the attestation with the specific key pairs, run the following command:
cosign attest --key cosign.key --type vuln --predicate scan.json docker.io/anaisurlichs/signed-example@sha256:c5911ac313e0be82a740bd726dc290e655800a9588424ba4e0558c705d1287fd\u00a0\n
"},{"location":"tutorials/signing/vuln-attestation/#verify-the-attestation","title":"Verify the attestation","text":""},{"location":"tutorials/signing/vuln-attestation/#option-1-no-separate-key-pair","title":"Option 1 -- No separate key pair","text":"If you have not generated a key pair but received a certificate after the container image was signed, use the following command to verify the attestation:
cosign verify-attestation --type vuln --certificate-identity Email-used-to-sign --certificate-oidc-issuer='the-issuer-used' docker.io/DockerHubID/imagename:imageSHA\n
For example, the command could be like this:
cosign verify-attestation --type vuln --certificate-identity urlichsanais@gmail.com --certificate-oidc-issuer='https://github.com/login/oauth' anaisurlichs/signed-example@sha256:c5911ac313e0be82a740bd726dc290e655800a9588424ba4e0558c705d1287fd\n
"},{"location":"tutorials/signing/vuln-attestation/#option-2-separate-key-pair","title":"Option 2 -- Separate key pair","text":"If you have used a new cosign key pair, the attestation can be verified through the following command:
cosign verify-attestation --key cosign.pub --type vuln anaisurlichs/signed-example@sha256:c5911ac313e0be82a740bd726dc290e655800a9588424ba4e0558c705d1287fd\u00a0\n
Output The output should look similar to the following: Verification for anaisurlichs/signed-example@sha256:c5911ac313e0be82a740bd726dc290e655800a9588424ba4e0558c705d1287fd --\nThe following checks were performed on each of these signatures:\n - The cosign claims were validated\n - Existence of the claims in the transparency log was verified offline\n - The signatures were verified against the specified public key\n{\"payloadType\":\"application/vnd.in-toto+json\",\"payload\":\n
"},{"location":"tutorials/signing/vuln-attestation/#more-information","title":"More information","text":"See here for more details.
"}]}
\ No newline at end of file
+{"config":{"lang":["en"],"separator":"[\\s\\-]+","pipeline":["stopWordFilter"],"fields":{"title":{"boost":1000.0},"text":{"boost":1.0},"tags":{"boost":1000000.0}}},"docs":[{"location":"","title":"Docs","text":"Welcome to the Trivy documentation! Here you can find complete and thorough information about every aspect of Trivy, how to use it, features available, and configuration options.
\ud83d\udc48 Please use the left side navigation browse the different topics.
"},{"location":"commercial/compare/","title":"Aqua Security is the home of Trivy","text":"Trivy is proudly maintained by Aqua Security. If you liked Trivy, you will love Aqua which builds on top of Trivy to provide even more enhanced capabilities for a complete security management offering. In this page you can find a high level comparison between Trivy Open Source and Aqua's commercial product. If you'd like to learn more or request a demo, click here to contact us.
"},{"location":"commercial/compare/#user-experience","title":"User experience","text":"Feature Trivy OSS Aqua Interface CLI tool CLI tool Enterprise-grade web application SaaS or on-prem Search & Discover - Easily search for security issues across all workloads and infrastructure in your organization Visually discover risks across your organization User management - Multi account Granular permissions (RBAC) Single Sign On (SSO) Support Some skills required for setup and integration Best effort community support Personal onboarding by Aqua Customer Success SLA backed professional support Scalability & Availability Single scan at a time Centralized scanning service supports concurrent scans efficiently Highly available production grade architecture Rate limiting Assets hosted on public free infrastructure and could be rate limited Assets hosted on Aqua infrastructure and does not have limitations"},{"location":"commercial/compare/#vulnerability-scanning","title":"Vulnerability scanning","text":"Feature Trivy OSS Aqua Vulnerabilities sources Based on open source vulnerability feeds Based on open source and commercial vulnerability feeds New Vulnerabilities SLA No SLA Commercial level SLA Package managers Find packages in lock files Find packages in lock files or reconstructed lock files Vulnerability management Manually ignore specific vulnerabilities by ID or property Advanced vulnerability management solution Vulnerability tracking and suppression Incident lifecycle management Vulnerability prioritization Manually triage by severity Multiple prioritization tools: Accessibility of the affected resources Exploitability of the vulnerability Open Source packages health and trustworthiness score Affected image layers Reachability analysis - Analyze source code to eliminate vulnerabilities of unused dependencies Contextual vulnerabilities - Reduce irrelevant vulnerabilities based on environmental factors (e.g. 
Spring4Shell not relevant due to JDK version) Compiled binaries Find embedded dependencies in Go and Rust binaries Find SBOM by hash in public Sigstore In addition, identify popular applications"},{"location":"commercial/compare/#container-scanning","title":"Container scanning","text":"Feature Trivy OSS Aqua Windows containers - Support scanning windows containers Scan container registries - Connect to any container registries and automatically scan it Private registries Standard registry authenticationCloud authentication with ECR, GCR, ACR Supports registry specific authentication schemes Layer cache Local cache directory Scalable Cloud cache"},{"location":"commercial/compare/#advanced-scanning","title":"Advanced scanning","text":"Feature Trivy OSS Aqua Malware scanning - Scan container images for malware Sandbox scanning - Use DTA (Dynamic threat analysis) to run and test container images' behavior to detect sophisticated threats SAST (code scanning) - Analyze source code for security issues and vulnerabilities"},{"location":"commercial/compare/#policy-and-enforcement","title":"Policy and enforcement","text":"Feature Trivy OSS Aqua Kubernetes admission - Validating Kubernetes Admission based on automatic or user defined policy CI/CD policies Can fail the entire build on any finding Granular policies to fail builds based on custom criteria Container engine - Block incompliant images from running at container engine level Block vulnerable packages - vShield \u2013 monitor and block usage of vulnerable packages"},{"location":"commercial/compare/#secrets-scanning","title":"Secrets scanning","text":"Feature Trivy OSS Aqua Detected patterns Basic patterns Advanced patterns Leaked secrets validation - Automatically checks if leaked secrets are valid and usable"},{"location":"commercial/compare/#iaccspm-scanning","title":"IaC/CSPM scanning","text":"Feature Trivy OSS Aqua Infrastructure as Code (IaC) Many popular languages as detailed here In addition, Build Pipeline 
configuration scanning Checks customization Create custom checks with Rego Create custom checks in no-code interface Customize existing checks with organizational preferences Cloud scanning AWS (subset of services) AWS, Azure, GCP, Alibaba Cloud, Oracle Cloud Compliance frameworks CIS, NSA, vendor guides More than 25 compliance programs Custom compliance Create in YAML Create in a web UI Remediation advice Basic AI powered specialized remediation guides"},{"location":"commercial/compare/#kubernetes-scanning","title":"Kubernetes scanning","text":"Feature Trivy OSS Aqua Scan initiation CLI / Kubernetes Operator Kubernetes Operator / Management web application Results consumption kubectl / CRD / Prometheus exporter In addition, Advanced UI dashboards, Automatic notifications and incident management flows Cluster discovery Kubeconfig Automatic discovery thorough cloud onboarding Workload image scanning Scanning in cluster, requires capacity planning Scanning offloaded to Aqua service, little impact on scanned clusters Cluster scanning CIS, NSA, PSS More than 25 compliance programs Scope Single cluster Multi cluster, Cloud relationship Scalability Reports limited by in-cluster etcd storage (size and number of reports) Cloud-based storage (unlimited scalability)"},{"location":"commercial/contact/","title":"Contact Us","text":""},{"location":"community/principles/","title":"Trivy Project Principles","text":"This document outlines the guiding principles and governance framework for the Trivy project.
"},{"location":"community/principles/#core-principles","title":"Core Principles","text":"Trivy is a security scanner focused on static analysis and designed with simplicity and security at its core. All new proposals to the project must adhere to the following principles.
"},{"location":"community/principles/#static-analysis-no-runtime-required","title":"Static Analysis (No Runtime Required)","text":"Trivy operates without requiring container or VM image startups, eliminating the need for Docker or similar runtimes, except for scanning images stored within a container runtime. This approach enhances security and efficiency by minimizing dependencies.
"},{"location":"community/principles/#external-dependency-free-single-binary","title":"External Dependency Free (Single Binary)","text":"Operating as a single binary, Trivy is independent of external environments and avoids executing external OS commands or processes. If specific functionality, like Maven's, is needed, Trivy opts for internal reimplementations or processing outputs of the tool without direct execution of external tools.
This approach obviously requires more effort but significantly reduces security risks associated with executing OS commands and dependency errors due to external environment versions. Simplifying the scanner's use by making it operational immediately upon binary download facilitates easier initiation of scans.
"},{"location":"community/principles/#no-setup-required","title":"No Setup Required","text":"Trivy must be ready to use immediately after installation. It's unacceptable for Trivy not to function without setting up a database or writing configuration files by default. Such setups should only be necessary for users requiring specific customizations.
Security often isn't a top priority for many organizations and can be easily deferred. Trivy aims to lower the barrier to entry by simplifying the setup process, making it easier for users to start securing their projects.
"},{"location":"community/principles/#security-focus","title":"Security Focus","text":"Trivy prioritizes the identification of security issues, excluding features unrelated to security, such as performance metrics or content listings of container images. It can, however, produce and output intermediate representations like SBOMs for comprehensive security assessments.
Trivy serves as a tool with opinions on security, used to warn users about potential issues.
"},{"location":"community/principles/#detecting-unintended-states","title":"Detecting Unintended States","text":"Trivy is designed to detect unintended vulnerable states in projects, such as the use of vulnerable versions of dependencies or misconfigurations in Infrastructure as Code (IaC) that may unintentionally expose servers to the internet. The focus is on identifying developer mistakes or undesirable states, not on detecting intentional attacks, such as malicious images and malware.
"},{"location":"community/principles/#out-of-scope-features","title":"Out of Scope Features","text":"Aqua Security offers a premium version with several features not available in the open-source Trivy project. While detailed information can be found here, it's beneficial to highlight specific functionalities frequently inquired about:
"},{"location":"community/principles/#runtime-security","title":"Runtime Security","text":"As mentioned in the Core Principles, Trivy is a static analysis security scanner, making runtime security outside its scope. Runtime security needs are addressed by Tracee or the commercial version of Aqua Security.
"},{"location":"community/principles/#intentional-attacks","title":"Intentional Attacks","text":"As mentioned in the Core Principles, detection of intentional attacks, such as malware or malicious container images, is not covered by Trivy and is supported in the commercial version.
"},{"location":"community/principles/#user-interface","title":"User Interface","text":"Trivy primarily operates via CLI for displaying results, with a richer UI available in the commercial version.
"},{"location":"community/contribute/discussion/","title":"Discussions","text":"Thank you for taking interest in contributing to Trivy!
Trivy uses GitHub Discussion for bug reports, feature requests, and questions. If maintainers decide to accept a new feature or confirm that it is a bug, they will close the discussion and create a GitHub Issue associated with that discussion.
- Feel free to open discussions for any reason. When you open a new discussion, you'll have to select a discussion category as described below.
- Please spend a small amount of time giving due diligence to the issue/discussion tracker. Your discussion might be a duplicate. If it is, please add your comment to the existing issue/discussion.
- Remember that users might search for your issue/discussion in the future, so please give it a meaningful title to help others.
- The issue should clearly explain the reason for opening, the proposal if you have any, and any relevant technical information.
There are 4 categories:
- \ud83d\udca1 Ideas
- Share ideas for new features
- \ud83d\udd0e False Detection
- Report false positives/negatives
- \ud83d\udc1b Bugs
- Report something that is not working as expected
- \ud83d\ude4f Q&A
- Ask the community for help
Note
If you find any false positives or false negatives, please make sure to report them under the \"False Detection\" category, not \"Bugs\".
"},{"location":"community/contribute/discussion/#false-detection","title":"False detection","text":"Trivy depends on multiple data sources. Sometime these databases contain mistakes.
If Trivy can't detect any CVE-IDs or shows false positive result, at first please follow the next steps:
- Run Trivy with
-f json that shows data sources. - According to the shown data source, make sure that the security advisory in the data source is correct.
If the data source is correct and Trivy shows wrong results, please raise an issue on Trivy.
"},{"location":"community/contribute/discussion/#github-advisory-database","title":"GitHub Advisory Database","text":"Visit here and search CVE-ID.
If you find a problem, it'll be nice to fix it: How to contribute to a GitHub security advisory
"},{"location":"community/contribute/discussion/#gitlab-advisory-database","title":"GitLab Advisory Database","text":"Visit here and search CVE-ID.
If you find a problem, it'll be nice to fix it: Create an issue to GitLab Advisory Database
"},{"location":"community/contribute/discussion/#red-hat-cve-database","title":"Red Hat CVE Database","text":"Visit here and search CVE-ID.
"},{"location":"community/contribute/issue/","title":"Issues","text":"Thank you for taking interest in contributing to Trivy!
Trivy uses GitHub Discussion for bug reports, feature requests, and questions.
Warning
Issues created by non-maintainers will be immediately closed.
"},{"location":"community/contribute/pr/","title":"Pull Requests","text":"Thank you for taking interest in contributing to Trivy!
- Every Pull Request should have an associated GitHub issue link in the PR description. Note that issues are created by Trivy maintainers based on feedback provided in a GitHub discussion. Please refer to the issue and discussion pages for explanation about this process. If you think your change is trivial enough, you can skip the issue and instead add justification and explanation in the PR description.
- Your PR is more likely to be accepted if it focuses on just one change.
- There's no need to add or tag reviewers.
- If a reviewer commented on your code or asked for changes, please remember to respond with a comment. Do not mark the discussion as resolved. It's up to the reviewer to mark it resolved (in case the suggested fix addresses the problem properly). PRs with unresolved issues should not be merged (even if the comment is unclear or requires no action from your side).
- Please include a comment with the results before and after your change.
- Your PR is more likely to be accepted if it includes tests (We have not historically been very strict about tests, but we would like to improve this!).
- If your PR affects the user experience in some way, please update the README.md and the CLI help accordingly.
"},{"location":"community/contribute/pr/#development","title":"Development","text":"Install the necessary tools for development by following their respective installation instructions.
- Go
- Mage
"},{"location":"community/contribute/pr/#build","title":"Build","text":"After making changes to the Go source code, build the project with the following command:
$ mage build\n$ ./trivy -h\n
"},{"location":"community/contribute/pr/#lint","title":"Lint","text":"You must pass the linter checks:
$ mage lint:run\n
Additionally, you need to have run go mod tidy, so execute the following command as well:
$ mage tidy\n
To autofix linters use the following command:
$ mage lint:fix\n
"},{"location":"community/contribute/pr/#unit-tests","title":"Unit tests","text":"Your PR must pass all the unit tests. You can test it as below.
$ mage test:unit\n
"},{"location":"community/contribute/pr/#integration-tests","title":"Integration tests","text":"Your PR must pass all the integration tests. You can test it as below.
$ mage test:integration\n
"},{"location":"community/contribute/pr/#protocol-buffers","title":"Protocol Buffers","text":"If you update protobuf files (.proto), you need to regenerate the Go code:
$ mage protoc:generate\n
You can also format and lint protobuf files:
$ mage protoc:fmt # Format protobuf files\n$ mage protoc:lint # Lint protobuf files\n$ mage protoc:breaking # Check for breaking changes against main branch\n
"},{"location":"community/contribute/pr/#documentation","title":"Documentation","text":"If you update CLI flags, you need to generate the CLI references. The test will fail if they are not up-to-date.
$ mage docs:generate\n
You can build the documents as below and view it at http://localhost:8000.
$ mage docs:serve\n
"},{"location":"community/contribute/pr/#title","title":"Title","text":"It is not that strict, but we use the title conventions in this repository. Each commit message doesn't have to follow the conventions as long as it is clear and descriptive since it will be squashed and merged.
"},{"location":"community/contribute/pr/#format-of-the-title","title":"Format of the title","text":"<type>(<scope>): <subject>\n
The type and scope should always be lowercase as shown below.
Allowed <type> values:
- feat for a new feature for the user, not a new feature for build script. Such commit will trigger a release bumping a MINOR version.
- fix for a bug fix for the user, not a fix to a build script. Such commit will trigger a release bumping a PATCH version.
- perf for performance improvements. Such commit will trigger a release bumping a PATCH version.
- docs for changes to the documentation.
- style for formatting changes, missing semicolons, etc.
- refactor for refactoring production code, e.g. renaming a variable.
- test for adding missing tests, refactoring tests; no production code change.
- build for updating build configuration, development tools or other changes irrelevant to the user.
- chore for updates that do not apply to the above, such as dependency updates.
- ci for changes to CI configuration files and scripts
- revert for revert to a previous commit
Allowed <scope> values:
checks:
- vuln
- misconf
- secret
- license
mode:
- image
- fs
- repo
- sbom
- k8s
- server
- aws
- vm
- plugin
os:
- alpine
- redhat
- alma
- rocky
- azure
- oracle
- debian
- ubuntu
- amazon
- suse
- photon
- distroless
language:
- ruby
- php
- python
- nodejs
- rust
- dotnet
- java
- go
- elixir
- dart
- julia
vuln:
- os
- lang
config:
- kubernetes
- dockerfile
- terraform
- cloudformation
container
- docker
- podman
- containerd
- oci
cli:
- cli
- flag
SBOM:
- cyclonedx
- spdx
- purl
others:
- helm
- report
- db
- parser
- deps
The <scope> can be empty (e.g. if the change is a global or difficult to assign to a single component), in which case the parentheses are omitted.
Breaking changes
A PR, introducing a breaking API change, needs to append a ! after the type/scope.
"},{"location":"community/contribute/pr/#example-titles","title":"Example titles","text":"feat(alma): add support for AlmaLinux\n
feat(vuln)!: delete the existing CLI flag\n
fix(oracle): handle advisories with ksplice versions\n
docs(misconf): add comparison with Conftest and TFsec\n
chore(deps): bump go.uber.org/zap from 1.19.1 to 1.20.0\n
NOTE: please do not use chore(deps): update fanal and something like that if you add new features or fix bugs in Trivy-related projects. The PR title should describe what the PR adds or fixes even though it just updates the dependency in Trivy.
"},{"location":"community/contribute/pr/#commits","title":"Commits","text":""},{"location":"community/contribute/pr/#understand-where-your-pull-request-belongs","title":"Understand where your pull request belongs","text":"Trivy is composed of several repositories that work together:
- Trivy is the client-side, user-facing, command line tool.
- vuln-list is a vulnerability database, aggregated from different sources, and normalized for easy consumption. Think of this as the \"server\" side of the trivy command line tool. There should be no pull requests to this repo
- vuln-list-update is the code that maintains the vuln-list database.
- trivy-db maintains the vulnerability database pulled by Trivy CLI.
- go-dep-parser is a library for parsing lock files such as package-lock.json and Gemfile.lock.
"},{"location":"community/contribute/checks/overview/","title":"Contribute Rego Checks","text":"The following guide provides an overview of contributing checks to the default checks in Trivy.
All of the checks in Trivy can be found in the trivy-checks repository on GitHub. Before you begin writing a check, ensure that:
- The check does not already exist among the default checks in the trivy-checks repository.
- No open pull request in the trivy-checks repository is already contributing the check you want to add.
- You have looked at the issues in Trivy to see whether any specific checks are missing that you could contribute.
If anything is unclear, please start a discussion and we will do our best to help.
"},{"location":"community/contribute/checks/overview/#check-structure","title":"Check structure","text":"Checks are written in Rego and follow a particular structure in Trivy. Below is an example check for AWS:
# METADATA\n# title: \"RDS IAM Database Authentication Disabled\"\n# description: \"Ensure IAM Database Authentication is enabled for RDS database instances to manage database access\"\n# scope: package\n# schemas:\n# - input: schema[\"aws\"]\n# related_resources:\n# - https://docs.aws.amazon.com/neptune/latest/userguide/iam-auth.html\n# custom:\n# id: AVD-AWS-0176\n# avd_id: AVD-AWS-0176\n# provider: aws\n# service: rds\n# severity: MEDIUM\n# short_code: enable-iam-auth\n# recommended_action: \"Modify the PostgreSQL and MySQL type RDS instances to enable IAM database authentication.\"\n# input:\n# selector:\n# - type: cloud\n# subtypes:\n# - service: rds\n# provider: aws\n\npackage builtin.aws.rds.aws0176\n\ndeny[res] {\n instance := input.aws.rds.instances[_]\n instance.engine.value == [\"postgres\", \"mysql\"][_]\n not instance.iamauthenabled.value\n res := result.new(\"Instance does not have IAM Authentication enabled\", instance.iamauthenabled)\n}\n
"},{"location":"community/contribute/checks/overview/#verify-the-provider-and-service-exists","title":"Verify the provider and service exists","text":"Every check for a cloud service references a cloud provider. The list of providers is found in the Trivy repository.
Before writing a new check for a cloud provider, verify that the cloud provider and the resource type your check targets are supported by Trivy. If they are not, you'll need to add support first. Even when the provider exists, check whether the specific service your check targets is supported. As a reference you can take a look at the AWS provider here.
Note New Kubernetes and Dockerfile checks do not require any additional provider definitions. You can find an example of a Dockerfile check here and a Kubernetes check here.
"},{"location":"community/contribute/checks/overview/#add-support-for-a-new-service-in-an-existing-provider","title":"Add Support for a New Service in an existing Provider","text":"Please reference the documentation on adding Support for a New Service.
This guide also showcases how to add new properties for an existing Service.
"},{"location":"community/contribute/checks/overview/#create-a-new-rego-file","title":"Create a new .rego file","text":"The following directory in the trivy-checks repository contains all of the built-in checks. Depending on what type of check you want to create, nest a new .rego file in one of the subdirectories:
- cloud: All checks related to cloud providers and their services
- docker: Docker specific checks
- kubernetes: Kubernetes specific checks
"},{"location":"community/contribute/checks/overview/#check-package-name","title":"Check Package name","text":"Have a look at the existing package names in the built in checks.
The package name should be in the format builtin.PROVIDER.SERVICE.ID, e.g. builtin.aws.rds.aws0176.
"},{"location":"community/contribute/checks/overview/#generating-an-id","title":"Generating an ID","text":"Every check has a custom ID that is referenced throughout the metadata of the check to uniquely identify the check. If you plan to contribute your check back into the trivy-checks repository, it will require a valid ID.
Running make id in the root of the trivy-checks repository will provide you with the next available ID for your rule.
"},{"location":"community/contribute/checks/overview/#check-schemas","title":"Check Schemas","text":"Rego checks for Trivy can use schemas to map the input to specific objects. The available schemas are listed here.
More information on using the builtin schemas is provided in the main documentation.
"},{"location":"community/contribute/checks/overview/#check-metadata","title":"Check Metadata","text":"The metadata is the top section that starts with # METADATA and must be placed at the top of the check. You can copy and paste from another check as a starting point. The format is effectively YAML inside a Rego comment and is defined as part of Rego itself.
For detailed information on each component of the Check Metadata, please refer to the main documentation.
Note that while the Metadata is optional in your own custom checks for Trivy, if you are contributing your check to the Trivy builtin checks, the Metadata section will be required.
"},{"location":"community/contribute/checks/overview/#writing-rego-rules","title":"Writing Rego Rules","text":"Rules are defined using OPA Rego. You can find a number of examples in the checks directory (Link). The OPA documentation is a great place to start learning Rego. You can also check out the Rego Playground to experiment with Rego, and join the OPA Slack.
deny[res] {\n instance := input.aws.rds.instances[_]\n instance.engine.value == [\"postgres\", \"mysql\"][_]\n not instance.iamauthenabled.value\n res := result.new(\"Instance does not have IAM Authentication enabled\", instance.iamauthenabled)\n}\n
The rule should return a result, which can be created using result.new. This function does not need to be imported, it is defined internally and provided at runtime. The first argument is the message to display and the second argument is the resource that the issue was detected on.
It is possible to pass any rego variable that references a field of the input document.
"},{"location":"community/contribute/checks/overview/#generate-docs","title":"Generate docs","text":"Finally, you'll want to generate documentation for your newly added rule. Please run make docs in the trivy-checks directory to generate the documentation for your new policy and submit a PR for us to take a look at.
"},{"location":"community/contribute/checks/overview/#adding-tests","title":"Adding Tests","text":"All Rego checks need to have tests. There are many examples of these in the checks directory for each check (Link). More information on how to write tests for Rego checks is provided in the custom misconfiguration section of the docs.
"},{"location":"community/contribute/checks/overview/#example-pr","title":"Example PR","text":"You can see a full example PR for a new rule being added here: https://github.com/aquasecurity/defsec/pull/1000.
"},{"location":"community/contribute/checks/service-support/","title":"Add Service Support","text":"A service here means a service offered by a cloud provider. This section details how to add a new service to an existing provider. All contributions need to be made to the trivy repository.
"},{"location":"community/contribute/checks/service-support/#prerequisites","title":"Prerequisites","text":"Before you begin, verify that the provider does not already have the service that you plan to add.
"},{"location":"community/contribute/checks/service-support/#adding-a-new-service-to-an-existing-provider","title":"Adding a new service to an existing provider","text":"Adding a new service involves two steps. The service needs a data structure to hold the information about the resources that will be scanned. Additionally, the service requires one or more adapters that convert the scan targets (the inputs) into that data structure.
"},{"location":"community/contribute/checks/service-support/#create-a-new-file-in-the-provider-directory","title":"Create a new file in the provider directory","text":"In this example, we are adding the CodeBuild service to the AWS provider.
First, create a new directory and file for your new service under the provider directory: e.g. aws/codebuild/codebuild.go
The CodeBuild service will require a struct to hold the information on the input that is scanned. The input is the CodeBuild resource that a user configured and wants to scan for misconfiguration.
type CodeBuild struct {\n Projects []Project\n}\n
The CodeBuild service manages Project resources. The Project struct holds the information about each Project; Projects in turn manage ArtifactSettings:
type Project struct {\n Metadata iacTypes.Metadata\n ArtifactSettings ArtifactSettings\n SecondaryArtifactSettings []ArtifactSettings\n}\n\ntype ArtifactSettings struct {\n Metadata iacTypes.Metadata\n EncryptionEnabled iacTypes.BoolValue\n}\n
The iacTypes.Metadata struct is embedded in all of the Trivy types and provides a common set of metadata for all resources. This includes the file and line number where the resource was defined and the name of the resource.
A resource in this example, a Project, has a name and can optionally be encrypted. Instead of raw string and bool types, the Trivy types iacTypes.Metadata and iacTypes.BoolValue are used. These types wrap the raw values and provide additional metadata about the value, for instance whether it was set explicitly by the user and the file and line number where the resource was defined.
Have a look at the other providers and services in the iac/providers directory in Trivy.
Next you'll need to add a reference to your new service struct in the provider struct at pkg/iac/providers/aws/aws.go:
type AWS struct {\n ...\n CodeBuild codebuild.CodeBuild\n ...\n}\n
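The Rego check shown earlier reads fields such as instance.iamauthenabled.value because every wrapped Trivy type serialises as an object carrying the value plus its metadata. The following is an added, self-contained Go example (not Trivy's own code) that rebuilds the CodeBuild structs above on top of minimal stand-ins for iacTypes.Metadata and iacTypes.BoolValue, then runs the Go equivalent of a deny rule over them. The stand-in types, their JSON tags, the Explicit flag and the sample data are assumptions made for the example; the real Trivy types and their Rego serialisation differ in detail.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Metadata is a stand-in for iacTypes.Metadata (assumption: the real type carries
// more fields; file, line range and resource name are what a finding needs).
type Metadata struct {
	File      string `json:"filepath"`
	StartLine int    `json:"startline"`
	EndLine   int    `json:"endline"`
	Resource  string `json:"resource"`
	Explicit  bool   `json:"explicit"` // true when the user wrote the value, false when the adapter defaulted it
}

// BoolValue is a stand-in for iacTypes.BoolValue: the raw bool plus where it came from.
// Marshalling it yields {"value": ..., "filepath": ..., ...}, which is why a Rego
// check reads x.encryptionenabled.value rather than x.encryptionenabled.
type BoolValue struct {
	Value bool `json:"value"`
	Metadata
}

func Bool(v bool, m Metadata) BoolValue {
	m.Explicit = true
	return BoolValue{Value: v, Metadata: m}
}

func BoolDefault(v bool, m Metadata) BoolValue {
	m.Explicit = false
	return BoolValue{Value: v, Metadata: m}
}

// The service structs from the text, with JSON tags matching the lower-cased names a
// Rego check addresses (assumption: Trivy derives the Rego input differently).
type ArtifactSettings struct {
	Metadata          Metadata  `json:"metadata"`
	EncryptionEnabled BoolValue `json:"encryptionenabled"`
}

type Project struct {
	Metadata                  Metadata           `json:"metadata"`
	ArtifactSettings          ArtifactSettings   `json:"artifactsettings"`
	SecondaryArtifactSettings []ArtifactSettings `json:"secondaryartifactsettings"`
}

type CodeBuild struct {
	Projects []Project `json:"projects"`
}

// Finding is what a check reports: a message plus the location of the offending value.
type Finding struct {
	Message string
	File    string
	Line    int
}

// UnencryptedArtifacts is the Go twin of a Rego deny rule over this service: it walks
// every artifact setting (primary and secondary) and reports those with encryption off.
// Because the value is wrapped, the finding points at the exact line, and an adapter
// default is reported differently from a value the user explicitly wrote.
func UnencryptedArtifacts(cb CodeBuild) []Finding {
	var out []Finding
	for _, p := range cb.Projects {
		all := append([]ArtifactSettings{p.ArtifactSettings}, p.SecondaryArtifactSettings...)
		for _, a := range all {
			if a.EncryptionEnabled.Value {
				continue
			}
			msg := "Artifact encryption is explicitly disabled"
			if !a.EncryptionEnabled.Explicit {
				msg = "Artifact encryption is not configured (defaults to disabled)"
			}
			out = append(out, Finding{Message: msg, File: a.EncryptionEnabled.File, Line: a.EncryptionEnabled.StartLine})
		}
	}
	return out
}

// RegoInput renders the shape a check would see under input.aws.codebuild (plain
// json.Marshal here; Trivy converts provider structs to Rego input its own way).
func RegoInput(cb CodeBuild) (string, error) {
	b, err := json.Marshal(map[string]any{"aws": map[string]any{"codebuild": cb}})
	return string(b), err
}

// sampleCodeBuild is constructed as if a Terraform adapter had produced it from main.tf.
func sampleCodeBuild() CodeBuild {
	loc := func(line int) Metadata { return Metadata{File: "main.tf", StartLine: line, EndLine: line} }
	return CodeBuild{Projects: []Project{{
		Metadata:         Metadata{File: "main.tf", StartLine: 1, EndLine: 20, Resource: "aws_codebuild_project.app"},
		ArtifactSettings: ArtifactSettings{EncryptionEnabled: Bool(false, loc(7))},
		SecondaryArtifactSettings: []ArtifactSettings{
			{EncryptionEnabled: Bool(true, loc(12))},
			{EncryptionEnabled: BoolDefault(false, loc(15))},
		},
	}}}
}

func main() {
	for _, f := range UnencryptedArtifacts(sampleCodeBuild()) {
		fmt.Printf("%s:%d: %s\n", f.File, f.Line, f.Message)
	}
}
```

Running it reports main.tf:7 (explicitly disabled) and main.tf:15 (never configured) and skips the encrypted secondary artifact; the distinction between the two messages is only possible because the adapter records provenance in the wrapper instead of handing the check a bare bool.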
"},{"location":"community/contribute/checks/service-support/#update-adapters","title":"Update Adapters","text":"Now you'll need to update all of the adapters which populate the struct of the provider that you have been using. Following the example above, if you want to add support for CodeBuild in Terraform, you'll need to update the Terraform AWS adapter as shown here: trivy/pkg/iac/adapters/terraform/aws/codebuild/adapt.go.
Another example for updating the adapters is provided in the following PR. Additionally, please refer to the respective Terraform documentation on the provider to which you are adding the service. For instance, the Terraform documentation for AWS CodeBuild is provided here.
"},{"location":"community/contribute/checks/service-support/#create-a-new-schema-for-your-provider","title":"Create a new Schema for your provider","text":"Once the new service has been added to the provider, you need to create the schema for the service as part of the provider schema.
This process has been automated with mage commands. In the Trivy root directory run mage schema:generate to generate the schema for your new service, then mage schema:verify to verify it.
"},{"location":"community/contribute/vulnerability-database/add-vulnerability-source/","title":"Add Vulnerability Advisory Source","text":"This guide walks through the process of adding a new vulnerability advisory source to Trivy.
Info
For an overview of how Trivy's vulnerability database works, see the Overview page.
"},{"location":"community/contribute/vulnerability-database/add-vulnerability-source/#prerequisites","title":"Prerequisites","text":"Before starting, ensure you have:
- Identified the upstream advisory source and its API/format
- Checked that the data source doesn't already exist in Trivy
- Created a GitHub discussion or issue to discuss the addition
"},{"location":"community/contribute/vulnerability-database/add-vulnerability-source/#required-changes","title":"Required Changes","text":"To add a new vulnerability advisory source, you'll need to make changes across three repositories. Below we'll use the Echo OS support as an example.
"},{"location":"community/contribute/vulnerability-database/add-vulnerability-source/#step-1-add-fetcher-script-vuln-list-update","title":"Step 1: Add Fetcher Script (vuln-list-update)","text":"Note
Skip this step if your advisory source is already managed in a Git repository (e.g., GitHub, GitLab).
Create a fetcher script in vuln-list-update to collect advisories from the upstream source.
Key tasks:
- Fetch advisories from the upstream API or source
- Validate the advisory format and data
- Save advisories as JSON files in the vuln-list directory structure
- Store original data as-is where possible: Avoid preprocessing or modifying advisory fields. Save the raw data exactly as provided by the upstream source (format conversion like YAML to JSON is acceptable for consistency)
- Include all necessary metadata (CVE ID, affected versions, severity, etc.)
Example PR:
- feat(echo): Add Echo Support (vuln-list-update#350)
"},{"location":"community/contribute/vulnerability-database/add-vulnerability-source/#step-2-add-parser-trivy-db","title":"Step 2: Add Parser (trivy-db)","text":"Create a parser in trivy-db to transform raw advisories into Trivy's database format.
Key tasks:
- Create a new vulnerability source in pkg/vulnsrc/
- Implement the advisory parsing logic
- Map advisory fields to Trivy's vulnerability schema
- Handle version ranges and affected packages correctly
- Store CVE mappings if available
- Add unit tests for the parser
Example PR:
- feat(echo): Add Echo Support (trivy-db#528)
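The parser step is where most data-quality problems surface: vendor IDs versus CVE IDs, packages with no fix yet, severity spelled differently per vendor, and the occasional malformed record. The following is an added Go example (not trivy-db's code, which has its own vulnsrc interfaces and BoltDB layer) showing those decisions for a hypothetical "exampleos" source. The feed format, the EXOS-* IDs and the sample records are constructed for this example and are not the Echo format or any real upstream's.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// sampleRaw is a constructed feed for a hypothetical "exampleos" source. The four
// records exercise: CVE mapping, an unfixed package, vendor-only ID with odd
// severity spelling, an advisory with no packages, and a record missing its id.
const sampleRaw = `{"advisories": [
  {"id": "EXOS-2024-0001", "cve": "CVE-2024-0001", "severity": "High",
   "packages": [{"name": "openssl", "fixed_version": "3.0.13-1"}, {"name": "libssl3", "fixed_version": ""}]},
  {"id": "EXOS-2024-0002", "severity": " critical ", "packages": [{"name": "curl", "fixed_version": "8.5.0-1"}]},
  {"id": "EXOS-2024-0003", "severity": "low", "packages": []},
  {"severity": "medium", "packages": [{"name": "zlib", "fixed_version": "1.3-1"}]}
]}`

// rawAdvisory mirrors the upstream JSON field for field; nothing is pre-processed,
// matching the rule that vuln-list stores original data as-is.
type rawAdvisory struct {
	ID       string `json:"id"`
	CVE      string `json:"cve"`
	Severity string `json:"severity"`
	Packages []struct {
		Name         string `json:"name"`
		FixedVersion string `json:"fixed_version"`
	} `json:"packages"`
}

type Severity int

const (
	SeverityUnknown Severity = iota
	SeverityLow
	SeverityMedium
	SeverityHigh
	SeverityCritical
)

// Advisory is one row in a trivy-db-like shape: keyed by package and vulnerability ID.
type Advisory struct {
	VulnerabilityID string   // CVE ID when the upstream maps one, otherwise the vendor ID
	VendorID        string   // kept so the vendor ID -> CVE mapping survives
	PkgName         string
	FixedVersion    string   // "" means no fix yet; the package is still affected
	Severity        Severity
}

// parseSeverity normalises vendor wording; unrecognised values become UNKNOWN, not an error.
func parseSeverity(s string) Severity {
	switch strings.ToLower(strings.TrimSpace(s)) {
	case "low":
		return SeverityLow
	case "medium", "moderate":
		return SeverityMedium
	case "high":
		return SeverityHigh
	case "critical":
		return SeverityCritical
	}
	return SeverityUnknown
}

// ParseAdvisories converts the raw feed into rows. Malformed advisories are skipped and
// returned as errors so one bad upstream record cannot poison the build, while the
// caller can still fail the build when errs is non-empty.
func ParseAdvisories(raw []byte) ([]Advisory, []error) {
	var doc struct {
		Advisories []rawAdvisory `json:"advisories"`
	}
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, []error{fmt.Errorf("decode feed: %w", err)}
	}
	var out []Advisory
	var errs []error
	for _, a := range doc.Advisories {
		if a.ID == "" {
			errs = append(errs, errors.New("advisory without id"))
			continue
		}
		if len(a.Packages) == 0 {
			errs = append(errs, fmt.Errorf("%s: no affected packages", a.ID))
			continue
		}
		vulnID := a.ID
		if strings.HasPrefix(a.CVE, "CVE-") { // prefer the CVE so cross-source dedup works
			vulnID = a.CVE
		}
		for _, p := range a.Packages {
			if p.Name == "" {
				errs = append(errs, fmt.Errorf("%s: package without name", a.ID))
				continue
			}
			out = append(out, Advisory{VulnerabilityID: vulnID, VendorID: a.ID, PkgName: p.Name,
				FixedVersion: p.FixedVersion, Severity: parseSeverity(a.Severity)})
		}
	}
	return out, errs
}

func main() {
	advs, errs := ParseAdvisories([]byte(sampleRaw))
	for _, a := range advs {
		fmt.Printf("%-14s %-8s fixed=%q severity=%d\n", a.VulnerabilityID, a.PkgName, a.FixedVersion, a.Severity)
	}
	for _, err := range errs {
		fmt.Println("skipped:", err)
	}
}
```

The empty FixedVersion on libssl3 is deliberately kept as a row rather than dropped: an advisory with no fix means every installed version is affected, and silently omitting it would hide the vulnerability from scans.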
"},{"location":"community/contribute/vulnerability-database/add-vulnerability-source/#step-3-add-osecosystem-support-trivy","title":"Step 3: Add OS/Ecosystem Support (Trivy)","text":"Update trivy to support the new operating system or package ecosystem.
Key tasks:
- Add OS analyzer in pkg/fanal/analyzer/os/ to detect the OS
- Implement vulnerability detection logic if special handling is needed
- Add integration tests with test data
- Update documentation to include the new data source
Example PR:
- feat(echo): Add Echo Support (trivy#8833)
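The OS analyzer decides which advisory stream a scan target is matched against, so it must claim only the distribution it owns and must recover the release precisely. The following is an added Go example (not Trivy's analyzer, which also registers with pkg/fanal's analyzer framework) of the detection half for a hypothetical "exampleos" family. The family name and the three os-release files are constructed for this example.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strings"
)

// Constructed /etc/os-release contents for the three cases the analyzer must get right.
const (
	sampleExampleOS = "NAME=\"Example OS\"\nID=exampleos\nVERSION_ID=\"2.1\"\nPRETTY_NAME='Example OS 2.1'\n"
	sampleAlpine    = "ID=alpine\nVERSION_ID=3.19.1\n"
	sampleNoVersion = "# VERSION_ID stripped by the image build\nID=exampleos\n"
)

// Family is the hypothetical source this analyzer owns; it must match the key the
// trivy-db parser for the same source writes its advisories under.
const Family = "exampleos"

// OS is the analyzer's result: the family that selects a trivy-db source, and the release.
type OS struct {
	Family string
	Name   string
}

// parseOSRelease reads KEY=VALUE lines as in /etc/os-release: blank lines and comments
// are skipped, values may be wrapped in single or double quotes, later keys win.
func parseOSRelease(content string) map[string]string {
	kv := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		k, v, ok := strings.Cut(line, "=")
		if !ok {
			continue
		}
		v = strings.TrimSpace(v)
		if len(v) >= 2 && (v[0] == '"' || v[0] == '\'') && v[len(v)-1] == v[0] {
			v = v[1 : len(v)-1]
		}
		kv[strings.TrimSpace(k)] = v
	}
	return kv
}

// DetectOS claims the file only when ID matches exactly. ID_LIKE is deliberately ignored:
// a derivative declaring ID_LIKE=exampleos does not ship exampleos's packages or patch
// schedule, so matching on it would attach the wrong advisory stream and yield false
// results. A missing VERSION_ID is also an error, because advisories are keyed by release.
func DetectOS(content string) (OS, error) {
	kv := parseOSRelease(content)
	if kv["ID"] != Family {
		return OS{}, fmt.Errorf("not %s (ID=%q)", Family, kv["ID"])
	}
	ver := kv["VERSION_ID"]
	if ver == "" {
		return OS{}, errors.New("VERSION_ID missing; cannot select an advisory stream")
	}
	return OS{Family: Family, Name: ver}, nil
}

func main() {
	for _, c := range []string{sampleExampleOS, sampleAlpine, sampleNoVersion} {
		if detected, err := DetectOS(c); err != nil {
			fmt.Println("skip:", err)
		} else {
			fmt.Printf("detected %s %s\n", detected.Family, detected.Name)
		}
	}
}
```

Returning an error for foreign distributions is what lets the other OS analyzers (alpine, debian, ...) take their turn; an analyzer that claims everything it is handed would shadow them.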
"},{"location":"community/contribute/vulnerability-database/add-vulnerability-source/#complete-example-echo-os-support","title":"Complete Example: Echo OS Support","text":"The Echo OS support was added through three coordinated PRs:
- vuln-list-update: Fetches Echo advisories from https://advisory.echohq.com/data.json
- PR: https://github.com/aquasecurity/vuln-list-update/pull/350
- trivy-db: Parses Echo advisories and stores them in the database
- PR: https://github.com/aquasecurity/trivy-db/pull/528
- Trivy: Detects Echo OS and scans for vulnerabilities
- PR: https://github.com/aquasecurity/trivy/pull/8833
"},{"location":"community/contribute/vulnerability-database/add-vulnerability-source/#testing-your-changes","title":"Testing Your Changes","text":""},{"location":"community/contribute/vulnerability-database/add-vulnerability-source/#test-vuln-list-update","title":"Test vuln-list-update","text":"First, fetch all existing advisories (required for building the database):
cd vuln-list-update\ngo run main.go -vuln-list-dir /path/to/vuln-list\n
Then, test your new data source by fetching only your target:
go run main.go -target your-source -vuln-list-dir /path/to/vuln-list\n
Verify that advisories are correctly saved in the vuln-list directory.
"},{"location":"community/contribute/vulnerability-database/add-vulnerability-source/#test-trivy-db","title":"Test trivy-db","text":"cd trivy-db\nmake db-build CACHE_DIR=/path/to/cache\n
Check that the database is built without errors and contains your advisories.
Note
The CACHE_DIR should point to the parent directory of your vuln-list directory. For example, if your vuln-list is at /tmp/test/vuln-list, set CACHE_DIR=/tmp/test.
You can inspect the built database using BoltDB viewer tools like boltwiz:
# Open the database\nboltwiz out/trivy.db\n
This allows you to verify that your vulnerabilities are correctly stored in the database.
"},{"location":"community/contribute/vulnerability-database/add-vulnerability-source/#test-trivy","title":"Test Trivy","text":"# Build Trivy with your changes\nmage build\n\n# Use your local database\n./trivy image --skip-db-update --cache-dir /path/to/cache your-test-image\n
Verify that vulnerabilities from your new data source are detected correctly.
"},{"location":"community/contribute/vulnerability-database/add-vulnerability-source/#getting-help","title":"Getting Help","text":"If you have questions or need help:
- Check existing data sources for reference implementations
- Start a discussion in the Trivy repository
"},{"location":"community/contribute/vulnerability-database/overview/","title":"Vulnerability Data Sources","text":"This section explains how Trivy's vulnerability database works and how to contribute new advisory data sources.
"},{"location":"community/contribute/vulnerability-database/overview/#overview","title":"Overview","text":"Trivy's vulnerability database is built through a multi-repository workflow involving three main repositories:
graph LR\n A[Advisory Sources] -->|vuln-list-update| B[vuln-list]\n B --> C[\"trivy-db<br/>(Trivy DB)\"]\n C --> D[\"trivy<br/>(Trivy CLI)\"]\n E[GitHub-managed<br/>Advisories] --> C
"},{"location":"community/contribute/vulnerability-database/overview/#workflow-steps","title":"Workflow Steps","text":"- Advisory Collection (vuln-list-update)
  - Fetch raw advisories from upstream sources
  - Store them in vuln-list repository
  - Run periodically via cron to keep advisories up-to-date
  - This step can be skipped if advisories are already managed in a Git repository (e.g., GitHub Security Advisories)
- Database Build (trivy-db)
  - Parse advisories from vuln-list or directly from Git-managed sources
  - Transform them into Trivy's database format
  - Publish the built database periodically via cron
- Database Consumption (trivy)
  - Download the latest vulnerability database at scan time
  - Use it to detect vulnerabilities in scan targets
"},{"location":"community/contribute/vulnerability-database/overview/#why-store-advisories-in-vuln-list","title":"Why Store Advisories in vuln-list?","text":"For data sources that are not already Git-managed, storing advisories in the vuln-list repository provides several benefits:
- Transparency: Easy to track changes and differences between advisory versions
- Web UI: Browse advisories directly on GitHub with a user-friendly interface
- Stability: Mitigate issues when upstream advisory servers are unstable or unavailable
- Shareability: Provide stable URLs to reference specific advisories
- Data Quality: Validate advisory data before committing to vuln-list, preventing malformed data or unexpected format changes from breaking Trivy DB
- Historical Data: Preserve past advisories when upstream formats change
"},{"location":"community/contribute/vulnerability-database/overview/#repository-overview","title":"Repository Overview","text":""},{"location":"community/contribute/vulnerability-database/overview/#vuln-list-update","title":"vuln-list-update","text":"This repository contains scripts that fetch advisories from various upstream sources. Each data source has its own package that handles:
- Fetching advisories from APIs or web sources
- Validating the advisory format and data
- Saving them to the vuln-list repository
"},{"location":"community/contribute/vulnerability-database/overview/#vuln-list","title":"vuln-list","text":"This repository serves as a data storage for raw advisories fetched by vuln-list-update. Key characteristics:
- Contains raw advisory data in JSON format
- Updated automatically by vuln-list-update scripts via cron
- Not for manual contributions: Direct pull requests to this repository are not accepted
- Used as the source for trivy-db to build the vulnerability database
"},{"location":"community/contribute/vulnerability-database/overview/#trivy-db","title":"trivy-db","text":"This repository contains parsers that transform raw advisories into Trivy's database format. Each data source has its own vulnerability source handler that:
- Reads advisory files from vuln-list or directly from Git-managed sources (e.g., GitHub Security Advisories)
- Maps advisory fields to Trivy's schema
- Stores vulnerability information in the database
"},{"location":"community/contribute/vulnerability-database/overview/#trivy","title":"trivy","text":"The main Trivy repository contains:
- OS and package analyzers to detect what's installed
- Vulnerability detection logic
"},{"location":"community/contribute/vulnerability-database/overview/#next-steps","title":"Next Steps","text":"Ready to add a new vulnerability advisory source? See the Add Vulnerability Advisory Source guide for detailed steps.
"},{"location":"community/maintainer/backporting/","title":"Backporting Process","text":"This document outlines the backporting process for Trivy, including when to create patch releases and how to perform the backporting.
"},{"location":"community/maintainer/backporting/#when-to-create-patch-releases","title":"When to Create Patch Releases","text":"In general, small changes should not be backported and should be included in the next minor release. However, patch releases should be made in the following cases:
- Fixes for HIGH or CRITICAL vulnerabilities in Trivy itself or Trivy's dependencies
- Fixes for bugs that cause panic during Trivy execution or otherwise interfere with normal usage
In these cases, the fixes should be backported using the procedure described below. At the maintainer's discretion, other bug fixes may be included in the patch release containing these hotfixes.
"},{"location":"community/maintainer/backporting/#versioning","title":"Versioning","text":"Trivy follows Semantic Versioning, using version numbers in the format MAJOR.MINOR.PATCH. When creating a patch release, the PATCH part of the version number is incremented. For example, if a fix is being distributed for v0.50.0, the patch release would be v0.50.1.
"},{"location":"community/maintainer/backporting/#backporting-procedure","title":"Backporting Procedure","text":"- A release branch (e.g., release/v0.50) is automatically created when a new minor version is released.
- Create a pull request (PR) against the main branch with the necessary fixes. If the fixes are already merged into the main branch, skip this step.
- Once the PR with the fixes is merged, comment @aqua-bot backport <release-branch> on the PR (e.g., @aqua-bot backport release/v0.50). This will trigger the automated backporting process using GitHub Actions.
- The automated process will create a new PR with the backported changes. Ensure that all tests pass for this PR.
- Once the tests pass, merge the automatically created PR into the release branch.
- Merge a release PR on the release branch and release the patch version.
Note
A PR is created even if a conflict occurs (the conflicting changes are force-committed), in which case the conflict must be resolved manually in that PR. To re-run a backport of the same PR, close the existing backport PR, delete its branch and trigger the backport again.
"},{"location":"community/maintainer/backporting/#example","title":"Example","text":"To better understand the backporting procedure, let's walk through an example using the releases of v0.50.
gitGraph:\n commit id:\"Feature 1\"\n commit id:\"v0.50.0 release\" tag:\"v0.50.0\"\n\n branch \"release/v0.50\"\n\n checkout main\n commit id:\"Bugfix 1\"\n\n checkout \"release/v0.50\"\n cherry-pick id:\"Bugfix 1\"\n\n checkout main\n commit id:\"Feature 2\"\n commit id:\"Bugfix 2\"\n commit id:\"Feature 3\"\n\n checkout \"release/v0.50\"\n cherry-pick id:\"Bugfix 2\"\n commit id:\"v0.50.1 release\" tag:\"v0.50.1\"
"},{"location":"community/maintainer/help-wanted/","title":"Overview","text":"We use two labels help wanted and good first issue to identify issues that have been specially groomed for new contributors. The good first issue label is a subset of help wanted label, indicating that members have committed to providing extra assistance for new contributors. All good first issue items also have the help wanted label.
"},{"location":"community/maintainer/help-wanted/#help-wanted","title":"Help Wanted","text":"Items marked with the help wanted label need to ensure that they are:
- Low Barrier to Entry
It should be tractable for new contributors. Documentation on how that type of change should be made should already exist.
- Clear Task
The task is agreed upon and does not require further discussions in the community. Call out if that area of code is untested and requires new fixtures.
API / CLI behavior is decided and included in the OP issue, for example: \"The new command syntax is trivy --format yaml IMAGE_NAME\" with expected validations called out.
- Goldilocks priority
Not too high that a core contributor should do it, but not too low that it isn't useful enough for a core contributor to spend time to review it, answer questions, help get it into a release, etc.
- Up-To-Date
Issues often become obsolete: the work may already have been done, be no longer desired, no longer make sense, or have changed in priority or difficulty.
"},{"location":"community/maintainer/help-wanted/#good-first-issue","title":"Good First Issue","text":"Items marked with the good first issue label are intended for first-time contributors. It indicates that members will keep an eye out for these pull requests and shepherd them through our processes.
These items need to ensure that they follow the guidelines for help wanted labels (above) in addition to meeting the following criteria:
- No Barrier to Entry
The task is something that a new contributor can tackle without advanced setup, or domain knowledge.
- Solution Explained
The recommended solution is clearly described in the issue.
- Provides Context
If background knowledge is required, this should be explicitly mentioned and a list of suggested readings included.
- Gives Examples
Link to examples of similar implementations so new contributors have a reference guide for their changes.
- Identifies Relevant Code
The relevant code and tests to be changed should be linked in the issue.
- Ready to Test
There should be existing tests that can be modified, or existing test cases fit to be copied. If the area of code doesn't have tests, before labeling the issue, add a test fixture. This prep often makes a great help wanted task!
"},{"location":"community/maintainer/pr-review/","title":"Pull Request Review Policy","text":"This document outlines the review policy for pull requests in the Trivy project.
"},{"location":"community/maintainer/pr-review/#core-principles","title":"Core Principles","text":""},{"location":"community/maintainer/pr-review/#1-all-changes-through-pull-requests","title":"1. All Changes Through Pull Requests","text":"All changes to the main branch must be made through pull requests. Direct commits to main are not allowed.
"},{"location":"community/maintainer/pr-review/#2-required-approvals","title":"2. Required Approvals","text":"Every pull request requires approval from at least one CODEOWNER before merging.
For changes that span multiple domains (e.g., both vulnerability and misconfiguration scanning), approval from at least one code owner from each affected domain is required.
When a pull request is created by the only code owner of a domain, approval from any other maintainer is required.
When a code owner wants additional input from other owners or maintainers, they should comment requesting feedback and wait for others to approve before providing their own approval. This prevents accidental merging by the PR author.
"},{"location":"community/maintainer/pr-review/#3-merge-responsibility","title":"3. Merge Responsibility","text":" - General Rule: The pull request author should click the merge button after receiving required approvals
- Exception: For urgent fixes (hotfixes), a CODEOWNER may merge the PR directly
- External Contributors: Pull requests from external contributors should be merged by a CODEOWNER
"},{"location":"community/maintainer/release-flow/","title":"Release Flow","text":""},{"location":"community/maintainer/release-flow/#overview","title":"Overview","text":"Trivy adopts conventional commit messages, and Release Please automatically creates a release PR based on the messages of the merged commits. This release PR is automatically updated every time a new commit is added to the release branch.
If a commit has the prefix feat:, a PR is automatically created to increment the minor version, and if a commit has the prefix fix:, a PR is created to increment the patch version. When the PR is merged, GitHub Actions automatically creates a version tag and the release is performed. For detailed behavior, please refer to the GitHub Actions configuration.
Note
Commits with prefixes like chore or build are not considered releasable, and no release PR is created. To include such commits in a release, you need to either include commits with feat or fix prefixes or perform a manual release as described below.
Tip
It's a good idea to check if there are any outstanding vulnerability updates created by dependabot waiting for your review. They can be found in the \"Security\" tab of the repository. If there are any, please review and merge them before creating a release. This will help to ensure that the release includes the latest security patches.
"},{"location":"community/maintainer/release-flow/#flow","title":"Flow","text":"The release flow consists of the following main steps:
- Creating the release PR (automatically or manually)
- Drafting the release notes in GitHub Discussions
- Merging the release PR
- Updating the release notes in GitHub Discussions
- Navigating to the release notes in GitHub Releases page
"},{"location":"community/maintainer/release-flow/#automatic-release-pr-creation","title":"Automatic Release PR Creation","text":"When a releasable commit (a commit with feat or fix prefix) is merged, a release PR is automatically created. These Release PRs are kept up-to-date as additional work is merged. When it's ready to tag a release, simply merge the release PR. See the Release Please documentation for more information.
The title of the PR will be in the format release: v${version} [${branch}] (e.g., release: v0.51.0 [main]). The format of the PR title is important for identifying the release commit, so it should not be changed.
The release/vX.Y release branches are also subject to automatic release PR creation for patch releases. The PR title will be like release: v0.51.1 [release/v0.51].
"},{"location":"community/maintainer/release-flow/#manual-release-pr-creation","title":"Manual Release PR Creation","text":"If you want to release commits like chore, a release PR is not automatically created, so you need to manually trigger the creation of a release PR. The Release Please workflow supports workflow_dispatch and can be triggered manually. Click \"Run workflow\" in the top right corner and specify the release branch. In Trivy, the following branches are the release branches.
- main
- release/vX.Y (e.g. release/v0.51)
Specify the release version (without the v prefix) and click \"Run workflow\" to create a release PR for the specified version.
"},{"location":"community/maintainer/release-flow/#drafting-the-release-notes","title":"Drafting the Release Notes","text":"Next, create release notes for this version. Draft a new post in GitHub Discussions, and maintainers edit these release notes (e.g., https://github.com/aquasecurity/trivy/discussions/6605). Currently, the creation of this draft is done manually. For patch version updates, this step can be skipped since they only involve bug fixes.
"},{"location":"community/maintainer/release-flow/#merging-the-release-pr","title":"Merging the Release PR","text":"Once the draft of the release notes is complete, merge the release PR. When the PR is merged, a tag is automatically created, and GoReleaser releases binaries, container images, etc.
"},{"location":"community/maintainer/release-flow/#updating-the-release-notes","title":"Updating the Release Notes","text":"If the release completes without errors, a page for the release notes is created in GitHub Discussions (e.g., https://github.com/aquasecurity/trivy/discussions/6622). Copy the draft release notes, adjust the formatting, and finalize the release notes.
"},{"location":"community/maintainer/release-flow/#navigating-to-the-release-notes","title":"Navigating to the Release Notes","text":"To navigate to the release highlights and summary in GitHub Discussions, place a link in the GitHub Releases page as below:
## \u26a1Release highlights and summary\u26a1\n\n\ud83d\udc49 https://github.com/aquasecurity/trivy/discussions/6838\n\n## Changelog\nhttps://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0520-2024-06-03\n
Replace URLs with appropriate ones.
Example: https://github.com/aquasecurity/trivy/releases/tag/v0.52.0
"},{"location":"community/maintainer/release-flow/#merging-the-auto-generated-helm-chart-update-pr","title":"Merging the auto-generated Helm chart update PR","text":"Once the release PR is merged, there will be an auto-generated PR that bumps the Trivy version for the Trivy Helm Chart. An example can be seen here.
[!NOTE] It is possible that the release action takes a while to finish and the Helm chart action runs prior. In such a case the Helm chart action will fail as it will not be able to find the latest Trivy container image. In such a case, it is advised to manually restart the Helm chart action, once the release action is finished.
If things look good, approve and merge this PR to further trigger the publishing of the Helm Chart.
The release is now complete \ud83c\udf7b
"},{"location":"community/maintainer/triage/","title":"Triage","text":"Triage is an important part of maintaining the health of the trivy repo. A well organized repo allows maintainers to prioritize feature requests, fix bugs, and respond to users facing difficulty with the tool as quickly as possible.
Triage includes:
- Labeling issues
- Responding to issues
- Closing issues
"},{"location":"community/maintainer/triage/#daily-triage","title":"Daily Triage","text":"Daily triage has two goals:
- Responsiveness for new issues
- Responsiveness when explicitly requested information was provided
It covers:
- Issues without a
kind/ or triage/ label - Issues without a
priority/ label triage/needs-information issues which the user has followed up on, and now require a response.
"},{"location":"community/maintainer/triage/#categorization","title":"Categorization","text":"The most important level of categorizing the issue is defining what type it is. We typically want at least one of the following labels on every issue, and some issues may fall into multiple categories:
triage/support - The default for most incoming issues kind/bug - When it\u2019s a bug or we aren\u2019t delivering the best user experience
Other possibilities: - kind/feature- Identify new feature requests - kind/testing - Update or fix unit/integration tests - kind/cleanup - Cleaning up/refactoring the codebase - kind/documentation - Updates or additions to trivy documentation
If the issue is specific to a driver for OS packages or libraries:
co/[driver for OS packages]
co/alpine co/amazon co/debian co/oracle co/photon co/redhat co/suse co/ubuntu
co/[driver for libraries of programming languages]
co/bundler co/cargo co/composer co/npm co/yarn co/pipenv co/poetry
Help wanted?
Good First Issue - bug has a proposed solution, can be implemented w/o further discussion.
Help wanted - if the bug could use help from a contributor
"},{"location":"community/maintainer/triage/#prioritization","title":"Prioritization","text":"If the issue is not triage/support, it needs a priority label.
priority/critical-urgent - someones top priority ASAP, such as security issue, user-visible bug, or build breakage. Rarely used.
priority/important-soon: in time for the next two releases. It should be attached to a milestone.
priority/important-longterm: 2-4 releases from now
priority/backlog: agreed that this would be good to have, but no one is available at the moment. Consider tagging as help wanted
priority/awaiting-more-evidence: may be useful, but there is not yet enough support.
"},{"location":"community/maintainer/triage/#weekly-triage","title":"Weekly Triage","text":"Weekly triage has three goals:
- Catching up on unresponded issues
- Reviewing and closing PR\u2019s
- Closing stale issues
"},{"location":"community/maintainer/triage/#post-release-triage","title":"Post-Release Triage","text":"Post-release triage occurs after a major release (around every 4-6 weeks). It focuses on:
- Closing bugs that have been resolved by the release
- Reprioritizing bugs that have not been resolved by the release
- Letting users know if we believe that there is still an issue
This includes reviewing:
- Every issue that hasn\u2019t been touched in the last 2 days
- Re-evaluation of long-term issues
- Re-evaluation of short-term issues
"},{"location":"community/maintainer/triage/#responding-to-issues","title":"Responding to Issues","text":""},{"location":"community/maintainer/triage/#needs-more-information","title":"Needs More Information","text":"A sample response to ask for more info:
I don\u2019t yet have a clear way to replicate this issue. Do you mind adding some additional details. Here is additional information that would be helpful:
* The exact trivy command line used
* The exact image you want to scan
* The full output of the trivy command, preferably with --debug for extra logging.
Thank you for sharing your experience!
Then: Label with triage/needs-information.
"},{"location":"community/maintainer/triage/#issue-might-be-resolved","title":"Issue might be resolved","text":"If you think a release may have resolved an issue, ask the author to see if their issue has been resolved:
Could you please check to see if trivy addresses this issue? We've made some changes with how this is handled, and improved the trivy logs output to help us debug tricky cases like this.
Then: Label with triage/needs-information.
"},{"location":"community/maintainer/triage/#closing-with-care","title":"Closing with Care","text":"Issues typically need to be closed for the following reasons:
- The issue has been addressed
- The issue is a duplicate of an existing issue
- There has been a lack of information over a long period of time
In any of these situations, we aim to be kind when closing the issue, and offer the author action items should they need to reopen their issue or still require a solution.
Samples responses for these situations include:
"},{"location":"community/maintainer/triage/#issue-has-been-addressed","title":"Issue has been addressed","text":"@author: I believe this issue is now addressed by trivy v1.0.0, as it . If you still see this issue with trivy v1.0 or higher, please reopen this issue.
Thank you for reporting this issue!
Then: Close the issue
"},{"location":"community/maintainer/triage/#duplicate-issue","title":"Duplicate Issue","text":"This issue appears to be a duplicate of #X, do you mind if we move the conversation there?
This way we can centralize the content relating to the issue. If you feel that this issue is not in fact a duplicate, please re-open it. If you have additional information to share, please add it to the new issue.
Thank you for reporting this!
Then: Label with triage/duplicate and close the issue.
"},{"location":"community/maintainer/triage/#lack-of-information","title":"Lack of Information","text":"If an issue hasn't been active for more than four weeks, and the author has been pinged at least once, then the issue can be closed.
Hey @author -- hopefully it's OK if I close this - there wasn't enough information to make it actionable, and some time has already passed. If you are able to provide additional details, you may reopen it at any point.
Here is additional information that may be helpful to us:
* Whether the issue occurs with the latest trivy release
* The exact trivy command line used
* The exact image you want to scan
* The full output of the trivy command, preferably with --debug for extra logging.
Thank you for sharing your experience!
Then: Close the issue.
"},{"location":"community/maintainer/triage/#help-wanted-issues","title":"Help Wanted issues","text":"We use two labels help wanted and good first issue to identify issues that have been specially groomed for new contributors.
We have specific guidelines for how to use these labels. If you see an issue that satisfies these guidelines, you can add the help wanted label and the good first issue label. Please note that adding the good first issue label must also add the help wanted label.
If an issue has these labels but does not satisfy the guidelines, please ask for more details to be added to the issue or remove the labels.
"},{"location":"ecosystem/","title":"Ecosystem","text":"Trivy is integrated into many popular tools and applications, so that you can easily add security to your workflow.
In this section you will find an aggregation of the different integrations. Integrations are listed as either \"official\" or \"community\". Official integrations are developed by the core Trivy team and supported by it. Community integrations are integrations developed by the community, and collected here for your convenience. For support or questions about community integrations, please contact the original developers.
\ud83d\udc48 Please use the side-navigation on the left in order to browse the different topics.
"},{"location":"ecosystem/#add-missing-integration","title":"Add missing integration","text":"We are happy to showcase community integrations in this section. To suggest an addition simply make a Pull Request to add the missing integration.
"},{"location":"ecosystem/cicd/","title":"CI/CD Integrations","text":""},{"location":"ecosystem/cicd/#azure-devops-official","title":"Azure DevOps (Official)","text":"Azure Devops is Microsoft Azure cloud native CI/CD service.
Trivy has a \"Azure Devops Pipelines Task\" for Trivy, that lets you easily introduce security scanning into your workflow, with an integrated Azure Devops UI.
\ud83d\udc49 Get it at: https://github.com/aquasecurity/trivy-azure-pipelines-task
"},{"location":"ecosystem/cicd/#github-actions","title":"GitHub Actions","text":"GitHub Actions is GitHub's native CI/CD and job orchestration service.
"},{"location":"ecosystem/cicd/#trivy-action-official","title":"trivy-action (Official)","text":"GitHub Action for integrating Trivy into your GitHub pipeline
\ud83d\udc49 Get it at: https://github.com/aquasecurity/trivy-action
"},{"location":"ecosystem/cicd/#trivy-action-community","title":"trivy-action (Community)","text":"GitHub Action to scan vulnerability using Trivy. If vulnerabilities are found by Trivy, it creates a GitHub Issue.
\ud83d\udc49 Get it at: https://github.com/marketplace/actions/trivy-action
"},{"location":"ecosystem/cicd/#trivy-github-issues-community","title":"trivy-github-issues (Community)","text":"In this action, Trivy scans the dependency files such as package-lock.json and go.sum in your repository, then create GitHub issues according to the result.
\ud83d\udc49 Get it at: https://github.com/marketplace/actions/trivy-github-issues
"},{"location":"ecosystem/cicd/#buildkite-plugin-community","title":"Buildkite Plugin (Community)","text":"The trivy buildkite plugin provides a convenient mechanism for running the open-source trivy static analysis tool on your project.
\ud83d\udc49 Get it at: https://github.com/equinixmetal-buildkite/trivy-buildkite-plugin
"},{"location":"ecosystem/cicd/#dagger-community","title":"Dagger (Community)","text":"Dagger is CI/CD as code that runs anywhere.
The Dagger module for Trivy provides functions for scanning container images from registries as well as Dagger Container objects from any Dagger SDK (e.g. Go, Python, Node.js, etc).
\ud83d\udc49 Get it at: https://daggerverse.dev/mod/github.com/jpadams/daggerverse/trivy
"},{"location":"ecosystem/cicd/#semaphore-community","title":"Semaphore (Community)","text":"Semaphore is a CI/CD service.
You can use Trivy in Semaphore for scanning code, containers, infrastructure, and Kubernetes in Semaphore workflow.
\ud83d\udc49 Get it at: https://docs.semaphore.io/using-semaphore/recipes/trivy
"},{"location":"ecosystem/cicd/#circleci-community","title":"CircleCI (Community)","text":"CircleCI is a CI/CD service.
You can use the Trivy Orb for Circle CI to introduce security scanning into your workflow.
\ud83d\udc49 Get it at: https://circleci.com/developer/orbs/orb/fifteen5/trivy-orb Source: https://github.com/15five/trivy-orb
"},{"location":"ecosystem/cicd/#woodpecker-ci-community","title":"Woodpecker CI (Community)","text":"Example Trivy step in pipeline
pipeline:\n securitycheck:\n image: aquasec/trivy:latest\n commands:\n # use any trivy command, if exit code is 0 woodpecker marks it as passed, else it assumes it failed\n - trivy fs --exit-code 1 --skip-dirs web/ --skip-dirs docs/ --severity MEDIUM,HIGH,CRITICAL .\n
Woodpecker does use Trivy itself so you can see it in use there.
"},{"location":"ecosystem/cicd/#concourse-ci-community","title":"Concourse CI (Community)","text":"Concourse CI is a CI/CD service.
You can use Trivy Resource in Concourse for scanning containers and introducing security scanning into your workflow. It has capabilities to fail the pipeline, create issues, alert communication channels (using respective resources) based on Trivy scan output.
\ud83d\udc49 Get it at: https://github.com/Comcast/trivy-resource/
"},{"location":"ecosystem/cicd/#secobserve-github-actions-and-gitlab-templates-community","title":"SecObserve GitHub actions and GitLab templates (Community)","text":"SecObserve GitHub actions and GitLab templates run various vulnerability scanners, providing uniform methods and parameters for launching the tools.
The Trivy integration supports scanning Docker images and local filesystems for vulnerabilities as well as scanning IaC files for misconfigurations.
\ud83d\udc49 Get it at: https://github.com/SecObserve/secobserve_actions_templates
"},{"location":"ecosystem/ide/","title":"IDE and developer tools Integrations","text":""},{"location":"ecosystem/ide/#vscode-official","title":"VSCode (Official)","text":"Visual Studio Code is an open source versatile code editor and development environment.
\ud83d\udc49 Get it at: https://github.com/aquasecurity/trivy-vscode-extension
"},{"location":"ecosystem/ide/#jetbrains-official","title":"JetBrains (Official)","text":"JetBrains makes IDEs such as Goland, Pycharm, IntelliJ, Webstorm, and more.
The Trivy plugin for JetBrains IDEs lets you use Trivy right from your development environment.
\ud83d\udc49 Get it at: https://plugins.jetbrains.com/plugin/18690-trivy-findings-explorer
"},{"location":"ecosystem/ide/#kubernetes-lens-official","title":"Kubernetes Lens (Official)","text":"Kubernetes Lens is a management application for Kubernetes clusters.
Trivy has an extension for Kubernetes Lens that lets you scan Kubernetes workloads and view the results in the Lens UI.
\ud83d\udc49 Get it at: https://github.com/aquasecurity/trivy-operator-lens-extension
"},{"location":"ecosystem/ide/#vim-community","title":"Vim (Community)","text":"Vim is a terminal based text editor.
Vim plugin for Trivy to install and run Trivy.
\ud83d\udc49 Get it at: https://github.com/aquasecurity/vim-trivy
"},{"location":"ecosystem/ide/#docker-desktop-community","title":"Docker Desktop (Community)","text":"Docker Desktop is an easy way to install Docker container engine on your development machine, and manage it in a GUI .
Trivy Docker Desktop extension for scanning container images for vulnerabilities and generating SBOMs
\ud83d\udc49 Get it at: https://github.com/aquasecurity/trivy-docker-extension
"},{"location":"ecosystem/ide/#rancher-desktop-community","title":"Rancher Desktop (Community)","text":"Rancher Desktop is an easy way to use containers and Kubernetes on your development machine, and manage it in a GUI.
Trivy is natively integrated with Rancher, no installation is needed. More info in Rancher documentation: https://docs.rancherdesktop.io/ui/images/#scanning-images
"},{"location":"ecosystem/ide/#lazytrivy-community","title":"LazyTrivy (Community)","text":"A terminal native UI for Trivy
\ud83d\udc49 Get it at: https://github.com/owenrumney/lazytrivy
"},{"location":"ecosystem/ide/#trivy-vulnerability-explorer-community","title":"Trivy Vulnerability explorer (Community)","text":"Web application that allows to load a Trivy report in json format and displays the vulnerabilities of a single target in an interactive data table
\ud83d\udc49 Get it at: https://github.com/dbsystel/trivy-vulnerability-explorer
"},{"location":"ecosystem/ide/#trivy-pre-commit-community","title":"Trivy pre-commit (Community)","text":"A trivy pre-commit hook that runs a trivy fs in your git repo before committing, preventing you from committing secrets in the first place.
\ud83d\udc49 Get it at: https://github.com/mxab/pre-commit-trivy
"},{"location":"ecosystem/ide/#aws-cdk","title":"AWS CDK","text":"The AWS Cloud Development Kit (AWS CDK) is an open-source software development framework to define cloud infrastructure in code and provision it through AWS CloudFormation.
"},{"location":"ecosystem/ide/#image-scanner-with-trivy-community","title":"image-scanner-with-trivy (Community)","text":"A CDK Construct Library to scan an image with trivy in CDK codes.
\ud83d\udc49 Get it at: https://constructs.dev/packages/image-scanner-with-trivy
"},{"location":"ecosystem/ide/#headlamp-plugin-community","title":"Headlamp plugin (Community)","text":"Headlamp is a user-friendly Kubernetes UI focused on extensibility. The Kubescape plugin extends Headlamp with views on Trivy reports.
\ud83d\udc49 Get it at: https://github.com/kubebeam/trivy-headlamp-plugin
"},{"location":"ecosystem/prod/","title":"Production and cloud Integrations","text":""},{"location":"ecosystem/prod/#kubernetes","title":"Kubernetes","text":"Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications.
"},{"location":"ecosystem/prod/#trivy-operator-official","title":"Trivy Operator (Official)","text":"Using the Trivy Operator you can install Trivy into a Kubernetes cluster so that it automatically and continuously scan your workloads and cluster for security issues.
\ud83d\udc49 Get it at: https://github.com/aquasecurity/trivy-operator
"},{"location":"ecosystem/prod/#harbor-official","title":"Harbor (Official)","text":"Harbor is an open source cloud native container and artifact registry.
Trivy is natively integrated into Harbor, no installation is needed. More info in Harbor documentation: https://goharbor.io/docs/2.6.0/administration/vulnerability-scanning
"},{"location":"ecosystem/prod/#kyverno-community","title":"Kyverno (Community)","text":"Kyverno is a policy management tool for Kubernetes.
You can use Kyverno to ensure and enforce that deployed workloads' images are scanned for vulnerabilities.
\ud83d\udc49 Get it at: https://neonmirrors.net/post/2022-07/attesting-image-scans-kyverno
"},{"location":"ecosystem/prod/#zora-community","title":"Zora (Community)","text":"Zora is an open-source solution that scans Kubernetes clusters with multiple plugins at scheduled times.
Trivy is integrated into Zora as a vulnerability scanner plugin.
\ud83d\udc49 Get it at: https://zora-docs.undistro.io/latest/plugins/trivy/
"},{"location":"ecosystem/prod/#helmper-community","title":"Helmper (Community)","text":"Helmper is a go program that reads Helm Charts from remote OCI registries and pushes the Helm Charts and the Helm Charts container images to your OCI registries with optional OS level vulnerability patching
Trivy is integrated into Helmper as a vulnerability scanner in combination with Copacetic to fix detected vulnerabilities.
\ud83d\udc49 Get it at: https://github.com/ChristofferNissen/helmper
"},{"location":"ecosystem/reporting/","title":"Reporting","text":""},{"location":"ecosystem/reporting/#defectdojo-community","title":"DefectDojo (Community)","text":"DefectDojo can parse Trivy JSON reports. The parser supports deduplication and auto-close features.
\ud83d\udc49 Get it at: https://github.com/DefectDojo/django-DefectDojo
"},{"location":"ecosystem/reporting/#secobserve-community","title":"SecObserve (Community)","text":"SecObserve can parse Trivy results as CycloneDX reports and provides an unified overview of vulnerabilities from different sources. Vulnerabilities can be evaluated with manual and rule based assessments.
\ud83d\udc49 Get it at: https://github.com/SecObserve/SecObserve
"},{"location":"ecosystem/reporting/#scan2html-community","title":"Scan2html (Community)","text":"A Trivy plugin that scans and outputs the results to an interactive html file.
\ud83d\udc49 Get it at: https://github.com/fatihtokus/scan2html
"},{"location":"ecosystem/reporting/#sonarqube-community","title":"SonarQube (Community)","text":"A Trivy plugin that converts JSON report to SonarQube generic issues format.
\ud83d\udc49 Get it at: https://github.com/umax/trivy-plugin-sonarqube
"},{"location":"ecosystem/reporting/#trivy-streamlit-community","title":"Trivy-Streamlit (Community)","text":"Trivy-Streamlit is a Streamlit application that allows you to quickly parse the results from a Trivy JSON report.
\ud83d\udc49 Get it at: https://github.com/mfreeman451/trivy-streamlit
"},{"location":"ecosystem/reporting/#trivy-vulnerability-explorer-community","title":"Trivy-Vulnerability-Explorer (Community)","text":"This project is a web application that allows to load a Trivy report in json format and displays the vulnerabilities of a single target in an interactive data table.
\ud83d\udc49 Get it at: https://github.com/dbsystel/trivy-vulnerability-explorer
"},{"location":"ecosystem/reporting/#plopseccom-community","title":"plopsec.com (Community)","text":"This project is a web application designed to help you visualize Trivy image scan reports. It enriches the data with additional exploitability metrics from EPSS, Metasploit, and Exploit-DB, updated daily.
\ud83d\udc49 Get it at: https://plopsec.com | https://github.com/pl0psec/plopsec.com
"},{"location":"getting-started/","title":"First steps with Trivy","text":""},{"location":"getting-started/#get-trivy","title":"Get Trivy","text":"Trivy is available in most common distribution channels. The complete list of installation options is available in the Installation page. Here are a few popular examples:
- macOS:
brew install trivy - Docker:
docker run aquasec/trivy - Download binary from GitHub Release
- See Installation for more
Trivy is integrated with many popular platforms and applications. The complete list of integrations is available in the Ecosystem page. Here are a few popular examples:
- GitHub Actions
- Kubernetes operator
- VS Code plugin
- See Ecosystem for more
"},{"location":"getting-started/#general-usage","title":"General usage","text":"Trivy's Command Line Interface pattern follows its major concepts: targets (what you want to scan), and scanners (what you want to scan for):
trivy <target> [--scanners <scanner1,scanner2>] <subject>\n
"},{"location":"getting-started/#examples","title":"Examples","text":"Scan a container image from a registry with the default scanner, which is the Vulnerabilities scanner:
trivy image python:3.4-alpine\n
Scan a local code repository, for vulnerabilities, exposed secrets and misconfigurations:
trivy fs --scanners vuln,secret,misconfig /path/to/myproject\n
Scan a Kubernetes cluster, with all available scanners, and show a summary report:
trivy k8s --report summary cluster\n
For a more complete introduction, check out the basic Trivy Demo: https://github.com/itaysk/trivy-demo
"},{"location":"getting-started/#learn-more","title":"Learn more","text":"Now that you are up and ready, here are some resources to help you deepen your knowledge:
- Learn more about Trivy's capabilities by exploring the complete documentation.
- Explore community questions under GitHub Discussions.
- Stay up to date by watching for New Releases & Announcements.
- Follow Trivy on Twitter/X: @aquatrivy
- Explore and subscribe to our YouTube channel @AquaSecOSS
"},{"location":"getting-started/#want-more-check-out-aqua","title":"Want more? Check out Aqua","text":"If you liked Trivy, you will love Aqua which builds on top of Trivy to provide even more enhanced capabilities for a complete security management offering. You can find a high level comparison table specific to Trivy users here. In addition, check out the https://aquasec.com website for more information about our products and services. If you'd like to contact Aqua or request a demo, please use this form: https://www.aquasec.com/demo
"},{"location":"getting-started/faq/","title":"FAQ","text":""},{"location":"getting-started/faq/#faq","title":"FAQ","text":""},{"location":"getting-started/faq/#how-to-pronounce-the-name-trivy","title":"How to pronounce the name \"Trivy\"?","text":"tri is pronounced like trigger, vy is pronounced like envy.
"},{"location":"getting-started/faq/#does-trivy-support-x","title":"Does Trivy support X?","text":"Check out the Scanning coverage page.
"},{"location":"getting-started/faq/#is-there-a-paid-version-of-trivy","title":"Is there a paid version of Trivy?","text":"If you liked Trivy, you will love Aqua which builds on top of Trivy to provide even more enhanced capabilities for a complete security management offering. You can find a high level comparison table specific to Trivy users here. In addition check out the https://aquasec.com website for more information about our products and services. If you'd like to contact Aqua or request a demo, please use this form: https://www.aquasec.com/demo
"},{"location":"getting-started/faq/#how-to-generate-multiple-reports","title":"How to generate multiple reports?","text":"See here.
"},{"location":"getting-started/faq/#how-to-run-trivy-under-air-gapped-environment","title":"How to run Trivy under air-gapped environment?","text":"See here.
"},{"location":"getting-started/faq/#why-trivy-fs-and-trivy-repo-does-not-scan-jar-files-for-vulnerabilities","title":"Why trivy fs and trivy repo does not scan JAR files for vulnerabilities?","text":"See here.
"},{"location":"getting-started/installation/","title":"Installing Trivy","text":"In this section you will find an aggregation of the different ways to install Trivy. Installation options are labeled as either \"Official\" or \"Community\". Official installations are developed by the Trivy team and supported by it. Community installations could be developed by anyone from the Trivy community, and collected here for your convenience. For support or questions about community installations, please contact the original developers.
Note
If you are looking to integrate Trivy into another system, such as CI/CD, IDE, Kubernetes, etc, please see Ecosystem section to explore integrations of Trivy with other tools.
"},{"location":"getting-started/installation/#container-image-official","title":"Container image (Official)","text":"Use one of the official Trivy images:
Registry Repository Link Docker Hub docker.io/aquasec/trivy https://hub.docker.com/r/aquasec/trivy GitHub Container Registry (GHCR) ghcr.io/aquasecurity/trivy https://github.com/orgs/aquasecurity/packages/container/package/trivy AWS Elastic Container Registry (ECR) public.ecr.aws/aquasecurity/trivy https://gallery.ecr.aws/aquasecurity/trivy Tip
It is advisable to mount a persistent cache dir on the host into the Trivy container.
Tip
For scanning container images with Trivy, mount the container engine socket from the host into the Trivy container.
Example:
docker run -v /var/run/docker.sock:/var/run/docker.sock -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:0.68.1 image python:3.4-alpine\n
"},{"location":"getting-started/installation/#github-release-official","title":"GitHub Release (Official)","text":" - Download the file for your operating system/architecture from GitHub Release assets.
- Unpack the downloaded archive (
tar -xzf ./trivy.tar.gz). - Make sure the binary has execution bit turned on (
chmod +x ./trivy).
"},{"location":"getting-started/installation/#install-script-official","title":"Install Script (Official)","text":"For convenience, you can use the install script to download and install Trivy from GitHub Release.
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin v0.68.1\n
"},{"location":"getting-started/installation/#rhelcentos-official","title":"RHEL/CentOS (Official)","text":"RepositoryRPM Add repository setting to /etc/yum.repos.d.
cat << EOF | sudo tee -a /etc/yum.repos.d/trivy.repo\n[trivy]\nname=Trivy repository\nbaseurl=https://aquasecurity.github.io/trivy-repo/rpm/releases/\\$basearch/\ngpgcheck=1\nenabled=1\ngpgkey=https://aquasecurity.github.io/trivy-repo/rpm/public.key\nEOF\nsudo yum -y update\nsudo yum -y install trivy\n
rpm -ivh https://github.com/aquasecurity/trivy/releases/download/v0.68.1/trivy_0.68.1_Linux-64bit.rpm\n
"},{"location":"getting-started/installation/#debianubuntu-official","title":"Debian/Ubuntu (Official)","text":"RepositoryDEB Add repository setting to /etc/apt/sources.list.d.
sudo apt-get install wget gnupg\nwget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null\necho \"deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main\" | sudo tee -a /etc/apt/sources.list.d/trivy.list\nsudo apt-get update\nsudo apt-get install trivy\n
wget https://github.com/aquasecurity/trivy/releases/download/v0.68.1/trivy_0.68.1_Linux-64bit.deb\nsudo dpkg -i trivy_0.68.1_Linux-64bit.deb\n
"},{"location":"getting-started/installation/#homebrew-official","title":"Homebrew (Official)","text":"Homebrew for macOS and Linux.
brew install trivy\n
"},{"location":"getting-started/installation/#windows-official","title":"Windows (Official)","text":" - Download trivy_x.xx.x_windows-64bit.zip file from releases page.
- Unzip file and copy to any folder.
"},{"location":"getting-started/installation/#arch-linux-community","title":"Arch Linux (Community)","text":"Arch Linux Package Repository.
sudo pacman -S trivy\n
References: - https://archlinux.org/packages/extra/x86_64/trivy/ - https://gitlab.archlinux.org/archlinux/packaging/packages/trivy/-/blob/main/PKGBUILD
"},{"location":"getting-started/installation/#opensuse-community","title":"OpenSUSE (Community)","text":"OpenSUSE Package Repository.
sudo zypper install trivy\n
References: - https://software.opensuse.org/package/trivy
"},{"location":"getting-started/installation/#macports-community","title":"MacPorts (Community)","text":"MacPorts for macOS.
sudo port install trivy\n
References: - https://ports.macports.org/port/trivy/details/
"},{"location":"getting-started/installation/#nixnixos-community","title":"Nix/NixOS (Community)","text":"Nix package manager for Linux and macOS.
Command lineConfigurationHome Manager nix-env --install -A nixpkgs.trivy
# your other config ...\nenvironment.systemPackages = with pkgs; [\n # your other packages ...\n trivy\n];\n
# your other config ...\nhome.packages = with pkgs; [\n # your other packages ...\n trivy\n];\n
References:
- https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/admin/trivy/default.nix
"},{"location":"getting-started/installation/#freebsd-official","title":"FreeBSD (Official)","text":"Pkg package manager for FreeBSD.
pkg install trivy\n
"},{"location":"getting-started/installation/#asdfmise-community","title":"asdf/mise (Community)","text":"asdf and mise are quite similar tools you can use to install trivy. See their respective documentation for more information of how to install them and use them:
- asdf
- mise
The plugin used by both tools is developed here
asdf: A basic global installation is shown below; for a specific version, or a version pinned to a directory, see the asdf documentation.
# Install plugin\nasdf plugin add trivy https://github.com/zufardhiyaulhaq/asdf-trivy.git\n\n# Install latest version\nasdf install trivy latest\n\n# Set a version globally (in your ~/.tool-versions file)\nasdf global trivy latest\n\n# Now trivy commands are available\ntrivy --version\n
mise: A basic global installation is shown below; for a specific version, or a version pinned to a directory, see the mise documentation.
# Install plugin and install latest version\nmise install trivy@latest\n\n# Set a version globally (in mise's global config file)\nmise use -g trivy@latest\n\n# Now trivy commands are available\ntrivy --version\n
"},{"location":"getting-started/signature-verification/","title":"Signature Verification","text":"All binaries and container images are signed by Cosign.
"},{"location":"getting-started/signature-verification/#verifying-container-image","title":"Verifying container image","text":"Use the following command for keyless verification:
cosign verify aquasec/trivy:<version> \\\n--certificate-identity-regexp 'https://github\\.com/aquasecurity/trivy/\\.github/workflows/.+' \\\n--certificate-oidc-issuer \"https://token.actions.githubusercontent.com\"\n
You should get the following output
Verification for index.docker.io/aquasec/trivy:latest --\nThe following checks were performed on each of these signatures:\n - The cosign claims were validated\n - Existence of the claims in the transparency log was verified offline\n - The code-signing certificate was verified using trusted certificate authority certificates\n\n ....\n
"},{"location":"getting-started/signature-verification/#verifying-binary","title":"Verifying binary","text":"Download the required tarball, associated signature and certificate files from the GitHub Release.
Use the following command for keyless verification:
cosign verify-blob <path to binary> \\\n--certificate <path to cert> \\\n--signature <path to sig> \\\n--certificate-identity-regexp 'https://github\\.com/aquasecurity/trivy/\\.github/workflows/.+' \\\n--certificate-oidc-issuer \"https://token.actions.githubusercontent.com\"\n
You should get the following output
Verified OK\n
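The two keyless checks above, put together as an added shell example (not from the Trivy docs or the project): download a release tarball with its signature and certificate, verify before unpacking, and make visible what the identity regexp actually admits. It assumes the signature and certificate are published as release assets named <tarball>.sig and <tarball>.pem beside the tarball, which the page does not state.

```shell
#!/bin/sh
# Added example, not part of the Trivy docs: fetch a release tarball together with its
# Cosign signature and certificate, verify it, and only then unpack the binary.
# Assumption (not stated on the page): the signature and certificate are published as
# release assets named <tarball>.sig and <tarball>.pem next to the tarball.
set -eu

# Same identity constraints as the cosign commands above.
TRIVY_IDENTITY_RE='https://github\.com/aquasecurity/trivy/\.github/workflows/.+'
TRIVY_OIDC_ISSUER='https://token.actions.githubusercontent.com'

# trivy_asset VERSION OS ARCH -> tarball name, e.g. trivy_0.68.1_Linux-64bit.tar.gz
trivy_asset() {
  printf 'trivy_%s_%s-%s.tar.gz\n' "$1" "$2" "$3"
}

# identity_allowed IDENTITY -> succeeds when IDENTITY matches TRIVY_IDENTITY_RE.
# Shows what the regexp admits: any workflow in aquasecurity/trivy, but not a fork
# such as github.com/<someone-else>/trivy even if it signs through the same issuer.
identity_allowed() {
  printf '%s\n' "$1" | grep -Eq "$TRIVY_IDENTITY_RE"
}

# verify_release VERSION OS ARCH DIR: download tarball, .sig and .pem into DIR,
# verify the blob, and unpack the trivy binary only if verification passes.
verify_release() {
  version=$1 os=$2 arch=$3 dir=$4
  asset=$(trivy_asset "$version" "$os" "$arch")
  base="https://github.com/aquasecurity/trivy/releases/download/v${version}"
  mkdir -p "$dir"
  for f in "$asset" "$asset.sig" "$asset.pem"; do
    curl -sSfL -o "$dir/$f" "$base/$f"
  done
  # set -e aborts here on a failed verification, so nothing below runs on a bad signature.
  cosign verify-blob "$dir/$asset" \
    --certificate "$dir/$asset.pem" \
    --signature "$dir/$asset.sig" \
    --certificate-identity-regexp "$TRIVY_IDENTITY_RE" \
    --certificate-oidc-issuer "$TRIVY_OIDC_ISSUER"
  tar -xzf "$dir/$asset" -C "$dir"
  chmod +x "$dir/trivy"
}

# Usage: verify_release 0.68.1 Linux 64bit ./trivy-dl && ./trivy-dl/trivy --version
```

The regexp pins the repository but not the workflow file, so any workflow in aquasecurity/trivy would be accepted; if you want to pin a single release workflow, tighten the pattern after checking the certificate identity printed by cosign for a known-good release.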
"},{"location":"getting-started/signature-verification/#verifying-a-gpg-signature","title":"Verifying a GPG signature","text":"RPM and Deb packages are also signed by GPG.
"},{"location":"getting-started/signature-verification/#verifying-rpm","title":"Verifying RPM","text":"The public key is available at https://aquasecurity.github.io/trivy-repo/rpm/public.key.
First, download and import the key:
curl https://aquasecurity.github.io/trivy-repo/rpm/public.key \\\n--output pub.key\nrpm --import pub.key\nrpm -q --queryformat \"%{SUMMARY}\\n\" $(rpm -q gpg-pubkey)\n
You should get the following output:
gpg(trivy)\n
Then you can verify the signature:
curl -L https://github.com/aquasecurity/trivy/releases/download/<version>/<file name>.rpm \\\n--output trivy.rpm\nrpm -K trivy.rpm\n
You should get the following output
trivy.rpm: digests signatures OK\n
"},{"location":"guide/","title":"User Guide","text":"Welcome to the Trivy User Guide! Here you can find complete and thorough information about every aspect of Trivy, how to use it, features available, and configuration options.
\ud83d\udc48 Please use the left side navigation to browse the different topics.
"},{"location":"guide/advanced/air-gap/","title":"Connectivity and Network considerations","text":"Trivy requires internet connectivity in order to function normally. If your organization blocks or restricts network traffic, that could prevent Trivy from working correctly. This document explains Trivy's network connectivity requirements, and how to configure Trivy to work in restricted network environments, including completely air-gapped environments.
The following table lists all external resources that are required by Trivy:
External Resource | Feature | Details
Vulnerability Database | Vulnerability scanning | Trivy DB
Java Vulnerability Database | Java vulnerability scanning | Trivy Java DB
Checks Bundle | Misconfigurations scanning | Trivy Checks
VEX Hub | VEX Hub | VEX Hub
Maven Central / Remote Repositories | Java vulnerability scanning | Java Scanner/Remote Repositories
Note
Trivy is an open source project that relies on public free infrastructure. In case of extreme load, you may encounter rate limiting when Trivy attempts to connect to external resources.
The rest of this document details each resource's connectivity requirements and network related considerations.
"},{"location":"guide/advanced/air-gap/#oci-databases","title":"OCI Databases","text":"Trivy's Vulnerability, Java, and Checks Bundle are packaged as OCI images and stored in public container registries.
"},{"location":"guide/advanced/air-gap/#connectivity-requirements","title":"Connectivity requirements","text":"The specific registries and locations are detailed in the databases document.
Communication with OCI Registries follows the OCI Distribution spec.
The following hosts are known to be used by the default container registries:
Registry | Hosts | Additional info
Google Artifact Registry | mirror.gcr.io, googlecode.l.googleusercontent.com | Google's IP addresses
GitHub Container Registry | ghcr.io, pkg-containers.githubusercontent.com | GitHub's IP addresses
"},{"location":"guide/advanced/air-gap/#self-hosting","title":"Self-hosting","text":"You can host Trivy's databases in your own container registry. Please refer to the Self-hosting document for a detailed guide.
"},{"location":"guide/advanced/air-gap/#embedded-checks","title":"Embedded Checks","text":"Checks Bundle is embedded in the Trivy binary (at build time), and will be used as a fallback if the external database is not available. This means that you can still scan for misconfigurations in an air-gapped environment using the database from the time of the Trivy release you are using.
"},{"location":"guide/advanced/air-gap/#vex-hub","title":"VEX Hub","text":""},{"location":"guide/advanced/air-gap/#connectivity-requirements_1","title":"Connectivity Requirements","text":"VEX Hub is hosted at https://github.com/aquasecurity/vexhub.
Trivy fetches the VEX Hub GitHub repository directly over plain HTTPS requests.
The following hosts are known to be used by GitHub's services:
api.github.com codeload.github.com
For more information about GitHub connectivity (including specific IP addresses), please refer to GitHub's connectivity troubleshooting guide.
"},{"location":"guide/advanced/air-gap/#self-hosting_1","title":"Self-hosting","text":"You can host a copy of VEX Hub on your own internal server. Please refer to the self-hosting document for a detailed guide.
"},{"location":"guide/advanced/air-gap/#maven-central-remote-repositories","title":"Maven Central / Remote Repositories","text":"Trivy might call out to Maven Central or other remote repositories in order to correctly identify Java packages during a vulnerability scan.
"},{"location":"guide/advanced/air-gap/#connectivity-requirements_2","title":"Connectivity requirements","text":"Trivy might attempt to connect (over HTTPS) to the following URLs:
https://repo.maven.apache.org/maven2
"},{"location":"guide/advanced/air-gap/#offline-mode","title":"Offline mode","text":"There's no way to leverage Maven Central in a network-restricted environment, but you can prevent Trivy from trying to connect to it by using the --offline-scan flag.
"},{"location":"guide/advanced/air-gap/#check-updates-service","title":"Check updates service","text":"Trivy checks for updates and collects usage telemetry by connecting to the following domain: https://check.trivy.dev. Connectivity with this domain is entirely optional and is not necessary for the normal operation of Trivy.
"},{"location":"guide/advanced/modules/","title":"Modules","text":"EXPERIMENTAL
This feature might change without preserving backwards compatibility.
Trivy provides a module feature that lets others extend the Trivy CLI without changing the Trivy code base. Modules are WebAssembly binaries that change Trivy's behavior during scanning.
"},{"location":"guide/advanced/modules/#overview","title":"Overview","text":"Trivy modules are add-on tools that integrate seamlessly with Trivy. They provide a way to extend the core feature set of Trivy, but without updating the Trivy binary.
- They can be added and removed from a Trivy installation without impacting the core Trivy tool.
- They can be written in any programming language supporting WebAssembly.
- It supports only Go at the moment.
You can write your own detection logic.
- Evaluate complex vulnerability conditions like Spring4Shell
- Detect a shell script communicating with malicious domains
- Detect malicious python install script (setup.py)
- Even detect misconfigurations in WordPress setting
- etc.
Then, you can update the scan result however you want.
- Change a severity
- Remove a vulnerability
- Add a new vulnerability
- etc.
Modules should be distributed in OCI registries like GitHub Container Registry.
Warning
WebAssembly doesn't allow file access and network access by default. Modules can read required files only, but cannot overwrite them. WebAssembly is sandboxed and secure by design, but Trivy modules available in public are not audited for security. You should install and run third-party modules at your own risk even though
Under the hood Trivy leverages wazero to run WebAssembly modules without CGO.
"},{"location":"guide/advanced/modules/#installing-a-module","title":"Installing a Module","text":"A module can be installed with the trivy module install command. It takes a URL, downloads the module and installs it in the module cache.
Trivy adheres to the XDG specification, so the cache location depends on whether XDG_DATA_HOME is set. The preference order is as follows:
- XDG_DATA_HOME if set and .trivy/modules exists within the XDG_DATA_HOME dir
- $HOME/.trivy/modules
For example, to download the WebAssembly module, you can execute the following command:
$ trivy module install ghcr.io/aquasecurity/trivy-module-spring4shell\n
"},{"location":"guide/advanced/modules/#using-modules","title":"Using Modules","text":"Once the module is installed, Trivy will load all available modules in the cache on the start of the next Trivy execution. The modules may inject custom logic into scanning and change the result. You can run Trivy as usual and modules are loaded automatically.
You will see the log messages about WASM modules.
$ trivy image ghcr.io/aquasecurity/trivy-test-images:spring4shell-jre8\n2022-06-12T12:57:13.210+0300 INFO Loading ghcr.io/aquasecurity/trivy-module-spring4shell/spring4shell.wasm...\n2022-06-12T12:57:13.596+0300 INFO Registering WASM module: spring4shell@v1\n...\n2022-06-12T12:57:14.865+0300 INFO Module spring4shell: Java Version: 8, Tomcat Version: 8.5.77\n2022-06-12T12:57:14.865+0300 INFO Module spring4shell: change CVE-2022-22965 severity from CRITICAL to LOW\n\nJava (jar)\n\nTotal: 9 (UNKNOWN: 1, LOW: 3, MEDIUM: 2, HIGH: 3, CRITICAL: 0)\n\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 Library \u2502 Vulnerability \u2502 Severity \u2502 Installed Version \u2502 Fixed Version \u2502 Title 
\u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 org.springframework.boot:spring-boot (helloworld.war) \u2502 CVE-2022-22965 \u2502 LOW \u2502 2.6.3 \u2502 2.5.12, 2.6.6 \u2502 spring-framework: RCE via Data Binding on JDK 9+ \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2022-22965 
\u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n...(snip)...\n
In the above example, the Spring4Shell module changed the severity from CRITICAL to LOW because the application doesn't satisfy one of the conditions for exploitation.
"},{"location":"guide/advanced/modules/#uninstalling-modules","title":"Uninstalling Modules","text":"Specify a module repository with trivy module uninstall command.
$ trivy module uninstall ghcr.io/aquasecurity/trivy-module-spring4shell\n
"},{"location":"guide/advanced/modules/#building-modules","title":"Building Modules","text":"It supports Go only at the moment.
"},{"location":"guide/advanced/modules/#go","title":"Go","text":"Trivy provides a Go SDK with three interfaces. Your module must implement Module, plus Analyzer, PostScanner, or both.
type Module interface {\n Version() int\n Name() string\n}\n\ntype Analyzer interface {\n RequiredFiles() []string\n Analyze(filePath string) (*serialize.AnalysisResult, error)\n}\n\ntype PostScanner interface {\n PostScanSpec() serialize.PostScanSpec\n PostScan(types.Results) (types.Results, error)\n}\n
The following tutorial creates a WordPress module that detects the WordPress version and reports a critical vulnerability for affected versions.
Tips
You can use logging functions such as Debug and Info for debugging. See the examples for details.
"},{"location":"guide/advanced/modules/#initialize-your-module","title":"Initialize your module","text":"Replace the repository name with yours.
$ go mod init github.com/aquasecurity/trivy-module-wordpress\n
"},{"location":"guide/advanced/modules/#module-interface","title":"Module interface","text":"Version() returns your module version and should be incremented after updates. Name() returns your module name.
package main\n\nimport (\n \"github.com/aquasecurity/trivy/pkg/module/wasm\"\n)\n\nconst (\n version = 1\n name = \"wordpress-module\"\n)\n\n// main is required for Go to compile the Wasm module\nfunc main() {} \n\nfunc init() {\n wasm.RegisterModule(WordpressModule{})\n}\n\ntype WordpressModule struct{\n // Cannot define fields as modules can't keep state.\n}\n\nfunc (WordpressModule) Version() int {\n return version\n}\n\nfunc (WordpressModule) Name() string {\n return name\n}\n
Info
A struct cannot have any fields: each method invocation runs in a fresh state, so nothing set in one call is visible in the next.
"},{"location":"guide/advanced/modules/#analyzer-interface","title":"Analyzer interface","text":"If you implement the Analyzer interface, the Analyze method is called whenever a file path matches one of the patterns returned by RequiredFiles(). A file pattern must be a regular expression. The syntax detail is here.
Analyze receives the matched file path; the file can then be opened with os.Open().
const typeWPVersion = \"wordpress-version\"\n\nfunc (WordpressModule) RequiredFiles() []string {\n return []string{\n `wp-includes\\/version.php`,\n }\n}\n\nfunc (WordpressModule) Analyze(filePath string) (*serialize.AnalysisResult, error) {\n f, err := os.Open(filePath) // e.g. filePath: /usr/src/wordpress/wp-includes/version.php\n if err != nil {\n return nil, err\n }\n defer f.Close()\n\n var wpVersion string\n scanner := bufio.NewScanner(f)\n for scanner.Scan() {\n line := scanner.Text()\n if !strings.HasPrefix(line, \"$wp_version=\") {\n continue\n }\n\n ss := strings.Split(line, \"=\")\n if len(ss) != 2 {\n return nil, fmt.Errorf(\"invalid wordpress version: %s\", line)\n }\n\n // NOTE: it is an example; you actually need to handle comments, etc\n ss[1] = strings.TrimSpace(ss[1])\n wpVersion = strings.Trim(ss[1], `\";`)\n }\n\n if err = scanner.Err(); err != nil {\n return nil, err\n }\n\n return &serialize.AnalysisResult{\n CustomResources: []ftypes.CustomResource{\n {\n Type: typeWPVersion,\n FilePath: filePath,\n Data: wpVersion,\n },\n },\n }, nil\n}\n
Tips
Trivy caches analysis results according to the module version. We'd recommend cleaning the cache or changing the module version every time you update Analyzer.
"},{"location":"guide/advanced/modules/#postscanner-interface","title":"PostScanner interface","text":"PostScan is called after scanning and takes the scan result as an argument from Trivy. In post scanning, your module can perform one of three actions:
- Insert
- Add a new security finding
- e.g. Add a new vulnerability and misconfiguration
- Update
- Update the detected vulnerability and misconfiguration
- e.g. Change a severity
- Delete
- Delete the detected vulnerability and misconfiguration
- e.g. Remove Spring4Shell because it is not actually affected.
PostScanSpec() returns which action the module does. If it is Update or Delete, it also needs to return IDs such as CVE-ID and misconfiguration ID, which your module wants to update or delete.
serialize.Results contains the filtered results matching IDs you specified. Also, it includes CustomResources with the values your Analyze returns, so you can modify the scan result according to the custom resources.
func (WordpressModule) PostScanSpec() serialize.PostScanSpec {\n return serialize.PostScanSpec{\n Action: api.ActionInsert, // Add new vulnerabilities\n }\n}\n\nfunc (WordpressModule) PostScan(results types.Results) (types.Results, error) {\n // e.g. results\n // [\n // {\n // \"Target\": \"\",\n // \"Class\": \"custom\",\n // \"CustomResources\": [\n // {\n // \"Type\": \"wordpress-version\",\n // \"FilePath\": \"/usr/src/wordpress/wp-includes/version.php\",\n // \"Layer\": {\n // \"DiffID\": \"sha256:057649e61046e02c975b84557c03c6cca095b8c9accd3bd20eb4e432f7aec887\"\n // },\n // \"Data\": \"5.7.1\"\n // }\n // ]\n // }\n // ] \n var wpVersion int\n for _, result := range results {\n if result.Class != types.ClassCustom {\n continue\n }\n\n for _, c := range result.CustomResources {\n if c.Type != typeWPVersion {\n continue\n }\n wpVersion = c.Data.(string)\n wasm.Info(fmt.Sprintf(\"WordPress Version: %s\", wpVersion))\n\n ...snip...\n\n if affectedVersion.Check(ver) {\n vulnerable = true\n }\n break\n }\n }\n\n if vulnerable {\n // Add CVE-2020-36326\n results = append(results, types.Result{\n Target: wpPath,\n Class: types.ClassLangPkg,\n Type: \"wordpress\",\n Vulnerabilities: []types.DetectedVulnerability {\n {\n VulnerabilityID: \"CVE-2020-36326\",\n PkgName: \"wordpress\",\n InstalledVersion: wpVersion,\n FixedVersion: \"5.7.2\",\n Vulnerability: dbTypes.Vulnerability{\n Title: \"PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname.\",\n Severity: \"CRITICAL\",\n },\n },\n },\n })\n }\n return results, nil\n}\n
The new vulnerability will be added to the scan results. This example shows how a module inserts a new finding; for an Update example, see the Spring4Shell module.
In the Delete action, PostScan returns the results you want deleted. If PostScan returns an empty result, Trivy deletes nothing.
"},{"location":"guide/advanced/modules/#build","title":"Build","text":"Follow the install guide and install Go.
$ GOOS=wasip1 GOARCH=wasm go build -o wordpress.wasm -buildmode=c-shared wordpress.go\n
Put the built binary in the module directory, which is under the home directory by default.
$ mkdir -p ~/.trivy/modules\n$ cp wordpress.wasm ~/.trivy/modules\n
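The module directory lookup order described under "Installing a Module" and the copy step above, as one added shell example (not from the Trivy docs or the project). The WebAssembly magic-byte check is an extra precaution of this example, not something Trivy requires: the directory's contents are loaded on every Trivy run, so a stray file should not land there by accident.

```shell
#!/bin/sh
# Added example, not from the Trivy docs: resolve the module cache directory with the
# lookup order described in the docs and copy a freshly built module into it.
set -eu

# trivy_modules_dir -> the directory Trivy loads modules from.
# $XDG_DATA_HOME/.trivy/modules wins only when XDG_DATA_HOME is set AND that
# directory already exists; otherwise $HOME/.trivy/modules is used.
trivy_modules_dir() {
  if [ -n "${XDG_DATA_HOME:-}" ] && [ -d "${XDG_DATA_HOME}/.trivy/modules" ]; then
    printf '%s\n' "${XDG_DATA_HOME}/.trivy/modules"
  else
    printf '%s\n' "${HOME}/.trivy/modules"
  fi
}

# install_module WASM_FILE -> path of the installed copy.
# Extra sanity check of this example (Trivy itself does not require it): the file must
# start with the WebAssembly magic bytes \0asm, so a non-wasm file (say, the Go source)
# is refused instead of being dropped into a directory Trivy loads from on every run.
install_module() {
  wasm=$1
  magic=$(head -c 4 "$wasm" | od -An -tx1 | tr -d ' \n')
  if [ "$magic" != "0061736d" ]; then
    echo "refusing $wasm: not a WebAssembly binary" >&2
    return 1
  fi
  dir=$(trivy_modules_dir)
  mkdir -p "$dir"
  cp "$wasm" "$dir/"
  printf '%s\n' "$dir/$(basename "$wasm")"
}

# Usage after the build step above:
#   GOOS=wasip1 GOARCH=wasm go build -o wordpress.wasm -buildmode=c-shared wordpress.go
#   install_module wordpress.wasm
```

Note the edge case in trivy_modules_dir: when XDG_DATA_HOME is set but $XDG_DATA_HOME/.trivy/modules does not exist yet, the fallback to $HOME/.trivy/modules applies, so create the XDG directory first if that is where you want modules to live.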
"},{"location":"guide/advanced/modules/#distribute-your-module","title":"Distribute Your Module","text":"You can distribute your own module in OCI registries. Please follow the oras installation instructions.
oras push ghcr.io/aquasecurity/trivy-module-wordpress:latest wordpress.wasm:application/vnd.module.wasm.content.layer.v1+wasm\nUploading 3daa3dac086b wordpress.wasm\nPushed ghcr.io/aquasecurity/trivy-module-wordpress:latest\nDigest: sha256:6416d0199d66ce52ced19f01d75454b22692ff3aa7737e45f7a189880840424f\n
"},{"location":"guide/advanced/modules/#examples","title":"Examples","text":" - Spring4Shell
- WordPress
"},{"location":"guide/advanced/self-hosting/","title":"Self-Hosting Trivy's Databases","text":"This document explains how to host Trivy's external dependencies in your own infrastructure to avoid external network access. If you haven't already, please familiarize yourself with the Databases document, which explains the different databases used by Trivy and the configuration options that control them. This guide assumes you are already familiar with the concepts explained there.
"},{"location":"guide/advanced/self-hosting/#oci-databases","title":"OCI databases","text":"The following Trivy Databases are packaged as OCI images:
trivy-db trivy-java-db trivy-checks
To host these databases in your own infrastructure:
"},{"location":"guide/advanced/self-hosting/#make-a-local-copy","title":"Make a local copy","text":"Use any container registry manipulation tool (e.g. crane, ORAS, regclient) to copy the images to your destination registry.
Note
You will need to keep the databases updated in order to maintain relevant scanning results over time.
"},{"location":"guide/advanced/self-hosting/#configure-trivy","title":"Configure Trivy","text":"Use the appropriate database location flags to change the db-repository location:
--db-repository --java-db-repository --checks-bundle-repository
"},{"location":"guide/advanced/self-hosting/#authentication","title":"Authentication","text":"If the registry requires authentication, you can configure it as described in the private registry authentication document.
"},{"location":"guide/advanced/self-hosting/#oci-media-types","title":"OCI Media Types","text":"When serving, proxying, or manipulating Trivy's databases, note that the media type of the OCI layer is not a standard container image type:
DB | Media Type | Reference
trivy-db | application/vnd.aquasec.trivy.db.layer.v1.tar+gzip | https://github.com/aquasecurity/trivy-db/pkgs/container/trivy-db
trivy-java-db | application/vnd.aquasec.trivy.javadb.layer.v1.tar+gzip | https://github.com/aquasecurity/trivy-java-db/pkgs/container/trivy-java-db
trivy-checks | application/vnd.oci.image.manifest.v1+json | https://github.com/aquasecurity/trivy-checks/pkgs/container/trivy-checks
"},{"location":"guide/advanced/self-hosting/#manual-cache-population","title":"Manual cache population","text":"Trivy uses a local cache directory to store the database files, as described in the cache document. You can download the database files and populate the Trivy cache directory with them by hand.
"},{"location":"guide/advanced/self-hosting/#downloading-the-db-files","title":"Downloading the DB files","text":"On a machine with internet access, pull the database container archive from the public registry into your local workspace:
Note that these examples operate in the current working directory.
Using ORAS: This example uses ORAS, but you can use any other container registry manipulation tool.
oras pull ghcr.io/aquasecurity/trivy-db:2\n
You should now have a file called db.tar.gz. Next, extract it to reveal the db files:
tar -xzf db.tar.gz\n
Using Trivy: This example uses Trivy to pull the database container archive. The --cache-dir flag makes Trivy download the database files into our current working directory. The --download-db-only flag tells Trivy to only download the database files, not to scan any images.
trivy image --cache-dir . --download-db-only\n
You should now have 2 new files, metadata.json and trivy.db. These are the Trivy DB files, copy them over to the air-gapped environment.
"},{"location":"guide/advanced/self-hosting/#populating-the-trivy-cache","title":"Populating the Trivy Cache","text":"In order to populate the cache, you need to identify the location of the cache directory. If it is under the default location, you can run the following command to find it:
trivy -h | grep cache\n
For the example, we will assume the TRIVY_CACHE_DIR variable holds the cache location:
TRIVY_CACHE_DIR=/home/user/.cache/trivy\n
Put the Trivy DB files in the Trivy cache directory under a db subdirectory:
# ensure cache db directory exists\nmkdir -p ${TRIVY_CACHE_DIR}/db\n# copy the db files\ncp /path/to/trivy.db /path/to/metadata.json ${TRIVY_CACHE_DIR}/db/\n
"},{"location":"guide/advanced/self-hosting/#java-db-adaptations","title":"Java DB adaptations","text":"For Java DB the process is the same, except for the following:
- Image location is ghcr.io/aquasecurity/trivy-java-db:1
- Archive file name is javadb.tar.gz
- Java DB file names are trivy-java.db and metadata.json
- The cache subdirectory is java-db.
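The cache population steps above, for both the vulnerability DB and the Java DB, as an added shell example (not from the Trivy docs or the project). It fails closed: nothing is copied unless every expected file is present, so a half-transferred directory does not leave Trivy with a cache that has metadata.json but no database file.

```shell
#!/bin/sh
# Added example, not from the Trivy docs: place manually transferred database files
# into the Trivy cache, for both the vulnerability DB (db) and the Java DB (java-db).
set -eu

# db_files KIND: the files Trivy expects under <cache>/<KIND>/.
db_files() {
  case $1 in
    db)      echo "trivy.db metadata.json" ;;
    java-db) echo "trivy-java.db metadata.json" ;;
    *)       echo "unknown db kind: $1" >&2; return 1 ;;
  esac
}

# populate_trivy_cache KIND SRC_DIR CACHE_DIR -> prints the populated directory.
# Fails closed: nothing is copied unless every expected file is present and non-empty
# in SRC_DIR and metadata.json carries a Version key (a quick check that the right
# archive was extracted, not a full validation of the file).
populate_trivy_cache() {
  kind=$1 src=$2 cache=$3
  files=$(db_files "$kind") || return 1
  for f in $files; do
    [ -s "$src/$f" ] || { echo "missing or empty: $src/$f" >&2; return 1; }
  done
  grep -q '"Version"' "$src/metadata.json" || { echo "$src/metadata.json: no Version key" >&2; return 1; }
  mkdir -p "$cache/$kind"
  for f in $files; do
    cp "$src/$f" "$cache/$kind/$f"
  done
  printf '%s\n' "$cache/$kind"
}

# Usage, after `oras pull ghcr.io/aquasecurity/trivy-db:2 && tar -xzf db.tar.gz` in ./vulndb
# and the Java DB equivalent (ghcr.io/aquasecurity/trivy-java-db:1, javadb.tar.gz) in ./javadb:
#   populate_trivy_cache db      ./vulndb "${TRIVY_CACHE_DIR:-$HOME/.cache/trivy}"
#   populate_trivy_cache java-db ./javadb "${TRIVY_CACHE_DIR:-$HOME/.cache/trivy}"
```

In the air-gapped environment, run Trivy with --skip-db-update (and --skip-java-db-update) afterwards so it uses the copied files instead of attempting to refresh them from the registry.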
"},{"location":"guide/advanced/self-hosting/#vex-hub","title":"VEX Hub","text":""},{"location":"guide/advanced/self-hosting/#make-a-local-copy_1","title":"Make a local copy","text":"To make a copy of VEX Hub in a location accessible to Trivy:
- Download the VEX Hub archive from: https://github.com/aquasecurity/vexhub/archive/refs/heads/main.zip.
- Download the VEX Hub Repository Manifest file from: https://github.com/aquasecurity/vexhub/blob/main/vex-repository.json.
- Create or identify an internal HTTP server that can serve the VEX Hub repository in your environment (e.g. https://server.local).
- Make the downloaded archive file available for serving from your server (e.g. https://server.local/main.zip).
- Modify the downloaded manifest file's Location URL field to the URL of the archive file on your server (e.g. url: https://server.local/main.zip).
- Make the manifest file available for serving from your server under the /.well-known path (e.g. https://server.local/.well-known/vex-repository.json).
"},{"location":"guide/advanced/self-hosting/#configure-trivy_1","title":"Configure Trivy","text":"To configure Trivy to use the local VEX Repository:
- Locate your Trivy VEX configuration file by running trivy vex repo init, then make the following changes to the file:
- Disable the default VEX Hub repo (enabled: false).
- Add your internal VEX Hub repository as a custom repository with the URL pointing to your local server (e.g. url: https://server.local).
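The manifest rewrite from "Make a local copy" and the configuration changes above, as one added shell example (not from the Trivy docs or the project). It assumes the manifest contains the upstream archive URL verbatim, and that the Trivy VEX configuration is a YAML list under a repositories key whose entries carry name, url and enabled (the page names only url and enabled; name and the default entry's values are assumptions here).

```shell
#!/bin/sh
# Added example, not from the Trivy docs: produce the two files an internal VEX Hub
# mirror needs, the rewritten manifest and the Trivy VEX repository config.
# Assumptions: the manifest carries the upstream archive URL verbatim, and the Trivy
# config is YAML with a "repositories" list of {name, url, enabled} entries.
set -eu

UPSTREAM_ARCHIVE='https://github.com/aquasecurity/vexhub/archive/refs/heads/main.zip'

# rewrite_vex_manifest IN OUT SERVER: point the manifest's location URL at SERVER/main.zip.
# Fails before writing OUT if the upstream URL is absent, so a manifest that would still
# send Trivy to GitHub is never served from the mirror by mistake.
rewrite_vex_manifest() {
  in=$1 out=$2 server=$3
  grep -qF "$UPSTREAM_ARCHIVE" "$in" || { echo "$in: upstream archive URL not found" >&2; return 1; }
  sed "s#${UPSTREAM_ARCHIVE}#${server}/main.zip#g" "$in" > "$out"
}

# write_vex_repo_config FILE SERVER NAME: disable the default VEX Hub entry and add the
# mirror as a custom repository (assumed schema, see above).
write_vex_repo_config() {
  file=$1 server=$2 name=$3
  mkdir -p "$(dirname "$file")"
  cat > "$file" <<EOF
repositories:
  - name: default
    url: https://github.com/aquasecurity/vexhub
    enabled: false
  - name: ${name}
    url: ${server}
    enabled: true
EOF
}

# Usage (paths are examples; locate the real config with `trivy vex repo init`):
#   rewrite_vex_manifest vex-repository.json site/.well-known/vex-repository.json https://server.local
#   write_vex_repo_config ~/.trivy/vex/repository.yaml https://server.local internal-vexhub
```

Serve the rewritten manifest at /.well-known/vex-repository.json and the archive at /main.zip on the same server, as the steps above describe; Trivy resolves the archive from the manifest, so a manifest still pointing at GitHub would silently defeat the mirror.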
"},{"location":"guide/advanced/self-hosting/#authentication_1","title":"Authentication","text":"If your server requires authentication, you can configure it as described in the VEX Repository Authentication document.
"},{"location":"guide/advanced/telemetry-flags/","title":"Telemetry flags","text":"--clear-cache\n--debug\n--dependency-tree\n--detection-priority\n--distro\n--exit-code\n--exit-on-eol\n--format\n--ignore-status\n--ignore-unfixed\n--image-config-scanners\n--include-deprecated-checks\n--include-dev-deps\n--include-non-failures\n--insecure\n--license-full\n--list-all-pkgs\n--misconfig-scanners\n--offline-scan\n--parallel\n--password-stdin\n--pkg-relationships\n--pkg-types\n--quiet\n--redis-tls\n--rego-error-limit\n--removed-pkgs\n--report\n--scanners\n--severity\n--show-suppressed\n--skip-check-update\n--skip-version-check\n--skip-vex-repo-update\n--slow\n--tf-exclude-downloaded-modules\n--timeout\n--trace-http\n--trace-rego\n--vuln-severity-source\n
"},{"location":"guide/advanced/telemetry/","title":"Usage Telemetry","text":"Trivy collects anonymous usage data in order to help us improve the product. This document explains what is collected and how you can control it.
"},{"location":"guide/advanced/telemetry/#data-collected","title":"Data collected","text":"The following information could be collected:
- Environmental information:
- Installation identifier
- Trivy version
- Operating system
- Scan:
- Non-revealing scan options (see below for comprehensive list)
"},{"location":"guide/advanced/telemetry/#captured-scan-options","title":"Captured scan options","text":"The following flags will be included with their value:
--clear-cache\n--debug\n--dependency-tree\n--detection-priority\n--distro\n--exit-code\n--exit-on-eol\n--format\n--ignore-status\n--ignore-unfixed\n--image-config-scanners\n--include-deprecated-checks\n--include-dev-deps\n--include-non-failures\n--insecure\n--license-full\n--list-all-pkgs\n--misconfig-scanners\n--offline-scan\n--parallel\n--password-stdin\n--pkg-relationships\n--pkg-types\n--quiet\n--redis-tls\n--rego-error-limit\n--removed-pkgs\n--report\n--scanners\n--severity\n--show-suppressed\n--skip-check-update\n--skip-version-check\n--skip-vex-repo-update\n--slow\n--tf-exclude-downloaded-modules\n--timeout\n--trace-http\n--trace-rego\n--vuln-severity-source\n
"},{"location":"guide/advanced/telemetry/#privacy","title":"Privacy","text":"No personal information, scan results, or other sensitive data are collected. We take the following measures to ensure that:
- Installation identifier: one-way hash of machine fingerprint, resulting in opaque ID.
- Scan: any option that is user-controlled is omitted (never collected). For example, file paths, image names, etc are never collected.
Trivy is an Aqua Security product and adheres to the company's privacy policy: https://aquasec.com/privacy.
"},{"location":"guide/advanced/telemetry/#disabling-telemetry","title":"Disabling telemetry","text":"You can disable telemetry altogether using the --disable-telemetry flag. Like other Trivy flags, this can be set on the command line, YAML configuration file, or environment variable. For more details see here.
For example:
trivy image --disable-telemetry alpine\n
"},{"location":"guide/advanced/container/embed-in-dockerfile/","title":"Embed in Dockerfile","text":"Scan your image as part of the build process by embedding Trivy in the Dockerfile. This approach can be used to update Dockerfiles currently using Aqua\u2019s Microscanner.
$ cat Dockerfile\nFROM alpine:3.7\n\nRUN apk add curl \\\n && curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin \\\n && trivy rootfs --exit-code 1 --no-progress /\n\n$ docker build -t vulnerable-image .\n
Alternatively, you can use Trivy in a multi-stage build, which avoids the insecure curl | sh pattern and leaves the final image unchanged. [...]\n# Run vulnerability scan on build image\nFROM build AS vulnscan\nCOPY --from=aquasec/trivy:latest /usr/local/bin/trivy /usr/local/bin/trivy\nRUN trivy rootfs --exit-code 1 --no-progress /\n[...]\n
"},{"location":"guide/advanced/container/unpacked-filesystem/","title":"Unpacked Filesystem","text":"Scan an unpacked container image filesystem.
In this case, Trivy works the same way as when scanning containers.
$ docker export $(docker create alpine:3.10.2) | tar -C /tmp/rootfs -xvf -\n$ trivy rootfs /tmp/rootfs\n
Result 2021-03-08T05:22:26.378Z INFO Need to update DB\n2021-03-08T05:22:26.380Z INFO Downloading DB...\n20.37 MiB / 20.37 MiB [-------------------------------------------------------------------------------------------------------------------------------------] 100.00% 8.24 MiB p/s 2s\n2021-03-08T05:22:30.134Z INFO Detecting Alpine vulnerabilities...\n\n/tmp/rootfs (alpine 3.10.2)\n===========================\nTotal: 20 (UNKNOWN: 0, LOW: 2, MEDIUM: 10, HIGH: 8, CRITICAL: 0)\n\n+--------------+------------------+----------+-------------------+---------------+---------------------------------------+\n| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |\n+--------------+------------------+----------+-------------------+---------------+---------------------------------------+\n| libcrypto1.1 | CVE-2020-1967 | HIGH | 1.1.1c-r0 | 1.1.1g-r0 | openssl: Segmentation |\n| | | | | | fault in SSL_check_chain |\n| | | | | | causes denial of service |\n| | | | | | -->avd.aquasec.com/nvd/cve-2020-1967 |\n+ +------------------+ + +---------------+---------------------------------------+\n| | CVE-2021-23839 | | | 1.1.1j-r0 | openssl: incorrect SSLv2 |\n| | | | | | rollback protection |\n| | | | | | -->avd.aquasec.com/nvd/cve-2021-23839 |\n+ +------------------+ + + +---------------------------------------+\n| | CVE-2021-23840 | | | | openssl: integer |\n| | | | | | overflow in CipherUpdate |\n| | | | | | -->avd.aquasec.com/nvd/cve-2021-23840 |\n+ +------------------+ + + +---------------------------------------+\n| | CVE-2021-23841 | | | | openssl: NULL pointer dereference |\n| | | | | | in X509_issuer_and_serial_hash() |\n| | | | | | -->avd.aquasec.com/nvd/cve-2021-23841 |\n+ +------------------+----------+ +---------------+---------------------------------------+\n| | CVE-2019-1547 | MEDIUM | | 1.1.1d-r0 | openssl: side-channel weak |\n| | | | | | encryption vulnerability |\n| | | | | | -->avd.aquasec.com/nvd/cve-2019-1547 |\n+ +------------------+ + + +---------------------------------------+\n| | CVE-2019-1549 | | | | openssl: information |\n| | | | | | disclosure in fork() |\n| | | | | | -->avd.aquasec.com/nvd/cve-2019-1549 |\n+ +------------------+ + +---------------+---------------------------------------+\n| | CVE-2019-1551 | | | 1.1.1d-r2 | openssl: Integer overflow in RSAZ |\n| | | | | | modular exponentiation on x86_64 |\n| | | | | | -->avd.aquasec.com/nvd/cve-2019-1551 |\n+ +------------------+ + +---------------+---------------------------------------+\n| | CVE-2020-1971 | | | 1.1.1i-r0 | openssl: EDIPARTYNAME |\n| | | | | | NULL pointer de-reference |\n| | | | | | -->avd.aquasec.com/nvd/cve-2020-1971 |\n+ +------------------+----------+ +---------------+---------------------------------------+\n| | CVE-2019-1563 | LOW | | 1.1.1d-r0 | openssl: information |\n| | | | | | disclosure in PKCS7_dataDecode |\n| | | | | | and CMS_decrypt_set1_pkey |\n| | | | | | -->avd.aquasec.com/nvd/cve-2019-1563 |\n+--------------+------------------+----------+ +---------------+---------------------------------------+\n| libssl1.1 | CVE-2020-1967 | HIGH | | 1.1.1g-r0 | openssl: Segmentation |\n| | | | | | fault in SSL_check_chain |\n| | | | | | causes denial of service |\n| | | | | | -->avd.aquasec.com/nvd/cve-2020-1967 |\n+ +------------------+ + +---------------+---------------------------------------+\n| | CVE-2021-23839 | | | 1.1.1j-r0 | openssl: incorrect SSLv2 |\n| | | | | | rollback protection |\n| | | | | | -->avd.aquasec.com/nvd/cve-2021-23839 |\n+ +------------------+ + + +---------------------------------------+\n| | CVE-2021-23840 | | | | openssl: integer |\n| | | | | | overflow in CipherUpdate |\n| | | | | | -->avd.aquasec.com/nvd/cve-2021-23840 |\n+ +------------------+ + + +---------------------------------------+\n| | CVE-2021-23841 | | | | openssl: NULL pointer dereference |\n| | | | | | in X509_issuer_and_serial_hash() |\n| | | | | | -->avd.aquasec.com/nvd/cve-2021-23841 |\n+ +------------------+----------+ +---------------+---------------------------------------+\n| | CVE-2019-1547 | MEDIUM | | 1.1.1d-r0 | openssl: side-channel weak |\n| | | | | | encryption vulnerability |\n| | | | | | -->avd.aquasec.com/nvd/cve-2019-1547 |\n+ +------------------+ + + +---------------------------------------+\n| | CVE-2019-1549 | | | | openssl: information |\n| | | | | | disclosure in fork() |\n| | | | | | -->avd.aquasec.com/nvd/cve-2019-1549 |\n+ +------------------+ + +---------------+---------------------------------------+\n| | CVE-2019-1551 | | | 1.1.1d-r2 | openssl: Integer overflow in RSAZ |\n| | | | | | modular exponentiation on x86_64 |\n| | | | | | -->avd.aquasec.com/nvd/cve-2019-1551 |\n+ +------------------+ + +---------------+---------------------------------------+\n| | CVE-2020-1971 | | | 1.1.1i-r0 | openssl: EDIPARTYNAME |\n| | | | | | NULL pointer de-reference |\n| | | | | | -->avd.aquasec.com/nvd/cve-2020-1971 |\n+ +------------------+----------+ +---------------+---------------------------------------+\n| | CVE-2019-1563 | LOW | | 1.1.1d-r0 | openssl: information |\n| | | | | | disclosure in PKCS7_dataDecode |\n| | | | | | and CMS_decrypt_set1_pkey |\n| | | | | | -->avd.aquasec.com/nvd/cve-2019-1563 |\n+--------------+------------------+----------+-------------------+---------------+---------------------------------------+\n| musl | CVE-2020-28928 | MEDIUM | 1.1.22-r3 | 1.1.22-r4 | In musl libc through 1.2.1, |\n| | | | | | wcsnrtombs mishandles particular |\n| | | | | | combinations of destination buffer... |\n| | | | | | -->avd.aquasec.com/nvd/cve-2020-28928 |\n+--------------+ + + + + +\n| musl-utils | | | | | |\n| | | | | | |\n| | | | | | |\n| | | | | | |\n+--------------+------------------+----------+-------------------+---------------+---------------------------------------+\n
"},{"location":"guide/advanced/private-registries/","title":"Overview","text":"Trivy can download images from a private registry without the need for installing Docker or any other 3rd party tools. This makes it easy to run within a CI process.
"},{"location":"guide/advanced/private-registries/#login","title":"Login","text":"You can log in to a private registry using the trivy registry login command. It uses the Docker configuration file (~/.docker/config.json) to store the credentials under the hood, and the configuration file path can be configured by DOCKER_CONFIG environment variable.
$ cat ~/my_password.txt | trivy registry login --username foo --password-stdin ghcr.io\n$ trivy image ghcr.io/your/private_image\n
"},{"location":"guide/advanced/private-registries/#passing-credentials","title":"Passing Credentials","text":"You can also provide your credentials when scanning.
$ TRIVY_USERNAME=YOUR_USERNAME TRIVY_PASSWORD=YOUR_PASSWORD trivy image YOUR_PRIVATE_IMAGE\n
Warning
When passing credentials via environment variables or CLI flags, Trivy will attempt to use these credentials for all registries encountered during scanning, regardless of the target registry. This can potentially lead to unintended credential exposure. To mitigate this risk:
- Set credentials cautiously and only when necessary.
- Prefer using trivy registry login to pre-configure credentials for specific registries, which ensures credentials are only sent to the appropriate registries.
Trivy also supports providing credentials through CLI flags:
$ TRIVY_PASSWORD=YOUR_PASSWORD trivy image --username YOUR_USERNAME YOUR_PRIVATE_IMAGE\n
Warning
The CLI flag --password is available, but its use is not recommended for security reasons.
You can also store your credentials in trivy.yaml. For more information, please refer to the documentation.
It can handle multiple sets of credentials as well:
$ export TRIVY_USERNAME=USERNAME1,USERNAME2\n$ export TRIVY_PASSWORD=PASSWORD1,PASSWORD2\n$ trivy image YOUR_PRIVATE_IMAGE\n
In the example above, Trivy attempts to use two pairs of credentials:
- USERNAME1/PASSWORD1
- USERNAME2/PASSWORD2
Please note that the number of usernames and passwords must be the same.
Note
--password-stdin doesn't support comma-separated passwords.
"},{"location":"guide/advanced/private-registries/acr/","title":"Requirements","text":"None. Trivy uses the Azure SDK for Go; you don't need to install the az command.
"},{"location":"guide/advanced/private-registries/acr/#privileges","title":"Privileges","text":"The service principal must have the AcrPull permission.
"},{"location":"guide/advanced/private-registries/acr/#creation-of-a-service-principal","title":"Creation of a service principal","text":"export SP_DATA=$(az ad sp create-for-rbac --name TrivyTest --role AcrPull --scope \"/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.ContainerRegistry/registries/<registry_name>\")\n
"},{"location":"guide/advanced/private-registries/acr/#usage","title":"Usage","text":"# must set TRIVY_USERNAME empty char\nexport AZURE_CLIENT_ID=$(echo $SP_DATA | jq -r '.appId')\nexport AZURE_CLIENT_SECRET=$(echo $SP_DATA | jq -r '.password')\nexport AZURE_TENANT_ID=$(echo $SP_DATA | jq -r '.tenant')\n
"},{"location":"guide/advanced/private-registries/acr/#testing","title":"Testing","text":"You can test credentials in the following manner.
docker run -it --rm -v /tmp:/tmp \\\n -e AZURE_CLIENT_ID -e AZURE_CLIENT_SECRET -e AZURE_TENANT_ID \\\n aquasec/trivy image your_special_project.azurecr.io/your_special_image:your_special_tag\n
"},{"location":"guide/advanced/private-registries/docker-hub/","title":"Docker Hub","text":"See here for the details. You don't need to provide a credential when downloading from a public repository.
"},{"location":"guide/advanced/private-registries/ecr/","title":"AWS ECR (Elastic Container Registry)","text":"Trivy uses the AWS SDK. You don't need to install the aws CLI tool. You can use the AWS CLI's environment variables.
"},{"location":"guide/advanced/private-registries/ecr/#aws-private-registry-permissions","title":"AWS private registry permissions","text":"You may need to grant permissions to allow Trivy to pull images from a private ECR.
It depends on how you want to provide an AWS role to Trivy.
- IAM Role Service account
- Kube2iam or Kiam
"},{"location":"guide/advanced/private-registries/ecr/#iam-role-service-account","title":"IAM Role Service account","text":"Add the AWS role in trivy's service account annotations:
trivy:\n\n serviceAccount:\n annotations: {}\n # eks.amazonaws.com/role-arn: arn:aws:iam::ACCOUNT_ID:role/IAM_ROLE_NAME\n
"},{"location":"guide/advanced/private-registries/ecr/#kube2iam-or-kiam","title":"Kube2iam or Kiam","text":"Add the AWS role to pod's annotations:
podAnnotations: {}\n ## kube2iam/kiam annotation\n # iam.amazonaws.com/role: arn:aws:iam::ACCOUNT_ID:role/IAM_ROLE_NAME\n
"},{"location":"guide/advanced/private-registries/gcr/","title":"Requirements","text":"None. Trivy uses the Google Cloud SDK; you don't need to install the gcloud command.
"},{"location":"guide/advanced/private-registries/gcr/#privileges","title":"Privileges","text":"The credential file must have the roles/storage.objectViewer permission. More information can be found in Google's documentation.
"},{"location":"guide/advanced/private-registries/gcr/#json-file-format","title":"JSON File Format","text":"The JSON file specified should have the following format, as provided by Google's service account mechanism:
{\n \"type\": \"service_account\",\n \"project_id\": \"your_special_project\",\n \"private_key_id\": \"XXXXXXXXXXXXXXXXXXXXxx\",\n \"private_key\": \"-----BEGIN PRIVATE KEY-----\\nNONONONO\\n-----END PRIVATE KEY-----\\n\",\n \"client_email\": \"somedude@your_special_project.iam.gserviceaccount.com\",\n \"client_id\": \"1234567890\",\n \"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\",\n \"token_uri\": \"https://oauth2.googleapis.com/token\",\n \"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\",\n \"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/somedude%40your_special_project.iam.gserviceaccount.com\"\n}\n
"},{"location":"guide/advanced/private-registries/gcr/#usage","title":"Usage","text":"To use the target project's repository, set the credentials via GOOGLE_APPLICATION_CREDENTIALS.
# must set TRIVY_USERNAME empty char\nexport GOOGLE_APPLICATION_CREDENTIALS=/path/to/credential.json\n
"},{"location":"guide/advanced/private-registries/gcr/#testing","title":"Testing","text":"You can test credentials in the following manner (assuming they are in /tmp on the host machine).
docker run -it --rm -v /tmp:/tmp\\\n -e GOOGLE_APPLICATION_CREDENTIALS=/tmp/service_account.json\\\n aquasec/trivy image gcr.io/your_special_project/your_special_image:your_special_tag\n
"},{"location":"guide/advanced/private-registries/self/","title":"Self-Hosted","text":"A BasicAuth-protected registry needs TRIVY_USERNAME and TRIVY_PASSWORD.
export TRIVY_USERNAME={USERNAME}\nexport TRIVY_PASSWORD={PASSWORD}\n\n# if you want to use 80 port, use NonSSL\nexport TRIVY_NON_SSL=true\n
"},{"location":"guide/compliance/compliance/","title":"Built-in Compliance Reports","text":"EXPERIMENTAL
This feature might change without preserving backwards compatibility.
Trivy\u2019s compliance flag lets you curate a specific set of checks into a report. In a typical Trivy scan, there are hundreds of different checks for many different components and configurations, but sometimes you already know which specific checks you are interested in. Often this would be an industry accepted set of checks such as CIS, or some vendor specific guideline, or your own organization policy that you want to comply with. These are all possible using the flexible compliance infrastructure that's built into Trivy. Compliance reports are defined as simple YAML documents that select checks to include in the report.
"},{"location":"guide/compliance/compliance/#usage","title":"Usage","text":"Compliance reports are currently supported in the following targets (Trivy sub-commands):
- trivy image
- trivy k8s
Add the --compliance flag to the command line, and set its value to the desired report. For example: trivy k8s cluster --compliance k8s-nsa (see below for built-in and custom reports)
"},{"location":"guide/compliance/compliance/#options","title":"Options","text":"The following flags are compatible with the --compliance flag and allow customizing its output:
- --report summary: shows a summary of the results; for every control, shows the number of failed checks.
- --report all: shows fully detailed results; for every control, shows where it failed and why.
- --format table: shows results in textual table format (good for human readability).
- --format json: shows results in JSON format (good for machine readability).
"},{"location":"guide/compliance/compliance/#built-in-compliance","title":"Built-in compliance","text":"Trivy has a number of built-in compliance reports that you can assess right out of the box. To specify a built-in compliance report, select it by ID like trivy --compliance <compliance_id>.
For the list of built-in compliance reports, please see the relevant section:
- Docker compliance
- Kubernetes compliance
"},{"location":"guide/compliance/compliance/#contribute-a-built-in-compliance-report","title":"Contribute a Built-in Compliance Report","text":"
"},{"location":"guide/compliance/compliance/#define-a-compliance-spec-based-on-cis-benchmark-or-other-specs","title":"Define a Compliance spec, based on CIS benchmark or other specs","text":"Here is an example of a CIS compliance report:
---\nspec:\n id: k8s-cis-1.23\n title: CIS Kubernetes Benchmarks v1.23\n description: CIS Kubernetes Benchmarks\n platform: k8s\n type: cis\n version: '1.23'\n relatedResources:\n - https://www.cisecurity.org/benchmark/kubernetes\n controls:\n - id: 1.1.1\n name: Ensure that the API server pod specification file permissions are set to\n 600 or more restrictive\n description: Ensure that the API server pod specification file has permissions\n of 600 or more restrictive\n checks:\n - id: AVD-KCV-0073\n commands:\n - id: CMD-0001\n severity: HIGH\n
"},{"location":"guide/compliance/compliance/#compliance-id","title":"Compliance ID","text":"The ID field is the name used to execute the compliance scan via Trivy, for example:
trivy k8s --compliance k8s-cis-1.23\n
ID naming convention: {platform}-{type}-{version}
"},{"location":"guide/compliance/compliance/#compliance-platform","title":"Compliance Platform","text":"The platform field specifies the type of platform on which to run this compliance report. Supported platforms:
- k8s (native kubernetes cluster)
- eks (elastic kubernetes service)
- aks (azure kubernetes service)
- gke (google kubernetes engine)
- rke2 (rancher kubernetes engine v2)
- ocp (OpenShift Container Platform)
- docker (docker engine)
- aws (amazon web services)
"},{"location":"guide/compliance/compliance/#compliance-type","title":"Compliance Type","text":"The type field specifies the kind of compliance report.
- cis (Center for Internet Security)
- nsa (National Security Agency)
- pss (Pod Security Standards)
"},{"location":"guide/compliance/compliance/#compliance-version","title":"Compliance Version","text":"The version field specifies the version of the compliance report.
- 1.23
"},{"location":"guide/compliance/compliance/#compliance-check-id","title":"Compliance Check ID","text":"Specify the check ID that needs to be evaluated based on the information collected from the command data output to assess the control.
Example of how to define check data under the checks folder:
# METADATA\n# title: \"Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive\"\n# description: \"Ensure that the kubelet.conf file has permissions of 600 or more restrictive.\"\n# scope: package\n# schemas:\n# - input: schema[\"kubernetes\"]\n# related_resources:\n# - https://www.cisecurity.org/benchmark/kubernetes\n# custom:\n# id: KCV0073\n# avd_id: AVD-KCV-0073\n# severity: HIGH\n# short_code: ensure-kubelet.conf-file-permissions-600-or-more-restrictive.\n# recommended_action: \"Change the kubelet.conf file permissions to 600 or more restrictive if exist\"\n# input:\n# selector:\n# - type: kubernetes\npackage builtin.kubernetes.KCV0073\n\nimport data.lib.kubernetes\n\ntypes := [\"master\", \"worker\"]\n\nvalidate_kubelet_file_permission(sp) := {\"kubeletConfFilePermissions\": violation} {\n sp.kind == \"NodeInfo\"\n sp.type == types[_]\n violation := {permission | permission = sp.info.kubeletConfFilePermissions.values[_]; permission > 600}\n count(violation) > 0\n}\n\ndeny[res] {\n output := validate_kubelet_file_permission(input)\n msg := \"Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive\"\n res := result.new(msg, output)\n}\n
"},{"location":"guide/compliance/compliance/#compliance-command-id","title":"Compliance Command ID","text":"Note: This field is not mandatory; it is relevant to the k8s compliance report when the node-collector is in use.
Specify the command ID (#ref) that needs to be executed to collect the information required to evaluate the control.
Example of how to define command data under the commands folder:
---\n- id: CMD-0001\n key: kubeletConfFilePermissions\n title: kubelet.conf file permissions\n nodeType: worker\n audit: stat -c %a $kubelet.kubeconfig\n platforms:\n - k8s\n - aks\n
"},{"location":"guide/compliance/compliance/#command-id","title":"Command ID","text":"Find the next command ID by running the following command in the trivy-checks project.
make command-id\n
"},{"location":"guide/compliance/compliance/#command-key","title":"Command Key","text":"- Re-use an existing key or specify a new one (make sure the key name has no spaces)
Note: The key value should match the key name evaluated by the Rego check.
"},{"location":"guide/compliance/compliance/#command-title","title":"Command Title","text":"Describes the purpose of the command.
"},{"location":"guide/compliance/compliance/#command-nodetype","title":"Command NodeType","text":"Specify the node type on which the command is supposed to run.
- worker
- master
"},{"location":"guide/compliance/compliance/#command-audit","title":"Command Audit","text":"Specify here the shell command to be used. Please make sure to add error suppression (2>/dev/null).
"},{"location":"guide/compliance/compliance/#command-platforms","title":"Command Platforms","text":"The list of platforms that support this command. Names should be taken from the Platforms list above.
"},{"location":"guide/compliance/compliance/#command-config-files","title":"Command Config Files","text":"The commands use a configuration file that helps obtain the paths to binaries and configuration files based on different platforms (e.g., Rancher, native Kubernetes, etc.).
For example:
kubelet:\n bins:\n - kubelet\n - hyperkube kubelet\n confs:\n - /etc/kubernetes/kubelet-config.yaml\n - /var/lib/kubelet/config.yaml\n
"},{"location":"guide/compliance/compliance/#commands-files-location","title":"Commands Files Location","text":"Currently, check files are located at: https://github.com/aquasecurity/trivy-checks/tree/main/checks
Command files are located at: https://github.com/aquasecurity/trivy-checks/tree/main/commands
Note: command config files are located under https://github.com/aquasecurity/trivy-checks/tree/main/commands as well.
"},{"location":"guide/compliance/compliance/#node-collector-output","title":"Node-collector output","text":"The node collector will read commands and execute each command, and incorporate the output into the NodeInfo resource.
example:
{\n \"apiVersion\": \"v1\",\n \"kind\": \"NodeInfo\",\n \"metadata\": {\n \"creationTimestamp\": \"2023-01-04T11:37:11+02:00\"\n },\n \"type\": \"master\",\n \"info\": {\n \"adminConfFileOwnership\": {\n \"values\": [\n \"root:root\"\n ]\n },\n \"adminConfFilePermissions\": {\n \"values\": [\n 600\n ]\n }\n ...\n }\n}\n
"},{"location":"guide/compliance/compliance/#custom-compliance","title":"Custom compliance","text":"You can create your own custom compliance report. A compliance report is a simple YAML document in the following format:
spec:\n id: \"k8s-myreport\" # report unique identifier. this should not contain spaces.\n title: \"My custom Kubernetes report\" # report title. Any one-line title.\n description: \"Describe your report\" # description of the report. Any text.\n relatedResources :\n - https://some.url # useful references. URLs only.\n version: \"1.0\" # spec version (string)\n controls:\n - name: \"Non-root containers\" # Name for the control (appears in the report as is). Any one-line name.\n description: 'Check that container is not running as root' # Description (appears in the report as is). Any text.\n id: \"1.0\" # control identifier (string)\n checks: # list of existing Trivy checks that define the control\n - id: AVD-KSV-0012 # check ID. Must start with `AVD-` or `CVE-` \n severity: \"MEDIUM\" # Severity for the control (note that checks severity isn't used)\n - name: \"Immutable container file systems\"\n description: 'Check that container root file system is immutable'\n id: \"1.1\"\n checks:\n - id: AVD-KSV-0014\n severity: \"LOW\"\n
The check id field (controls[].checks[].id) refers to an existing check by its \"AVD ID\". This AVD ID is easily located in the check's source code metadata header, or by browsing the Aqua vulnerability DB, specifically the Misconfigurations and Vulnerabilities sections.
Once you have a compliance spec, you can select it by file path: trivy --compliance @</path/to/compliance.yaml> (note the @ indicating file path instead of report id).
"},{"location":"guide/compliance/contrib-compliance/","title":"Custom Compliance Spec","text":"Trivy supports several different compliance specs. The details on compliance scanning with Trivy are provided in the compliance documentation. All of the Compliance Specs currently available in Trivy can be found in the trivy-checks/pkg/specs/compliance/ directory (Link).
New checks are based on the custom compliance report detailed in the main documentation. If you would like to create your custom compliance report, please reference the information in the main documentation. This section details how community members can contribute new Compliance Specs to Trivy.
All compliance specs in Trivy are based on formal compliance reports such as CIS Benchmarks.
"},{"location":"guide/compliance/contrib-compliance/#contributing-new-compliance-specs","title":"Contributing new Compliance Specs","text":"Compliance specs can be based on new compliance reports becoming available e.g. a new CIS Benchmark version, or identifying missing compliance specs that Trivy users would like to access.
"},{"location":"guide/compliance/contrib-compliance/#create-a-new-compliance-spec","title":"Create a new Compliance Spec","text":"The existing compliance specs in Trivy are located under the trivy-checks/pkg/specs/compliance/ directory (Link).
Create a new file under trivy-checks/specs/compliance/ and name the file in the format of \"provider-resource-spectype-version.yaml\". For example, the file name for AWS CIS Benchmarks for EKS version 1.4 is: aws-eks-cis-1.4.yaml. Note that if the compliance spec is not specific to a provider, the provider field can be ignored.
"},{"location":"guide/compliance/contrib-compliance/#minimum-spec-structure","title":"Minimum spec structure","text":"The structure of the compliance spec is detailed in the main documentation.
The first section in the spec is focused on the metadata of the spec. Replace all the fields of the metadata with the information relevant to the compliance spec that will be added. This information can be taken from the official report e.g. the CIS Benchmark report.
"},{"location":"guide/compliance/contrib-compliance/#populating-the-control-section","title":"Populating the control section","text":"Compliance specs detail a set of checks that should pass so that the resource is compliant with the official benchmark specifications. There are two ways in which Trivy compliance checks can enforce the compliance specification:
- The check is available in Trivy, as part of the trivy-checks, and can be referenced in the Compliance Spec
- The check is not available in Trivy and a manual check has to be added to the Compliance Spec
Additional information is provided below.
"},{"location":"guide/compliance/contrib-compliance/#1-referencing-a-check-that-is-already-part-of-trivy","title":"1. Referencing a check that is already part of Trivy","text":"Trivy has a comprehensive list of checks as part of its misconfiguration scanning. These can be found in the trivy-checks/checks directory (Link). If the check is present, the AVD_ID and other information from the check have to be used.
Note: Take a look at the more generic compliance specs that are already available in Trivy. If you are adding a new compliance spec for Kubernetes, e.g. AWS EKS CIS Benchmarks, chances are high that the check you would like to add to the new spec has already been defined in the general k8s-ci-v.000.yaml compliance spec. The same applies to creating specific Cloud Provider Compliance Specs and the generic compliance specs available.
For example, the following check is detailed in the AWS EKS CIS v1.4 Benchmark: 3.1.2 Ensure that the kubelet kubeconfig file ownership is set to root:root (Manual)
This check can be found in the general K8s CIS Compliance Benchmark: k8s-cis-1.23.yaml (Link)
Thus, we can use the information already present:
- id: 3.1.2\n name: Ensure that the kubelet service file ownership is set to root:root (Manual)\n description: Ensure that the kubelet service file ownership is set to root:root\n checks:\n - id: AVD-KCV-0070\n severity: HIGH\n
- The ID, name, and description are taken directly from the AWS EKS CIS Benchmarks
- The check and severity are taken from the existing compliance check in k8s-cis-1.23.yaml
"},{"location":"guide/compliance/contrib-compliance/#2-referencing-a-check-manually-that-is-not-part-of-the-trivy-default-checks","title":"2. Referencing a check manually that is not part of the Trivy default checks","text":"If the check does not already exist in the Aqua Vulnerability Database (AVD) and is not part of the trivy-checks, the fields in the compliance spec for the check have to be populated manually. This is done by referencing the information in the official compliance specification.
Below is the beginning of the information of the EKS CIS Benchmarks v1.4.0:
The corresponding check in the control section will look like this:
- id: 2.1.1\n name: Enable audit Logs (Manual)\n description: |\n Control plane logs provide visibility into operation of the EKS Control plane components systems. \n The API server audit logs record all accepted and rejected requests in the cluster. \n When enabled via EKS configuration the control plane logs for a cluster are exported to a CloudWatch \n Log Group for persistence.\n checks: null\n severity: MEDIUM\n
- Again, the id, name and description are taken directly from the EKS CIS Benchmarks v1.4.0
- The checks field is in this case null, as the check is not currently present in the AVD and does not have a check in the trivy policies repository
- Since the check does not exist in Trivy, the severity will be MEDIUM. However, in some cases the compliance report, e.g. the CIS Benchmark report, will specify the severity
"},{"location":"guide/compliance/contrib-compliance/#contributing-new-checks-to-trivy-checks","title":"Contributing new checks to trivy-checks","text":"All of the checks in trivy-policies can be referenced in the compliance specs. To write new Rego checks for Trivy, please take a look at the contributing documentation for checks.
"},{"location":"guide/compliance/contrib-compliance/#test-the-compliance-spec","title":"Test the Compliance Spec","text":"To test the compliance check, pass the new path into the Trivy scan through the --compliance flag. For instance, to pass the check to the Trivy Kubernetes scan use the following command structure:
trivy k8s cluster --compliance @</path/to/compliance.yaml> --report summary\n
Note: The @ is required before the filepath.
"},{"location":"guide/configuration/","title":"Configuration","text":"Trivy's settings can be configured using any of the following methods, which apply in the following order of precedence:
- CLI flags (overrides all other settings)
- Environment variables (overrides config file settings)
- Configuration file
"},{"location":"guide/configuration/#cli-flags","title":"CLI Flags","text":"You can view the list of available flags by adding the --help flag to a Trivy command, or by exploring the CLI reference.
"},{"location":"guide/configuration/#environment-variables","title":"Environment Variables","text":"Any CLI option can be set as an environment variable. The environment variable names are similar to the CLI option names, with the following augmentations:
- Add TRIVY_ prefix
- All uppercase letters
- Replace - with _
For example:
--debug => TRIVY_DEBUG
--cache-dir => TRIVY_CACHE_DIR
$ TRIVY_DEBUG=true TRIVY_SEVERITY=CRITICAL trivy image alpine:3.15\n
"},{"location":"guide/configuration/#configuration-file","title":"Configuration File","text":"Any setting can be set in a YAML file. By default, a config file named trivy.yaml is read from the current directory where Trivy is run. To load configuration from a different file, use the --config flag and specify the config path to load: trivy --config /etc/trivy/myconfig.yaml.
The structure and settings of the YAML config file are documented in the Config file document.
"},{"location":"guide/configuration/cache/","title":"Cache","text":"The cache directory includes
- Cache of previous scans (Scan cache).
- Vulnerability Database [1]
- Java Index Database [2]
- Misconfiguration Checks [3]
- VEX Repositories
The cache option is common to all scanners.
"},{"location":"guide/configuration/cache/#clear-caches","title":"Clear Caches","text":"The trivy clean subcommand removes caches.
$ trivy clean --scan-cache\n
Result 2024-06-21T21:58:21+04:00 INFO Removing scan cache...\n
If you want to delete cached vulnerability databases, use --vuln-db. You can also delete all caches with --all. See trivy clean --help for details.
"},{"location":"guide/configuration/cache/#cache-directory","title":"Cache Directory","text":"Specify where the cache is stored with --cache-dir.
$ trivy --cache-dir /tmp/trivy/ image python:3.4-alpine3.9\n
"},{"location":"guide/configuration/cache/#scan-cache-backend","title":"Scan Cache Backend","text":"EXPERIMENTAL
This feature might change without preserving backwards compatibility.
Trivy utilizes a scan cache to store analysis results, such as package lists. It supports three types of backends for this cache:
- Local File System (fs)
  - The cache path can be specified by --cache-dir
- Memory (memory)
- Redis (redis://)
  - redis://[HOST]:[PORT]
  - TTL can be configured via --cache-ttl
"},{"location":"guide/configuration/cache/#local-file-system","title":"Local File System","text":"The local file system backend is the default choice for container image, VM image and repository scans.
Note
Internally, this backend uses BoltDB, which has an important limitation: only one process can access the cache at a time. Subsequent processes attempting to access the cache will be locked. For more details on this limitation, refer to the troubleshooting guide.
"},{"location":"guide/configuration/cache/#memory","title":"Memory","text":"The memory backend stores analysis results in memory, which means the cache is discarded when the process ends. This makes it useful in scenarios where caching is not required or desired. It serves as the default for filesystem and SBOM scans and can also be employed for container image scans when caching is unnecessary.
To use the memory backend for a container image scan, you can use the following command:
$ trivy image debian:11 --cache-backend memory\n
"},{"location":"guide/configuration/cache/#redis","title":"Redis","text":"The Redis backend is particularly useful when you need to share the cache across multiple Trivy instances. You can set up Trivy to use a Redis backend with a command like this:
$ trivy server --cache-backend redis://localhost:6379\n
This approach allows for centralized caching, which can be beneficial in distributed or high-concurrency environments.
If you want to use TLS with Redis, you can enable it by specifying the --redis-tls flag.
$ trivy server --cache-backend redis://localhost:6379 --redis-tls\n
Trivy also supports connecting to Redis with your certificates. You need to specify the --redis-ca, --redis-cert, and --redis-key options.
$ trivy server --cache-backend redis://localhost:6379 \\\n --redis-ca /path/to/ca-cert.pem \\\n --redis-cert /path/to/cert.pem \\\n --redis-key /path/to/key.pem\n
[1] Downloaded when scanning for vulnerabilities
[2] Downloaded when scanning jar/war/par/ear files
[3] Downloaded when scanning for misconfigurations
"},{"location":"guide/configuration/db/","title":"Trivy Databases","text":"When you install Trivy, the installed artifact contains the scanner engine but lacks the security information needed to make security detections and recommendations. These so-called \"databases\" are automatically fetched and maintained by Trivy as needed, so normally you shouldn't notice or worry about them. This document elaborates on the database management mechanism and its configuration options.
Trivy relies on the following databases:
| DB | Artifact name | Contents | Purpose |
|----|---------------|----------|---------|
| Vulnerabilities DB | trivy-db | CVE information collected from various feeds | used only for vulnerability scanning |
| Java DB | trivy-java-db | Index of Java artifacts and their hash digest | used to identify Java artifacts only in JAR scanning |
| Checks Bundle | trivy-checks | Logic of misconfiguration checks | used only in misconfiguration/IaC scanning |
Note
This is not an exhaustive list of Trivy's external connectivity requirements. There are additional external resources which may be required by specific Trivy features. To learn about external connectivity requirements, see the Advanced Network Scenarios.
"},{"location":"guide/configuration/db/#locations","title":"Locations","text":"Trivy's databases are published to the following locations:
| Registry | Image Address | Link |
|----------|---------------|------|
| GHCR | ghcr.io/aquasecurity/trivy-db | https://ghcr.io/aquasecurity/trivy-db |
| | ghcr.io/aquasecurity/trivy-java-db | https://ghcr.io/aquasecurity/trivy-java-db |
| | ghcr.io/aquasecurity/trivy-checks | https://ghcr.io/aquasecurity/trivy-checks |
| Docker Hub | aquasec/trivy-db | https://hub.docker.com/r/aquasec/trivy-db |
| | aquasec/trivy-java-db | https://hub.docker.com/r/aquasec/trivy-java-db |
| | aquasec/trivy-checks | https://hub.docker.com/r/aquasec/trivy-checks |
| AWS ECR | public.ecr.aws/aquasecurity/trivy-db | https://gallery.ecr.aws/aquasecurity/trivy-db |
| | public.ecr.aws/aquasecurity/trivy-java-db | https://gallery.ecr.aws/aquasecurity/trivy-java-db |
| | public.ecr.aws/aquasecurity/trivy-checks | https://gallery.ecr.aws/aquasecurity/trivy-checks |
In addition, images are also available via pull-through cache registries like Google Container Registry Mirror.
"},{"location":"guide/configuration/db/#default-locations","title":"Default Locations","text":"Trivy will attempt to pull images from the following registries in the order specified.
1. mirror.gcr.io/aquasec
2. ghcr.io/aquasecurity
You can specify additional alternative repositories as explained in the configuring database locations section.
"},{"location":"guide/configuration/db/#db-management-configuration","title":"DB Management Configuration","text":""},{"location":"guide/configuration/db/#database-locations","title":"Database Locations","text":"You can configure Trivy to download databases from alternative locations by using the flags:
- --db-repository
- --java-db-repository
- --checks-bundle-repository
The value should be an image address in a container registry.
For example:
trivy image --db-repository registry.gitlab.com/gitlab-org/security-products/dependencies/trivy-db alpine\n
The flag accepts multiple values, which can be used to specify multiple alternative repository locations. In case of transient errors (e.g. status 429 or 5xx), Trivy will fall back to alternative registries in the order specified.
For example:
trivy image --db-repository my.registry.local/trivy-db --db-repository registry.gitlab.com/gitlab-org/security-products/dependencies/trivy-db alpine\n
The Checks Bundle registry location option does not support fallback through multiple options. This is because in case of a failure pulling the Checks Bundle, Trivy will use the embedded checks as a fallback.
Note
Setting the repository location flags overrides the default values which include the official db locations. In case you want to preserve the default locations, you should include them in the list you set as repository locations.
Note
When pulling trivy-db or trivy-java-db, if an image tag is not specified, Trivy defaults to the DB schema number instead of the latest tag.
"},{"location":"guide/configuration/db/#skip-updates","title":"Skip updates","text":"You can configure Trivy to not attempt to download any or all database(s), using the flags:
- --skip-db-update
- --skip-java-db-update
- --skip-check-update
For example:
trivy image --skip-db-update --skip-java-db-update --skip-check-update alpine\n
"},{"location":"guide/configuration/db/#only-update","title":"Only update","text":"You can ask Trivy to only update the database without performing a scan. This action will ensure Trivy is up to date, and populate Trivy's database cache for subsequent scans.
- --download-db-only
- --download-java-db-only
For example:
trivy image --download-db-only\n
Note that currently there is no option to download only the Checks Bundle.
"},{"location":"guide/configuration/db/#remove-databases","title":"Remove Databases","text":"The trivy clean command removes caches and databases. You can select which cache component to remove:
| option | description |
|--------|-------------|
| -a/--all | remove all caches |
| --checks-bundle | remove checks bundle |
| --java-db | remove Java database |
| --scan-cache | remove scan cache (container and VM image analysis results) |
| --vuln-db | remove vulnerability database |
Example:
$ trivy clean --vuln-db --java-db\n2024-06-24T11:42:31+06:00 INFO Removing vulnerability database...\n2024-06-24T11:42:31+06:00 INFO Removing Java database...\n
"},{"location":"guide/configuration/filtering/","title":"Filtering","text":"Trivy provides various methods for filtering the results.
flowchart LR\n Issues(\"Detected\\nIssues\") --> Severity\n\n subgraph Filtering\n subgraph Prioritization\n direction TB\n Severity(\"By Severity\") --> Status(\"By Status\")\n end\n subgraph Suppression\n Status --> Ignore(\"By Finding IDs\")\n Ignore --> Rego(\"By Rego\")\n Rego --> VEX(\"By VEX\")\n end\n end\n VEX --> Results
Similar to the functionality of filtering results, you can also limit the sub-targets for each scanner. For information on these settings, please refer to the scanner-specific documentation (vulnerability, misconfiguration, etc.).
"},{"location":"guide/configuration/filtering/#prioritization","title":"Prioritization","text":"You can filter the results by
- Severity
- Status
"},{"location":"guide/configuration/filtering/#by-severity","title":"By Severity","text":"
| Scanner | Supported |
|---------|-----------|
| Vulnerability | \u2713 |
| Misconfiguration | \u2713 |
| Secret | \u2713 |
| License | \u2713 |
Use the --severity option.
$ trivy image --severity HIGH,CRITICAL ruby:2.4.0\n
Result 2019-05-16T01:51:46.255+0900 INFO Updating vulnerability database...\n2019-05-16T01:51:49.213+0900 INFO Detecting Debian vulnerabilities...\n\nruby:2.4.0 (debian 8.7)\n=======================\nTotal: 1785 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1680, CRITICAL: 105)\n\n+-----------------------------+------------------+----------+---------------------------+----------------------------------+-------------------------------------------------+\n| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |\n+-----------------------------+------------------+----------+---------------------------+----------------------------------+-------------------------------------------------+\n| apt | CVE-2019-3462 | CRITICAL | 1.0.9.8.3 | 1.0.9.8.5 | Incorrect sanitation of the |\n| | | | | | 302 redirect field in HTTP |\n| | | | | | transport method of... |\n+-----------------------------+------------------+----------+---------------------------+----------------------------------+-------------------------------------------------+\n| bash | CVE-2019-9924 | HIGH | 4.3-11 | 4.3-11+deb8u2 | bash: BASH_CMD is writable in |\n| | | | | | restricted bash shells |\n+ +------------------+ + +----------------------------------+-------------------------------------------------+\n| | CVE-2016-7543 | | | 4.3-11+deb8u1 | bash: Specially crafted |\n| | | | | | SHELLOPTS+PS4 variables allows |\n| | | | | | command substitution |\n+-----------------------------+------------------+ +---------------------------+----------------------------------+-------------------------------------------------+\n| binutils | CVE-2017-8421 | | 2.25-5 | | binutils: Memory exhaustion in |\n| | | | | | objdump via a crafted PE file |\n+ +------------------+ + +----------------------------------+-------------------------------------------------+\n| | CVE-2017-14930 | | | | binutils: Memory leak in |\n| | | | | | decode_line_info |\n+ +------------------+ + 
+----------------------------------+-------------------------------------------------+\n| | CVE-2017-7614 | | | | binutils: NULL |\n| | | | | | pointer dereference in |\n| | | | | | bfd_elf_final_link function |\n+ +------------------+ + +----------------------------------+-------------------------------------------------+\n| | CVE-2014-9939 | | | | binutils: buffer overflow in |\n| | | | | | ihex.c |\n+ +------------------+ + +----------------------------------+-------------------------------------------------+\n| | CVE-2017-13716 | | | | binutils: Memory leak with the |\n| | | | | | C++ symbol demangler routine |\n| | | | | | in libiberty |\n+ +------------------+ + +----------------------------------+-------------------------------------------------+\n| | CVE-2018-12699 | | | | binutils: heap-based buffer |\n| | | | | | overflow in finish_stab in |\n| | | | | | stabs.c |\n+-----------------------------+------------------+ +---------------------------+----------------------------------+-------------------------------------------------+\n| bsdutils | CVE-2015-5224 | | 2.25.2-6 | | util-linux: File name |\n| | | | | | collision due to incorrect |\n| | | | | | mkstemp use |\n+ +------------------+ + +----------------------------------+-------------------------------------------------+\n| | CVE-2016-2779 | | | | util-linux: runuser tty hijack |\n| | | | | | via TIOCSTI ioctl |\n+-----------------------------+------------------+----------+---------------------------+----------------------------------+-------------------------------------------------+\n
trivy config --severity HIGH,CRITICAL examples/misconf/mixed\n
Result 2022-05-16T13:50:42.718+0100 INFO Detected config files: 3\n\nDockerfile (dockerfile)\n=======================\nTests: 17 (SUCCESSES: 16, FAILURES: 1)\nFailures: 1 (HIGH: 1, CRITICAL: 0)\n\nHIGH: Last USER command in Dockerfile should not be 'root'\n\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\nRunning containers with 'root' user can lead to a container escape situation. 
It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.\n\nSee https://avd.aquasec.com/misconfig/ds002\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n Dockerfile:3\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n 3 [ USER 
root\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\n\n\ndeployment.yaml (kubernetes)\n============================\nTests: 8 (SUCCESSES: 8, FAILURES: 0)\nFailures: 0 (HIGH: 0, CRITICAL: 0)\n\n\nmain.tf (terraform)\n===================\nTests: 1 (SUCCESSES: 0, FAILURES: 1)\nFailures: 1 (HIGH: 0, CRITICAL: 1)\n\nCRITICAL: Classic resources should not be used.\n\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\nAWS Classic resources run in a shared environment with 
infrastructure owned by other AWS customers. You should run\nresources in a VPC instead.\n\nSee https://avd.aquasec.com/misconfig/avd-aws-0081\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n main.tf:2-4\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n 2 \u250c resource \"aws_db_security_group\" \"sg\" {\n 3 \u2502\n 4 \u2514 
}\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n
"},{"location":"guide/configuration/filtering/#by-status","title":"By Status","text":"
| Scanner | Supported |
|---------|-----------|
| Vulnerability | \u2713 |
| Misconfiguration | |
| Secret | |
| License | |
Trivy supports the following vulnerability statuses:
- unknown
- not_affected: this package is not affected by this vulnerability on this platform
- affected: this package is affected by this vulnerability on this platform, but there is no patch released yet
- fixed: this vulnerability is fixed on this platform
- under_investigation: it is currently unknown whether or not this vulnerability affects this package on this platform, and it is under investigation
- will_not_fix: this package is affected by this vulnerability on this platform, but there is currently no intention to fix it (this would primarily be for flaws that are of Low or Moderate impact that pose no significant risk to customers)
- fix_deferred: this package is affected by this vulnerability on this platform, and may be fixed in the future
- end_of_life: this package has been identified to contain the impacted component, but analysis to determine whether it is affected or not by this vulnerability was not performed
Note that vulnerabilities with the unknown, not_affected or under_investigation status are not detected. These are only defined for comprehensiveness, and you will not have the opportunity to specify these statuses.
Some statuses are only supported for certain distributions.
OS Fixed Affected Under Investigation Will Not Fix Fix Deferred End of Life
Debian \u2713 \u2713 \u2713 \u2713
RHEL \u2713 \u2713 \u2713 \u2713 \u2713 \u2713
Other OSes \u2713 \u2713
To ignore vulnerabilities with specific statuses, use the --ignore-status <list_of_statuses> option.
$ trivy image --ignore-status affected,fixed ruby:2.4.0\n
Result 2019-05-16T12:50:14.786+0900 INFO Detecting Debian vulnerabilities...\n\nruby:2.4.0 (debian 8.7)\n=======================\nTotal: 527 (UNKNOWN: 0, LOW: 276, MEDIUM: 83, HIGH: 158, CRITICAL: 10)\n\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 Library \u2502 Vulnerability \u2502 Severity \u2502 Status \u2502 Installed Version \u2502 Fixed Version \u2502 Title 
\u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 binutils \u2502 CVE-2014-9939 \u2502 CRITICAL \u2502 will_not_fix \u2502 2.25-5 \u2502 \u2502 binutils: buffer overflow in ihex.c \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2014-9939 \u2502\n\u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 \u2502 
CVE-2017-6969 \u2502 \u2502 \u2502 \u2502 \u2502 binutils: Heap-based buffer over-read in readelf when \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502 processing corrupt RL78 binaries \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2017-6969 \u2502\n\u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n...\n
Tip
To skip all unfixed vulnerabilities, you can use the --ignore-unfixed flag. It is shorthand for --ignore-status affected,will_not_fix,fix_deferred,end_of_life. It displays \"fixed\" vulnerabilities only.
$ trivy image --ignore-unfixed ruby:2.4.0\n
"},{"location":"guide/configuration/filtering/#suppression","title":"Suppression","text":"You can filter the results by
- Finding IDs
- Rego
- Vulnerability Exploitability Exchange (VEX)
To show the suppressed results, use the --show-suppressed flag.
Note
It's exported as ExperimentalModifiedFindings in the JSON output.
$ trivy image --vex debian11.csaf.vex --ignorefile .trivyignore.yaml --show-suppressed debian:11\n...\n\nSuppressed Vulnerabilities (Total: 9)\n\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 Library \u2502 Vulnerability \u2502 Severity \u2502 Status \u2502 Statement \u2502 Source \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 libdb5.3 \u2502 CVE-2019-8457 \u2502 CRITICAL \u2502 not_affected \u2502 vulnerable_code_not_in_execute_path \u2502 CSAF VEX 
\u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 bsdutils \u2502 CVE-2022-0563 \u2502 LOW \u2502 ignored \u2502 Accept the risk \u2502 .trivyignore.yaml \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u2502 \u2502 \u2502 \u2502\n\u2502 libblkid1 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u2502 \u2502 \u2502 \u2502\n\u2502 libmount1 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u2502 \u2502 \u2502 \u2502\n\u2502 libsmartcols1 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u2502 \u2502 \u2502 \u2502\n\u2502 libuuid1 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u2502 \u2502 \u2502 \u2502\n\u2502 mount \u2502 \u2502 \u2502 \u2502 \u2502 
\u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502\n\u2502 tar \u2502 CVE-2005-2541 \u2502 \u2502 \u2502 The vulnerable configuration is not enabled \u2502 \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502\n\u2502 util-linux \u2502 CVE-2022-0563 \u2502 \u2502 \u2502 Accept the risk \u2502 \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n
"},{"location":"guide/configuration/filtering/#by-finding-ids","title":"By Finding IDs","text":"Trivy supports the .trivyignore and .trivyignore.yaml ignore files.
"},{"location":"guide/configuration/filtering/#trivyignore","title":".trivyignore","text":"Scanner Supported Vulnerability \u2713 Misconfiguration \u2713 Secret \u2713 License \u2713 $ cat .trivyignore\n# Accept the risk\nCVE-2018-14618\n\n# Accept the risk until 2023-01-01\nCVE-2019-14697 exp:2023-01-01\n\n# No impact in our settings\nCVE-2019-1543\n\n# Ignore misconfigurations\nAVD-DS-0002\n\n# Ignore secrets\ngeneric-unwanted-rule\naws-account-id\n\n# Ignore licenses\nGPL-3.0\nApache-2.0 WITH LLVM-exception\n
$ trivy image python:3.4-alpine3.9\n
Result 2019-05-16T12:53:10.076+0900 INFO Updating vulnerability database...\n2019-05-16T12:53:28.134+0900 INFO Detecting Alpine vulnerabilities...\n\npython:3.4-alpine3.9 (alpine 3.9.2)\n===================================\nTotal: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)\n
"},{"location":"guide/configuration/filtering/#trivyignoreyaml","title":".trivyignore.yaml","text":"Scanner Supported Vulnerability \u2713 Misconfiguration \u2713 Secret \u2713 License \u2713 EXPERIMENTAL
This feature might change without preserving backwards compatibility.
When the extension of the specified ignore file is either .yml or .yaml, Trivy will load the file as YAML. For the .trivyignore.yaml file, you can set ignored IDs separately for vulnerabilities, misconfigurations, secrets, or licenses1.
Available fields:
- id (required; string): The identifier of the vulnerability, misconfiguration, secret, or license1.
- paths2 (optional; string array): The list of file paths to ignore. If paths is not set, the ignore finding is applied to all files.
- purls (optional; string array): The list of PURLs of packages to ignore. If purls is not set, the ignore finding is applied to all packages. This field is currently available only for vulnerabilities.
- expired_at (optional; date, yyyy-mm-dd): The expiration date of the ignore finding. If expired_at is not set, the ignore finding is always valid.
- statement (optional; string): The reason for ignoring the finding. (This field is not used for filtering.)
$ cat .trivyignore.yaml\nvulnerabilities:\n  - id: CVE-2022-40897\n    paths:\n      - \"usr/local/lib/python3.9/site-packages/setuptools-58.1.0.dist-info/METADATA\"\n    statement: Accept the risk\n  - id: CVE-2023-2650\n  - id: CVE-2023-3446\n  - id: CVE-2023-3817\n    purls:\n      - \"pkg:deb/debian/libssl1.1\"\n  - id: CVE-2023-29491\n    expired_at: 2023-09-01\n\nmisconfigurations:\n  - id: AVD-DS-0001\n  - id: AVD-DS-0002\n    paths:\n      - \"docs/Dockerfile\"\n    statement: The image needs root privileges\n\nsecrets:\n  - id: aws-access-key-id\n  - id: aws-secret-access-key\n    paths:\n      - \"foo/bar/aws.secret\"\n\nlicenses:\n  - id: GPL-3.0 # License name is used as ID\n    paths:\n      - \"usr/share/gcc/python/libstdcxx/v6/__init__.py\"\n  - id: MIT AND GPL-2.0-or-later # Compound license expressions are supported\n  - id: Apache-2.0 WITH LLVM-exception # License expressions with exceptions are supported\n  - id: LLVM-exception # Individual license components or exceptions can be ignored\n
Enhanced License Expression Support
Trivy supports filtering complex SPDX license expressions including:
- Compound expressions with AND/OR operators: MIT AND GPL-2.0-or-later
- License exceptions with the WITH operator: Apache-2.0 WITH LLVM-exception
- Individual components: you can ignore specific license components or exceptions from compound expressions
When filtering compound expressions:
- AND/OR expressions: All individual license components must be explicitly ignored for the entire expression to be ignored
- WITH expressions: License expressions with exceptions are treated as single entities and can be ignored as a whole
- Component matching: You can also ignore individual license names or exception names to filter specific parts of compound expressions
Since this feature is experimental, you must explicitly specify the YAML file path using the --ignorefile flag. Once this functionality is stable, the YAML file will be loaded automatically.
$ trivy image --ignorefile ./.trivyignore.yaml python:3.9.16-alpine3.16\n
Result 2023-08-31T11:10:27.155+0600 INFO Vulnerability scanning is enabled\n2023-08-31T11:10:27.155+0600 INFO Secret scanning is enabled\n2023-08-31T11:10:27.155+0600 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning\n2023-08-31T11:10:27.155+0600 INFO Please see also https://trivy.dev/dev/docs/scanner/secret/#recommendation for faster secret detection\n2023-08-31T11:10:29.164+0600 INFO Detected OS: alpine\n2023-08-31T11:10:29.164+0600 INFO Detecting Alpine vulnerabilities...\n2023-08-31T11:10:29.169+0600 INFO Number of language-specific files: 1\n2023-08-31T11:10:29.170+0600 INFO Detecting python-pkg vulnerabilities...\n\npython:3.9.16-alpine3.16 (alpine 3.16.5)\n========================================\nTotal: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)\n
"},{"location":"guide/configuration/filtering/#by-rego","title":"By Rego","text":"Scanner Supported Vulnerability \u2713 Misconfiguration \u2713 Secret \u2713 License \u2713 EXPERIMENTAL
This feature might change without preserving backwards compatibility.
Rego is a policy language that allows you to express decision logic in a concise syntax. Rego is part of the popular Open Policy Agent (OPA) CNCF project. For advanced filtering, Trivy allows you to use Rego language to filter vulnerabilities.
Use the --ignore-policy flag, which takes a path to a Rego file that defines the filtering policy. The Rego package name must be trivy and it must include a rule named ignore which determines whether each individual finding should be excluded (ignore=true) or kept (ignore=false). The policy is evaluated once per finding, and the input is that finding, e.g. a DetectedVulnerability or DetectedMisconfiguration (secret and license findings are evaluated the same way, see below).
A practical way to observe the filtering policy input in your case is to run a scan with the --format json option and look at the resulting structure:
trivy image -f json centos:7\n\n...\n \"Results\": [\n {\n \"Target\": \"centos:7 (centos 7.9.2009)\",\n \"Class\": \"os-pkgs\",\n \"Type\": \"centos\",\n \"Vulnerabilities\": [\n {\n \"VulnerabilityID\": \"CVE-2015-5186\",\n \"PkgID\": \"audit-libs@2.8.5-4.el7.x86_64\",\n \"PkgName\": \"audit-libs\",\n \"InstalledVersion\": \"2.8.5-4.el7\",\n \"Layer\": {\n \"Digest\": \"sha256:2d473b07cdd5f0912cd6f1a703352c82b512407db6b05b43f2553732b55df3bc\",\n \"DiffID\": \"sha256:174f5685490326fc0a1c0f5570b8663732189b327007e47ff13d2ca59673db02\"\n },\n \"SeveritySource\": \"redhat\",\n \"PrimaryURL\": \"https://avd.aquasec.com/nvd/cve-2015-5186\",\n \"Title\": \"log terminal emulator escape sequences handling\",\n \"Description\": \"Audit before 2.4.4 in Linux does not sanitize escape characters in filenames.\",\n \"Severity\": \"MEDIUM\",\n \"CweIDs\": [\n \"CWE-20\"\n ],\n...\n
Each individual Vulnerability, Misconfiguration, License and Secret (under Results.Vulnerabilities, Results.Misconfigurations, Results.Licenses, Results.Secrets) is evaluated for exclusion or inclusion by the ignore rule.
The following is a Rego ignore policy that filters out every vulnerability with a specific CWE ID (as seen in the JSON example above):
package trivy\n\ndefault ignore = false\n\nignore {\n input.CweIDs[_] == \"CWE-20\"\n}\n
trivy image --ignore-policy examples/ignore-policies/basic.rego centos:7\n
To filter findings of a specific type based on a field that may exist in multiple structures (for example, PkgName in both DetectedVulnerability and DetectedLicense), you can use the Type field. This field is automatically added when exporting findings to Rego and indicates the kind of finding. Possible values are: vulnerability, misconfiguration, secret, and license.
For example, the following policy ignores vulnerabilities with a specific package name without affecting other finding types:
package trivy\n\n# Keep every finding unless a rule below matches\ndefault ignore = false\n\nignore {\n input.Type == \"vulnerability\"\n input.PkgName == \"foo\"\n}\n
For more advanced use cases, there is a built-in Rego library with helper functions that you can import into your policy using import data.lib.trivy. More info about the helper functions is in the library here.
You can create a whitelist of checks using Rego, see the detailed example. Additional examples are available here.
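The two policies above each test a single field. As an added example (not taken from the Trivy docs or the Trivy repository), the following --ignore-policy file shows how one policy can carry several kinds of exceptions side by side by always pairing a condition with the Type discriminator. Only package trivy, the ignore rule, Type, VulnerabilityID, PkgName and Severity come from this page; the allow-lists, the CVE cut-off date, and the field names FixedVersion and AVDID are assumptions (taken from the shape of trivy -f json output, so confirm them against a JSON report for your own target before relying on them). The example also assumes FixedVersion is omitted from the JSON when a finding has no fix, which is why it is read with object.get rather than input.FixedVersion.

```rego
package trivy

# Works whether Trivy loads the policy in Rego v0 or v1 mode.
import rego.v1

# Findings are kept unless one of the rules below matches.
default ignore := false

# Hypothetical allow-lists for this example; replace with your own.
accepted_checks := {"AVD-DS-0001", "AVD-DS-0002"}
accepted_license_pkgs := {"foo"}

# 1. Vulnerabilities: drop LOW and MEDIUM findings for which no fixed
#    version exists yet. FixedVersion is assumed to be absent from the
#    report when empty, so object.get supplies "" instead of undefined.
ignore if {
	input.Type == "vulnerability"
	input.Severity in {"LOW", "MEDIUM"}
	object.get(input, "FixedVersion", "") == ""
}

# 2. Vulnerabilities: accept one specific CVE only until a date, the Rego
#    counterpart of `CVE-... exp:YYYY-MM-DD` in .trivyignore.
#    The date is a placeholder for this example.
ignore if {
	input.Type == "vulnerability"
	input.VulnerabilityID == "CVE-2015-5186"
	time.now_ns() < time.parse_ns("2006-01-02", "2026-12-31")
}

# 3. Misconfigurations: ignore checks in the allow-list. AVDID is assumed
#    to be the "AVD-..." identifier as it appears in the JSON report.
ignore if {
	input.Type == "misconfiguration"
	input.AVDID in accepted_checks
}

# 4. Licenses: ignore findings for packages in the allow-list. PkgName also
#    exists on vulnerabilities, so the Type check keeps the rules apart.
ignore if {
	input.Type == "license"
	input.PkgName in accepted_license_pkgs
}
```

Save it as, say, policy.rego and pass it with trivy image --ignore-policy policy.rego centos:7. Because every rule starts with a Type check, adding an exception for one finding kind can never silently suppress another kind that happens to share a field name such as PkgName or Severity.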
"},{"location":"guide/configuration/filtering/#by-vulnerability-exploitability-exchange-vex","title":"By Vulnerability Exploitability Exchange (VEX)","text":"Scanner Supported Vulnerability \u2713 Misconfiguration Secret License Please refer to the VEX documentation for the details.
1. The license name is used as the id in .trivyignore.yaml files.
2. This doesn't work for OS package licenses (e.g. apk, dpkg, rpm). For projects that manage dependencies through a dependency file (e.g. go.mod, yarn.lock), path should point to that particular file.
"},{"location":"guide/configuration/others/","title":"Others","text":""},{"location":"guide/configuration/others/#enabledisable-scanners","title":"Enable/Disable Scanners","text":"You can enable/disable scanners with the --scanners flag.
Supported values:
- vuln
- misconfig
- secret
- license
For example, container image scanning enables vulnerability and secret scanners by default. If you don't need secret scanning, it can be disabled.
$ trivy image --scanners vuln alpine:3.15\n
"},{"location":"guide/configuration/others/#exit-code","title":"Exit Code","text":"Scanner Supported Vulnerability \u2713 Misconfiguration \u2713 Secret \u2713 License \u2713 By default, Trivy exits with code 0 even when security issues are detected. Use the --exit-code option if you want to exit with a non-zero exit code.
$ trivy image --exit-code 1 python:3.4-alpine3.9\n
Result 2019-05-16T12:51:43.500+0900 INFO Updating vulnerability database...\n2019-05-16T12:52:00.387+0900 INFO Detecting Alpine vulnerabilities...\n\npython:3.4-alpine3.9 (alpine 3.9.2)\n===================================\nTotal: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)\n\n+---------+------------------+----------+-------------------+---------------+--------------------------------+\n| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |\n+---------+------------------+----------+-------------------+---------------+--------------------------------+\n| openssl | CVE-2019-1543 | MEDIUM | 1.1.1a-r1 | 1.1.1b-r1 | openssl: ChaCha20-Poly1305 |\n| | | | | | with long nonces |\n+---------+------------------+----------+-------------------+---------------+--------------------------------+\n
This option is useful for CI/CD. In the following example, the test will fail only when a critical vulnerability is found.
$ trivy image --exit-code 0 --severity MEDIUM,HIGH ruby:2.4.0\n$ trivy image --exit-code 1 --severity CRITICAL ruby:2.4.0\n
"},{"location":"guide/configuration/others/#exit-on-eol","title":"Exit on EOL","text":"Scanner Supported Vulnerability \u2713 Misconfiguration Secret License Sometimes you may surprisingly get 0 vulnerabilities in an old image:
- Enabling
--ignore-unfixed option while all packages have no fixed versions. - Scanning a rather outdated OS (e.g. Ubuntu 10.04).
An OS that has reached end of service/life (EOL) usually ends up in this situation: the distribution no longer publishes security advisories for it, so Trivy has little or no data to match against, even though such an image is almost certainly full of vulnerabilities. --exit-on-eol makes Trivy exit with the given non-zero code when it detects an EOL OS. This flag is available with the following targets.
- Container images (trivy image)
- Virtual machine images (trivy vm)
- SBOM (trivy sbom)
- Root filesystem (trivy rootfs)
$ trivy image --exit-on-eol 1 alpine:3.10\n
Result 2023-03-01T11:07:15.455+0200 INFO Vulnerability scanning is enabled\n...\n2023-03-01T11:07:17.938+0200 WARN This OS version is no longer supported by the distribution: alpine 3.10.9\n2023-03-01T11:07:17.938+0200 WARN The vulnerability detection may be insufficient because security updates are not provided\n\nalpine:3.10 (alpine 3.10.9)\n===========================\nTotal: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)\n\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 Library \u2502 Vulnerability \u2502 Severity \u2502 Installed Version \u2502 Fixed Version \u2502 Title 
\u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 apk-tools \u2502 CVE-2021-36159 \u2502 CRITICAL \u2502 2.10.6-r0 \u2502 2.10.7-r0 \u2502 libfetch before 2021-07-26, as used in apk-tools, xbps, and \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 other products, mishandles... 
\u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2021-36159 \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n2023-03-01T11:07:17.941+0200 ERROR Detected EOL OS: alpine 3.10.9\n
This option is useful for CI/CD. The following example fails when a CRITICAL vulnerability is found or the OS is EOL:
$ trivy image --exit-code 1 --exit-on-eol 1 --severity CRITICAL alpine:3.16.3\n
"},{"location":"guide/configuration/others/#mirror-registries","title":"Mirror Registries","text":"EXPERIMENTAL
This feature might change without preserving backwards compatibility.
Trivy supports mirrors for remote container images and databases.
To configure them, add a list of mirrors along with the host to the trivy config file.
Note
Use the index.docker.io host for images from Docker Hub, even if you don't use that prefix.
Example for index.docker.io:
registry:\n  mirrors:\n    index.docker.io:\n      - mirror.gcr.io\n
"},{"location":"guide/configuration/others/#registry-check-procedure","title":"Registry check procedure","text":"Trivy uses the following registry order to get the image:
- mirrors in the same order as they are specified in the configuration file
- source registry
If the image cannot be fetched from a mirror (e.g. because authentication fails or the image doesn't exist there), Trivy moves on to the next mirror, and to the source registry once all mirrors have been tried.
Example:
registry:\n  mirrors:\n    index.docker.io:\n      - mirror.with.bad.auth   # We don't have credentials for this registry\n      - mirror.without.image   # Registry doesn't have this image\n
When we want to get the image alpine with the settings above, the logic is as follows:
- Try to get the image from mirror.with.bad.auth/library/alpine, but we get an error because there are no credentials for this registry.
- Try to get the image from mirror.without.image/library/alpine, but we get an error because this registry doesn't have this image (most likely it will be reported as an authorization error).
- Get the image from index.docker.io (the original registry).
"},{"location":"guide/configuration/others/#check-for-updates","title":"Check for updates","text":"Trivy periodically checks for updates and notices, and displays a message to the user with recommendations. Updates checking is non-blocking and has no impact on scanning time, performance, results, or any user experience aspect besides displaying the message. You can disable updates checking by specifying the --skip-version-check flag.
"},{"location":"guide/configuration/others/#telemetry","title":"Telemetry","text":"Trivy collected usage data for product improvement. More details in the Telemetry document. You can disable telemetry collection using the --disable-telemetry flag.
"},{"location":"guide/configuration/reporting/","title":"Reporting","text":""},{"location":"guide/configuration/reporting/#format","title":"Format","text":"Trivy supports the following formats:
- Table
- JSON
- SARIF
- Template
- SBOM
- GitHub dependency snapshot
"},{"location":"guide/configuration/reporting/#table-default","title":"Table (Default)","text":"Scanner Supported Vulnerability \u2713 Misconfiguration \u2713 Secret \u2713 License \u2713 $ trivy image -f table golang:1.22.11-alpine3.20\n
Result ...\n\nReport Summary\n\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 Target \u2502 Type \u2502 Vulnerabilities \u2502 Secrets \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 golang:1.22.11-alpine3.20 (alpine 3.20.5) \u2502 alpine \u2502 6 \u2502 - \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 usr/local/go/bin/go \u2502 gobinary \u2502 1 \u2502 - 
\u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n...\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 usr/local/go/pkg/tool/linux_amd64/vet \u2502 gobinary \u2502 1 \u2502 - \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\nLegend:\n- '-': Not scanned\n- '0': Clean (no security findings detected)\n\n\ngolang:1.22.11-alpine3.20 (alpine 3.20.5)\n\nTotal: 6 (UNKNOWN: 2, LOW: 0, MEDIUM: 2, HIGH: 2, CRITICAL: 
0)\n\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 Library \u2502 Vulnerability \u2502 Severity \u2502 Status \u2502 Installed Version \u2502 Fixed Version \u2502 Title \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 libcrypto3 \u2502 CVE-2024-12797 \u2502 HIGH \u2502 fixed 
\u2502 3.3.2-r1 \u2502 3.3.3-r0 \u2502 openssl: RFC7250 handshakes with unauthenticated servers \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502 don't abort as expected \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2024-12797 \u2502\n\u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 \u2502 CVE-2024-13176 \u2502 MEDIUM \u2502 \u2502 \u2502 3.3.2-r2 \u2502 openssl: Timing side-channel in ECDSA signature computation \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2024-13176 \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 libssl3 \u2502 CVE-2024-12797 \u2502 HIGH \u2502 \u2502 
\u2502 3.3.3-r0 \u2502 openssl: RFC7250 handshakes with unauthenticated servers \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502 don't abort as expected \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2024-12797 \u2502\n\u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 \u2502 CVE-2024-13176 \u2502 MEDIUM \u2502 \u2502 \u2502 3.3.2-r2 \u2502 openssl: Timing side-channel in ECDSA signature computation \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2024-13176 \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 
\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 musl \u2502 CVE-2025-26519 \u2502 UNKNOWN \u2502 \u2502 1.2.5-r0 \u2502 1.2.5-r1 \u2502 musl libc 0.9.13 through 1.2.5 before 1.2.6 has an \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502 out-of-bounds write ...... \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2025-26519 \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502\n\u2502 musl-utils \u2502 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502 
\u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n\nusr/local/go/bin/go (gobinary)\n\nTotal: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)\n\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 Library 
\u2502 Vulnerability \u2502 Severity \u2502 Status \u2502 Installed Version \u2502 Fixed Version \u2502 Title \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 stdlib \u2502 CVE-2025-22866 \u2502 MEDIUM \u2502 fixed \u2502 v1.22.11 \u2502 1.22.12, 1.23.6, 1.24.0-rc.3 \u2502 crypto/internal/nistec: golang: Timing sidechannel for P-256 \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502 on ppc64le in crypto/internal/nistec \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2025-22866 
\u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n\n...\n
"},{"location":"guide/configuration/reporting/#table-mode","title":"Table mode","text":"EXPERIMENTAL
This feature might change without preserving backwards compatibility.
Trivy supports the following modes for table format:
Mode: summary (enabled by default, see note 1); detailed (enabled by default). You can use the --table-mode flag to enable/disable table mode(s).
"},{"location":"guide/configuration/reporting/#summary-table","title":"Summary table","text":"Summary table contains general information about the scan performed.
Nuances of table contents:
- The table includes columns for enabled scanners only. Use the --scanners flag to enable/disable scanners.
- The table includes separate lines for the same target when it is scanned by different scanners.
- A \u201c-\u201d entry means that the scanner did not scan this target. A 0 means that the scanner scanned this target but found no security issues.
Note
For the secret and license scanners, the Trivy report contains only findings, so it cannot be determined whether Trivy scanned at least one file or simply found nothing. That is why, for these scanners, the summary table shows \u201c-\u201d when there are no findings.
Report Summary \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 Target \u2502 Type \u2502 Vulnerabilities \u2502 Misconfigurations \u2502 Secrets \u2502 Licenses \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 test (alpine 3.20.3) \u2502 alpine \u2502 2 \u2502 - \u2502 - \u2502 - \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 Java \u2502 jar \u2502 2 
\u2502 - \u2502 - \u2502 - \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 app/Dockerfile \u2502 dockerfile \u2502 - \u2502 2 \u2502 - \u2502 - \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 requirements.txt \u2502 text \u2502 0 \u2502 - \u2502 - \u2502 - \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 requirements.txt \u2502 text \u2502 - 
\u2502 - \u2502 1 \u2502 - \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 OS Packages \u2502 - \u2502 - \u2502 - \u2502 - \u2502 1 \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 Java \u2502 - \u2502 - \u2502 - \u2502 - \u2502 0 \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n
"},{"location":"guide/configuration/reporting/#detailed-tables","title":"Detailed tables","text":"Detailed tables contain information about found security issues for each target with more detailed information (CVE-ID, severity, version, etc.).
Detailed tables usr/local/go/bin/go (gobinary)\n\nTotal: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)\n\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 Library \u2502 Vulnerability \u2502 Severity \u2502 Status \u2502 Installed Version \u2502 Fixed Version \u2502 Title 
\u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 stdlib \u2502 CVE-2025-22866 \u2502 MEDIUM \u2502 fixed \u2502 v1.22.11 \u2502 1.22.12, 1.23.6, 1.24.0-rc.3 \u2502 crypto/internal/nistec: golang: Timing sidechannel for P-256 \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502 on ppc64le in crypto/internal/nistec \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2025-22866 
\u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n
"},{"location":"guide/configuration/reporting/#show-origins-of-vulnerable-dependencies","title":"Show origins of vulnerable dependencies","text":"Scanner Supported Vulnerability \u2713 Misconfiguration Secret License EXPERIMENTAL
This feature might change without preserving backwards compatibility.
Modern software development relies on third-party libraries. Third-party dependencies also depend on others, so the full set of dependencies can be represented as a dependency graph. In some cases, vulnerable dependencies are not linked directly, and finding out where they come from requires analysis of the tree. To make this task simpler, Trivy can show a dependency origin tree with the --dependency-tree flag. This flag is only available with the --format table flag.
The following OS package managers are currently supported:
- apk
- dpkg
- rpm
The following languages are currently supported:
- Node.js: package-lock.json, pnpm-lock.yaml, yarn.lock
- .NET: packages.lock.json
- Python: poetry.lock, uv.lock
- Ruby: Gemfile.lock
- Rust: cargo-auditable binaries
- Go: go.mod
- PHP: composer.lock
- Java: pom.xml, *gradle.lockfile, *.sbt.lock
- Dart: pubspec.lock
This tree is the reverse of the dependency graph. If you want to resolve a vulnerability in a particular indirect dependency, the reversed tree shows where that dependency comes from and identifies which package you actually need to update.
In table output, it looks like:
$ trivy fs --severity HIGH,CRITICAL --dependency-tree /path/to/your_node_project\n\npackage-lock.json (npm)\n=======================\nTotal: 2 (HIGH: 1, CRITICAL: 1)\n\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 Library \u2502 Vulnerability \u2502 Severity \u2502 Installed Version \u2502 Fixed Version \u2502 Title 
\u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 follow-redirects \u2502 CVE-2022-0155 \u2502 HIGH \u2502 1.14.6 \u2502 1.14.7 \u2502 follow-redirects: Exposure of Private Personal Information \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 to an Unauthorized Actor \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2022-0155 
\u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 glob-parent \u2502 CVE-2020-28469 \u2502 CRITICAL \u2502 3.1.0 \u2502 5.1.2 \u2502 nodejs-glob-parent: Regular expression denial of service \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2020-28469 
\u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n\nDependency Origin Tree (Reversed)\n=================================\npackage-lock.json\n\u251c\u2500\u2500 follow-redirects@1.14.6, (HIGH: 1, CRITICAL: 0)\n\u2502 \u2514\u2500\u2500 axios@0.21.4\n\u2514\u2500\u2500 glob-parent@3.1.0, (HIGH: 0, CRITICAL: 1)\n \u2514\u2500\u2500 chokidar@2.1.8\n \u2514\u2500\u2500 watchpack-chokidar2@2.0.1\n \u2514\u2500\u2500 watchpack@1.7.5\n \u2514\u2500\u2500 webpack@4.46.0\n \u2514\u2500\u2500 cra-append-sw@2.7.0\n
Vulnerable dependencies are shown at the top level of the tree. Lower levels show how those vulnerabilities are introduced. In the example above, axios@0.21.4, which the project includes directly, depends on the vulnerable follow-redirects@1.14.6. Likewise, glob-parent@3.1.0 is pulled in through a chain of dependencies that starts at cra-append-sw@2.7.0.
Then, you can try to update axios@0.21.4 and cra-append-sw@2.7.0 to resolve the vulnerabilities in follow-redirects@1.14.6 and glob-parent@3.1.0.
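The reversed origin tree above can be reproduced from a forward dependency graph with a short graph inversion. The following Python is an added example written for this page, not Trivy's own code: the forward edges and the set of direct dependencies are constructed by hand to match the npm packages in the example (the page only shows the reversed tree, so that edge set is an assumption), and the functions also handle graphs with several parents per package and cycles, which real lockfiles can contain.

```python
"""Build the reversed dependency origin tree that `trivy --dependency-tree`
prints, starting from a forward dependency graph.

Added example, not Trivy's own code. The graph below is constructed to match
the npm example in the text; the edge set itself is an assumption.
"""
from collections import defaultdict

# Forward graph: parent -> list of direct dependencies (constructed sample).
FORWARD_DEPS = {
    "axios@0.21.4": ["follow-redirects@1.14.6"],
    "cra-append-sw@2.7.0": ["webpack@4.46.0"],
    "webpack@4.46.0": ["watchpack@1.7.5"],
    "watchpack@1.7.5": ["watchpack-chokidar2@2.0.1"],
    "watchpack-chokidar2@2.0.1": ["chokidar@2.1.8"],
    "chokidar@2.1.8": ["glob-parent@3.1.0"],
    "follow-redirects@1.14.6": [],
    "glob-parent@3.1.0": [],
}

# Direct dependencies of the project (what you can actually pin in package.json).
DIRECT_DEPS = {"axios@0.21.4", "cra-append-sw@2.7.0"}

# Vulnerable packages with per-severity counts, as the table above reports them.
VULNERABLE = {
    "follow-redirects@1.14.6": {"HIGH": 1, "CRITICAL": 0},
    "glob-parent@3.1.0": {"HIGH": 0, "CRITICAL": 1},
}


def reverse_graph(forward):
    """Invert parent->child edges into child->parents ("who depends on me")."""
    reverse = defaultdict(list)
    for parent, children in forward.items():
        for child in children:
            reverse[child].append(parent)
    return reverse


def origin_chains(reverse, pkg, direct, _seen=None):
    """Return every chain from `pkg` up to a direct dependency.

    Each chain starts with `pkg` and ends with a package in `direct` (or with
    a package nobody depends on). Cycles are cut with `_seen`.
    """
    seen = set() if _seen is None else _seen
    if pkg in seen:
        return []
    seen = seen | {pkg}
    if pkg in direct or pkg not in reverse:
        return [[pkg]]
    chains = []
    for parent in reverse[pkg]:
        for chain in origin_chains(reverse, parent, direct, seen):
            chains.append([pkg] + chain)
    return chains


def packages_to_update(forward, vulnerable, direct):
    """Map each vulnerable package to the direct dependencies that pull it in."""
    reverse = reverse_graph(forward)
    result = {}
    for pkg in vulnerable:
        roots = {chain[-1] for chain in origin_chains(reverse, pkg, direct)}
        result[pkg] = sorted(roots)
    return result


def render_tree(forward, vulnerable, direct, lockfile="package-lock.json"):
    """Render the chains in the same reversed-tree shape Trivy prints."""
    reverse = reverse_graph(forward)
    lines = ["Dependency Origin Tree (Reversed)", "=" * 33, lockfile]
    vulns = sorted(vulnerable)
    for i, pkg in enumerate(vulns):
        last_pkg = i == len(vulns) - 1
        counts = vulnerable[pkg]
        lines.append(f"{'└──' if last_pkg else '├──'} {pkg}, "
                     f"(HIGH: {counts['HIGH']}, CRITICAL: {counts['CRITICAL']})")
        pad = "    " if last_pkg else "│   "
        for chain in origin_chains(reverse, pkg, direct):
            for depth, node in enumerate(chain[1:]):
                lines.append(pad + "    " * depth + "└── " + node)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_tree(FORWARD_DEPS, VULNERABLE, DIRECT_DEPS))
    print(packages_to_update(FORWARD_DEPS, VULNERABLE, DIRECT_DEPS))
```

Running the script prints a tree in the same shape as the Trivy output, followed by a mapping from each vulnerable package to the direct dependencies that introduce it; that mapping is the answer to the question of which package actually needs to be bumped.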
"},{"location":"guide/configuration/reporting/#json","title":"JSON","text":"Scanner Supported Vulnerability \u2713 Misconfiguration \u2713 Secret \u2713 License \u2713 $ trivy image -f json -o results.json alpine:latest\n
JSON {\n \"SchemaVersion\": 2,\n \"CreatedAt\": \"2024-12-26T21:58:15.943876+05:30\",\n \"ArtifactName\": \"alpine:latest\",\n \"ArtifactType\": \"container_image\",\n \"Metadata\": {\n \"OS\": {\n \"Family\": \"alpine\",\n \"Name\": \"3.20.3\"\n },\n \"ImageID\": \"sha256:511a44083d3a23416fadc62847c45d14c25cbace86e7a72b2b350436978a0450\",\n \"DiffIDs\": [\n \"sha256:651d9022c23486dfbd396c13db293af6845731cbd098a5f5606db4bc9f5573e8\"\n ],\n \"RepoTags\": [\n \"alpine:latest\"\n ],\n \"RepoDigests\": [\n \"alpine@sha256:1e42bbe2508154c9126d48c2b8a75420c3544343bf86fd041fb7527e017a4b4a\"\n ],\n \"ImageConfig\": {\n \"architecture\": \"arm64\",\n \"created\": \"2024-09-06T12:05:36Z\",\n \"history\": [\n {\n \"created\": \"2024-09-06T12:05:36Z\",\n \"created_by\": \"ADD alpine-minirootfs-3.20.3-aarch64.tar.gz / # buildkit\",\n \"comment\": \"buildkit.dockerfile.v0\"\n },\n {\n \"created\": \"2024-09-06T12:05:36Z\",\n \"created_by\": \"CMD [\\\"/bin/sh\\\"]\",\n \"comment\": \"buildkit.dockerfile.v0\",\n \"empty_layer\": true\n }\n ],\n \"os\": \"linux\",\n \"rootfs\": {\n \"type\": \"layers\",\n \"diff_ids\": [\n \"sha256:651d9022c23486dfbd396c13db293af6845731cbd098a5f5606db4bc9f5573e8\"\n ]\n },\n \"config\": {\n \"Cmd\": [\n \"/bin/sh\"\n ],\n \"Env\": [\n \"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"\n ],\n \"WorkingDir\": \"/\",\n \"ArgsEscaped\": true\n }\n }\n },\n \"Results\": [\n {\n \"Target\": \"alpine:latest (alpine 3.20.3)\",\n \"Class\": \"os-pkgs\",\n \"Type\": \"alpine\",\n \"Vulnerabilities\": [\n {\n \"VulnerabilityID\": \"CVE-2024-9143\",\n \"PkgID\": \"libcrypto3@3.3.2-r0\",\n \"PkgName\": \"libcrypto3\",\n \"PkgIdentifier\": {\n \"PURL\": \"pkg:apk/alpine/libcrypto3@3.3.2-r0?arch=aarch64\\u0026distro=3.20.3\",\n \"UID\": \"f705555b49cd2259\"\n },\n \"InstalledVersion\": \"3.3.2-r0\",\n \"FixedVersion\": \"3.3.2-r1\",\n \"Status\": \"fixed\",\n \"Layer\": {\n \"DiffID\": 
\"sha256:651d9022c23486dfbd396c13db293af6845731cbd098a5f5606db4bc9f5573e8\"\n },\n \"PrimaryURL\": \"https://avd.aquasec.com/nvd/cve-2024-9143\",\n \"DataSource\": {\n \"ID\": \"alpine\",\n \"Name\": \"Alpine Secdb\",\n \"URL\": \"https://secdb.alpinelinux.org/\"\n },\n \"Title\": \"openssl: Low-level invalid GF(2^m) parameters lead to OOB memory access\",\n \"Description\": \"Issue summary: Use of the low-level GF(2^m) elliptic curve APIs with untrusted\\nexplicit values for the field polynomial can lead to out-of-bounds memory reads\\nor writes.\\n\\nImpact summary: Out of bound memory writes can lead to an application crash or\\neven a possibility of a remote code execution, however, in all the protocols\\ninvolving Elliptic Curve Cryptography that we're aware of, either only \\\"named\\ncurves\\\" are supported, or, if explicit curve parameters are supported, they\\nspecify an X9.62 encoding of binary (GF(2^m)) curves that can't represent\\nproblematic input values. Thus the likelihood of existence of a vulnerable\\napplication is low.\\n\\nIn particular, the X9.62 encoding is used for ECC keys in X.509 certificates,\\nso problematic inputs cannot occur in the context of processing X.509\\ncertificates. Any problematic use-cases would have to be using an \\\"exotic\\\"\\ncurve encoding.\\n\\nThe affected APIs include: EC_GROUP_new_curve_GF2m(), EC_GROUP_new_from_params(),\\nand various supporting BN_GF2m_*() functions.\\n\\nApplications working with \\\"exotic\\\" explicit binary (GF(2^m)) curve parameters,\\nthat make it possible to represent invalid field polynomials with a zero\\nconstant term, via the above or similar APIs, may terminate abruptly as a\\nresult of reading or writing outside of array bounds. 
Remote code execution\\ncannot easily be ruled out.\\n\\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.\",\n \"Severity\": \"LOW\",\n \"CweIDs\": [\n \"CWE-787\"\n ],\n \"VendorSeverity\": {\n \"amazon\": 3,\n \"redhat\": 1,\n \"ubuntu\": 1\n },\n \"CVSS\": {\n \"redhat\": {\n \"V3Vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L\",\n \"V3Score\": 3.7\n }\n },\n \"References\": [\n \"https://access.redhat.com/security/cve/CVE-2024-9143\",\n \"https://github.com/openssl/openssl/commit/72ae83ad214d2eef262461365a1975707f862712\",\n \"https://github.com/openssl/openssl/commit/bc7e04d7c8d509fb78fc0e285aa948fb0da04700\",\n \"https://github.com/openssl/openssl/commit/c0d3e4d32d2805f49bec30547f225bc4d092e1f4\",\n \"https://github.com/openssl/openssl/commit/fdf6723362ca51bd883295efe206cb5b1cfa5154\",\n \"https://github.openssl.org/openssl/extended-releases/commit/8efc0cbaa8ebba8e116f7b81a876a4123594d86a\",\n \"https://github.openssl.org/openssl/extended-releases/commit/9d576994cec2b7aa37a91740ea7e680810957e41\",\n \"https://nvd.nist.gov/vuln/detail/CVE-2024-9143\",\n \"https://openssl-library.org/news/secadv/20241016.txt\",\n \"https://www.cve.org/CVERecord?id=CVE-2024-9143\"\n ],\n \"PublishedDate\": \"2024-10-16T17:15:18.13Z\",\n \"LastModifiedDate\": \"2024-11-08T16:35:21.58Z\"\n },\n {\n \"VulnerabilityID\": \"CVE-2024-9143\",\n \"PkgID\": \"libssl3@3.3.2-r0\",\n \"PkgName\": \"libssl3\",\n \"PkgIdentifier\": {\n \"PURL\": \"pkg:apk/alpine/libssl3@3.3.2-r0?arch=aarch64\\u0026distro=3.20.3\",\n \"UID\": \"c4a39ef718e71832\"\n },\n \"InstalledVersion\": \"3.3.2-r0\",\n \"FixedVersion\": \"3.3.2-r1\",\n \"Status\": \"fixed\",\n \"Layer\": {\n \"DiffID\": \"sha256:651d9022c23486dfbd396c13db293af6845731cbd098a5f5606db4bc9f5573e8\"\n },\n \"PrimaryURL\": \"https://avd.aquasec.com/nvd/cve-2024-9143\",\n \"DataSource\": {\n \"ID\": \"alpine\",\n \"Name\": \"Alpine Secdb\",\n \"URL\": \"https://secdb.alpinelinux.org/\"\n },\n \"Title\": 
\"openssl: Low-level invalid GF(2^m) parameters lead to OOB memory access\",\n \"Description\": \"Issue summary: Use of the low-level GF(2^m) elliptic curve APIs with untrusted\\nexplicit values for the field polynomial can lead to out-of-bounds memory reads\\nor writes.\\n\\nImpact summary: Out of bound memory writes can lead to an application crash or\\neven a possibility of a remote code execution, however, in all the protocols\\ninvolving Elliptic Curve Cryptography that we're aware of, either only \\\"named\\ncurves\\\" are supported, or, if explicit curve parameters are supported, they\\nspecify an X9.62 encoding of binary (GF(2^m)) curves that can't represent\\nproblematic input values. Thus the likelihood of existence of a vulnerable\\napplication is low.\\n\\nIn particular, the X9.62 encoding is used for ECC keys in X.509 certificates,\\nso problematic inputs cannot occur in the context of processing X.509\\ncertificates. Any problematic use-cases would have to be using an \\\"exotic\\\"\\ncurve encoding.\\n\\nThe affected APIs include: EC_GROUP_new_curve_GF2m(), EC_GROUP_new_from_params(),\\nand various supporting BN_GF2m_*() functions.\\n\\nApplications working with \\\"exotic\\\" explicit binary (GF(2^m)) curve parameters,\\nthat make it possible to represent invalid field polynomials with a zero\\nconstant term, via the above or similar APIs, may terminate abruptly as a\\nresult of reading or writing outside of array bounds. 
Remote code execution\\ncannot easily be ruled out.\\n\\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.\",\n \"Severity\": \"LOW\",\n \"CweIDs\": [\n \"CWE-787\"\n ],\n \"VendorSeverity\": {\n \"amazon\": 3,\n \"redhat\": 1,\n \"ubuntu\": 1\n },\n \"CVSS\": {\n \"redhat\": {\n \"V3Vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L\",\n \"V3Score\": 3.7\n }\n },\n \"References\": [\n \"https://access.redhat.com/security/cve/CVE-2024-9143\",\n \"https://github.com/openssl/openssl/commit/72ae83ad214d2eef262461365a1975707f862712\",\n \"https://github.com/openssl/openssl/commit/bc7e04d7c8d509fb78fc0e285aa948fb0da04700\",\n \"https://github.com/openssl/openssl/commit/c0d3e4d32d2805f49bec30547f225bc4d092e1f4\",\n \"https://github.com/openssl/openssl/commit/fdf6723362ca51bd883295efe206cb5b1cfa5154\",\n \"https://github.openssl.org/openssl/extended-releases/commit/8efc0cbaa8ebba8e116f7b81a876a4123594d86a\",\n \"https://github.openssl.org/openssl/extended-releases/commit/9d576994cec2b7aa37a91740ea7e680810957e41\",\n \"https://nvd.nist.gov/vuln/detail/CVE-2024-9143\",\n \"https://openssl-library.org/news/secadv/20241016.txt\",\n \"https://www.cve.org/CVERecord?id=CVE-2024-9143\"\n ],\n \"PublishedDate\": \"2024-10-16T17:15:18.13Z\",\n \"LastModifiedDate\": \"2024-11-08T16:35:21.58Z\"\n }\n ]\n }\n ]\n}\n
VulnerabilityID, PkgName, InstalledVersion, and Severity in Vulnerabilities are always populated, but other fields might be empty or absent, so consumers of the JSON should not assume they are present.
"},{"location":"guide/configuration/reporting/#sarif","title":"SARIF","text":"Scanner Supported Vulnerability \u2713 Misconfiguration \u2713 Secret \u2713 License \u2713 SARIF (Static Analysis Results Interchange Format) complying with SARIF 2.1.0 OASIS standard can be generated with the --format sarif flag.
$ trivy image --format sarif -o report.sarif golang:1.12-alpine\n
This SARIF file can be uploaded to several platforms, including:
- GitHub code scanning results, and there is a Trivy GitHub Action for automating this process
- SonarQube
"},{"location":"guide/configuration/reporting/#github-dependency-snapshot","title":"GitHub dependency snapshot","text":"Trivy supports the following packages:
- OS packages
- Language-specific packages
GitHub dependency snapshots can be generated with the --format github flag.
$ trivy image --format github -o report.gsbom alpine\n
This snapshot file can be submitted to your GitHub repository.
"},{"location":"guide/configuration/reporting/#template","title":"Template","text":"Scanner Supported Vulnerability \u2713 Misconfiguration \u2713 Secret \u2713 License \u2713"},{"location":"guide/configuration/reporting/#custom-template","title":"Custom Template","text":"$ trivy image --format template --template \"{{ range . }} {{ .Target }} {{ end }}\" golang:1.12-alpine\n
Result 2020-01-02T18:02:32.856+0100 INFO Detecting Alpine vulnerabilities...\n golang:1.12-alpine (alpine 3.10.2)\n
You can compute different figures within the template using sprig functions. As an example, you can count the issues in each severity class:
$ trivy image --format template --template '{{- $critical := 0 }}{{- $high := 0 }}{{- range . }}{{- range .Vulnerabilities }}{{- if eq .Severity \"CRITICAL\" }}{{- $critical = add $critical 1 }}{{- end }}{{- if eq .Severity \"HIGH\" }}{{- $high = add $high 1 }}{{- end }}{{- end }}{{- end }}Critical: {{ $critical }}, High: {{ $high }}' golang:1.12-alpine\n
Result Critical: 0, High: 2\n
For other features of sprig, see the official sprig documentation.
"},{"location":"guide/configuration/reporting/#load-templates-from-a-file","title":"Load templates from a file","text":"You can load templates from a file prefixing the template path with an @.
$ trivy image --format template --template \"@/path/to/template\" golang:1.12-alpine\n
"},{"location":"guide/configuration/reporting/#default-templates","title":"Default Templates","text":"If Trivy is installed using rpm then default templates can be found at /usr/local/share/trivy/templates.
"},{"location":"guide/configuration/reporting/#junit","title":"JUnit","text":"Scanner Supported Vulnerability \u2713 Misconfiguration \u2713 Secret \u2713 License \u2713 In the following example using the template junit.tpl XML can be generated.
$ trivy image --format template --template \"@contrib/junit.tpl\" -o junit-report.xml golang:1.12-alpine\n
"},{"location":"guide/configuration/reporting/#asff","title":"ASFF","text":"Scanner Supported Vulnerability \u2713 Misconfiguration \u2713 Secret \u2713 License Trivy also supports an ASFF template for reporting findings to AWS Security Hub
"},{"location":"guide/configuration/reporting/#html","title":"HTML","text":"Scanner Supported Vulnerability \u2713 Misconfiguration \u2713 Secret License $ trivy image --format template --template \"@contrib/html.tpl\" -o report.html golang:1.12-alpine\n
The following example shows use of default HTML template when Trivy is installed using rpm.
$ trivy image --format template --template \"@/usr/local/share/trivy/templates/html.tpl\" -o report.html golang:1.12-alpine\n
"},{"location":"guide/configuration/reporting/#sbom","title":"SBOM","text":"See here for details.
"},{"location":"guide/configuration/reporting/#output","title":"Output","text":"Trivy supports the following output destinations:
- File
- Plugin
"},{"location":"guide/configuration/reporting/#file","title":"File","text":"By specifying --output <file_path>, you can output the results to a file. Here is an example:
$ trivy image --format json --output result.json debian:12\n
"},{"location":"guide/configuration/reporting/#plugin","title":"Plugin","text":"EXPERIMENTAL
This feature might change without preserving backwards compatibility.
Plugins capable of receiving Trivy's results via standard input, called \"output plugin\", can be seamlessly invoked using the --output flag.
$ trivy <target> [--format <format>] --output plugin=<plugin_name> [--output-plugin-arg <plugin_flags>] <target_name>\n
This is useful for cases where you want to convert the output into a custom format, or when you want to send the output somewhere. For more details, please check here.
"},{"location":"guide/configuration/reporting/#converting","title":"Converting","text":"To generate multiple reports, you can generate the JSON report first and convert it to other formats with the convert subcommand.
$ trivy image --format json -o result.json debian:11\n$ trivy convert --format cyclonedx --output result.cdx result.json\n
Filtering options such as --severity are also available with convert.
# Output all severities in JSON\n$ trivy image --format json -o result.json debian:11\n\n# Output only critical issues in table format\n$ trivy convert --format table --severity CRITICAL result.json\n
Note
JSON reports from \"trivy k8s\" are not yet supported.
-
To show the summary table in convert mode, you need to enable the scanners used during JSON report generation.\u00a0\u21a9
"},{"location":"guide/configuration/skipping/","title":"Selecting files for scanning","text":"When scanning a target (image, code repository, etc), Trivy traverses all directories and files in that target and looks for known files to scan. For example, the vulnerability scanner might look for /lib/apk/db/installed for Alpine APK scanning or a requirements.txt file for Python pip scanning, and the misconfiguration scanner might look for Dockerfile for Dockerfile scanning. This document explains how to control which files Trivy looks for (including skipping files) and how it should process them.
Note
Selecting/skipping files is different from filtering/ignoring results, which is covered in the Filtering document
"},{"location":"guide/configuration/skipping/#skip-files-and-directories","title":"Skip Files and Directories","text":"You can skip specific files and directories using the --skip-files and --skip-dirs flags.
For example:
trivy image --skip-files \"/Gemfile.lock\" --skip-dirs \"/var/lib/gems/2.5.0/gems/http_parser.rb-0.6.0\" quay.io/fluentd_elasticsearch/fluentd:v2.9.0\n
This feature is relevant for the following scanners:
Scanner Supported Vulnerability \u2713 Misconfiguration \u2713 Secret \u2713 License \u2713 It's possible to specify glob patterns when referring to a file or directory. The glob expression follows the \"doublestar\" library syntax.
Examples:
# skip any file named `bar` in the subdirectories of testdata\ntrivy image --skip-files \"./testdata/*/bar\" .\n
# skip any files with the extension `.tf` in subdirectories of foo at any depth\ntrivy config --skip-files \"./foo/**/*.tf\" .\n
# skip all subdirectories of the testdata directory.\ntrivy image --skip-dirs \"./testdata/*\" .\n
# skip subdirectories at any depth named `.terraform/`. \n# this will match `./foo/.terraform` or `./foo/bar/.terraform`, but not `./.terraform`\ntrivy config --skip-dirs \"**/.terraform\" .\n
Like any other flag, this is available as Trivy YAML configuration.
For example:
image:\n skip-files:\n - foo\n - \"testdata/*/bar\"\n skip-dirs:\n - foo/bar/\n - \"**/.terraform\"\n
"},{"location":"guide/configuration/skipping/#customizing-file-handling","title":"Customizing file handling","text":"You can customize which files Trivy scans and how it interprets them with the --file-patterns flag. A file pattern configuration takes the following form: <analyzer>:<path>, such that files matching the <path> will be processed with the respective <analyzer>.
For example:
trivy fs --file-patterns \"pip:.requirements-test.txt\" .\n
This feature is relevant for the following scanners:
Scanner Supported Vulnerability \u2713 Misconfiguration \u2713 Secret License \u27131 The list of analyzers can be found here. Note that this flag is not applicable for parsers that accept files of different extensions, for example the Terraform file parser which handles .tf and .tf.json files.
The file path can use a regular expression. For example:
# interpret any file named requirements-<anything>.txt as a python pip requirements file\ntrivy fs --file-patterns \"pip:requirements-.*\\.txt\" .\n
The flag can be repeated for specifying multiple file patterns. For example:
# look for a Dockerfile called production.docker and a python pip requirements file called requirements-test.txt\ntrivy fs --scanners misconfig,vuln --file-patterns \"dockerfile:.production.docker\" --file-patterns \"pip:.requirements-test.txt\" .\n
"},{"location":"guide/configuration/skipping/#avoid-full-filesystem-traversal","title":"Avoid full filesystem traversal","text":"In specific scenarios Trivy can avoid traversing the entire filesystem, which makes scanning faster and more efficient. For more information see here
-
Only works with the license-full flag\u00a0\u21a9
"},{"location":"guide/coverage/","title":"Scanning Coverage","text":"Trivy can detect security issues in many different platforms, languages and configuration files. This section gives a general overview of that coverage, and can help answer the frequently asked question \"Does Trivy support X?\". For more detailed information about the specific platforms and languages, check the relevant documentation.
- OS Packages
- Language-specific Packages
- IaC files
- Kubernetes clusters
"},{"location":"guide/coverage/kubernetes/","title":"Kubernetes","text":"When scanning a Kubernetes cluster, Trivy differentiates between the following:
- Cluster infrastructure (e.g api-server, kubelet, addons)
- Cluster configuration (e.g Roles, ClusterRoles).
- Application workloads (e.g nginx, postgresql).
Whenever Trivy scans any of these Kubernetes resources, the container image is scanned separately from the Kubernetes resource definition (the YAML manifest) that defines the resource.
Container image is scanned for:
- Vulnerabilities
- Misconfigurations
- Exposed secrets
Kubernetes resource definition is scanned for:
- Vulnerabilities - partially supported through KBOM scanning
- Misconfigurations
- Exposed secrets
To learn more, please see the documentation for Kubernetes scanning.
"},{"location":"guide/coverage/iac/","title":"Infrastructure as Code","text":""},{"location":"guide/coverage/iac/#scanner","title":"Scanner","text":"Trivy scans Infrastructure as Code (IaC) files for
- Misconfigurations
- Secrets
"},{"location":"guide/coverage/iac/#supported-configurations","title":"Supported configurations","text":"Config type File patterns Kubernetes *.yml, *.yaml, *.json Docker Dockerfile, Containerfile Terraform *.tf, *.tf.json, *.tfvars Terraform Plan tfplan, *.tfplan, *.json CloudFormation *.yml, *.yaml, *.json Azure ARM Template *.json Helm *.yaml, *.tpl, *.tar.gz, etc. YAML *.yaml, *.yml JSON *.json"},{"location":"guide/coverage/iac/azure-arm/","title":"Azure ARM Template","text":"Trivy supports the scanners listed in the table below.
Scanner Supported Misconfiguration \u2713 Secret \u2713 It supports the following configurations:
Format Supported ARM template \u2713 Bicep \u27131 To scan Bicep code, you need to convert it into ARM templates first.
az bicep build -f main.bicep\nor\nbicep build main.bicep\n
"},{"location":"guide/coverage/iac/azure-arm/#misconfiguration","title":"Misconfiguration","text":"Trivy recursively searches directories and scans all found Azure ARM templates.
"},{"location":"guide/coverage/iac/azure-arm/#secret","title":"Secret","text":"The secret scan is performed on plain text files, with no special treatment for Azure ARM templates.
-
Bicep is not natively supported. It needs to be converted into Azure ARM templates.\u00a0\u21a9
"},{"location":"guide/coverage/iac/cloudformation/","title":"CloudFormation","text":"Trivy supports the scanners listed in the table below.
Scanner Supported Misconfiguration \u2713 Secret \u2713 It supports the following formats.
Format Supported JSON \u2713 YAML \u2713"},{"location":"guide/coverage/iac/cloudformation/#misconfiguration","title":"Misconfiguration","text":"Trivy recursively searches directories and scans all found CloudFormation files. It evaluates properties, functions, and other elements within CloudFormation files to detect misconfigurations.
"},{"location":"guide/coverage/iac/cloudformation/#value-overrides","title":"Value Overrides","text":"You can pass the path of a CloudFormation Parameters file to Trivy with cf-params to scan your CloudFormation code with those parameters applied.
trivy config --cf-params params.json ./infrastructure/cf\n
You can check a CloudFormation Parameters Example
"},{"location":"guide/coverage/iac/cloudformation/#secret","title":"Secret","text":"The secret scan is performed on plain text files, with no special treatment for CloudFormation.
"},{"location":"guide/coverage/iac/docker/","title":"Docker","text":"Trivy supports the scanners listed in the table below.
Scanner Supported Misconfiguration \u2713 Secret \u2713 It supports the following configurations.
Config Supported Dockerfile \u2713 Containerfile \u2713 Compose -"},{"location":"guide/coverage/iac/docker/#misconfiguration","title":"Misconfiguration","text":"Trivy recursively searches directories and scans all found Docker files.
"},{"location":"guide/coverage/iac/docker/#secret","title":"Secret","text":"The secret scan is performed on plain text files, with no special treatment for Dockerfile.
"},{"location":"guide/coverage/iac/helm/","title":"Helm","text":"Trivy supports two types of Helm scanning, templates and packaged charts. The following scanners are supported.
Format Misconfiguration Secret Template \u2713 \u2713 Chart \u2713 -"},{"location":"guide/coverage/iac/helm/#misconfiguration","title":"Misconfiguration","text":"Trivy recursively searches directories and scans all found Helm files.
It evaluates variables, functions, and other elements within Helm templates, resolves the chart to Kubernetes manifests, and then runs the Kubernetes checks. See here for more details on the built-in checks.
"},{"location":"guide/coverage/iac/helm/#value-overrides","title":"Value overrides","text":"There are a number of options for overriding values in Helm charts. When override values are passed to the Helm scanner, the values will be used during the Manifest rendering process and will become part of the scanned artifact.
"},{"location":"guide/coverage/iac/helm/#setting-inline-value-overrides","title":"Setting inline value overrides","text":"Overrides can be set inline on the command line
trivy config --helm-set securityContext.runAsUser=0 ./charts/mySql\n
"},{"location":"guide/coverage/iac/helm/#setting-value-file-overrides","title":"Setting value file overrides","text":"Overrides can be in a file that has the key=value set.
# Example override file (overrides.yaml)\n\nsecurityContext:\n runAsUser: 0\n
trivy config --helm-values overrides.yaml ./charts/mySql\n
"},{"location":"guide/coverage/iac/helm/#setting-value-as-explicit-string","title":"Setting value as explicit string","text":"The --helm-set-string flag is the same as --helm-set but explicitly retains the value as a string.
trivy config --helm-set-string name=false ./infrastructure/tf\n
"},{"location":"guide/coverage/iac/helm/#setting-specific-values-from-files","title":"Setting specific values from files","text":"Specific override values can come from specific files
trivy config --helm-set-file environment=dev.values.yaml ./charts/mySql\n
"},{"location":"guide/coverage/iac/helm/#secret","title":"Secret","text":"The secret scan is performed on plain text files, with no special treatment for Helm. Secret scanning is not conducted on the contents of packaged Charts, such as tar or tar.gz.
"},{"location":"guide/coverage/iac/kubernetes/","title":"Kubernetes","text":"Trivy supports the scanners listed in the table below.
Scanner Supported Misconfiguration \u2713 Secret \u2713 In addition to raw YAML and JSON, it supports the following templates:
Template Supported Helm \u2713 Kustomize \u27131 Note
Trivy does not support Kustomize overlays, so it scans files defined in the base. Or, you can scan the output of kustomize build.
"},{"location":"guide/coverage/iac/kubernetes/#misconfiguration","title":"Misconfiguration","text":"Trivy recursively searches directories and scans all found Kubernetes files.
"},{"location":"guide/coverage/iac/kubernetes/#secret","title":"Secret","text":"The secret scan is performed on plain text files, with no special treatment for Kubernetes. This means that Base64 encoded secrets are not scanned, and only secrets written in plain text are detected.
-
Kustomize is not natively supported.\u00a0\u21a9
"},{"location":"guide/coverage/iac/terraform/","title":"Terraform","text":"Trivy supports the scanners listed in the table below.
Scanner Supported Misconfiguration \u2713 Secret \u2713 It supports the following formats:
Format Supported JSON \u2713 HCL \u2713 Plan Snapshot \u2713 Plan JSON \u2713 Trivy can scan Terraform Plan files (snapshots) or their JSON representations. To create a Terraform Plan and scan it, run the following command:
terraform plan --out tfplan\ntrivy config tfplan\n
To scan a Terraform Plan representation in JSON format, run the following command:
terraform show -json tfplan > tfplan.json\ntrivy config tfplan.json\n
"},{"location":"guide/coverage/iac/terraform/#misconfiguration","title":"Misconfiguration","text":"Trivy recursively searches directories and scans all found Terraform files. It also evaluates variables, imports, and other elements within Terraform files to detect misconfigurations.
"},{"location":"guide/coverage/iac/terraform/#value-overrides","title":"Value Overrides","text":"You can provide tf-vars files to Trivy to override default values specified in the Terraform HCL code.
trivy config --tf-vars dev.terraform.tfvars ./infrastructure/tf\n
"},{"location":"guide/coverage/iac/terraform/#exclude-downloaded-terraform-modules","title":"Exclude Downloaded Terraform Modules","text":"By default, downloaded modules are also scanned. If you don't want to scan them, you can use the --tf-exclude-downloaded-modules flag.
trivy config --tf-exclude-downloaded-modules ./configs\n
"},{"location":"guide/coverage/iac/terraform/#secret","title":"Secret","text":"The secret scan is performed on plain text files, with no special treatment for Terraform.
"},{"location":"guide/coverage/iac/terraform/#limitations","title":"Limitations","text":""},{"location":"guide/coverage/iac/terraform/#terraform-plan-json","title":"Terraform Plan JSON","text":""},{"location":"guide/coverage/iac/terraform/#for-each-and-count-objects-in-expression","title":"For each and count objects in expression","text":"The plan created by Terraform does not provide complete information about references in expressions that use each or count objects. For this reason, in some situations it is not possible to establish references between resources that are needed for checks when detecting misconfigurations. An example of such a configuration is:
locals {\n buckets = toset([\"test\"])\n}\n\nresource \"aws_s3_bucket\" \"this\" {\n for_each = local.buckets\n bucket = each.key\n}\n\nresource \"aws_s3_bucket_acl\" \"this\" {\n for_each = local.buckets\n bucket = aws_s3_bucket.this[each.key].id\n acl = \"private\"\n}\n
With this configuration, the plan will not contain information about which attribute of the aws_s3_bucket resource is referenced by the aws_s3_bucket_acl resource.
See more here.
"},{"location":"guide/coverage/language/","title":"Programming Language","text":"Trivy supports programming languages for
- SBOM
- Vulnerabilities
- Licenses
"},{"location":"guide/coverage/language/#supported-languages","title":"Supported languages","text":"The files analyzed vary depending on the target. This is because Trivy primarily categorizes targets into two groups:
- Pre-build
- Post-build
If the target is a pre-build project, like a code repository, Trivy will analyze files used for building, such as lock files. On the other hand, when the target is a post-build artifact, like a container image, Trivy will analyze installed package metadata like .gemspec, binary files, and so on.
Language File Image4 Rootfs5 Filesystem6 Repository7 Ruby Gemfile.lock - - \u2705 \u2705 gemspec \u2705 \u2705 - - Python Pipfile.lock - - \u2705 \u2705 poetry.lock - - \u2705 \u2705 uv.lock - - \u2705 \u2705 requirements.txt - - \u2705 \u2705 egg package1 \u2705 \u2705 - - wheel package2 \u2705 \u2705 - - PHP composer.lock - - \u2705 \u2705 installed.json \u2705 \u2705 - - Node.js package-lock.json - - \u2705 \u2705 yarn.lock - - \u2705 \u2705 pnpm-lock.yaml - - \u2705 \u2705 bun.lock - - \u2705 \u2705 package.json \u2705 \u2705 - - .NET packages.lock.json \u2705 \u2705 \u2705 \u2705 packages.config \u2705 \u2705 \u2705 \u2705 .deps.json \u2705 \u2705 \u2705 \u2705 *Packages.props9 \u2705 \u2705 \u2705 \u2705 Java JAR/WAR/PAR/EAR3 \u2705 \u2705 - - pom.xml - - \u2705 \u2705 *gradle.lockfile - - \u2705 \u2705 *.sbt.lock - - \u2705 \u2705 Go Binaries built by Go \u2705 \u2705 - - go.mod - - \u2705 \u2705 Rust Cargo.lock \u2705 \u2705 \u2705 \u2705 Binaries built with cargo-auditable \u2705 \u2705 - - C/C++ conan.lock - - \u2705 \u2705 Elixir mix.lock8 - - \u2705 \u2705 Dart pubspec.lock - - \u2705 \u2705 Swift Podfile.lock - - \u2705 \u2705 Package.resolved - - \u2705 \u2705 Julia Manifest.toml \u2705 \u2705 \u2705 \u2705 The path of these files does not matter.
Example: Dockerfile
-
*.egg-info, *.egg-info/PKG-INFO, *.egg and EGG-INFO/PKG-INFO \u21a9
-
.dist-info/METADATA \u21a9
-
*.jar, *.war, *.par and *.ear \u21a9
-
\u2705 means \"enabled\" and - means \"disabled\" in the image scanning\u00a0\u21a9
-
\u2705 means \"enabled\" and - means \"disabled\" in the rootfs scanning\u00a0\u21a9
-
\u2705 means \"enabled\" and - means \"disabled\" in the filesystem scanning\u00a0\u21a9
-
\u2705 means \"enabled\" and - means \"disabled\" in the git repository scanning\u00a0\u21a9
-
To scan a filename other than the default filename use file-patterns \u21a9
-
Directory.Packages.props and legacy Packages.props file names are supported\u00a0\u21a9
"},{"location":"guide/coverage/language/c/","title":"C/C++","text":"Trivy supports Conan C/C++ Package Manager (v1 and v2 with limitations).
The following scanners are supported.
Package manager SBOM Vulnerability License Conan \u2713 \u2713 \u27131 The following table provides an outline of the features Trivy offers.
Package manager File Transitive dependencies Dev dependencies Dependency graph Position Conan (lockfile v1) conan.lock2 \u2713 Excluded \u2713 \u2713 Conan (lockfile v2) conan.lock2 \u2713 3 Excluded - \u2713"},{"location":"guide/coverage/language/c/#conan","title":"Conan","text":"In order to detect dependencies, Trivy searches for conan.lock1.
"},{"location":"guide/coverage/language/c/#licenses","title":"Licenses","text":"The Conan lock file doesn't contain any license information. To obtain licenses, Trivy parses the conanfile.py files from the conan v1 cache directory and conan v2 cache directory. To detect licenses correctly, ensure that the cache directory contains all dependencies used.
-
The local cache should contain the dependencies used. See licenses.\u00a0\u21a9\u21a9
-
conan.lock is default name. To scan a custom filename use file-patterns.\u00a0\u21a9\u21a9
-
For conan.lock in version 2, indirect dependencies are included in the analysis but not flagged explicitly in the dependency tree\u00a0\u21a9
"},{"location":"guide/coverage/language/dart/","title":"Dart","text":"Trivy supports Dart.
The following scanners are supported.
Package manager SBOM Vulnerability License Dart \u2713 \u2713 - The following table provides an outline of the features Trivy offers.
Package manager File Transitive dependencies Dev dependencies Dependency graph Position Detection Priority Dart pubspec.lock \u2713 Included \u2713 - \u2713"},{"location":"guide/coverage/language/dart/#dart_1","title":"Dart","text":"In order to detect dependencies, Trivy searches for pubspec.lock.
Trivy marks indirect dependencies, but the pubspec.lock file doesn't have options to separate root and dev transitive dependencies. So Trivy includes all dependencies in the report.
"},{"location":"guide/coverage/language/dart/#sdk-dependencies","title":"SDK dependencies","text":"Dart uses version 0.0.0 for SDK dependencies (e.g. Flutter). It is not possible to accurately determine the versions of these dependencies. Trivy just treats them as 0.0.0.
If --detection-priority comprehensive is passed, Trivy uses the minimum version of the constraint for the SDK. For example, in the following case, the version of flutter would be 3.3.0:
flutter:\n dependency: \"direct main\"\n description: flutter\n source: sdk\n version: \"0.0.0\"\nsdks:\n dart: \">=2.18.0 <3.0.0\"\n flutter: \"^3.3.0\"\n
"},{"location":"guide/coverage/language/dart/#dependency-tree","title":"Dependency tree","text":"To build the dependency tree, Trivy parses the cache directory. Currently, the default directories and the PUB_CACHE environment variable (absolute path only) are supported.
Note
Make sure the cache directory contains all the dependencies installed in your application. To download missing dependencies, use dart pub get command.
"},{"location":"guide/coverage/language/dotnet/","title":".NET","text":"Trivy supports .NET core and NuGet package managers.
The following scanners are supported.
Artifact SBOM Vulnerability License .Net Core \u2713 \u2713 - NuGet \u2713 \u2713 \u2713 The following table provides an outline of the features Trivy offers.
Package manager File Transitive dependencies Dev dependencies Dependency graph Position .Net Core *.deps.json \u2713 Excluded \u2713 \u2713 NuGet packages.config \u2713 Excluded - - NuGet *Packages.props - Excluded - - NuGet packages.lock.json \u2713 Included \u2713 \u2713"},{"location":"guide/coverage/language/dotnet/#depsjson","title":"*.deps.json","text":"Trivy parses *.deps.json files. Trivy currently excludes dev dependencies from the report.
Note
Trivy only includes runtime dependencies in the report.
"},{"location":"guide/coverage/language/dotnet/#packagesconfig","title":"packages.config","text":"Trivy only finds dependency names and versions from packages.config files. To build a dependency graph, it is better to use packages.lock.json files.
"},{"location":"guide/coverage/language/dotnet/#packagesprops","title":"*Packages.props","text":"Trivy parses *Packages.props files. Both legacy Packages.props and modern Directory.Packages.props are supported.
"},{"location":"guide/coverage/language/dotnet/#license-detection","title":"license detection","text":"packages.config files don't have information about the licenses used. Trivy uses *.nuspec files from global packages folder to detect licenses.
Note
The licenseUrl field is deprecated. Trivy doesn't parse this field and only checks the license field (license expression type only).
Currently only the default path and NUGET_PACKAGES environment variable are supported.
"},{"location":"guide/coverage/language/dotnet/#packageslockjson","title":"packages.lock.json","text":"Don't forget to enable lock files in your project.
Tip
Please make sure your lock file is up-to-date after modifying dependencies.
"},{"location":"guide/coverage/language/dotnet/#license-detection_1","title":"license detection","text":"Same as packages.config
"},{"location":"guide/coverage/language/elixir/","title":"Elixir","text":"Trivy supports Hex repository for Elixir.
The following scanners are supported.
Package manager SBOM Vulnerability License hex \u2713 \u2713 - The following table provides an outline of the features Trivy offers.
Package manager File Transitive dependencies Dev dependencies Dependency graph Position hex mix.lock1 \u2713 Excluded - \u2713"},{"location":"guide/coverage/language/elixir/#hex","title":"Hex","text":"In order to detect dependencies, Trivy searches for mix.lock1.
Configure your project to use the mix.lock1 file.
-
mix.lock is default name. To scan a custom filename use file-patterns \u21a9\u21a9\u21a9
"},{"location":"guide/coverage/language/golang/","title":"Go","text":""},{"location":"guide/coverage/language/golang/#overview","title":"Overview","text":"Trivy supports two types of Go scanning, Go Modules and binaries built by Go.
The following scanners are supported.
Artifact SBOM Vulnerability License Modules \u2713 \u2713 \u2713 Binaries \u2713 \u2713 - The table below provides an outline of the features Trivy offers.
Artifact Offline1 Dev dependencies Dependency graph Stdlib Detection Priority Modules \u2705 Include \u2705 \u2705 \u2705 Binaries \u2705 Exclude - \u2705 Not needed Note
When scanning Go projects (go.mod or binaries built with Go), Trivy scans only dependencies of the project, and does not detect vulnerabilities of application itself. For example, when scanning the Docker project (Docker's source code with go.mod or the Docker binary), Trivy might find vulnerabilities in Go modules that Docker depends on, but won't find vulnerabilities of Docker itself. Moreover, when scanning the Trivy project, which happens to use Docker, Docker's vulnerabilities might be detected as dependencies of Trivy.
"},{"location":"guide/coverage/language/golang/#data-sources","title":"Data Sources","text":"The data sources are listed here. Trivy uses Go Vulnerability Database for standard library and uses GitHub Advisory Database for other Go modules.
"},{"location":"guide/coverage/language/golang/#go-module","title":"Go Module","text":"Depending on Go versions, the required files are different.
Version Required files Offline >=1.17 go.mod \u2705 <1.17 go.mod, go.sum \u2705 In Go 1.17+ projects, Trivy uses go.mod for direct/indirect dependencies. On the other hand, it uses go.mod for direct dependencies and go.sum for indirect dependencies in Go 1.16 or less.
Go 1.17+ records only the indirect dependencies that are actually needed in go.mod, which reduces false detection. go.sum in Go 1.16 or less contains all indirect dependencies, even those not needed for compiling. If you want better detection, please consider updating the Go version in your project.
Note
The Go version doesn't mean your Go tool version, but the Go version in your go.mod.
module github.com/aquasecurity/trivy\n\ngo 1.18\n\nrequire (\n github.com/CycloneDX/cyclonedx-go v0.5.0\n ...\n)\n
To update the Go version in your project, you need to run the following command.
$ go mod tidy -go=1.18\n
"},{"location":"guide/coverage/language/golang/#gomod-main","title":"Main Module","text":"Trivy scans only dependencies of the project, and does not detect vulnerabilities of the main module. For example, when scanning the Docker project (Docker's source code with go.mod), Trivy might find vulnerabilities in Go modules that Docker depends on, but won't find vulnerabilities of Docker itself. Moreover, when scanning the Trivy project, which happens to use Docker, Docker's vulnerabilities might be detected as dependencies of Trivy.
"},{"location":"guide/coverage/language/golang/#gomod-stdlib","title":"Standard Library","text":"Detecting the version of Go used in the project can be tricky. The go.mod file includes hints that allow Trivy to guess the Go version, but it eventually depends on the Go tool version in the build environment. Since this strategy is not fully deterministic and accurate, it is enabled only in --detection-priority comprehensive mode. When enabled, Trivy detects the stdlib version as the minimum between the go and the toolchain directives in the go.mod file. To obtain reproducible scan results, Trivy doesn't check the locally installed version of Go.
Note
Trivy detects stdlib only for Go 1.21 or higher.
The version from the go line (for Go 1.20 or earlier) is not a minimum required version. For details, see this.
It possibly produces false positives. See the caveat for details.
"},{"location":"guide/coverage/language/golang/#license","title":"License","text":"To identify licenses, you need to download modules to the local cache beforehand, using go mod download, go mod tidy, go mod vendor, etc. If the vendor directory exists, Trivy uses this directory when scanning for license files. For other cases, Trivy traverses the $GOPATH/pkg/mod directory and collects that extra information.
"},{"location":"guide/coverage/language/golang/#dependency-graph","title":"Dependency Graph","text":"Same as licenses, you need to download modules to local cache beforehand.
"},{"location":"guide/coverage/language/golang/#go-binary","title":"Go Binary","text":"Trivy scans Go binaries when it encounters them during scans such as container images or file systems. When scanning binaries built by Go, Trivy finds dependencies and Go version information as embedded in the binary by Go tool at build time.
$ trivy rootfs ./your_binary\n
Note
It doesn't work with UPX-compressed binaries.
"},{"location":"guide/coverage/language/golang/#main-module","title":"Main Module","text":"Go binaries installed using the go install command contain the correct (semver) version for the main module and are therefore detected by Trivy. In other cases, Go uses the (devel) version2. In this case, Trivy will attempt to parse any -ldflags, as it's a common practice to pass versions this way. If unsuccessful, the version will be empty3.
"},{"location":"guide/coverage/language/golang/#go-binary-stdlib","title":"Standard Library","text":"Trivy detects the Go version used to compile the binary and detects its vulnerabilities in the standard libraries. It possibly produces false positives. See the caveat for details.
"},{"location":"guide/coverage/language/golang/#caveats","title":"Caveats","text":""},{"location":"guide/coverage/language/golang/#stdlib-vulnerabilities","title":"Stdlib Vulnerabilities","text":"Trivy does not know if or how you use stdlib functions, therefore it is possible that stdlib vulnerabilities are not applicable to your use case. There are a few ways to mitigate this:
- Analyze vulnerability reachability using a tool such as govulncheck. This will ensure that reported vulnerabilities are applicable to your project.
- Suppress non-applicable vulnerabilities using either ignore file for self-use or VEX Hub for public use.
"},{"location":"guide/coverage/language/golang/#empty-version","title":"Empty Version","text":"As described in the Main Module section, the main module of Go binaries might have an empty version. Also, dependencies replaced with local ones will have an empty version.
-
It doesn't require the Internet access.\u00a0\u21a9
-
See https://github.com/aquasecurity/trivy/issues/1837#issuecomment-1832523477 \u21a9
-
See https://github.com/golang/go/issues/63432#issuecomment-1751610604 \u21a9
"},{"location":"guide/coverage/language/java/","title":"Java","text":"Trivy supports four types of Java scanning: JAR/WAR/PAR/EAR, pom.xml, *gradle.lockfile and *.sbt.lock files.
Each artifact supports the following scanners:
| Artifact | SBOM | Vulnerability | License |
|---|---|---|---|
| JAR/WAR/PAR/EAR | \u2713 | \u2713 | - |
| pom.xml | \u2713 | \u2713 | \u2713 |
| *gradle.lockfile | \u2713 | \u2713 | \u2713 |
| *.sbt.lock | \u2713 | \u2713 | - |
The following table provides an outline of the features Trivy offers.
| Artifact | Internet access | Dev dependencies | Dependency graph | Position | Detection Priority |
|---|---|---|---|---|---|
| JAR/WAR/PAR/EAR | Trivy Java DB | Include | - | - | Not needed |
| pom.xml | Maven repository1 | Exclude | \u2713 | \u27137 | - |
| *gradle.lockfile | - | Exclude | \u2713 | \u2713 | Not needed |
| *.sbt.lock | - | Exclude | - | \u2713 | Not needed |
These may be enabled or disabled depending on the target. See here for the detail.
"},{"location":"guide/coverage/language/java/#jarwarparear","title":"JAR/WAR/PAR/EAR","text":"To find information about your JAR2 file, Trivy parses pom.properties and MANIFEST.MF files in your JAR2 file and takes required properties3.
If those files don't exist or don't contain enough information, Trivy tries to find this JAR2 file in trivy-java-db. The Java DB is automatically downloaded/updated when any JAR2 file is found. It is stored in the cache directory.
EXPERIMENTAL
Finding JARs in trivy-java-db is an experimental function.
A base JAR2 may contain inner JARs2. To find information about these JARs2, the same logic is used as for the base JAR2.
The table format only contains the name of the root JAR2. To get the full path to inner JARs2, use the json format.
"},{"location":"guide/coverage/language/java/#pomxml","title":"pom.xml","text":"Trivy parses your pom.xml file and tries to find files with dependencies from these local locations.
- project directory4
- relativePath field5
- local repository directory6.
"},{"location":"guide/coverage/language/java/#remote-repositories","title":"remote repositories","text":"If your machine doesn't have the necessary files - Trivy tries to find the information about these dependencies in the remote repositories:
- repositories from pom files
- maven central repository
Trivy reproduces Maven's repository selection and priority:
- for snapshot artifacts:
  - check only snapshot repositories from pom files (if any)
- for other artifacts:
  - check release repositories from pom files (if any)
  - check maven central
Note
Trivy only takes information about packages from the Maven repository; it does not take the list of vulnerabilities for packages from there. Information about data sources for Java can be found here.
You can disable connecting to the maven repository with the --offline-scan flag. The --offline-scan flag does not affect the Trivy database. The vulnerability database will be downloaded anyway.
Warning
Trivy may skip some dependencies (that were not found on your local machine) when the --offline-scan flag is passed.
"},{"location":"guide/coverage/language/java/#supported-scopes","title":"supported scopes","text":"Trivy only scans import, compile, runtime and empty maven scopes. Other scopes and Optional dependencies are not currently being analyzed.
"},{"location":"guide/coverage/language/java/#empty-dependency-version","title":"empty dependency version","text":"There are cases when Trivy cannot determine the version of dependencies:
- Unable to determine the version from the parent because the parent is not reachable;
- The dependency uses a hard requirement with more than one version.
In these cases, Trivy uses an empty version for the dependency.
Warning
Trivy doesn't detect child dependencies for dependencies without a version.
"},{"location":"guide/coverage/language/java/#maven-invoker-plugin","title":"maven-invoker-plugin","text":"Typically, the integration tests directory (**/[src|target]/it/*/pom.xml) of maven-invoker-plugin doesn't contain actual pom.xml files and should be skipped to avoid noise.
Trivy marks dependencies from these files as development dependencies and skips them by default. If you need to show them, use the --include-dev-deps flag.
"},{"location":"guide/coverage/language/java/#gradlelock","title":"Gradle.lock","text":"gradle.lock files only contain information about used dependencies.
Note
All necessary files are checked locally. Gradle file scanning doesn't require internet access.
By default, Trivy doesn't report development dependencies. Use the --include-dev-deps flag to include them in the results.
"},{"location":"guide/coverage/language/java/#dependency-tree","title":"Dependency-tree","text":"EXPERIMENTAL
This feature might change without preserving backwards compatibility.
Trivy finds child dependencies from *.pom files in the cache8 directory.
However, there is no reliable way to determine direct dependencies (even using other files). Therefore, Trivy marks all dependencies as indirect and uses heuristics to guess the direct dependencies and build a dependency tree.
"},{"location":"guide/coverage/language/java/#licenses","title":"Licenses","text":"Trivy also can detect licenses for dependencies.
Make sure that you have the cache8 directory, so that licenses can be found in the *.pom dependency files.
"},{"location":"guide/coverage/language/java/#sbt","title":"SBT","text":"build.sbt.lock files only contain information about used dependencies. This requires a lockfile generated using the sbt-dependency-lock plugin.
Note
All necessary files are checked locally. SBT file scanning doesn't require internet access.
- Uses maven repository to get information about dependencies. Internet access required.\u00a0\u21a9
- It means *.jar, *.war, *.par and *.ear files\u00a0\u21a9\u21a9\u21a9\u21a9\u21a9\u21a9\u21a9\u21a9\u21a9\u21a9
- ArtifactID, GroupID and Version \u21a9
- e.g. when the parent pom.xml file has the ../pom.xml path\u00a0\u21a9
- When you use a dependency path in the relativePath field in the pom.xml file\u00a0\u21a9
- /Users/<username>/.m2/repository (for Linux and Mac) and C:/Users/<username>/.m2/repository (for Windows) by default\u00a0\u21a9
- To avoid confusion, Trivy only finds locations for direct dependencies from the base pom.xml file.\u00a0\u21a9
- The supported directories are $GRADLE_USER_HOME/caches and $HOME/.gradle/caches (%HOMEPATH%\\.gradle\\caches for Windows).\u00a0\u21a9\u21a9
"},{"location":"guide/coverage/language/julia/","title":"Julia","text":""},{"location":"guide/coverage/language/julia/#features","title":"Features","text":"Trivy supports Pkg.jl, which is the Julia package manager. The following scanners are supported.
| Package manager | SBOM | Vulnerability | License |
|---|---|---|---|
| Pkg.jl | \u2713 | - | - |
The following table provides an outline of the features Trivy offers.
| Package manager | File | Transitive dependencies | Dev dependencies | License | Dependency graph | Position |
|---|---|---|---|---|---|---|
| Pkg.jl | Manifest.toml | \u2705 | Excluded1 | - | \u2705 | \u2705 |"},{"location":"guide/coverage/language/julia/#pkgjl","title":"Pkg.jl","text":"Trivy searches for Manifest.toml to detect dependencies.
Trivy also supports dependency trees; however, to display an accurate tree, it needs to know whether each package is a direct dependency of the project. Since this information is not included in Manifest.toml, Trivy parses Project.toml, which should be located next to Manifest.toml. If you want to see the dependency tree, please ensure that Project.toml is present.
Scanning Manifest.toml and Project.toml together also removes developer dependencies.
Dependency extensions are currently ignored.
- When you scan Manifest.toml and Project.toml together.\u00a0\u21a9
"},{"location":"guide/coverage/language/nodejs/","title":"Node.js","text":"Trivy supports four types of Node.js package managers: npm, Yarn, pnpm and Bun1.
The following scanners are supported.
| Artifact | SBOM | Vulnerability | License |
|---|---|---|---|
| npm | \u2713 | \u2713 | \u2713 |
| Yarn | \u2713 | \u2713 | \u2713 |
| pnpm | \u2713 | \u2713 | \u2713 |
| Bun | \u2713 | \u2713 | \u2713 |
The following table provides an outline of the features Trivy offers.
| Package manager | File | Transitive dependencies | Dev dependencies | Dependency graph | Position |
|---|---|---|---|---|---|
| npm | package-lock.json | \u2713 | Excluded | \u2713 | \u2713 |
| Yarn | yarn.lock | \u2713 | Excluded | \u2713 | \u2713 |
| pnpm | pnpm-lock.yaml | \u2713 | Excluded | \u2713 | - |
| Bun | bun.lock | \u2713 | Excluded | \u2713 | \u2713 |
In addition, Trivy scans installed packages with package.json.
| File | Dependency graph | Position | License |
|---|---|---|---|
| package.json | - | - | \u2705 |
These may be enabled or disabled depending on the target. See here for the detail.
"},{"location":"guide/coverage/language/nodejs/#package-managers","title":"Package managers","text":"Trivy parses your files generated by package managers in filesystem/repository scanning.
Tip
Please make sure your lock file is up-to-date after modifying package.json.
"},{"location":"guide/coverage/language/nodejs/#npm","title":"npm","text":"Trivy parses package-lock.json. To identify licenses, you need to download dependencies to node_modules beforehand. Trivy analyzes node_modules for licenses.
By default, Trivy doesn't report development dependencies. Use the --include-dev-deps flag to include them.
"},{"location":"guide/coverage/language/nodejs/#yarn","title":"Yarn","text":"Trivy parses yarn.lock.
Trivy also analyzes additional files to gather more information about the detected dependencies.
- package.json
- node_modules/**
"},{"location":"guide/coverage/language/nodejs/#package-relationships","title":"Package relationships","text":"yarn.lock files don't contain information about package relationships, such as direct or indirect dependencies. To enrich this information, Trivy parses the package.json file located next to the yarn.lock file as well as workspace package.json files.
By default, Trivy doesn't report development dependencies. Use the --include-dev-deps flag to include them in the results.
"},{"location":"guide/coverage/language/nodejs/#development-dependencies","title":"Development dependencies","text":"yarn.lock files don't contain information about package groups, such as production and development dependencies. To identify dev dependencies and support aliases, Trivy parses the package.json file located next to the yarn.lock file as well as workspace package.json files.
"},{"location":"guide/coverage/language/nodejs/#licenses","title":"Licenses","text":"Trivy analyzes the .yarn directory (for Yarn 2+) or the node_modules directory (for Yarn Classic) located next to the yarn.lock file to detect licenses.
"},{"location":"guide/coverage/language/nodejs/#pnpm","title":"pnpm","text":"Trivy parses pnpm-lock.yaml, then finds production dependencies and builds a tree of dependencies with vulnerabilities. To identify licenses, you need to download dependencies to node_modules beforehand. Trivy analyzes node_modules for licenses.
"},{"location":"guide/coverage/language/nodejs/#lock-file-v9-version","title":"lock file v9 version","text":"Trivy supports Dev field for pnpm-lock.yaml v9 or later. Use the --include-dev-deps flag to include the developer's dependencies in the result.
"},{"location":"guide/coverage/language/nodejs/#bun","title":"Bun","text":"Trivy also supports scanning bun.lock file generated by Bun. You can use Bun v1.2 which uses this file as default or use bun install --save-text-lockfile in Bun v1.1.39 to generate it.
For previous Bun versions you can use the command bun install -y to generate a Yarn-compatible yarn.lock and then scan it with Trivy.
"},{"location":"guide/coverage/language/nodejs/#development-dependencies_1","title":"Development dependencies","text":"bun.lock contains information about package groups, such as production and development dependencies. By default, Trivy doesn't report development dependencies. Use the --include-dev-deps flag to include them.
Note
bun.lockb is not supported.
"},{"location":"guide/coverage/language/nodejs/#packages","title":"Packages","text":"Trivy parses the manifest files of installed packages in container image scanning and so on.
"},{"location":"guide/coverage/language/nodejs/#packagejson","title":"package.json","text":"Trivy searches for package.json files under node_modules and identifies installed packages. It only extracts package names, versions and licenses for those packages.
- yarn.lock must be generated\u00a0\u21a9
"},{"location":"guide/coverage/language/php/","title":"PHP","text":"Trivy supports Composer, which is a tool for dependency management in PHP.
The following scanners are supported.
| Package manager | SBOM | Vulnerability | License |
|---|---|---|---|
| Composer | \u2713 | \u2713 | \u2713 |
The following table provides an outline of the features Trivy offers.
| Package manager | File | Transitive dependencies | Dev dependencies | Dependency graph | Position |
|---|---|---|---|---|---|
| Composer | composer.lock | \u2713 | Excluded | \u2713 | \u2713 |
| Composer | installed.json | \u2713 | Excluded | - | \u2713 |"},{"location":"guide/coverage/language/php/#composerlock","title":"composer.lock","text":"In order to detect dependencies, Trivy searches for composer.lock.
Trivy also supports dependency trees; however, to display an accurate tree, it needs to know whether each package is a direct dependency of the project. Since this information is not included in composer.lock, Trivy parses composer.json, which should be located next to composer.lock. If you want to see the dependency tree, please ensure that composer.json is present.
"},{"location":"guide/coverage/language/php/#installedjson","title":"installed.json","text":"Trivy also supports dependency detection for installed.json files. By default, you can find this file at path_to_app/vendor/composer/installed.json.
"},{"location":"guide/coverage/language/python/","title":"Python","text":"Trivy supports three types of Python package managers: pip, Pipenv and Poetry. The following scanners are supported for package managers.
| Package manager | SBOM | Vulnerability | License |
|---|---|---|---|
| pip | \u2713 | \u2713 | \u2713 |
| Pipenv | \u2713 | \u2713 | - |
| Poetry | \u2713 | \u2713 | - |
| uv | \u2713 | \u2713 | - |
In addition, Trivy supports three formats of Python packages: egg, wheel and conda. The following scanners are supported for Python packages.
| Packaging | SBOM | Vulnerability | License |
|---|---|---|---|
| Egg | \u2713 | \u2713 | \u2713 |
| Wheel | \u2713 | \u2713 | \u2713 |
| Conda | \u2713 | - | - |
The following table provides an outline of the features Trivy offers.
| Package manager | File | Transitive dependencies | Dev dependencies | Dependency graph | Position | Detection Priority |
|---|---|---|---|---|---|---|
| pip | requirements.txt | - | Include | - | \u2713 | \u2713 |
| Pipenv | Pipfile.lock | \u2713 | Include | - | \u2713 | Not needed |
| Poetry | poetry.lock | \u2713 | Exclude | \u2713 | - | Not needed |
| uv | uv.lock | \u2713 | Exclude | \u2713 | - | Not needed |
| Packaging | Dependency graph |
|---|---|
| Egg | \u2713 |
| Wheel | \u2713 |
These may be enabled or disabled depending on the target. See here for the detail.
"},{"location":"guide/coverage/language/python/#package-managers","title":"Package managers","text":"Trivy parses your files generated by package managers in filesystem/repository scanning.
"},{"location":"guide/coverage/language/python/#pip","title":"pip","text":""},{"location":"guide/coverage/language/python/#dependency-detection","title":"Dependency detection","text":"By default, Trivy only parses version specifiers with == comparison operator and without .*.
Using the --detection-priority comprehensive option ensures that the tool establishes a minimum version, which is particularly useful in scenarios where identifying the exact version is challenging. In that case, Trivy also parses the >= and ~= specifiers and a trailing .*.
keyring >= 4.1.1 # Minimum version 4.1.1\nMopidy-Dirble ~= 1.1 # Minimum version 1.1\npython-gitlab==2.0.* # Minimum version 2.0.0\n
There is also a way to convert unsupported version specifiers: use either the pip-compile tool (which doesn't install the packages) or run pip freeze from the virtual environment where the requirements are already installed. $ cat requirements.txt \nboto3~=1.24.60\nclick>=8.0\njson-fix==0.5.*\n$ pip install -r requirements.txt\n...\n$ pip freeze > requirements.txt \n$ cat requirements.txt \nboto3==1.24.96\nbotocore==1.27.96\nclick==8.1.7\njmespath==1.0.1\njson-fix==0.5.2\npython-dateutil==2.8.2\ns3transfer==0.6.2\nsetuptools==69.0.2\nsix==1.16.0\nurllib3==1.26.18\nwheel==0.42.0\n
requirements.txt files usually contain only the direct dependencies and do not contain the transitive dependencies. Therefore, Trivy scans only for the direct dependencies with requirements.txt.
To detect transitive dependencies as well, you need to generate a requirements.txt that contains them. As described above, you can do this with pip freeze or pip-compile.
$ cat requirements.txt # it will only find `requests@2.28.2`.\nrequests==2.28.2 \n$ pip install -r requirements.txt\n...\n\n$ pip freeze > requirements.txt \n$ cat requirements.txt # it will also find the transitive dependencies of `requests@2.28.2`.\ncertifi==2022.12.7\ncharset-normalizer==3.1.0\nidna==3.4\nPyJWT==2.1.0\nrequests==2.28.2\nurllib3==1.26.15\n
pip freeze also helps to resolve extras (optional) dependencies (like package[extras]=0.0.0).
requirements.txt files don't contain information about dependencies used for development. Trivy could detect vulnerabilities in development packages, which do not affect your production environment.
"},{"location":"guide/coverage/language/python/#license-detection","title":"License detection","text":"requirements.txt files don't contain information about licenses. Therefore, Trivy checks METADATA files from lib/site-packages directory.
Trivy uses 3 ways to detect the site-packages directory:
- Checks the VIRTUAL_ENV environment variable.
- Detects the path to the python1 binary and checks the ../lib/pythonX.Y/site-packages directory.
- Detects the path to the python1 binary and checks the ../../lib/site-packages directory.
"},{"location":"guide/coverage/language/python/#pipenv","title":"Pipenv","text":"Trivy parses Pipfile.lock. Pipfile.lock files don't contain information about dependencies used for development. Trivy could detect vulnerabilities on the development packages, which not affect your production environment.
License detection is not supported for Pipenv.
"},{"location":"guide/coverage/language/python/#poetry","title":"Poetry","text":"Trivy uses poetry.lock to identify dependencies and find vulnerabilities. To build the correct dependency graph, pyproject.toml also needs to be present next to poetry.lock.
License detection is not supported for Poetry.
By default, Trivy doesn't report development dependencies. Use the --include-dev-deps flag to include them.
"},{"location":"guide/coverage/language/python/#uv","title":"uv","text":"Trivy uses uv.lock to identify dependencies and find vulnerabilities.
License detection is not supported for uv.
By default, Trivy doesn't report development dependencies. Use the --include-dev-deps flag to include them.
"},{"location":"guide/coverage/language/python/#packaging","title":"Packaging","text":"Trivy parses the manifest files of installed packages in container image scanning and so on. See here for the detail.
"},{"location":"guide/coverage/language/python/#egg","title":"Egg","text":"Trivy looks for *.egg-info, *.egg-info/METADATA, *.egg-info/PKG-INFO, *.egg and EGG-INFO/PKG-INFO to identify Python packages.
"},{"location":"guide/coverage/language/python/#wheel","title":"Wheel","text":"Trivy looks for .dist-info/METADATA to identify Python packages.
- Trivy checks python, python3, python2 and python.exe file names.\u00a0\u21a9\u21a9
"},{"location":"guide/coverage/language/ruby/","title":"Ruby","text":"Trivy supports Bundler and RubyGems. The following scanners are supported for Bundler and RubyGems.
| Package manager | SBOM | Vulnerability | License |
|---|---|---|---|
| Bundler | \u2713 | \u2713 | - |
| RubyGems | \u2713 | \u2713 | \u2713 |
The following table provides an outline of the features Trivy offers.
| Package manager | File | Transitive dependencies | Dev dependencies | Dependency graph | Position |
|---|---|---|---|---|---|
| Bundler | Gemfile.lock | \u2713 | Included | \u2713 | \u2713 |
| RubyGems | .gemspec | - | Included | - | - |"},{"location":"guide/coverage/language/ruby/#bundler","title":"Bundler","text":"Trivy searches for Gemfile.lock to detect dependencies.
"},{"location":"guide/coverage/language/ruby/#rubygems","title":"RubyGems","text":".gemspec files doesn't contains transitive dependencies. You need to scan each .gemspec file separately.
"},{"location":"guide/coverage/language/rust/","title":"Rust","text":"Trivy supports Cargo, which is the Rust package manager. The following scanners are supported for Cargo.
| Package manager | SBOM | Vulnerability | License |
|---|---|---|---|
| Cargo | \u2713 | \u2713 | - |
In addition, it supports binaries built with cargo-auditable.
| Artifact | SBOM | Vulnerability | License |
|---|---|---|---|
| Binaries | \u2713 | \u2713 | - |"},{"location":"guide/coverage/language/rust/#features","title":"Features","text":"The following table provides an outline of the features Trivy offers.
| Package manager | File | Transitive dependencies | Dev dependencies | Dependency graph | Position |
|---|---|---|---|---|---|
| Cargo | Cargo.lock | \u2713 | Excluded1 | \u2713 | \u2713 |
| Artifact | Transitive dependencies | Dev dependencies | Dependency graph | Position |
|---|---|---|---|---|
| Binaries | \u2713 | Excluded | - | - |"},{"location":"guide/coverage/language/rust/#cargo","title":"Cargo","text":"Trivy searches for Cargo.lock to detect dependencies.
Trivy also supports dependency trees; however, to display an accurate tree, it needs to know whether each package is a direct dependency of the project. Since this information is not included in Cargo.lock, Trivy parses Cargo.toml, which should be located next to Cargo.lock. If you want to see the dependency tree, please ensure that Cargo.toml is present.
Scanning Cargo.lock and Cargo.toml together also removes developer dependencies.
"},{"location":"guide/coverage/language/rust/#binaries","title":"Binaries","text":"Trivy scans binaries built with cargo-auditable. If such a binary exists, Trivy will identify it as being built with cargo-audit and scan it.
- When you scan Cargo.lock and Cargo.toml together.\u00a0\u21a9
"},{"location":"guide/coverage/language/swift/","title":"Swift","text":"Trivy supports CocoaPods and Swift package managers.
The following scanners are supported.
| Package manager | SBOM | Vulnerability | License |
|---|---|---|---|
| Swift | \u2713 | \u2713 | - |
| CocoaPods | \u2713 | \u2713 | - |
The following table provides an outline of the features Trivy offers.
| Package manager | File | Transitive dependencies | Dev dependencies | Dependency graph | Position |
|---|---|---|---|---|---|
| Swift | Package.resolved | \u2713 | Included | - | \u2713 |
| CocoaPods | Podfile.lock | \u2713 | Included | \u2713 | - |
These may be enabled or disabled depending on the target. See here for the detail.
"},{"location":"guide/coverage/language/swift/#swift_1","title":"Swift","text":"Trivy parses Package.resolved file to find dependencies. Don't forget to update (swift package update command) this file before scanning.
"},{"location":"guide/coverage/language/swift/#cocoapods","title":"CocoaPods","text":"CocoaPods uses package names in PodFile.lock, but GitHub Advisory Database (GHSA) Trivy relies on uses Git URLs. We parse the CocoaPods Specs to match package names and links.
Limitation
Since GHSA holds only Git URLs, such as github.com/apple/swift-nio, Trivy can't identify affected submodules and detects all submodules maintained under the same URL. For example, SwiftNIOHTTP1 and SwiftNIOWebSocket are both maintained under github.com/apple/swift-nio, and Trivy detects CVE-2022-3215 for both of them, even though only SwiftNIOHTTP1 is actually affected.
"},{"location":"guide/coverage/os/","title":"OS","text":""},{"location":"guide/coverage/os/#scanner","title":"Scanner","text":"Trivy supports operating systems for
- SBOM
- Vulnerabilities
- Licenses
"},{"location":"guide/coverage/os/#supported-os","title":"Supported OS","text":"OS Supported Versions Package Managers Alpine Linux 2.2 - 2.7, 3.0 - 3.22, edge apk Wolfi Linux (n/a) apk Chainguard (n/a) apk MinimOS (n/a) apk Red Hat Enterprise Linux 6, 7, 8, 9 dnf/yum/rpm Red Hat Enterprise Linux 10 (SBOM only) dnf/yum/rpm CentOS1 6, 7, 8 dnf/yum/rpm AlmaLinux 8, 9, 10 dnf/yum/rpm Rocky Linux 8, 9 dnf/yum/rpm Oracle Linux 5, 6, 7, 8 dnf/yum/rpm Azure Linux (CBL-Mariner) 1.0, 2.0, 3.0 tdnf/dnf/yum/rpm Amazon Linux 1, 2, 2023 dnf/yum/rpm openSUSE Leap 42, 15 zypper/rpm openSUSE Tumbleweed (n/a) zypper/rpm SUSE Linux Enterprise 11, 12, 15 zypper/rpm SUSE Linux Enterprise Micro 5, 6 zypper/rpm Photon OS 1.0, 2.0, 3.0, 4.0, 5.0 tndf/yum/rpm CoreOS3 All versions (SBOM only) rpm Echo (n/a) apt/dpkg Debian GNU/Linux 7, 8, 9, 10, 11, 12 apt/dpkg Ubuntu All versions supported by Canonical apt/dpkg Bottlerocket 1.7.0 and upper bottlerocket OSs with installed Conda - conda"},{"location":"guide/coverage/os/#supported-container-images","title":"Supported container images","text":"Container image Supported Versions Package Managers Google Distroless2 Any apt/dpkg Bitnami Any - Each page gives more details.
- CentOS Stream is not supported\u00a0\u21a9
- https://github.com/GoogleContainerTools/distroless \u21a9
- Fedora CoreOS and the deprecated CoreOS Container Linux\u00a0\u21a9
"},{"location":"guide/coverage/os/alma/","title":"AlmaLinux","text":"Trivy supports the following scanners for OS packages.
| Scanner | Supported |
|---|---|
| SBOM | \u2713 |
| Vulnerability | \u2713 |
| License | \u2713 |
Please see here for supported versions.
The table below outlines the features offered by Trivy.
| Feature | Supported |
|---|---|
| Unfixed vulnerabilities | - |
| Dependency graph | \u2713 |
| End of life awareness | \u2713 |"},{"location":"guide/coverage/os/alma/#sbom","title":"SBOM","text":"Trivy detects packages that have been installed through package managers such as dnf and yum.
"},{"location":"guide/coverage/os/alma/#vulnerability","title":"Vulnerability","text":"AlmaLinux offers its own security advisories, and these are utilized when scanning AlmaLinux for vulnerabilities.
"},{"location":"guide/coverage/os/alma/#data-source","title":"Data Source","text":"See here.
"},{"location":"guide/coverage/os/alma/#fixed-version","title":"Fixed Version","text":"When looking at fixed versions, it's crucial to consider the patches supplied by AlmaLinux. For example, for CVE-2023-0464, the fixed version for AlmaLinux 9 is listed as 3.0.7-16.el9_2 in their advisory. Note that this is different from the upstream fixed version, which is 3.0.9, 3.1.1, and son on. Typically, only the upstream information gets listed on NVD, so it's important not to get confused.
"},{"location":"guide/coverage/os/alma/#severity","title":"Severity","text":"Trivy calculates the severity of an issue based on the severity provided by AlmaLinux. If the severity is not provided or defined yet by AlmaLinux, the severity from the NVD is taken into account.
Using CVE-2023-0464 as an example, while it is rated as \"High\" in NVD, AlmaLinux has marked it as \"moderate\". As a result, Trivy will display it as \"Medium\".
The table below is the mapping of AlmaLinux's severity to Trivy's severity levels.
| AlmaLinux | Trivy |
|---|---|
| Low | Low |
| Moderate | Medium |
| Important | High |
| Critical | Critical |"},{"location":"guide/coverage/os/alma/#status","title":"Status","text":"Trivy supports the following vulnerability statuses for AlmaLinux.
| Status | Supported |
|---|---|
| Fixed | \u2713 |
| Affected | \u2713 |
| Under Investigation | |
| Will Not Fix | |
| Fix Deferred | |
| End of Life | |"},{"location":"guide/coverage/os/alma/#license","title":"License","text":"Trivy identifies licenses by examining the metadata of RPM packages.
"},{"location":"guide/coverage/os/alpine/","title":"Alpine Linux","text":"Trivy supports the following scanners for OS packages.
| Scanner | Supported |
|---|---|
| SBOM | \u2713 |
| Vulnerability | \u2713 |
| License | \u2713 |
Please see here for supported versions.
The table below outlines the features offered by Trivy.
| Feature | Supported |
|---|---|
| Unfixed vulnerabilities | - |
| Dependency graph | \u2713 |
| End of life awareness | \u2713 |"},{"location":"guide/coverage/os/alpine/#sbom","title":"SBOM","text":"Trivy detects packages that have been installed through apk.
"},{"location":"guide/coverage/os/alpine/#vulnerability","title":"Vulnerability","text":"Alpine Linux offers its own security advisories, and these are utilized when scanning Alpine for vulnerabilities.
"},{"location":"guide/coverage/os/alpine/#data-source","title":"Data Source","text":"See here.
"},{"location":"guide/coverage/os/alpine/#fixed-version","title":"Fixed Version","text":"When looking at fixed versions, it's crucial to consider the patches supplied by Alpine. For example, for CVE-2023-0464, the fixed version for Alpine Linux is listed as 3.1.0-r1 in the secfixes. Note that this is different from the upstream fixed version, which is 3.1.1. Typically, only the upstream information gets listed on NVD, so it's important not to get confused.
"},{"location":"guide/coverage/os/alpine/#severity","title":"Severity","text":"For Alpine vulnerabilities, the severity is determined using the values set by NVD.
"},{"location":"guide/coverage/os/alpine/#status","title":"Status","text":"Trivy supports the following vulnerability statuses for Alpine.
| Status | Supported |
|---|---|
| Fixed | \u2713 |
| Affected | \u2713 |
| Under Investigation | |
| Will Not Fix | |
| Fix Deferred | |
| End of Life | |"},{"location":"guide/coverage/os/alpine/#license","title":"License","text":"Trivy identifies licenses by examining the metadata of APK packages.
"},{"location":"guide/coverage/os/amazon/","title":"Amazon Linux","text":"Trivy supports the following scanners for OS packages.
| Scanner | Supported |
|---|---|
| SBOM | \u2713 |
| Vulnerability | \u2713 |
| License | \u2713 |
Please see here for supported versions.
The table below outlines the features offered by Trivy.
| Feature | Supported |
|---|---|
| Unfixed vulnerabilities | - |
| Dependency graph | \u2713 |
| End of life awareness | \u2713 |"},{"location":"guide/coverage/os/amazon/#sbom","title":"SBOM","text":"Trivy detects packages that have been installed through package managers such as dnf and yum.
"},{"location":"guide/coverage/os/amazon/#vulnerability","title":"Vulnerability","text":"Amazon Linux offers its own security advisories, and these are utilized when scanning Amazon Linux for vulnerabilities.
"},{"location":"guide/coverage/os/amazon/#data-source","title":"Data Source","text":"See here.
"},{"location":"guide/coverage/os/amazon/#fixed-version","title":"Fixed Version","text":"When looking at fixed versions, it's crucial to consider the patches supplied by Amazon. For example, for CVE-2023-0464, the fixed version for Amazon Linux 2023 is listed as 3.0.8-1.amzn2023.0.2 in ALAS2023-2023-181. Note that this is different from the upstream fixed version, which is 3.0.9, 3.1.1, and so on. Typically, only the upstream information gets listed on NVD, so it's important not to get confused.
"},{"location":"guide/coverage/os/amazon/#severity","title":"Severity","text":"Trivy determines vulnerability severity based on the severity metric provided by Amazon. For example, the security patch for CVE-2023-0464 in Amazon Linux 2023 is provided as ALAS2023-2023-181. Its severity is rated as \"Medium\". Thus, even though it's evaluated as \"HIGH\" in the NVD, Trivy displays it with a severity of \"MEDIUM\".
The table below is the mapping of Amazon's severity to Trivy's severity levels.
| Amazon | Trivy |
|---|---|
| Low | Low |
| Medium | Medium |
| Important | High |
| Critical | Critical |"},{"location":"guide/coverage/os/amazon/#status","title":"Status","text":"Trivy supports the following vulnerability statuses for Amazon Linux.
| Status | Supported |
|---|---|
| Fixed | \u2713 |
| Affected | \u2713 |
| Under Investigation | |
| Will Not Fix | |
| Fix Deferred | |
| End of Life | |"},{"location":"guide/coverage/os/amazon/#license","title":"License","text":"Trivy identifies licenses by examining the metadata of RPM packages.
"},{"location":"guide/coverage/os/azure/","title":"Azure Linux (CBL-Mariner)","text":"CBL-Mariner was rebranded to Azure Linux for version 3.0 onwards.
Trivy supports the following scanners for OS packages.
| Version | SBOM | Vulnerability | License |
|---|---|---|---|
| 1.0 | \u2714 | \u2714 | \u2714 |
| 1.0 (Distroless) | \u2714 | \u2714 | |
| 2.0 | \u2714 | \u2714 | \u2714 |
| 2.0 (Distroless) | \u2714 | \u2714 | |
| 3.0 | \u2714 | \u2714 | \u2714 |
| 3.0 (Distroless) | \u2714 | \u2714 | |
The following table provides an outline of the targets Trivy supports.
| Version | Container image | Virtual machine | Arch |
|---|---|---|---|
| 1.0 | \u2714 | \u2714 | amd64, arm64 |
| 2.0 | \u2714 | \u2714 | amd64, arm64 |
| 3.0 | \u2714 | \u2714 | amd64, arm64 |
The table below outlines the features offered by Trivy.
| Feature | Supported |
|---|---|
| Detect unfixed vulnerabilities | \u2713 |
| Dependency graph | \u2713 |
| End of life awareness | - |"},{"location":"guide/coverage/os/azure/#sbom","title":"SBOM","text":"Trivy detects packages that have been installed through package managers such as tdnf, dnf and yum.
"},{"location":"guide/coverage/os/azure/#vulnerability","title":"Vulnerability","text":"Azure Linux offers its own security advisories, and these are utilized when scanning Azure Linux for vulnerabilities.
"},{"location":"guide/coverage/os/azure/#data-source","title":"Data Source","text":"See here.
"},{"location":"guide/coverage/os/azure/#fixed-version","title":"Fixed Version","text":"Trivy takes fixed versions from Azure Linux OVAL.
"},{"location":"guide/coverage/os/azure/#severity","title":"Severity","text":"Trivy calculates the severity of an issue based on the severity provided in Azure Linux OVAL.
"},{"location":"guide/coverage/os/azure/#status","title":"Status","text":"Trivy supports the following vulnerability statuses for Azure Linux.
Status Supported Fixed \u2713 Affected \u2713 Under Investigation Will Not Fix Fix Deferred End of Life"},{"location":"guide/coverage/os/azure/#license","title":"License","text":"Trivy identifies licenses by examining the metadata of RPM packages.
Note
License detection is not supported for Azure Linux Distroless images.
"},{"location":"guide/coverage/os/bottlerocket/","title":"Bottlerocket","text":"Trivy supports the following scanners for OS packages.
Scanner Supported SBOM \u2713 Vulnerability - License - Please see here for supported versions.
The table below outlines the features offered by Trivy.
Feature Supported End of life awareness -"},{"location":"guide/coverage/os/bottlerocket/#sbom","title":"SBOM","text":"Trivy detects packages that are listed in the software inventory.
"},{"location":"guide/coverage/os/centos/","title":"CentOS","text":"Trivy supports the following scanners for OS packages.
Scanner Supported SBOM \u2713 Vulnerability \u2713 License \u2713 Please see here for supported versions.
The table below outlines the features offered by Trivy.
Feature Supported Unfixed vulnerabilities \u2713 Dependency graph \u2713 End of life awareness \u2713"},{"location":"guide/coverage/os/centos/#sbom","title":"SBOM","text":"Same as RHEL.
"},{"location":"guide/coverage/os/centos/#vulnerability","title":"Vulnerability","text":"CentOS does not provide straightforward machine-readable security advisories. As a result, Trivy utilizes the security advisories from Red Hat Enterprise Linux (RHEL) for detecting vulnerabilities in CentOS. This approach might lead to situations where, even though Trivy displays a fixed version, CentOS might not have the patch available yet. Since patches released for RHEL often become available in CentOS after some time, it's usually just a matter of waiting.
Note
The case for CentOS Stream, which is not supported by Trivy, is entirely different from CentOS.
As Trivy relies on Red Hat's advisories, please refer to Red Hat for details regarding vulnerability severity and status.
"},{"location":"guide/coverage/os/centos/#license","title":"License","text":"Same as RHEL.
"},{"location":"guide/coverage/os/chainguard/","title":"Chainguard","text":"Trivy supports the following scanners for OS packages.
Scanner Supported SBOM \u2713 Vulnerability \u2713 License \u2713 The table below outlines the features offered by Trivy.
Feature Supported Detect unfixed vulnerabilities - Dependency graph \u2713 End of life awareness -"},{"location":"guide/coverage/os/chainguard/#sbom","title":"SBOM","text":"Same as Alpine Linux.
"},{"location":"guide/coverage/os/chainguard/#vulnerability","title":"Vulnerability","text":"Chainguard offers its own security advisories, and these are utilized when scanning Chainguard for vulnerabilities. Everything else is the same as Alpine Linux.
"},{"location":"guide/coverage/os/chainguard/#data-source","title":"Data Source","text":"See here.
"},{"location":"guide/coverage/os/chainguard/#license","title":"License","text":"Same as Alpine Linux.
"},{"location":"guide/coverage/os/coreos/","title":"CoreOS","text":"This page describes the deprecated CoreOS Container Linux (EOL) and its successor, Fedora CoreOS.
Trivy supports the following scanners for OS packages on these systems.
Scanner Supported SBOM \u2713 Vulnerability - License - Please see here for supported versions.
"},{"location":"guide/coverage/os/coreos/#sbom","title":"SBOM","text":"Trivy detects packages that are listed in the RPM database.
"},{"location":"guide/coverage/os/debian/","title":"Debian","text":"Trivy supports the following scanners for OS packages.
Scanner Supported SBOM \u2713 Vulnerability \u2713 License \u2713 Please see here for supported versions.
The table below outlines the features offered by Trivy.
Feature Supported Unfixed vulnerabilities \u2713 Dependency graph \u2713 End of life awareness \u2713"},{"location":"guide/coverage/os/debian/#sbom","title":"SBOM","text":"Trivy detects packages that have been installed through package managers such as apt and dpkg. While there are some exceptions, like Go binaries and JAR files, it's important to note that binaries that have been custom-built using make or tools installed via curl are generally not detected.
"},{"location":"guide/coverage/os/debian/#vulnerability","title":"Vulnerability","text":"Debian offers its own security advisories, and these are utilized when scanning Debian for vulnerabilities.
"},{"location":"guide/coverage/os/debian/#data-source","title":"Data Source","text":"See here.
"},{"location":"guide/coverage/os/debian/#fixed-version","title":"Fixed Version","text":"When looking at fixed versions, it's crucial to consider the patches supplied by Debian. For example, for CVE-2023-3269, the fixed version for Debian 12 (bookworm) is listed as 6.1.37-1 in the Security Tracker. This patch is provided in DSA-5448-1. Note that this is different from the upstream fixed version, which is 6.5. Typically, only the upstream information gets listed on NVD, so it's important not to get confused.
"},{"location":"guide/coverage/os/debian/#severity","title":"Severity","text":"Trivy calculates the severity of an issue based on the 'Urgency' metric found in the Security Tracker. If 'Urgency' isn't provided by Debian, the severity from the NVD is taken into account.
Using CVE-2019-15052 as an example, while it is rated as \"Critical\" in NVD, Debian has marked its \"Urgency\" as \"Low\". As a result, Trivy will display it as \"Low\".
"},{"location":"guide/coverage/os/debian/#status","title":"Status","text":"Trivy supports the following vulnerability statuses for Debian.
Status Supported Fixed \u2713 Affected \u2713 Under Investigation Will Not Fix Fix Deferred \u2713 End of Life \u2713"},{"location":"guide/coverage/os/debian/#license","title":"License","text":"To identify the license of a package, Trivy checks the copyright file located at /usr/share/doc/*/copyright.
However, this method has its limitations as the file isn't machine-readable, leading to situations where the license isn't detected. In such scenarios, the --license-full flag can be passed. It compares the contents of known licenses with the copyright file to discern the license in question. Please be aware that using this flag can increase memory usage, so it's disabled by default for efficiency.
"},{"location":"guide/coverage/os/echo/","title":"Echo","text":"Trivy supports these scanners for OS packages.
Scanner Supported SBOM \u2713 Vulnerability \u2713 License \u2713 The table below outlines the features offered by Trivy.
Feature Supported Unfixed vulnerabilities \u2713 Dependency graph \u2713 End of life awareness -"},{"location":"guide/coverage/os/echo/#sbom","title":"SBOM","text":"Same as Debian.
"},{"location":"guide/coverage/os/echo/#vulnerability","title":"Vulnerability","text":"Echo offers its own security advisories, and these are utilized when scanning Echo for vulnerabilities.
"},{"location":"guide/coverage/os/echo/#data-source","title":"Data Source","text":"See here.
"},{"location":"guide/coverage/os/echo/#license","title":"License","text":"Same as Debian.
"},{"location":"guide/coverage/os/google-distroless/","title":"Google Distroless Images","text":"Trivy supports the following scanners for OS packages.
Scanner Supported SBOM \u2713 Vulnerability \u2713 License \u2713 Please see here for supported versions.
The table below outlines the features offered by Trivy.
Feature Supported Unfixed vulnerabilities - Dependency graph \u2713 End of life awareness -"},{"location":"guide/coverage/os/google-distroless/#sbom","title":"SBOM","text":"Trivy detects packages pre-installed in distroless images.
"},{"location":"guide/coverage/os/google-distroless/#vulnerability","title":"Vulnerability","text":"Google Distroless is based on Debian; see there for details.
"},{"location":"guide/coverage/os/google-distroless/#license","title":"License","text":"Google Distroless is based on Debian; see there for details.
"},{"location":"guide/coverage/os/minimos/","title":"MinimOS","text":"Trivy supports these scanners for OS packages.
Scanner Supported SBOM \u2713 Vulnerability \u2713 License \u2713 The table below outlines the features offered by Trivy.
Feature Supported Detect unfixed vulnerabilities - Dependency graph \u2713 End of life awareness -"},{"location":"guide/coverage/os/minimos/#sbom","title":"SBOM","text":"Same as Alpine Linux.
"},{"location":"guide/coverage/os/minimos/#vulnerability","title":"Vulnerability","text":"MinimOS offers its own security advisories, and these are utilized when scanning MinimOS for vulnerabilities. Everything else is the same as Alpine Linux.
"},{"location":"guide/coverage/os/minimos/#data-source","title":"Data Source","text":"See here.
"},{"location":"guide/coverage/os/minimos/#license","title":"License","text":"Same as Alpine Linux.
"},{"location":"guide/coverage/os/oracle/","title":"Oracle Linux","text":"Trivy supports the following scanners for OS packages.
Scanner Supported SBOM \u2713 Vulnerability \u2713 License \u2713 Please see here for supported versions.
The table below outlines the features offered by Trivy.
Feature Supported Unfixed vulnerabilities - Dependency graph \u2713 End of life awareness \u2713"},{"location":"guide/coverage/os/oracle/#sbom","title":"SBOM","text":"Trivy detects packages that have been installed through package managers such as dnf and yum.
"},{"location":"guide/coverage/os/oracle/#vulnerability","title":"Vulnerability","text":"Oracle Linux offers its own security advisories, and these are utilized when scanning Oracle Linux for vulnerabilities.
"},{"location":"guide/coverage/os/oracle/#data-source","title":"Data Source","text":"See here.
"},{"location":"guide/coverage/os/oracle/#fixed-version","title":"Fixed Version","text":"Trivy takes fixed versions from Oracle security advisories.
"},{"location":"guide/coverage/os/oracle/#flavors","title":"Flavors","text":"Trivy detects the flavor from the version of the found package and finds vulnerabilities only for that flavor.
Flavor Format Example normal version without fips and ksplice 3.6.16-4.el8 fips *_fips 10:3.6.16-4.0.1.el8_fips ksplice *.ksplice*.* 2:2.34-60.0.3.ksplice1.el9_2.7, 151.0.1.ksplice2.el8 For example, Trivy finds CVE-2021-33560 only for the normal and fips flavors. For the ksplice flavor, CVE-2021-33560 will be skipped.
"},{"location":"guide/coverage/os/oracle/#severity","title":"Severity","text":"Trivy determines vulnerability severity based on the severity metric provided in Oracle security advisories. For example, the security patch for CVE-2023-0464 is provided as ELSA-2023-2645. Its severity is rated as \"MODERATE\". Thus, even though it's evaluated as \"HIGH\" in the NVD, Trivy displays it with a severity of \"MEDIUM\".
The table below is the mapping of Oracle's threat to Trivy's severity levels.
Oracle Trivy Low Low Moderate Medium Important High Critical Critical"},{"location":"guide/coverage/os/oracle/#status","title":"Status","text":"Trivy supports the following vulnerability statuses for Oracle Linux.
Status Supported Fixed \u2713 Affected \u2713 Under Investigation Will Not Fix Fix Deferred End of Life"},{"location":"guide/coverage/os/oracle/#license","title":"License","text":"Trivy identifies licenses by examining the metadata of RPM packages.
"},{"location":"guide/coverage/os/photon/","title":"Photon OS","text":"Trivy supports the following scanners for OS packages.
Scanner Supported SBOM \u2713 Vulnerability \u2713 License \u2713 Please see here for supported versions.
The table below outlines the features offered by Trivy.
Feature Supported Unfixed vulnerabilities - Dependency graph \u2713 End of life awareness \u2713"},{"location":"guide/coverage/os/photon/#sbom","title":"SBOM","text":"Trivy detects packages that have been installed through package managers such as tdnf and yum.
"},{"location":"guide/coverage/os/photon/#vulnerability","title":"Vulnerability","text":"Photon OS offers its own security advisories, and these are utilized when scanning Photon OS for vulnerabilities.
"},{"location":"guide/coverage/os/photon/#data-source","title":"Data Source","text":"See here.
"},{"location":"guide/coverage/os/photon/#fixed-version","title":"Fixed Version","text":"Trivy takes fixed versions from Photon CVE metadata.
"},{"location":"guide/coverage/os/photon/#severity","title":"Severity","text":"Trivy determines the severity of vulnerabilities based on the CVSSv3 score provided by Photon OS. See here for the conversion table from CVSS score to severity.
"},{"location":"guide/coverage/os/photon/#status","title":"Status","text":"Trivy supports the following vulnerability statuses for Photon OS.
Status Supported Fixed \u2713 Affected \u2713 Under Investigation Will Not Fix Fix Deferred End of Life"},{"location":"guide/coverage/os/photon/#license","title":"License","text":"Trivy identifies licenses by examining the metadata of RPM packages.
"},{"location":"guide/coverage/os/rhel/","title":"Red Hat Enterprise Linux","text":"Trivy supports the following scanners for OS packages.
Scanner Supported SBOM \u2713 Vulnerability \u2713 License \u2713 Please see here for supported versions.
The table below outlines the features offered by Trivy.
Feature Supported Unfixed vulnerabilities \u2713 Dependency graph \u2713 End of life awareness \u2713"},{"location":"guide/coverage/os/rhel/#sbom","title":"SBOM","text":"Trivy detects packages that have been installed through package managers such as dnf and yum.
"},{"location":"guide/coverage/os/rhel/#vulnerability","title":"Vulnerability","text":"Red Hat offers its own security advisories, and these are utilized when scanning Red Hat Enterprise Linux (RHEL) for vulnerabilities.
"},{"location":"guide/coverage/os/rhel/#content-manifests","title":"Content manifests","text":"Red Hat\u2019s security advisories use CPEs to identify product sets. For example, even packages installed in the same container image can have different CPEs. For this reason, Red Hat\u2019s container images include stored content manifests, which Trivy converts to CPEs before performing vulnerability scanning.
Since this system ties each content manifest to its packages on a per-layer basis, if layers get merged (for instance, by using docker run or docker export) the correct CPE can no longer be determined, which may lead to false detections.
"},{"location":"guide/coverage/os/rhel/#data-source","title":"Data Source","text":"See here.
"},{"location":"guide/coverage/os/rhel/#fixed-version","title":"Fixed Version","text":"When looking at fixed versions, it's crucial to consider the patches supplied by Red Hat. For example, for CVE-2023-0464, the fixed version for RHEL 9 is listed as 3.0.7-16.el9_2 in their advisory. This patch is provided in RHSA-2023:3722. Note that this is different from the upstream fixed version, which is 3.0.9, 3.1.1, and so on. Typically, only the upstream information gets listed on NVD, so it's important not to get confused.
"},{"location":"guide/coverage/os/rhel/#severity","title":"Severity","text":"Trivy calculates the severity of a vulnerability based on the 'Impact' metric provided by Red Hat. If the impact is not provided or defined yet by Red Hat, the severity from the NVD is taken into account.
Using CVE-2023-0464 as an example, while it is rated as \"HIGH\" in NVD, Red Hat has marked its 'Impact' as \"Low\". As a result, Trivy will display it as \"Low\".
The table below is the mapping of Red Hat's impact to Trivy's severity levels.
Red Hat Trivy Low Low Moderate Medium Important High Critical Critical"},{"location":"guide/coverage/os/rhel/#status","title":"Status","text":"Trivy supports the following vulnerability statuses for RHEL.
Status Supported Fixed \u2713 Affected \u2713 Under Investigation \u2713 Will Not Fix \u2713 Fix Deferred \u2713 End of Life \u2713 When a vulnerability status is listed as \"End of Life\", it means a vulnerability with the impact level assigned to this CVE is no longer covered by its current support lifecycle phase. The product has been identified to contain the impacted component, but analysis to determine whether it is affected or not by this vulnerability was not performed. Red Hat advises that the product should be assumed to be affected. Therefore, Trivy detects vulnerabilities with this status as \"End of Life\".
On the other hand, for those marked \"Under Investigation,\" the impact is unclear as they are still being examined, so Trivy does not detect them. Once the investigation is completed, the status should be updated.
Abstract
Vulnerabilities with a status of \"End of Life\", where the presence or absence of impact is unclear, are detected by Trivy. However, those with a status of \"Under Investigation\" are not detected.
"},{"location":"guide/coverage/os/rhel/#license","title":"License","text":"Trivy identifies licenses by examining the metadata of RPM packages.
"},{"location":"guide/coverage/os/rocky/","title":"Rocky Linux","text":"Trivy supports the following scanners for OS packages.
Scanner Supported SBOM \u2713 Vulnerability \u2713 License \u2713 Please see here for supported versions.
The table below outlines the features offered by Trivy.
Feature Supported Unfixed vulnerabilities - Dependency graph \u2713 End of life awareness \u2713"},{"location":"guide/coverage/os/rocky/#sbom","title":"SBOM","text":"Trivy detects packages that have been installed through package managers such as dnf and yum.
"},{"location":"guide/coverage/os/rocky/#vulnerability","title":"Vulnerability","text":"Rocky Linux offers its own security advisories, and these are utilized when scanning Rocky Linux for vulnerabilities.
"},{"location":"guide/coverage/os/rocky/#data-source","title":"Data Source","text":"See here.
"},{"location":"guide/coverage/os/rocky/#fixed-version","title":"Fixed Version","text":"Trivy takes fixed versions from Rocky Linux Errata, not from NVD or elsewhere. See here for more details.
Architectures
There are cases where a vulnerability affects packages for only some architectures. For example, the vulnerable packages for CVE-2023-0361 are only the aarch64 packages.
Trivy only detects vulnerabilities for packages of your architecture.
"},{"location":"guide/coverage/os/rocky/#severity","title":"Severity","text":"Trivy calculates the severity of an issue based on the severity provided in Rocky Linux Errata.
The table below is the mapping of Rocky Linux's severity to Trivy's severity levels.
Rocky Linux Trivy Low Low Moderate Medium Important High Critical Critical"},{"location":"guide/coverage/os/rocky/#status","title":"Status","text":"Trivy supports the following vulnerability statuses for Rocky Linux.
Status Supported Fixed \u2713 Affected \u2713 Under Investigation Will Not Fix Fix Deferred End of Life"},{"location":"guide/coverage/os/rocky/#license","title":"License","text":"Trivy identifies licenses by examining the metadata of RPM packages.
"},{"location":"guide/coverage/os/suse/","title":"SUSE","text":"Trivy supports the following distributions:
- openSUSE Leap
- openSUSE Tumbleweed
- SUSE Linux Enterprise (SLE)
- SUSE Linux Enterprise Micro
Please see here for supported versions.
Trivy supports these scanners for OS packages.
Scanner Supported SBOM \u2713 Vulnerability \u2713 License \u2713 The table below outlines the features offered by Trivy.
Feature Supported Unfixed vulnerabilities - Dependency graph \u2713 End of life awareness \u2713"},{"location":"guide/coverage/os/suse/#sbom","title":"SBOM","text":"Trivy detects packages that have been installed through package managers such as dnf and yum.
"},{"location":"guide/coverage/os/suse/#vulnerability","title":"Vulnerability","text":"SUSE offers its own security advisories, and these are utilized when scanning openSUSE/SLE for vulnerabilities.
"},{"location":"guide/coverage/os/suse/#data-source","title":"Data Source","text":"See here.
"},{"location":"guide/coverage/os/suse/#license","title":"License","text":"Trivy identifies licenses by examining the metadata of RPM packages.
"},{"location":"guide/coverage/os/ubuntu/","title":"Ubuntu","text":"Trivy supports these scanners for OS packages.
Scanner Supported SBOM \u2713 Vulnerability \u2713 License \u2713 Please see here for supported versions.
The following table provides an outline of the features Trivy offers.
Feature Supported Detect unfixed vulnerabilities \u2713 Dependency graph \u2713 End of life awareness \u2713"},{"location":"guide/coverage/os/ubuntu/#sbom","title":"SBOM","text":"Same as Debian.
"},{"location":"guide/coverage/os/ubuntu/#vulnerability","title":"Vulnerability","text":"Ubuntu offers its own security advisories, and these are utilized when scanning Ubuntu for vulnerabilities.
"},{"location":"guide/coverage/os/ubuntu/#data-source","title":"Data Source","text":"See here.
"},{"location":"guide/coverage/os/ubuntu/#fixed-version","title":"Fixed Version","text":"When looking at fixed versions, it's crucial to consider the patches supplied by Ubuntu. As an illustration, for CVE-2023-3269, the fixed version for Ubuntu 23.04 (lunar) is listed as 6.2.0-26.26 in the Security Tracker. It's essential to recognize that this differs from the upstream fixed version, which stands at 6.5. Typically, only the upstream information gets listed on NVD, so it's important not to get confused.
"},{"location":"guide/coverage/os/ubuntu/#severity","title":"Severity","text":"Trivy calculates the severity of an issue based on the 'Priority' metric found in the Security Tracker. If 'Priority' isn't provided by Ubuntu, the severity from the NVD is taken into account.
Using CVE-2019-15052 as an example, while it is rated as \"Critical\" in NVD, Ubuntu has marked its \"Priority\" as \"Medium\". As a result, Trivy will display it as \"Medium\".
"},{"location":"guide/coverage/os/ubuntu/#status","title":"Status","text":"Trivy supports the following vulnerability statuses for Ubuntu.
Status Supported Fixed \u2713 Affected \u2713 Under Investigation Will Not Fix Fix Deferred End of Life"},{"location":"guide/coverage/os/ubuntu/#license","title":"License","text":"Same as Debian.
"},{"location":"guide/coverage/os/wolfi/","title":"Wolfi Linux","text":"Trivy supports these scanners for OS packages.
Scanner Supported SBOM \u2713 Vulnerability \u2713 License \u2713 The table below outlines the features offered by Trivy.
Feature Supported Detect unfixed vulnerabilities - Dependency graph \u2713 End of life awareness -"},{"location":"guide/coverage/os/wolfi/#sbom","title":"SBOM","text":"Same as Alpine Linux.
"},{"location":"guide/coverage/os/wolfi/#vulnerability","title":"Vulnerability","text":"Wolfi Linux offers its own security advisories, and these are utilized when scanning Wolfi for vulnerabilities. Everything else is the same as Alpine Linux.
"},{"location":"guide/coverage/os/wolfi/#data-source","title":"Data Source","text":"See here.
"},{"location":"guide/coverage/os/wolfi/#license","title":"License","text":"Same as Alpine Linux.
"},{"location":"guide/coverage/others/","title":"Others","text":"In this section we have placed images, package managers and files that we can't assign to existing sections.
Trivy supports them for
- SBOM
- Vulnerabilities
- Licenses
"},{"location":"guide/coverage/others/#supported-elements","title":"Supported elements","text":"Element File Image [1] Rootfs [2] Filesystem [3] Repository [4] Bitnami packages /opt/bitnami/<component>/.spdx-<component>.spdx \u2705 \u2705 - - Conda <conda-root>/envs/<env>/conda-meta/<package>.json \u2705 \u2705 - - environment.yml - - \u2705 \u2705 Root.io images - \u2705 \u2705 - - Seal Security - \u2705 \u2705 - - RPM Archives *.rpm \u2705 [5] \u2705 [5] \u2705 [5] \u2705 [5]
[1] \u2705 means "enabled" and - means "disabled" in the image scanning
[2] \u2705 means "enabled" and - means "disabled" in the rootfs scanning
[3] \u2705 means "enabled" and - means "disabled" in the filesystem scanning
[4] \u2705 means "enabled" and - means "disabled" in the git repository scanning
[5] Only if the TRIVY_EXPERIMENTAL_RPM_ARCHIVE env is set.
"},{"location":"guide/coverage/others/bitnami/","title":"Bitnami Images","text":"EXPERIMENTAL
Scanning results may be inaccurate.
While it is not an OS, this page describes the details of the container images provided by Bitnami. Bitnami images are based on Debian. Please see the Debian page for OS packages.
Trivy supports the following scanners for Bitnami packages.
Scanner Supported SBOM \u2713 Vulnerability \u2713 License \u2713 The table below outlines the features offered by Trivy.
Feature Supported Unfixed vulnerabilities - Dependency graph -"},{"location":"guide/coverage/others/bitnami/#sbom","title":"SBOM","text":"Trivy analyzes the SBOM information contained within the container images provided by Bitnami. The SBOM files are located at /opt/bitnami/<component>/.spdx-<component>.spdx.
"},{"location":"guide/coverage/others/bitnami/#vulnerability","title":"Vulnerability","text":"Since Bitnami has its own vulnerability database, Trivy uses it for vulnerability detection of applications and packages distributed by Bitnami.
Note
Trivy does not support vulnerability detection of independently compiled binaries, so even if you scan container images like nginx:1.15.2, vulnerabilities in Nginx cannot be detected. This is because main applications like Nginx are not installed by the package manager. However, in the case of Bitnami images, since these SBOMs are stored within the image, scanning bitnami/nginx:1.15.2 allows for the detection of vulnerabilities in Nginx.
"},{"location":"guide/coverage/others/bitnami/#fixed-version","title":"Fixed Version","text":"Trivy refers to the Bitnami database. Please note that these may differ from the upstream fixed versions.
"},{"location":"guide/coverage/others/bitnami/#severity","title":"Severity","text":"As with fixed versions, severity follows Bitnami's vulnerability database.
"},{"location":"guide/coverage/others/bitnami/#status","title":"Status","text":"Trivy supports the following vulnerability statuses for Bitnami packages.
Status Supported Fixed \u2713 Affected \u2713 Under Investigation Will Not Fix Fix Deferred End of Life"},{"location":"guide/coverage/others/bitnami/#license","title":"License","text":"If licenses are included in the SBOM distributed by Bitnami, they will be used for scanning.
"},{"location":"guide/coverage/others/conda/","title":"Conda","text":"Trivy supports the following scanners for Conda packages.
Scanner Supported SBOM \u2713 Vulnerability - License \u2713 Package manager File Transitive dependencies Dev dependencies Dependency graph Position Detection Priority Conda environment.yml - Include - \u2713 -"},{"location":"guide/coverage/others/conda/#packagejson","title":"<package>.json","text":""},{"location":"guide/coverage/others/conda/#sbom","title":"SBOM","text":"Trivy parses <conda-root>/envs/<env>/conda-meta/<package>.json files to find the dependencies installed in your env.
"},{"location":"guide/coverage/others/conda/#license","title":"License","text":"The <package>.json files contain package license information. Trivy includes licenses for the packages it finds without having to parse additional files.
"},{"location":"guide/coverage/others/conda/#environmentyml","title":"environment.yml","text":""},{"location":"guide/coverage/others/conda/#sbom_1","title":"SBOM","text":"Trivy supports parsing environment.yml [1] files to find the dependency list.
environment.yml files support version ranges, so the exact versions of these dependencies cannot be determined. Therefore, you need to use the conda env export command to get the dependency list in Conda's default format before scanning the environment.yml file.
Note
For dependencies in a non-Conda format, Trivy doesn't include a version for them.
"},{"location":"guide/coverage/others/conda/#license_1","title":"License","text":"Trivy parses conda-meta/<package>.json files at the prefix path.
To correctly detect licenses, make sure your environment.yml contains the prefix field and the prefix directory contains the <package>.json files.
Note
To get a correct environment.yml file and populate the prefix directory, use the conda env export command.
[1] Trivy supports both yaml and yml extensions.
"},{"location":"guide/coverage/others/rootio/","title":"Root.io","text":"EXPERIMENTAL
Scanning results may be inaccurate.
While it is not an OS, this page describes the details of Root.io patch distribution service. Root.io provides security patches for Debian, Ubuntu, and Alpine-based container images. Root.io patches are detected when Trivy finds packages with specific version suffixes:
- Debian/Ubuntu: packages with .root.io in the version string
- Alpine: packages with the -r\\d007\\d pattern in the version string (e.g., -r10071, -r20072)
When Root.io patches are detected, Trivy automatically switches to Root.io scanning mode for vulnerability detection. Even when the original OS distributor (Debian, Ubuntu, Alpine) has not provided a patch for a vulnerability, Trivy will display Root.io patches if they are available.
Note
For vulnerabilities, Trivy uses the severity level from the original OS vendor (if the vendor has specified a severity).
For detailed information about supported scanners, features, and functionality, please refer to the documentation for the underlying OS:
- Debian
- Ubuntu
- Alpine
"},{"location":"guide/coverage/others/rpm/","title":"RPM Archives","text":"EXPERIMENTAL
This feature might change without preserving backwards compatibility.
Trivy supports the following scanners for RPM archives.
Scanner Supported SBOM \u2713 Vulnerability \u2713 [1] License \u2713 The table below outlines the features offered by Trivy.
"},{"location":"guide/coverage/others/rpm/#sbom","title":"SBOM","text":"Trivy analyzes RPM archives matching *.rpm. This feature is currently disabled by default but can be enabled with an environment variable, TRIVY_EXPERIMENTAL_RPM_ARCHIVE.
TRIVY_EXPERIMENTAL_RPM_ARCHIVE=true trivy fs ./rpms --format cyclonedx --output rpms.cdx.json\n
Note
Currently, it works with --format cyclonedx, --format spdx or --format spdx-json.
"},{"location":"guide/coverage/others/rpm/#vulnerability","title":"Vulnerability","text":"Since RPM files don't have OS information, you need to generate SBOM, fill in the OS information manually and then scan the SBOM for vulnerabilities.
For example:
$ TRIVY_EXPERIMENTAL_RPM_ARCHIVE=true trivy fs ./rpms -f cyclonedx -o rpms.cdx.json\n$ jq '(.components[] | select(.type == \"operating-system\")) |= (.name = \"redhat\" | .version = \"7.9\")' rpms.cdx.json > rpms-res.cdx.json\n$ trivy sbom ./rpms-res.cdx.json\n
"},{"location":"guide/coverage/others/rpm/#license","title":"License","text":"If licenses are included in the RPM archive, Trivy extracts them.
[1] You need to generate an SBOM first and add OS information to that SBOM.
"},{"location":"guide/coverage/others/seal/","title":"Seal Security","text":"EXPERIMENTAL
Scanning results may be inaccurate.
While it is not an OS, this page describes the details of the Seal Security vulnerability feed. Seal provides security advisories and patched versions for multiple Linux distributions, including Debian, Ubuntu, Alpine, Red Hat Enterprise Linux, CentOS, Oracle Linux, and Azure Linux (CBL\u2011Mariner).
Seal advisories are used when Trivy finds packages that indicate Seal-provided components:
- Packages whose name or source name starts with seal- (for example, seal-wget, seal-zlib).
When such Seal packages are detected, Trivy automatically enables Seal scanning for those packages while continuing to use the base OS scanner for the rest.
Note
For vulnerabilities, Trivy prefers severity from the base OS vendor when available.
For details on supported scanners, features, and behavior for each base OS, refer to their respective pages:
- Debian
- Ubuntu
- Alpine
- Red Hat Enterprise Linux
- CentOS
- Oracle Linux
- Azure Linux (CBL\u2011Mariner)
"},{"location":"guide/plugin/","title":"Plugins","text":"Trivy provides a plugin feature to allow others to extend the Trivy CLI without the need to change the Trivy code base. This plugin system was inspired by the plugin system used in kubectl, Helm, and Conftest.
"},{"location":"guide/plugin/#overview","title":"Overview","text":"Trivy plugins are add-on tools that integrate seamlessly with Trivy. They provide a way to extend the core feature set of Trivy, but without requiring every new feature to be written in Go and added to the core tool.
- They can be added and removed from a Trivy installation without impacting the core Trivy tool.
- They can be written in any programming language.
- They integrate with Trivy, and will show up in Trivy help and subcommands.
Warning
Trivy plugins available in public are not audited for security. You should install and run third-party plugins at your own risk, since they are arbitrary programs running on your machine.
"},{"location":"guide/plugin/#quickstart","title":"Quickstart","text":"Trivy helps you discover and install plugins on your machine.
You can install and use a wide variety of Trivy plugins to enhance your experience.
Let\u2019s get started:
-
Download the plugin list:
$ trivy plugin update\n
-
Discover Trivy plugins available on the plugin index:
$ trivy plugin search\nNAME DESCRIPTION MAINTAINER OUTPUT\naqua A plugin for integration with Aqua Security SaaS platform aquasecurity\nkubectl A plugin scanning the images of a kubernetes resource aquasecurity\nreferrer A plugin for OCI referrers aquasecurity \u2713\n[...]\n
-
Choose a plugin from the list and install it:
$ trivy plugin install referrer\n
-
Use the installed plugin:
$ trivy referrer --help\n
-
Keep your plugins up-to-date:
$ trivy plugin upgrade\n
-
Uninstall a plugin you no longer use:
trivy plugin uninstall referrer\n
This is practically all you need to know to start using Trivy plugins.
"},{"location":"guide/plugin/developer-guide/","title":"Developer Guide","text":""},{"location":"guide/plugin/developer-guide/#developing-trivy-plugins","title":"Developing Trivy plugins","text":"This section will guide you through the process of developing Trivy plugins. To help you get started quickly, we have published a plugin template repository. You can use this template as a starting point for your plugin development.
"},{"location":"guide/plugin/developer-guide/#introduction","title":"Introduction","text":"If you are looking to start developing plugins for Trivy, read the user guide first.
The development process involves the following steps:
- Create a repository for your plugin, named trivy-plugin-<name>.
- Create an executable binary that can be invoked as trivy <name>.
- Place the executable binary in a repository.
- Create a plugin.yaml file that describes the plugin.
- (Submit your plugin to the Trivy plugin index.)
After you develop a plugin with a good name following the best practices and publish it, you can submit your plugin to the Trivy plugin index.
"},{"location":"guide/plugin/developer-guide/#naming","title":"Naming","text":"This section describes guidelines for naming your plugins.
"},{"location":"guide/plugin/developer-guide/#use-trivy-plugin-prefix","title":"Use trivy-plugin- prefix","text":"The name of the plugin repository should be prefixed with trivy-plugin-.
"},{"location":"guide/plugin/developer-guide/#use-lowercase-and-hyphens","title":"Use lowercase and hyphens","text":"Plugin names must be all lowercase and separate words with hyphens. Don\u2019t use camelCase, PascalCase, or snake_case; use kebab-case.
- NO: trivy OpenSvc
- YES: trivy open-svc
"},{"location":"guide/plugin/developer-guide/#be-specific","title":"Be specific","text":"Plugin names should not be verbs or nouns that are generic, already overloaded, or likely to be used for broader purposes by another plugin.
- NO: trivy sast (Too broad)
- YES: trivy govulncheck
"},{"location":"guide/plugin/developer-guide/#be-unique","title":"Be unique","text":"Find a unique name for your plugin that differentiates it from other plugins that perform a similar function.
- NO: trivy images (Unclear how it is different from the builtin \u201cimage\u201d command)
- YES: trivy registry-images (Unique name).
"},{"location":"guide/plugin/developer-guide/#prefix-vendor-identifiers","title":"Prefix Vendor Identifiers","text":"Use vendor-specific strings as prefix, separated with a dash. This makes it easier to search/group plugins that are about a specific vendor.
- NO: trivy security-hub-aws (Makes it harder to search or locate in a plugin list)
- YES: trivy aws-security-hub (Will show up together with other aws-* plugins)
"},{"location":"guide/plugin/developer-guide/#choosing-a-language","title":"Choosing a language","text":"Since Trivy plugins are standalone executables, you can write them in any programming language.
If you are planning to write a plugin in Go, check out the Report struct, which is the output of a Trivy scan.
"},{"location":"guide/plugin/developer-guide/#writing-your-plugin","title":"Writing your plugin","text":"Each plugin has a top-level directory, and then a plugin.yaml file.
your-plugin/\n |\n |- plugin.yaml\n |- your-plugin.sh\n
In the example above, the plugin is contained inside a directory named your-plugin. It has two files: plugin.yaml (required) and an executable script, your-plugin.sh (optional).
"},{"location":"guide/plugin/developer-guide/#writing-a-plugin-manifest","title":"Writing a plugin manifest","text":"The plugin manifest is a simple YAML file named plugin.yaml. Here is an example YAML of the trivy-plugin-kubectl plugin, which adds support for Kubernetes scanning.
name: \"kubectl\"\nversion: \"0.1.0\"\nrepository: github.com/aquasecurity/trivy-plugin-kubectl\nmaintainer: aquasecurity\noutput: false\nsummary: Scan kubectl resources\ndescription: |-\n A Trivy plugin that scans the images of a kubernetes resource.\n Usage: trivy kubectl TYPE[.VERSION][.GROUP] NAME\nplatforms:\n - selector: # optional\n os: darwin\n arch: amd64\n uri: ./trivy-kubectl # where the execution file is (local file, http, git, etc.)\n bin: ./trivy-kubectl # path to the execution file\n - selector: # optional\n os: linux\n arch: amd64\n uri: https://github.com/aquasecurity/trivy-plugin-kubectl/releases/download/v0.1.0/trivy-kubectl.tar.gz\n bin: ./trivy-kubectl\n
We encourage you to copy and adapt plugin manifests of existing plugins.
- count
- referrer
The plugin.yaml file should contain the following information:
- name: The name of the plugin. This also determines how the plugin will be made available in the Trivy CLI. For example, if the plugin is named kubectl, you can call the plugin with trivy kubectl. (required)
- version: The version of the plugin. Semantic Versioning should be used. (required)
- repository: The repository name where the plugin is hosted. (required)
- maintainer: The name of the maintainer of the plugin. (required)
- output: Whether the plugin supports the output mode. (optional)
- usage: Deprecated: use summary instead. (optional)
- summary: A short usage description. (required)
- description: A long description of the plugin. This is where you could provide a helpful documentation of your plugin. (required)
- platforms: (required)
- selector: The OS/architecture-specific variations of an executable file. (optional)
- os: OS information based on GOOS (linux, darwin, etc.) (optional)
- arch: The architecture information based on GOARCH (amd64, arm64, etc.) (optional)
- uri: Where the executable file is. Relative path from the root directory of the plugin or remote URL such as HTTP and S3. (required)
- bin: Which file to call when the plugin is executed. Relative path from the root directory of the plugin. (required)
The following rules apply in deciding which platform to select:
- If both os and arch under selector match the current platform, the search stops and that platform is used.
- If selector is not present, the platform is used.
- If os matches and there is no more specific arch match, the platform is used.
- If no platform match is found, Trivy exits with an error.
After determining the platform, Trivy downloads the executable file from uri and stores it in the plugin cache. When the plugin is called via the Trivy CLI, the bin command is executed.
"},{"location":"guide/plugin/developer-guide/#tagging-plugin-repositories","title":"Tagging plugin repositories","text":"If you are hosting your plugin in a Git repository, it is strongly recommended to tag your releases with a version number. By tagging your releases, Trivy can install specific versions of your plugin.
$ trivy plugin install referrer@v0.3.0\n
When tagging versions, you must follow Semantic Versioning and prefix the tag with v, like v1.2.3.
"},{"location":"guide/plugin/developer-guide/#plugin-argumentsflags","title":"Plugin arguments/flags","text":"The plugin is responsible for handling flags and arguments. Any arguments are passed to the plugin from the trivy command.
"},{"location":"guide/plugin/developer-guide/#testing-plugin-installation-locally","title":"Testing plugin installation locally","text":"A plugin should be archived as a *.tar.gz file. After you have archived your plugin into a .tar.gz file, you can verify that it installs correctly with Trivy.
$ tar -czvf myplugin.tar.gz plugin.yaml script.py\nplugin.yaml\nscript.py\n\n$ trivy plugin install myplugin.tar.gz\n2023-03-03T19:04:42.026+0600 INFO Installing the plugin from myplugin.tar.gz...\n2023-03-03T19:04:42.026+0600 INFO Loading the plugin metadata...\n\n$ trivy myplugin\nHello from Trivy demo plugin!\n
"},{"location":"guide/plugin/developer-guide/#publishing-plugins","title":"Publishing plugins","text":"The plugin.yaml file is the core of your plugin, so as long as it is published somewhere, your plugin can be installed. If you choose to publish your plugin on GitHub, you can make it installable by placing the plugin.yaml file in the root directory of your repository. Users can then install your plugin with the command, trivy plugin install github.com/org/repo.
While the uri specified in the plugin.yaml file doesn't necessarily need to point to the same repository, it's a good practice to host the executable file within the same repository when using GitHub. You can utilize GitHub Releases to distribute the executable file. For an example of how to structure your plugin repository, refer to the plugin template repository.
"},{"location":"guide/plugin/developer-guide/#distributing-plugins-via-the-trivy-plugin-index","title":"Distributing plugins via the Trivy plugin index","text":"Trivy can install plugins directly by specifying a repository, like trivy plugin install github.com/aquasecurity/trivy-plugin-referrer, so you don't necessarily need to register your plugin in the Trivy plugin index. However, we would recommend distributing your plugin via the Trivy plugin index since it makes it easier for other users to find (trivy plugin search) and install your plugin (e.g. trivy plugin install kubectl).
"},{"location":"guide/plugin/developer-guide/#pre-submit-checklist","title":"Pre-submit checklist","text":" - Review the plugin naming guide.
- Ensure the plugin.yaml file has all the required fields.
- Tag a git release with a semantic version (e.g. v1.0.0).
- Test your plugin installation locally.
"},{"location":"guide/plugin/developer-guide/#submitting-plugins","title":"Submitting plugins","text":"Submitting your plugin to the plugin index is a straightforward process. All you need to do is create a YAML file for your plugin and place it in the plugins/ directory of the index repository.
Once you've done that, create a pull request (PR) and have it reviewed by the maintainers. Once your PR is merged, the index will be updated, and your plugin will be available for installation. The plugin index page will also be automatically updated to list your newly added plugin.
The content of the YAML file is very simple. You only need to specify the name of your plugin and the repository where it is distributed.
name: referrer\nrepository: github.com/aquasecurity/trivy-plugin-referrer\n
After your PR is merged, the CI system will automatically retrieve the plugin.yaml file from your repository and update the index.yaml file. If any required fields are missing from your plugin.yaml, the CI will fail, so make sure your plugin.yaml has all the required fields before creating a PR. Once the index.yaml has been updated, running trivy plugin update will download the updated index to your local machine.
"},{"location":"guide/plugin/user-guide/","title":"User Guide","text":""},{"location":"guide/plugin/user-guide/#discovering-plugins","title":"Discovering Plugins","text":"You can find a list of Trivy plugins distributed via trivy-plugin-index here. However, you can find plugins using the command line as well.
First, refresh your local copy of the plugin index:
$ trivy plugin update\n
To list all plugins available, run:
$ trivy plugin search\nNAME DESCRIPTION MAINTAINER OUTPUT\naqua A plugin for integration with Aqua Security SaaS platform aquasecurity\nkubectl A plugin scanning the images of a kubernetes resource aquasecurity\nreferrer A plugin for OCI referrers aquasecurity \u2713\n
You can specify search keywords as arguments:
$ trivy plugin search referrer\n\nNAME DESCRIPTION MAINTAINER OUTPUT\nreferrer A plugin for OCI referrers aquasecurity \u2713\n
It lists plugins with the keyword in the name or description.
"},{"location":"guide/plugin/user-guide/#installing-plugins","title":"Installing Plugins","text":"Plugins can be installed with the trivy plugin install command:
$ trivy plugin install referrer\n
This command will download the plugin and install it in the plugin cache.
Trivy adheres to the XDG specification, so the location depends on whether XDG_DATA_HOME is set. Trivy searches XDG_DATA_HOME for the location of the Trivy plugins cache. The preference order is as follows:
- XDG_DATA_HOME if set and .trivy/plugins exists within the XDG_DATA_HOME dir
- ~/.trivy/plugins
Furthermore, it is possible to download plugins that are not registered in the index by specifying the URL directly or by specifying the file path.
$ trivy plugin install github.com/aquasecurity/trivy-plugin-kubectl\n
$ trivy plugin install https://github.com/aquasecurity/trivy-plugin-kubectl/archive/refs/heads/main.zip\n
$ trivy plugin install ./myplugin.tar.gz\n
If the plugin's Git repository is properly tagged, you can specify the version to install like this:
$ trivy plugin install referrer@v0.3.0\n
Note
The leading v in the version is required. Also, the version must follow Semantic Versioning.
Under the hood, Trivy leverages go-getter to download plugins. This means the following protocols are supported for downloading plugins:
- OCI Registries
- Local Files
- Git
- HTTP/HTTPS
- Mercurial
- Amazon S3
- Google Cloud Storage
"},{"location":"guide/plugin/user-guide/#listing-installed-plugins","title":"Listing Installed Plugins","text":"To list all plugins installed, run:
$ trivy plugin list\n
"},{"location":"guide/plugin/user-guide/#using-plugins","title":"Using Plugins","text":"Once the plugin is installed, Trivy loads all available plugins in the cache at the start of the next Trivy execution. A plugin is made available as a subcommand in the Trivy CLI based on the plugin name. To display all plugins, you can list them with trivy --help
$ trivy --help\nNAME:\n trivy - A simple and comprehensive vulnerability scanner for containers\n\nUSAGE:\n trivy [global options] command [command options] target\n\nVERSION:\n dev\n\nScanning Commands\n config Scan config files for misconfigurations\n filesystem Scan local filesystem\n image Scan a container image\n\n...\n\nPlugin Commands\n kubectl scan kubectl resources\n referrer Put referrers to OCI registry\n
As shown above, kubectl subcommand exists in the Plugin Commands section. To call the kubectl plugin and scan existing Kubernetes deployments, you can execute the following command:
$ trivy kubectl deployment <deployment-id> -- --ignore-unfixed --severity CRITICAL\n
Internally, the kubectl plugin calls the kubectl binary to fetch information about that deployment and passes the images it uses to Trivy. You can see the details here.
If you want to omit even the subcommand, you can use TRIVY_RUN_AS_PLUGIN environment variable.
$ TRIVY_RUN_AS_PLUGIN=kubectl trivy job your-job -- --format json\n
"},{"location":"guide/plugin/user-guide/#installing-and-running-plugins-on-the-fly","title":"Installing and Running Plugins on the fly","text":"trivy plugin run installs a plugin and runs it on the fly. If the plugin is already present in the cache, the installation is skipped.
trivy plugin run kubectl pod your-pod -- --exit-code 1\n
"},{"location":"guide/plugin/user-guide/#upgrading-plugins","title":"Upgrading Plugins","text":"To upgrade all plugins that you have installed to their latest versions, run:
$ trivy plugin upgrade\n
To upgrade only certain plugins, you can explicitly specify their names:
$ trivy plugin upgrade <PLUGIN1> <PLUGIN2>\n
"},{"location":"guide/plugin/user-guide/#uninstalling-plugins","title":"Uninstalling Plugins","text":"Specify a plugin name with trivy plugin uninstall command.
$ trivy plugin uninstall kubectl\n
"},{"location":"guide/plugin/user-guide/#output-mode-support","title":"Output Mode Support","text":"While plugins are typically intended to be used as subcommands of Trivy, plugins supporting the output mode can be invoked as part of Trivy's built-in commands.
EXPERIMENTAL
This feature might change without preserving backwards compatibility.
Trivy supports plugins that are compatible with the output mode, which process Trivy's output, such as by transforming the output format or sending it elsewhere. You can determine whether a plugin supports the output mode by checking the OUTPUT column in the output of trivy plugin search or trivy plugin list.
$ trivy plugin search\nNAME DESCRIPTION MAINTAINER OUTPUT\naqua A plugin for integration with Aqua Security SaaS platform aquasecurity\nkubectl A plugin scanning the images of a kubernetes resource aquasecurity\nreferrer A plugin for OCI referrers aquasecurity \u2713\n
In this case, the referrer plugin supports the output mode.
For instance, in the case of image scanning, a plugin supporting the output mode can be called as follows:
$ trivy image --format json --output plugin=<plugin_name> [--output-plugin-arg <plugin_flags>] <image_name>\n
Since scan results are passed to the plugin via standard input, plugins must be capable of handling standard input.
Warning
To avoid Trivy hanging, you need to read all data from Stdin before the plugin exits successfully or stops with an error.
While the example passes JSON to the plugin, other formats like SBOM can also be passed (e.g., --format cyclonedx).
If a plugin requires flags or other arguments, they can be passed using --output-plugin-arg. This is directly forwarded as arguments to the plugin. For example, --output plugin=myplugin --output-plugin-arg \"--foo --bar=baz\" translates to myplugin --foo --bar=baz in execution.
An example of a plugin supporting the output mode is available here. It can be used as below:
# Install the plugin first\n$ trivy plugin install count\n\n# Call the plugin supporting the output mode in image scanning\n$ trivy image --format json --output plugin=count --output-plugin-arg \"--published-after 2023-10-01\" debian:12\n
"},{"location":"guide/plugin/user-guide/#example","title":"Example","text":" - kubectl
- count
"},{"location":"guide/references/abbreviations/","title":"Abbreviation List","text":"This list compiles words that frequently appear in CLI flags or configuration files and are commonly abbreviated in industry and OSS communities. Trivy may use the abbreviation in place of the full spelling for flag names. It is also acceptable to add even shorter aliases if needed.
Words not included in this list should be spelled out in full when used in flags.
This list is intentionally limited to the most common and widely recognized abbreviations. Excessive use of abbreviations in CLI flags can hinder initial user understanding and create a steeper learning curve.
Note
This list serves as a guideline rather than a strict requirement. Its purpose is to maintain consistency across the project when naming flags and configuration options. While we strive to follow these abbreviations, there may be exceptions where context or clarity demands a different approach.
"},{"location":"guide/references/abbreviations/#scope","title":"Scope","text":"This list focuses on abbreviations of single words commonly used in technical contexts. It does not include:
- Acronyms formed from the initial letters of multiple words (e.g., OS for Operating System, HTTP for Hypertext Transfer Protocol)
- Domain-specific terminology that already has standardized short forms
- Brand names or product-specific abbreviations
The abbreviations listed here are primarily intended for CLI flags, configuration keys, and similar technical interfaces where brevity is valued while maintaining clarity.
"},{"location":"guide/references/abbreviations/#example","title":"Example","text":"For a flag containing multiple words, only abbreviate words that appear in this list. For instance, in --database-repository, \"database\" is in the list so it should be abbreviated to \"db\", but \"repository\" is not in the list so it must be spelled out completely. The correct flag name would be --db-repository. It's acceptable to add a shorter alias like --db-repo if desired.
"},{"location":"guide/references/abbreviations/#list","title":"List","text":"Full Name | Default Abbreviation | Examples
application | app | --app-name, --app-mode
authentication | auth | --auth-method, --auth-token
authorization | authz | --authz-rule, --authz-policy
command | cmd | --cmd-option, --cmd-args
configuration | config | --config, --config-dir
database | db | --db-repository, --db-user, --db-pass
development | dev | --dev-dependencies, --dev-mode
directory | dir | --dir-path, --output-dir
environment | env | --env-file, --env-vars
information | info | --info-level, --show-info
initialization | init | --init-script, --init-config
library | lib | --lib-path, --lib-dir
maximum | max | --max-image-size, --max-depth
minimum | min | --min-value, --min-severity
misconfiguration | misconfig | --misconfig-scanners
package | pkg | --pkg-types
production | prod | --prod-env, --prod-deploy
specification | spec | --spec-file, --spec-version
temporary | tmp | --tmp-dir, --tmp-file
utility | util | --util-script, --util-name
vulnerability | vuln | --vuln-scan, --vuln-report"},{"location":"guide/references/terminology/","title":"Terminology","text":"This page explains the terminology system used in Trivy, helping users understand the specific terms and concepts unique to the Trivy ecosystem.
Inclusion Criteria
-
Core Components of Trivy
- Primary features such as Scanner, Target
- Essential components such as Scan Assets (trivy-db, trivy-java-db)
- Components that users directly interact with
-
Trivy-specific Terms
- Terms unique to Trivy (e.g., VEX Hub)
- Terms that have special meaning in Trivy's context (e.g., Plugin, Module)
Exclusion Criteria
-
General Terms
- Common security/technical terms (e.g., CVE, CVSS, Container, Registry)
- Standard industry terminology
-
Implementation Details
- Internal workings of components
- Usage instructions (these belong in feature documentation)
"},{"location":"guide/references/terminology/#core-concepts","title":"Core Concepts","text":""},{"location":"guide/references/terminology/#target","title":"Target","text":"Types of artifacts that Trivy can scan, like container images and filesystems.
"},{"location":"guide/references/terminology/#scanner","title":"Scanner","text":"Trivy's built-in security scanning engines. Trivy has four main scanners:
- Vulnerability Scanner
- Misconfiguration Scanner
- Secret Scanner
- License Scanner
Note
SBOM is not a scanner but an output format option.
"},{"location":"guide/references/terminology/#scan-assets","title":"Scan Assets","text":"External data that Trivy downloads (if needed by a scanner) and uses during scanning:
- Vulnerability Database (Trivy DB, trivy-db): Database containing vulnerability information
- Java Index Database (Trivy Java DB, trivy-java-db): Database for Java artifact identification
- Checks Bundle (trivy-checks): Archive containing misconfiguration detection rules
- VEX Repository: Repository containing VEX documents
"},{"location":"guide/references/terminology/#vulnerability-scanning","title":"Vulnerability Scanning","text":""},{"location":"guide/references/terminology/#vulnerability-database-trivy-db-trivy-db","title":"Vulnerability Database (Trivy DB, trivy-db)","text":"The core vulnerability database required for vulnerability detection. Contains comprehensive vulnerability information for multiple ecosystems. Distributed via OCI registry.
Managed at https://github.com/aquasecurity/trivy-db.
The vulnerability database is built from a GitHub repository that collects and stores vulnerability information from various data sources. This repository serves as the foundation for building the Trivy DB.
Managed at:
- https://github.com/aquasecurity/vuln-list
- https://github.com/aquasecurity/vuln-list-nvd
- https://github.com/aquasecurity/vuln-list-redhat
- https://github.com/aquasecurity/vuln-list-debian
- etc.
"},{"location":"guide/references/terminology/#java-index-database-trivy-java-db-trivy-java-db","title":"Java Index Database (Trivy Java DB, trivy-java-db)","text":"Specialized database used for identifying Java libraries and their components during JAR/WAR/PAR/EAR scanning. Distributed via OCI registry.
Managed at https://github.com/aquasecurity/trivy-java-db.
"},{"location":"guide/references/terminology/#misconfiguration-scanning","title":"Misconfiguration Scanning","text":"When the context does not clearly indicate these terms are related to misconfiguration scanning, they may be prefixed with \"Misconfiguration\" for clarity. For example, \"Check\" may be referred to as \"Misconfiguration Check\", and \"Checks Bundle\" as \"Misconfiguration Checks Bundle\".
"},{"location":"guide/references/terminology/#check","title":"Check","text":"A Rego file that defines rules for detecting misconfigurations in various types of IaC files.
"},{"location":"guide/references/terminology/#built-in-checks","title":"Built-in Checks","text":"Default set of checks distributed through the trivy-checks repository, providing standard security and configuration best practices.
"},{"location":"guide/references/terminology/#checks-bundle","title":"Checks Bundle","text":"A tar.gz archive containing the built-in checks, distributed via OCI registry.
"},{"location":"guide/references/terminology/#secret-scanning","title":"Secret Scanning","text":""},{"location":"guide/references/terminology/#rule","title":"Rule","text":"Pattern matching rules used to detect hardcoded secrets and sensitive information. Each rule consists of:
- Metadata (ID, Category, Title, etc.)
- Regular expressions for matching sensitive patterns
- Additional context for detection accuracy
"},{"location":"guide/references/terminology/#kubernetes-integration","title":"Kubernetes Integration","text":""},{"location":"guide/references/terminology/#kbom-kubernetes-bill-of-materials","title":"KBOM (Kubernetes Bill of Materials)","text":"A specialized SBOM format for Kubernetes clusters that includes detailed information about the cluster's components.
"},{"location":"guide/references/terminology/#vex-vulnerability-exploitability-exchange","title":"VEX (Vulnerability Exploitability eXchange)","text":""},{"location":"guide/references/terminology/#vex-repository","title":"VEX Repository","text":"A repository system that stores VEX documents following the VEX Repository Specification. VEX repositories help users manage and share information about vulnerability applicability and exploitability.
For detailed information about VEX repositories, see the document.
"},{"location":"guide/references/terminology/#vex-hub","title":"VEX Hub","text":"The default VEX repository managed by Aqua Security at https://github.com/aquasecurity/vexhub. It primarily aggregates VEX documents published by package maintainers in their source repositories. VEX Hub serves as a central point for collecting and distributing vulnerability applicability information for OSS projects.
"},{"location":"guide/references/terminology/#cache-system","title":"Cache System","text":""},{"location":"guide/references/terminology/#cache-types","title":"Cache Types","text":"The cache directory contains several distinct types of data:
- Vulnerability Database
- Java Index Database
- Misconfiguration Checks
- VEX Repositories
- Scan Cache
"},{"location":"guide/references/terminology/#asset-cache","title":"Asset Cache","text":"Downloaded assets like vulnerability databases and Java index databases.
"},{"location":"guide/references/terminology/#scan-cache","title":"Scan Cache","text":"A caching mechanism that stores analysis results from previous scans to speed up subsequent scans. For container image scanning, the scan cache stores analysis results including package names and versions per layer.
For detailed information about caching, see the document.
"},{"location":"guide/references/terminology/#plugin-system","title":"Plugin System","text":""},{"location":"guide/references/terminology/#plugin","title":"Plugin","text":"An add-on tool that integrates with Trivy to extend its core functionality. Plugins can be written in any programming language and integrate seamlessly with Trivy CLI, appearing in Trivy help and subcommands. They can be installed and removed independently without affecting the core Trivy installation.
For detailed information about plugins, see the document.
"},{"location":"guide/references/terminology/#plugin-index-trivy-plugin-index","title":"Plugin Index (trivy-plugin-index)","text":"A centralized registry that lists available Trivy plugins, managed at https://github.com/aquasecurity/trivy-plugin-index. The index maintains a curated list of official and community plugins, providing metadata such as plugin names, descriptions, and maintainers. It enables plugin discovery through the trivy plugin search command and facilitates automatic plugin installation and updates.
For detailed information about the plugin index, see the document.
"},{"location":"guide/references/terminology/#module-system","title":"Module System","text":""},{"location":"guide/references/terminology/#module","title":"Module","text":"A WebAssembly-based extension mechanism that allows custom scanning logic without modifying the Trivy binary. Modules can modify scan results by analyzing files or post-processing results.
For detailed information about modules, see the document.
"},{"location":"guide/references/troubleshooting/","title":"Troubleshooting","text":""},{"location":"guide/references/troubleshooting/#scan","title":"Scan","text":""},{"location":"guide/references/troubleshooting/#timeout","title":"Timeout","text":"Error
$ trivy image ...\n...\nanalyze error: timeout: context deadline exceeded\n
Your scan may time out. Java takes a particularly long time to scan. Try increasing the value of the --timeout option such as --timeout 15m.
"},{"location":"guide/references/troubleshooting/#unable-to-initialize-an-image-scanner","title":"Unable to initialize an image scanner","text":"Error
$ trivy image ...\n...\n2024-01-19T08:15:33.288Z FATAL image scan error: scan error: unable to initialize a scanner: unable to initialize an image scanner: 4 errors occurred:\n* docker error: unable to inspect the image (ContainerImageName): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?\n* containerd error: containerd socket not found: /run/containerd/containerd.sock\n* podman error: unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory\n* remote error: GET https://index.docker.io/v2/ContainerImageName: MANIFEST_UNKNOWN: manifest unknown; unknown tag=0.1\n
It means Trivy is unable to find the container image in the following places:
- Docker Engine
- containerd
- Podman
- A remote registry
Please see the error messages for the details of each error.
Common mistakes include the following, depending on where you are pulling images from:
"},{"location":"guide/references/troubleshooting/#common","title":"Common","text":" - Typos in the image name
  - Common mistake :)
- Forgetting to specify the registry
  - By default, it is considered to be Docker Hub (index.docker.io).
"},{"location":"guide/references/troubleshooting/#docker-engine","title":"Docker Engine","text":" - Incorrect Docker host
  - If the Docker daemon's socket path is not /var/run/docker.sock, you need to specify the --docker-host flag or the DOCKER_HOST environment variable. The same applies when using TCP; you must specify the correct host address.
"},{"location":"guide/references/troubleshooting/#containerd","title":"containerd","text":" - Incorrect containerd address
  - If you are using a non-default path, you need to specify the CONTAINERD_ADDRESS environment variable. Please refer to this documentation.
- Incorrect namespace
  - If you are using a non-default namespace, you need to specify the CONTAINERD_NAMESPACE environment variable. Please refer to this documentation.
"},{"location":"guide/references/troubleshooting/#podman","title":"Podman","text":" - Podman socket configuration
  - You need to enable the Podman socket. Please refer to this documentation.
"},{"location":"guide/references/troubleshooting/#container-registry","title":"Container Registry","text":" - Unauthenticated
  - If you are using a private container registry, you need to authenticate. Please refer to this documentation.
- Using a proxy
  - If you are using a proxy within your network, you need to correctly set the HTTP_PROXY, HTTPS_PROXY, etc., environment variables.
- Use of a self-signed certificate in the registry
  - Because certificate verification will fail, you need to either trust that certificate or use the --insecure flag (not recommended in production).
"},{"location":"guide/references/troubleshooting/#certification","title":"Certification","text":"Error
Error: x509: certificate signed by unknown authority
TRIVY_INSECURE can be used to allow insecure connections to a container registry when using SSL.
$ TRIVY_INSECURE=true trivy image [YOUR_IMAGE]\n
If you need to trust a custom CA certificate, you can provide a PEM-encoded bundle.
Unix (except macOS): You can specify the location of your certificate using the SSL_CERT_FILE or SSL_CERT_DIR environment variables.
$ SSL_CERT_FILE=/path/to/ca.pem trivy image [YOUR_IMAGE]\n
$ SSL_CERT_DIR=/path/to/certs trivy image [YOUR_IMAGE]\n
All systems: Use the --cacert flag to point Trivy to a PEM-encoded CA certificate file, regardless of the operating system.
$ trivy image --cacert /path/to/ca.pem [YOUR_IMAGE]\n
"},{"location":"guide/references/troubleshooting/#github-rate-limiting","title":"GitHub Rate limiting","text":"Trivy uses GitHub API for VEX repositories.
Error
$ trivy image --vex repo ...\n...\nAPI rate limit exceeded for xxx.xxx.xxx.xxx.\n
Specify GITHUB_TOKEN for authentication:
$ GITHUB_TOKEN=XXXXXXXXXX trivy image --vex repo [YOUR_IMAGE]\n
Note
GITHUB_TOKEN doesn't help with the rate limit for the vulnerability database and other assets. See https://github.com/aquasecurity/trivy/discussions/8009
"},{"location":"guide/references/troubleshooting/#unable-to-open-jar-files","title":"Unable to open JAR files","text":"Error
$ trivy image ...\n...\nfailed to analyze file: failed to analyze usr/lib/jvm/java-1.8-openjdk/lib/tools.jar: unable to open usr/lib/jvm/java-1.8-openjdk/lib/tools.jar: failed to open: unable to read the file: stream error: stream ID 9; PROTOCOL_ERROR; received from peer\n
Currently, we're investigating this issue. As a temporary mitigation, you may be able to avoid this issue by downloading the Java DB in advance.
$ trivy image --download-java-db-only\n2023-02-01T16:57:04.322+0900 INFO Downloading the Java DB...\n$ trivy image [YOUR_JAVA_IMAGE]\n
"},{"location":"guide/references/troubleshooting/#cache-lock-errors","title":"Cache lock errors","text":"Error
cache may be in use by another process\n
Trivy's vulnerability database is opened in read-only mode, so it does not cause lock issues. Lock errors occur only when the filesystem cache is used for scan cache storage.
Filesystem cache uses BoltDB internally, which creates file locks to prevent data corruption. As stated in the BoltDB documentation:
Please note that Bolt obtains a file lock on the data file so multiple processes cannot open the same database at the same time. Opening an already open Bolt database will cause it to hang until the other process closes it.
Reference: BoltDB README
If you're using memory cache (default for some commands like fs, rootfs, config, and sbom) or external cache (Redis), you will not encounter lock errors. Lock issues only occur when using filesystem cache with multiple concurrent processes. See Cache Backend for more details.
These errors occur when:
- Multiple Trivy processes try to use the same filesystem cache directory simultaneously
- A previous Trivy process did not shut down cleanly
- Trivy server is running with filesystem cache and holding a lock on the cache
"},{"location":"guide/references/troubleshooting/#solutions","title":"Solutions","text":"Solution 1: Use memory cache or Redis cache (Recommended)
Memory cache is the default for some commands (e.g., fs, rootfs, config, sbom). For other commands like image scanning, you can use --cache-backend memory to enable concurrent execution:
$ trivy image --cache-backend memory debian:11 &\n$ trivy image --cache-backend memory debian:12 &\n
Note that memory cache does not persist scan results, so subsequent scans will take longer as layers need to be scanned again each time.
For server mode or persistent cache with concurrent access, use Redis cache:
$ trivy server --cache-backend redis://localhost:6379\n
Solution 2: Terminate conflicting processes
If you need to use filesystem cache, check for running Trivy processes and terminate them:
$ ps aux | grep trivy\n$ kill [process_id]\n
Solution 3: Use different cache directories
If you must run multiple Trivy processes with filesystem cache, specify different cache directories for each process:
$ trivy image --cache-dir /tmp/trivy-cache-1 debian:11 &\n$ trivy image --cache-dir /tmp/trivy-cache-2 debian:12 &\n
Note that each cache directory will download its own copy of the vulnerability database and other scan assets, which will increase network traffic and storage usage.
"},{"location":"guide/references/troubleshooting/#multiple-trivy-servers","title":"Multiple Trivy servers","text":"Error
$ trivy image --server http://xxx.com:xxxx test-image\n...\n- twirp error internal: failed scan, test-image: failed to apply layers: layer cache missing: sha256:*****\n
To run multiple Trivy servers, you need to use Redis as the cache backend so that those servers can share the cache. Follow this instruction to do so.
"},{"location":"guide/references/troubleshooting/#problems-with-tmp-on-remote-git-repository-scans","title":"Problems with /tmp on remote Git repository scans","text":"Error
FATAL repository scan error: scan error: unable to initialize a scanner: unable to initialize a filesystem scanner: git clone error: write /tmp/fanal-remote...
Trivy clones remote Git repositories under the /tmp directory before scanning them. If /tmp doesn't work for you, you can change it by setting the TMPDIR environment variable.
Try:
$ TMPDIR=/my/custom/path trivy repo ...\n
"},{"location":"guide/references/troubleshooting/#running-out-of-space-during-image-scans","title":"Running out of space during image scans","text":"Error
image scan failed:\nfailed to copy the image:\nwrite /tmp/fanal-3323732142: no space left on device\n
Trivy uses a temporary directory during image scans. The directory path is determined as follows:
- On Unix systems: $TMPDIR if non-empty, else /tmp.
- On Windows: GetTempPath, which returns the first non-empty value from %TMP%, %TEMP%, %USERPROFILE%, or the Windows directory.
See this documentation for more details.
If the image is large or the temporary directory has insufficient space, the scan will fail. You can configure the directory path to redirect Trivy to a directory with adequate storage. On Unix systems, you can set the $TMPDIR environment variable.
$ TMPDIR=/my/custom/path trivy image ...\n
When scanning images from a container registry, Trivy processes each layer by streaming, loading only the necessary files for the scan into memory and discarding unnecessary files. If a layer contains large files that are necessary for the scan (such as JAR files or binary files), Trivy saves them to a temporary directory (e.g. $TMPDIR) on local storage to avoid increased memory consumption. Although these files are deleted after the scan is complete, they can temporarily increase disk consumption and potentially exhaust storage. In such cases, there are currently three workarounds:
- Use a temporary directory with sufficient capacity. This is the same as explained above.
- Specify a small value for --parallel. By default, multiple layers are processed in parallel. If each layer contains large files, disk space may be consumed rapidly. By specifying a small value such as --parallel 1, parallelism is reduced, which can mitigate the issue.
- Specify --skip-files or --skip-dirs. If the container image contains large files that do not need to be scanned, you can skip their processing by specifying --skip-files or --skip-dirs. For more details, please refer to this documentation.
"},{"location":"guide/references/troubleshooting/#db","title":"DB","text":""},{"location":"guide/references/troubleshooting/#old-db-schema","title":"Old DB schema","text":"Error
--skip-update cannot be specified with the old DB schema.
Trivy v0.23.0 or later requires Trivy DB v2. Please update your local database or follow the instructions for air-gapped environments.
"},{"location":"guide/references/troubleshooting/#error-downloading-vulnerability-db","title":"Error downloading vulnerability DB","text":"Error
FATAL failed to download vulnerability DB
If Trivy is running behind a corporate firewall, refer to the necessary connectivity requirements as described here.
"},{"location":"guide/references/troubleshooting/#denied","title":"Denied","text":"Error
GET https://ghcr.io/token?scope=repository%3Aaquasecurity%2Ftrivy-db%3Apull&service=ghcr.io: DENIED: denied
Your local GHCR (GitHub Container Registry) token might be expired. Please remove the token and try downloading the DB again.
docker logout ghcr.io\n
or
unset GITHUB_TOKEN\n
"},{"location":"guide/references/troubleshooting/#homebrew","title":"Homebrew","text":""},{"location":"guide/references/troubleshooting/#scope-error","title":"Scope error","text":"Error
Error: Your macOS keychain GitHub credentials do not have sufficient scope!
$ brew tap aquasecurity/trivy\nError: Your macOS keychain GitHub credentials do not have sufficient scope!\nScopes they need: none\nScopes they have:\nCreate a personal access token:\nhttps://github.com/settings/tokens/new?scopes=gist,public_repo&description=Homebrew\necho 'export HOMEBREW_GITHUB_API_TOKEN=your_token_here' >> ~/.zshrc\n
Try:
$ printf \"protocol=https\\nhost=github.com\\n\" | git credential-osxkeychain erase\n
"},{"location":"guide/references/troubleshooting/#already-installed","title":"Already installed","text":"Error
Error: aquasecurity/trivy/trivy 64 already installed
$ brew upgrade\n...\nError: aquasecurity/trivy/trivy 64 already installed\n
Try:
$ brew unlink trivy && brew uninstall trivy\n($ rm -rf /usr/local/Cellar/trivy/64)\n$ brew install aquasecurity/trivy/trivy\n
"},{"location":"guide/references/troubleshooting/#debugging","title":"Debugging","text":""},{"location":"guide/references/troubleshooting/#http-requestresponse-tracing","title":"HTTP Request/Response Tracing","text":"For debugging network issues, connection problems, or authentication failures, you can enable HTTP request/response tracing using the --trace-http flag.
Security Warning
While Trivy attempts to redact known sensitive information such as authentication headers and common secrets, the --trace-http flag may still expose sensitive data in HTTP requests and responses.
Never use this flag in production environments or CI/CD pipelines. This flag is automatically disabled in CI environments for security.
# Enable HTTP tracing for debugging registry issues\n$ trivy image --trace-http registry.example.com/my-image:latest\n\n# HTTP tracing with other debugging options\n$ trivy image --trace-http --debug --insecure my-image:tag\n
"},{"location":"guide/references/troubleshooting/#others","title":"Others","text":""},{"location":"guide/references/troubleshooting/#unknown-error","title":"Unknown error","text":"Try again after running trivy clean --all:
$ trivy clean --all\n
"},{"location":"guide/references/configuration/config-file/","title":"Config file","text":"Trivy can be customized by tweaking a trivy.yaml file. The config path can be overridden by the --config flag.
An example is here.
These samples contain default values for flags.
"},{"location":"guide/references/configuration/config-file/#global-options","title":"Global options","text":"# Same as '--cacert'\ncacert: \"\"\n\ncache:\n # Same as '--cache-dir'\n dir: \"/path/to/cache\"\n\n# Same as '--debug'\ndebug: false\n\n# Same as '--insecure'\ninsecure: false\n\n# Same as '--quiet'\nquiet: false\n\n# Same as '--timeout'\ntimeout: 5m0s\n
"},{"location":"guide/references/configuration/config-file/#cache-options","title":"Cache options","text":"cache:\n # Same as '--cache-backend'\n backend: \"fs\"\n\n redis:\n # Same as '--redis-ca'\n ca: \"\"\n\n # Same as '--redis-cert'\n cert: \"\"\n\n # Same as '--redis-key'\n key: \"\"\n\n # Same as '--redis-tls'\n tls: false\n\n # Same as '--cache-ttl'\n ttl: 0s\n
"},{"location":"guide/references/configuration/config-file/#clean-options","title":"Clean options","text":"clean:\n # Same as '--all'\n all: false\n\n # Same as '--checks-bundle'\n checks-bundle: false\n\n # Same as '--java-db'\n java-db: false\n\n # Same as '--scan-cache'\n scan-cache: false\n\n # Same as '--vex-repo'\n vex-repo: false\n\n # Same as '--vuln-db'\n vuln-db: false\n
"},{"location":"guide/references/configuration/config-file/#clientserver-options","title":"Client/Server options","text":"server:\n # Same as '--server'\n addr: \"\"\n\n # Same as '--custom-headers'\n custom-headers: []\n\n # Same as '--listen'\n listen: \"localhost:4954\"\n\n # Same as '--token'\n token: \"\"\n\n # Same as '--token-header'\n token-header: \"Trivy-Token\"\n
"},{"location":"guide/references/configuration/config-file/#db-options","title":"DB options","text":"db:\n # Same as '--download-java-db-only'\n download-java-only: false\n\n # Same as '--download-db-only'\n download-only: false\n\n # Same as '--java-db-repository'\n java-repository:\n - mirror.gcr.io/aquasec/trivy-java-db:1\n - ghcr.io/aquasecurity/trivy-java-db:1\n\n # Same as '--skip-java-db-update'\n java-skip-update: false\n\n # Same as '--no-progress'\n no-progress: false\n\n # Same as '--db-repository'\n repository:\n - mirror.gcr.io/aquasec/trivy-db:2\n - ghcr.io/aquasecurity/trivy-db:2\n\n # Same as '--skip-db-update'\n skip-update: false\n
"},{"location":"guide/references/configuration/config-file/#image-options","title":"Image options","text":"image:\n docker:\n # Same as '--docker-host'\n host: \"\"\n\n # Same as '--image-config-scanners'\n image-config-scanners: []\n\n # Same as '--input'\n input: \"\"\n\n # Same as '--max-image-size'\n max-size: \"\"\n\n # Same as '--platform'\n platform: \"\"\n\n podman:\n # Same as '--podman-host'\n host: \"\"\n\n # Same as '--removed-pkgs'\n removed-pkgs: false\n\n # Same as '--image-src'\n source:\n - docker\n - containerd\n - podman\n - remote\n
"},{"location":"guide/references/configuration/config-file/#kubernetes-options","title":"Kubernetes options","text":"kubernetes:\n # Same as '--burst'\n burst: 10\n\n # Same as '--disable-node-collector'\n disableNodeCollector: false\n\n exclude:\n # Same as '--exclude-nodes'\n nodes: []\n\n # Same as '--exclude-owned'\n owned: false\n\n # Same as '--exclude-kinds'\n excludeKinds: []\n\n # Same as '--exclude-namespaces'\n excludeNamespaces: []\n\n # Same as '--include-kinds'\n includeKinds: []\n\n # Same as '--include-namespaces'\n includeNamespaces: []\n\n # Same as '--k8s-version'\n k8s-version: \"\"\n\n # Same as '--kubeconfig'\n kubeconfig: \"\"\n\n node-collector:\n # Same as '--node-collector-imageref'\n imageref: \"ghcr.io/aquasecurity/node-collector:0.3.1\"\n\n # Same as '--node-collector-namespace'\n namespace: \"trivy-temp\"\n\n # Same as '--qps'\n qps: 5\n\n # Same as '--skip-images'\n skipImages: false\n\n # Same as '--tolerations'\n tolerations: []\n
"},{"location":"guide/references/configuration/config-file/#license-options","title":"License options","text":"license:\n # Same as '--license-confidence-level'\n confidenceLevel: 0.9\n\n forbidden:\n - AGPL-1.0\n - AGPL-3.0\n - CC-BY-NC-1.0\n - CC-BY-NC-2.0\n - CC-BY-NC-2.5\n - CC-BY-NC-3.0\n - CC-BY-NC-4.0\n - CC-BY-NC-ND-1.0\n - CC-BY-NC-ND-2.0\n - CC-BY-NC-ND-2.5\n - CC-BY-NC-ND-3.0\n - CC-BY-NC-ND-4.0\n - CC-BY-NC-SA-1.0\n - CC-BY-NC-SA-2.0\n - CC-BY-NC-SA-2.5\n - CC-BY-NC-SA-3.0\n - CC-BY-NC-SA-4.0\n - Commons-Clause\n - Facebook-2-Clause\n - Facebook-3-Clause\n - Facebook-Examples\n - WTFPL\n\n # Same as '--license-full'\n full: false\n\n # Same as '--ignored-licenses'\n ignored: []\n\n notice:\n - AFL-1.1\n - AFL-1.2\n - AFL-2.0\n - AFL-2.1\n - AFL-3.0\n - Apache-1.0\n - Apache-1.1\n - Apache-2.0\n - Artistic-1.0-cl8\n - Artistic-1.0-Perl\n - Artistic-1.0\n - Artistic-2.0\n - BSL-1.0\n - BSD-2-Clause-FreeBSD\n - BSD-2-Clause-NetBSD\n - BSD-2-Clause\n - BSD-3-Clause-Attribution\n - BSD-3-Clause-Clear\n - BSD-3-Clause-LBNL\n - BSD-3-Clause\n - BSD-4-Clause\n - BSD-4-Clause-UC\n - BSD-Protection\n - CC-BY-1.0\n - CC-BY-2.0\n - CC-BY-2.5\n - CC-BY-3.0\n - CC-BY-4.0\n - FTL\n - ISC\n - ImageMagick\n - Libpng\n - Lil-1.0\n - Linux-OpenIB\n - LPL-1.02\n - LPL-1.0\n - MS-PL\n - MIT\n - NCSA\n - OpenSSL\n - PHP-3.01\n - PHP-3.0\n - PIL\n - Python-2.0\n - Python-2.0-complete\n - PostgreSQL\n - SGI-B-1.0\n - SGI-B-1.1\n - SGI-B-2.0\n - Unicode-DFS-2015\n - Unicode-DFS-2016\n - Unicode-TOU\n - UPL-1.0\n - W3C-19980720\n - W3C-20150513\n - W3C\n - X11\n - Xnet\n - Zend-2.0\n - zlib-acknowledgement\n - Zlib\n - ZPL-1.1\n - ZPL-2.0\n - ZPL-2.1\n\n permissive: []\n\n reciprocal:\n - APSL-1.0\n - APSL-1.1\n - APSL-1.2\n - APSL-2.0\n - CDDL-1.0\n - CDDL-1.1\n - CPL-1.0\n - EPL-1.0\n - EPL-2.0\n - FreeImage\n - IPL-1.0\n - MPL-1.0\n - MPL-1.1\n - MPL-2.0\n - Ruby\n\n restricted:\n - BCL\n - CC-BY-ND-1.0\n - CC-BY-ND-2.0\n - CC-BY-ND-2.5\n - CC-BY-ND-3.0\n - CC-BY-ND-4.0\n - 
CC-BY-SA-1.0\n - CC-BY-SA-2.0\n - CC-BY-SA-2.5\n - CC-BY-SA-3.0\n - CC-BY-SA-4.0\n - GPL-1.0\n - GPL-2.0\n - GPL-2.0-with-autoconf-exception\n - GPL-2.0-with-bison-exception\n - GPL-2.0-with-classpath-exception\n - GPL-2.0-with-font-exception\n - GPL-2.0-with-GCC-exception\n - GPL-3.0\n - GPL-3.0-with-autoconf-exception\n - GPL-3.0-with-GCC-exception\n - LGPL-2.0\n - LGPL-2.1\n - LGPL-3.0\n - NPL-1.0\n - NPL-1.1\n - OSL-1.0\n - OSL-1.1\n - OSL-2.0\n - OSL-2.1\n - OSL-3.0\n - QPL-1.0\n - Sleepycat\n\n unencumbered:\n - CC0-1.0\n - Unlicense\n - 0BSD\n
"},{"location":"guide/references/configuration/config-file/#misconfiguration-options","title":"Misconfiguration options","text":"misconfiguration:\n # Same as '--checks-bundle-repository'\n checks-bundle-repository: \"mirror.gcr.io/aquasec/trivy-checks:1\"\n\n cloudformation:\n # Same as '--cf-params'\n params: []\n\n # Same as '--config-file-schemas'\n config-file-schemas: []\n\n helm:\n # Same as '--helm-api-versions'\n api-versions: []\n\n # Same as '--helm-kube-version'\n kube-version: \"\"\n\n # Same as '--helm-set'\n set: []\n\n # Same as '--helm-set-file'\n set-file: []\n\n # Same as '--helm-set-string'\n set-string: []\n\n # Same as '--helm-values'\n values: []\n\n # Same as '--include-non-failures'\n include-non-failures: false\n\n # Same as '--raw-config-scanners'\n raw-config-scanners: []\n\n # Same as '--render-cause'\n render-cause: []\n\n # Same as '--misconfig-scanners'\n scanners:\n - azure-arm\n - cloudformation\n - dockerfile\n - helm\n - kubernetes\n - terraform\n - terraformplan-json\n - terraformplan-snapshot\n\n terraform:\n # Same as '--tf-exclude-downloaded-modules'\n exclude-downloaded-modules: false\n\n # Same as '--tf-vars'\n vars: []\n
"},{"location":"guide/references/configuration/config-file/#module-options","title":"Module options","text":"module:\n # Same as '--module-dir'\n dir: \"$HOME/.trivy/modules\"\n\n # Same as '--enable-modules'\n enable-modules: []\n
"},{"location":"guide/references/configuration/config-file/#package-options","title":"Package options","text":"pkg:\n # Same as '--include-dev-deps'\n include-dev-deps: false\n\n # Same as '--pkg-relationships'\n relationships:\n - unknown\n - root\n - workspace\n - direct\n - indirect\n\n # Same as '--pkg-types'\n types:\n - os\n - library\n
"},{"location":"guide/references/configuration/config-file/#registry-options","title":"Registry options","text":"registry:\n mirrors:\n\n # Same as '--password'\n password: []\n\n # Same as '--password-stdin'\n password-stdin: false\n\n # Same as '--registry-token'\n token: \"\"\n\n # Same as '--username'\n username: []\n
"},{"location":"guide/references/configuration/config-file/#rego-options","title":"Rego options","text":"rego:\n # Same as '--config-check'\n check: []\n\n # Same as '--config-data'\n data: []\n\n # Same as '--rego-error-limit'\n error-limit: 10\n\n # Same as '--include-deprecated-checks'\n include-deprecated-checks: false\n\n # Same as '--check-namespaces'\n namespaces: []\n\n # Same as '--skip-check-update'\n skip-check-update: false\n\n # Same as '--trace-rego'\n trace: false\n
"},{"location":"guide/references/configuration/config-file/#report-options","title":"Report options","text":"# Same as '--dependency-tree'\ndependency-tree: false\n\n# Same as '--exit-code'\nexit-code: 0\n\n# Same as '--exit-on-eol'\nexit-on-eol: 0\n\n# Same as '--format'\nformat: \"table\"\n\n# Same as '--ignore-policy'\nignore-policy: \"\"\n\n# Same as '--ignorefile'\nignorefile: \".trivyignore\"\n\n# Same as '--list-all-pkgs'\nlist-all-pkgs: true\n\n# Same as '--output'\noutput: \"\"\n\n# Same as '--output-plugin-arg'\noutput-plugin-arg: \"\"\n\n# Same as '--report'\nreport: \"all\"\n\nscan:\n # Same as '--compliance'\n compliance: \"\"\n\n # Same as '--show-suppressed'\n show-suppressed: false\n\n# Same as '--severity'\nseverity:\n - UNKNOWN\n - LOW\n - MEDIUM\n - HIGH\n - CRITICAL\n\n# Same as '--table-mode'\ntable-mode:\n - summary\n - detailed\n\n# Same as '--template'\ntemplate: \"\"\n
"},{"location":"guide/references/configuration/config-file/#repository-options","title":"Repository options","text":"repository:\n # Same as '--branch'\n branch: \"\"\n\n # Same as '--commit'\n commit: \"\"\n\n # Same as '--tag'\n tag: \"\"\n
"},{"location":"guide/references/configuration/config-file/#scan-options","title":"Scan options","text":"scan:\n # Same as '--detection-priority'\n detection-priority: \"precise\"\n\n # Same as '--disable-telemetry'\n disable-telemetry: false\n\n # Same as '--distro'\n distro: \"\"\n\n # Same as '--file-patterns'\n file-patterns: []\n\n # Same as '--offline-scan'\n offline: false\n\n # Same as '--parallel'\n parallel: 5\n\n # Same as '--rekor-url'\n rekor-url: \"https://rekor.sigstore.dev\"\n\n # Same as '--sbom-sources'\n sbom-sources: []\n\n # Same as '--scanners'\n scanners:\n - vuln\n - secret\n\n # Same as '--skip-dirs'\n skip-dirs: []\n\n # Same as '--skip-files'\n skip-files: []\n\n # Same as '--skip-version-check'\n skip-version-check: false\n
"},{"location":"guide/references/configuration/config-file/#secret-options","title":"Secret options","text":"secret:\n # Same as '--secret-config'\n config: \"trivy-secret.yaml\"\n
"},{"location":"guide/references/configuration/config-file/#vulnerability-options","title":"Vulnerability options","text":"vulnerability:\n # Same as '--ignore-status'\n ignore-status: []\n\n # Same as '--ignore-unfixed'\n ignore-unfixed: false\n\n # Same as '--vuln-severity-source'\n severity-source:\n - auto\n\n # Same as '--skip-vex-repo-update'\n skip-vex-repo-update: false\n\n # Same as '--vex'\n vex: []\n
"},{"location":"guide/references/configuration/cli/trivy/","title":"Overview","text":""},{"location":"guide/references/configuration/cli/trivy/#trivy","title":"trivy","text":"Unified security scanner
"},{"location":"guide/references/configuration/cli/trivy/#synopsis","title":"Synopsis","text":"Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues and hard-coded secrets
trivy [global flags] command [flags] target\n
"},{"location":"guide/references/configuration/cli/trivy/#examples","title":"Examples","text":" # Scan a container image\n $ trivy image python:3.4-alpine\n\n # Scan a container image from a tar archive\n $ trivy image --input ruby-3.1.tar\n\n # Scan local filesystem\n $ trivy fs .\n\n # Run in server mode\n $ trivy server\n
"},{"location":"guide/references/configuration/cli/trivy/#options","title":"Options","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n -f, --format string version format (json)\n --generate-default-config write the default config to trivy-default.yaml\n -h, --help help for trivy\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy/#see-also","title":"SEE ALSO","text":" - trivy clean - Remove cached files
- trivy config - Scan config files for misconfigurations
- trivy convert - Convert Trivy JSON report into a different format
- trivy filesystem - Scan local filesystem
- trivy image - Scan a container image
- trivy kubernetes - [EXPERIMENTAL] Scan kubernetes cluster
- trivy module - Manage modules
- trivy plugin - Manage plugins
- trivy registry - Manage registry authentication
- trivy repository - Scan a repository
- trivy rootfs - Scan rootfs
- trivy sbom - Scan SBOM for vulnerabilities and licenses
- trivy server - Server mode
- trivy version - Print the version
- trivy vex - [EXPERIMENTAL] VEX utilities
- trivy vm - [EXPERIMENTAL] Scan a virtual machine image
"},{"location":"guide/references/configuration/cli/trivy_clean/","title":"Clean","text":""},{"location":"guide/references/configuration/cli/trivy_clean/#trivy-clean","title":"trivy clean","text":"Remove cached files
trivy clean [flags]\n
"},{"location":"guide/references/configuration/cli/trivy_clean/#examples","title":"Examples","text":" # Remove all caches\n $ trivy clean --all\n\n # Remove scan cache\n $ trivy clean --scan-cache\n\n # Remove vulnerability database\n $ trivy clean --vuln-db\n
"},{"location":"guide/references/configuration/cli/trivy_clean/#options","title":"Options","text":" -a, --all remove all caches\n --checks-bundle remove checks bundle\n -h, --help help for clean\n --java-db remove Java database\n --scan-cache remove scan cache (container and VM image analysis results)\n --vex-repo remove VEX repositories\n --vuln-db remove vulnerability database\n
"},{"location":"guide/references/configuration/cli/trivy_clean/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_clean/#see-also","title":"SEE ALSO","text":" - trivy - Unified security scanner
"},{"location":"guide/references/configuration/cli/trivy_config/","title":"Config","text":""},{"location":"guide/references/configuration/cli/trivy_config/#trivy-config","title":"trivy config","text":"Scan config files for misconfigurations
trivy config [flags] DIR\n
"},{"location":"guide/references/configuration/cli/trivy_config/#options","title":"Options","text":" --cache-backend string [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default \"memory\")\n --cache-ttl duration cache TTL when using redis as cache backend\n --cf-params strings specify paths to override the CloudFormation parameters files\n --check-namespaces strings Rego namespaces\n --checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default \"mirror.gcr.io/aquasec/trivy-checks:1\")\n --compliance string compliance report to generate\n --config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files\n --config-data strings specify paths from which data for the Rego checks will be recursively loaded\n --config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking\n --disable-telemetry disable sending anonymous usage data to Aqua\n --enable-modules strings [EXPERIMENTAL] module names to enable\n --exit-code int specify exit code when any security issues are found\n --file-patterns strings specify config file patterns\n -f, --format string format\n Allowed values:\n - table\n - json\n - template\n - sarif\n - cyclonedx\n - spdx\n - spdx-json\n - github\n - cosign-vuln\n (default \"table\")\n --helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)\n --helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. 
This flag is the same as the kube-version flag of the helm template command.\n --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)\n --helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)\n --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)\n --helm-values strings specify paths to override the Helm values.yaml files\n -h, --help help for config\n --ignore-policy string specify the Rego file path to evaluate each vulnerability\n --ignorefile string specify .trivyignore file (default \".trivyignore\")\n --include-deprecated-checks include deprecated checks\n --include-non-failures include successes, available with '--scanners misconfig'\n --k8s-version string specify k8s version to validate outdated api by it (example: 1.21.0)\n --misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])\n --module-dir string specify directory to the wasm modules that will be loaded (default \"$HOME/.trivy/modules\")\n -o, --output string output file name\n --output-plugin-arg string [EXPERIMENTAL] output plugin arguments\n --password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.\n --password-stdin password from stdin. Comma-separated passwords are not supported.\n --raw-config-scanners strings specify the types of scanners that will also scan raw configurations. 
For example, scanners will scan a non-adapted configuration into a shared state (allowed values: terraform)\n --redis-ca string redis ca file location, if using redis as cache backend\n --redis-cert string redis certificate file location, if using redis as cache backend\n --redis-key string redis key file location, if using redis as cache backend\n --redis-tls enable redis TLS with public certificates, if using redis as cache backend\n --registry-token string registry token\n --rego-error-limit int maximum number of compile errors allowed during Rego policy evaluation (default 10)\n --render-cause strings specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)\n --report string specify a compliance report format for the output (allowed values: all,summary) (default \"all\")\n -s, --severity strings severities of security issues to be displayed\n Allowed values:\n - UNKNOWN\n - LOW\n - MEDIUM\n - HIGH\n - CRITICAL\n (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])\n --skip-check-update skip fetching rego check updates\n --skip-dirs strings specify the directories or glob patterns to skip\n --skip-files strings specify the files or glob patterns to skip\n --skip-version-check suppress notices about version updates and Trivy announcements\n --table-mode strings [EXPERIMENTAL] tables that will be displayed in 'table' format (allowed values: summary,detailed) (default [summary,detailed])\n -t, --template string output template\n --tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules\n --tf-vars strings specify paths to override the Terraform tfvars files\n --trace-rego enable more verbose trace output for custom queries\n --username strings username. Comma-separated usernames allowed.\n
"},{"location":"guide/references/configuration/cli/trivy_config/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_config/#see-also","title":"SEE ALSO","text":" - trivy - Unified security scanner
"},{"location":"guide/references/configuration/cli/trivy_convert/","title":"Convert","text":""},{"location":"guide/references/configuration/cli/trivy_convert/#trivy-convert","title":"trivy convert","text":"Convert Trivy JSON report into a different format
trivy convert [flags] RESULT_JSON\n
"},{"location":"guide/references/configuration/cli/trivy_convert/#examples","title":"Examples","text":" # report conversion\n $ trivy image --format json --output result.json debian:11\n $ trivy convert --format cyclonedx --output result.cdx result.json\n
"},{"location":"guide/references/configuration/cli/trivy_convert/#options","title":"Options","text":" --compliance string compliance report to generate\n --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages\n --exit-code int specify exit code when any security issues are found\n --exit-on-eol int exit with the specified code when the OS reaches end of service/life\n -f, --format string format\n Allowed values:\n - table\n - json\n - template\n - sarif\n - cyclonedx\n - spdx\n - spdx-json\n - github\n - cosign-vuln\n (default \"table\")\n -h, --help help for convert\n --ignore-policy string specify the Rego file path to evaluate each vulnerability\n --ignorefile string specify .trivyignore file (default \".trivyignore\")\n --list-all-pkgs output all packages in the JSON report regardless of vulnerability (default true)\n -o, --output string output file name\n --output-plugin-arg string [EXPERIMENTAL] output plugin arguments\n --report string specify a report format for the output (allowed values: all,summary) (default \"all\")\n --scanners strings List of scanners included when generating the json report. Used only for rendering the summary table. (allowed values: vuln,misconfig,secret,license)\n -s, --severity strings severities of security issues to be displayed\n Allowed values:\n - UNKNOWN\n - LOW\n - MEDIUM\n - HIGH\n - CRITICAL\n (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])\n --show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities\n --table-mode strings [EXPERIMENTAL] tables that will be displayed in 'table' format (allowed values: summary,detailed) (default [summary,detailed])\n -t, --template string output template\n
"},{"location":"guide/references/configuration/cli/trivy_convert/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_convert/#see-also","title":"SEE ALSO","text":" - trivy - Unified security scanner
"},{"location":"guide/references/configuration/cli/trivy_filesystem/","title":"Filesystem","text":""},{"location":"guide/references/configuration/cli/trivy_filesystem/#trivy-filesystem","title":"trivy filesystem","text":"Scan local filesystem
trivy filesystem [flags] PATH\n
"},{"location":"guide/references/configuration/cli/trivy_filesystem/#examples","title":"Examples","text":" # Scan a local project including language-specific files\n $ trivy fs /path/to/your_project\n\n # Scan a single file\n $ trivy fs ./trivy-ci-test/Pipfile.lock\n
"},{"location":"guide/references/configuration/cli/trivy_filesystem/#options","title":"Options","text":" --cache-backend string [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default \"memory\")\n --cache-ttl duration cache TTL when using redis as cache backend\n --cf-params strings specify paths to override the CloudFormation parameters files\n --check-namespaces strings Rego namespaces\n --checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default \"mirror.gcr.io/aquasec/trivy-checks:1\")\n --compliance string compliance report to generate\n --config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files\n --config-data strings specify paths from which data for the Rego checks will be recursively loaded\n --config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking\n --custom-headers strings custom headers in client mode\n --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])\n --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages\n --detection-priority string specify the detection priority:\n - \"precise\": Prioritizes precise by minimizing false positives.\n - \"comprehensive\": Aims to detect more security findings at the cost of potential false positives.\n (allowed values: precise,comprehensive) (default \"precise\")\n --disable-telemetry disable sending anonymous usage data to Aqua\n --distro string [EXPERIMENTAL] specify a distribution, <family>/<version>\n --download-db-only download/update vulnerability database but don't run a scan\n --download-java-db-only download/update Java index database but don't run a scan\n --enable-modules strings [EXPERIMENTAL] module names to enable\n --exit-code 
int specify exit code when any security issues are found\n --file-patterns strings specify config file patterns\n -f, --format string format\n Allowed values:\n - table\n - json\n - template\n - sarif\n - cyclonedx\n - spdx\n - spdx-json\n - github\n - cosign-vuln\n (default \"table\")\n --helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)\n --helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.\n --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)\n --helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)\n --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)\n --helm-values strings specify paths to override the Helm values.yaml files\n -h, --help help for filesystem\n --ignore-policy string specify the Rego file path to evaluate each vulnerability\n --ignore-status strings comma-separated list of vulnerability status to ignore\n Allowed values:\n - unknown\n - not_affected\n - affected\n - fixed\n - under_investigation\n - will_not_fix\n - fix_deferred\n - end_of_life\n --ignore-unfixed display only fixed vulnerabilities\n --ignored-licenses strings specify a list of license to ignore\n --ignorefile string specify .trivyignore file (default \".trivyignore\")\n --include-deprecated-checks include deprecated checks\n --include-dev-deps include development dependencies in the report (supported: npm, yarn, gradle)\n --include-non-failures include successes, available 
with '--scanners misconfig'\n --java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])\n --license-confidence-level float specify license classifier's confidence level (default 0.9)\n --license-full eagerly look for licenses in source code headers and license files\n --list-all-pkgs output all packages in the JSON report regardless of vulnerability (default true)\n --misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])\n --module-dir string specify directory to the wasm modules that will be loaded (default \"$HOME/.trivy/modules\")\n --no-progress suppress progress bar\n --offline-scan do not issue API requests to identify dependencies\n -o, --output string output file name\n --output-plugin-arg string [EXPERIMENTAL] output plugin arguments\n --parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)\n --password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.\n --password-stdin password from stdin. Comma-separated passwords are not supported.\n --pkg-relationships strings list of package relationships\n Allowed values:\n - unknown\n - root\n - workspace\n - direct\n - indirect\n (default [unknown,root,workspace,direct,indirect])\n --pkg-types strings list of package types (allowed values: os,library) (default [os,library])\n --raw-config-scanners strings specify the types of scanners that will also scan raw configurations. 
For example, scanners will scan a non-adapted configuration into a shared state (allowed values: terraform)\n --redis-ca string redis ca file location, if using redis as cache backend\n --redis-cert string redis certificate file location, if using redis as cache backend\n --redis-key string redis key file location, if using redis as cache backend\n --redis-tls enable redis TLS with public certificates, if using redis as cache backend\n --registry-token string registry token\n --rego-error-limit int maximum number of compile errors allowed during Rego policy evaluation (default 10)\n --rekor-url string [EXPERIMENTAL] address of rekor STL server (default \"https://rekor.sigstore.dev\")\n --render-cause strings specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)\n --report string specify a compliance report format for the output (allowed values: all,summary) (default \"all\")\n --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (allowed values: oci,rekor)\n --scanners strings comma-separated list of what security issues to detect (allowed values: vuln,misconfig,secret,license) (default [vuln,secret])\n --secret-config string specify a path to config file for secret scanning (default \"trivy-secret.yaml\")\n --server string server address in client mode\n -s, --severity strings severities of security issues to be displayed\n Allowed values:\n - UNKNOWN\n - LOW\n - MEDIUM\n - HIGH\n - CRITICAL\n (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])\n --show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities\n --skip-check-update skip fetching rego check updates\n --skip-db-update skip updating vulnerability database\n --skip-dirs strings specify the directories or glob patterns to skip\n --skip-files strings specify the files or glob patterns to skip\n --skip-java-db-update skip updating Java index database\n --skip-version-check suppress notices about version updates 
and Trivy announcements\n --skip-vex-repo-update [EXPERIMENTAL] Skip VEX Repository update\n --table-mode strings [EXPERIMENTAL] tables that will be displayed in 'table' format (allowed values: summary,detailed) (default [summary,detailed])\n -t, --template string output template\n --tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules\n --tf-vars strings specify paths to override the Terraform tfvars files\n --token string for authentication in client/server mode\n --token-header string specify a header name for token in client/server mode (default \"Trivy-Token\")\n --trace-rego enable more verbose trace output for custom queries\n --username strings username. Comma-separated usernames allowed.\n --vex strings [EXPERIMENTAL] VEX sources (\"repo\", \"oci\" or file path)\n --vuln-severity-source strings order of data sources for selecting vulnerability severity level\n Allowed values:\n - nvd\n - redhat\n - redhat-oval\n - debian\n - ubuntu\n - alpine\n - amazon\n - oracle-oval\n - suse-cvrf\n - photon\n - arch-linux\n - alma\n - rocky\n - cbl-mariner\n - azure\n - ruby-advisory-db\n - php-security-advisories\n - nodejs-security-wg\n - ghsa\n - glad\n - aqua\n - osv\n - k8s\n - wolfi\n - chainguard\n - bitnami\n - govulndb\n - echo\n - minimos\n - rootio\n - auto\n (default [auto])\n
"},{"location":"guide/references/configuration/cli/trivy_filesystem/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_filesystem/#see-also","title":"SEE ALSO","text":" - trivy - Unified security scanner
"},{"location":"guide/references/configuration/cli/trivy_image/","title":"Image","text":""},{"location":"guide/references/configuration/cli/trivy_image/#trivy-image","title":"trivy image","text":"Scan a container image
trivy image [flags] IMAGE_NAME\n
"},{"location":"guide/references/configuration/cli/trivy_image/#examples","title":"Examples","text":" # Scan a container image\n $ trivy image python:3.4-alpine\n\n # Scan a container image from a tar archive\n $ trivy image --input ruby-3.1.tar\n\n # Filter by severities\n $ trivy image --severity HIGH,CRITICAL alpine:3.15\n\n # Ignore unfixed/unpatched vulnerabilities\n $ trivy image --ignore-unfixed alpine:3.15\n\n # Scan a container image in client mode\n $ trivy image --server http://127.0.0.1:4954 alpine:latest\n\n # Generate json result\n $ trivy image --format json --output result.json alpine:3.15\n\n # Generate a report in the CycloneDX format\n $ trivy image --format cyclonedx --output result.cdx alpine:3.15\n
"},{"location":"guide/references/configuration/cli/trivy_image/#options","title":"Options","text":" --cache-backend string [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default \"fs\")\n --cache-ttl duration cache TTL when using redis as cache backend\n --check-namespaces strings Rego namespaces\n --checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default \"mirror.gcr.io/aquasec/trivy-checks:1\")\n --compliance string compliance report to generate (built-in compliance's: docker-cis-1.6.0)\n --config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files\n --config-data strings specify paths from which data for the Rego checks will be recursively loaded\n --config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking\n --custom-headers strings custom headers in client mode\n --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])\n --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages\n --detection-priority string specify the detection priority:\n - \"precise\": Prioritizes precise by minimizing false positives.\n - \"comprehensive\": Aims to detect more security findings at the cost of potential false positives.\n (allowed values: precise,comprehensive) (default \"precise\")\n --disable-telemetry disable sending anonymous usage data to Aqua\n --distro string [EXPERIMENTAL] specify a distribution, <family>/<version>\n --docker-host string unix domain socket path to use for docker scanning\n --download-db-only download/update vulnerability database but don't run a scan\n --download-java-db-only download/update Java index database but don't run a scan\n --enable-modules strings [EXPERIMENTAL] module names to 
enable\n --exit-code int specify exit code when any security issues are found\n --exit-on-eol int exit with the specified code when the OS reaches end of service/life\n --file-patterns strings specify config file patterns\n -f, --format string format\n Allowed values:\n - table\n - json\n - template\n - sarif\n - cyclonedx\n - spdx\n - spdx-json\n - github\n - cosign-vuln\n (default \"table\")\n --helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)\n --helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.\n --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)\n --helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)\n --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)\n --helm-values strings specify paths to override the Helm values.yaml files\n -h, --help help for image\n --ignore-policy string specify the Rego file path to evaluate each vulnerability\n --ignore-status strings comma-separated list of vulnerability status to ignore\n Allowed values:\n - unknown\n - not_affected\n - affected\n - fixed\n - under_investigation\n - will_not_fix\n - fix_deferred\n - end_of_life\n --ignore-unfixed display only fixed vulnerabilities\n --ignored-licenses strings specify a list of license to ignore\n --ignorefile string specify .trivyignore file (default \".trivyignore\")\n --image-config-scanners strings comma-separated list of what security issues to detect on container 
image configurations (allowed values: misconfig,secret)\n --image-src strings image source(s) to use, in priority order (allowed values: docker,containerd,podman,remote) (default [docker,containerd,podman,remote])\n --include-deprecated-checks include deprecated checks\n --include-non-failures include successes, available with '--scanners misconfig'\n --input string input file path instead of image name\n --java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])\n --license-confidence-level float specify license classifier's confidence level (default 0.9)\n --license-full eagerly look for licenses in source code headers and license files\n --list-all-pkgs output all packages in the JSON report regardless of vulnerability (default true)\n --max-image-size string [EXPERIMENTAL] maximum image size to process, specified in a human-readable format (e.g., '44kB', '17MB'); an error will be returned if the image exceeds this size\n --misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])\n --module-dir string specify directory to the wasm modules that will be loaded (default \"$HOME/.trivy/modules\")\n --no-progress suppress progress bar\n --offline-scan do not issue API requests to identify dependencies\n -o, --output string output file name\n --output-plugin-arg string [EXPERIMENTAL] output plugin arguments\n --parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)\n --password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.\n --password-stdin password from stdin. 
Comma-separated passwords are not supported.\n --pkg-relationships strings list of package relationships\n Allowed values:\n - unknown\n - root\n - workspace\n - direct\n - indirect\n (default [unknown,root,workspace,direct,indirect])\n --pkg-types strings list of package types (allowed values: os,library) (default [os,library])\n --platform string set platform in the form os/arch if image is multi-platform capable\n --podman-host string unix podman socket path to use for podman scanning\n --raw-config-scanners strings specify the types of scanners that will also scan raw configurations. For example, scanners will scan a non-adapted configuration into a shared state (allowed values: terraform)\n --redis-ca string redis ca file location, if using redis as cache backend\n --redis-cert string redis certificate file location, if using redis as cache backend\n --redis-key string redis key file location, if using redis as cache backend\n --redis-tls enable redis TLS with public certificates, if using redis as cache backend\n --registry-token string registry token\n --rego-error-limit int maximum number of compile errors allowed during Rego policy evaluation (default 10)\n --rekor-url string [EXPERIMENTAL] address of rekor STL server (default \"https://rekor.sigstore.dev\")\n --removed-pkgs detect vulnerabilities of removed packages (only for Alpine)\n --render-cause strings specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)\n --report string specify a format for the compliance report. 
(allowed values: all,summary) (default \"summary\")\n --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (allowed values: oci,rekor)\n --scanners strings comma-separated list of what security issues to detect (allowed values: vuln,misconfig,secret,license) (default [vuln,secret])\n --secret-config string specify a path to config file for secret scanning (default \"trivy-secret.yaml\")\n --server string server address in client mode\n -s, --severity strings severities of security issues to be displayed\n Allowed values:\n - UNKNOWN\n - LOW\n - MEDIUM\n - HIGH\n - CRITICAL\n (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])\n --show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities\n --skip-check-update skip fetching rego check updates\n --skip-db-update skip updating vulnerability database\n --skip-dirs strings specify the directories or glob patterns to skip\n --skip-files strings specify the files or glob patterns to skip\n --skip-java-db-update skip updating Java index database\n --skip-version-check suppress notices about version updates and Trivy announcements\n --skip-vex-repo-update [EXPERIMENTAL] Skip VEX Repository update\n --table-mode strings [EXPERIMENTAL] tables that will be displayed in 'table' format (allowed values: summary,detailed) (default [summary,detailed])\n -t, --template string output template\n --tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules\n --token string for authentication in client/server mode\n --token-header string specify a header name for token in client/server mode (default \"Trivy-Token\")\n --trace-rego enable more verbose trace output for custom queries\n --username strings username. 
Comma-separated usernames allowed.\n --vex strings [EXPERIMENTAL] VEX sources (\"repo\", \"oci\" or file path)\n --vuln-severity-source strings order of data sources for selecting vulnerability severity level\n Allowed values:\n - nvd\n - redhat\n - redhat-oval\n - debian\n - ubuntu\n - alpine\n - amazon\n - oracle-oval\n - suse-cvrf\n - photon\n - arch-linux\n - alma\n - rocky\n - cbl-mariner\n - azure\n - ruby-advisory-db\n - php-security-advisories\n - nodejs-security-wg\n - ghsa\n - glad\n - aqua\n - osv\n - k8s\n - wolfi\n - chainguard\n - bitnami\n - govulndb\n - echo\n - minimos\n - rootio\n - auto\n (default [auto])\n
"},{"location":"guide/references/configuration/cli/trivy_image/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_image/#see-also","title":"SEE ALSO","text":" - trivy - Unified security scanner
"},{"location":"guide/references/configuration/cli/trivy_kubernetes/","title":"Kubernetes","text":""},{"location":"guide/references/configuration/cli/trivy_kubernetes/#trivy-kubernetes","title":"trivy kubernetes","text":"[EXPERIMENTAL] Scan kubernetes cluster
"},{"location":"guide/references/configuration/cli/trivy_kubernetes/#synopsis","title":"Synopsis","text":"Default context in kube configuration will be used unless specified
trivy kubernetes [flags] [CONTEXT]\n
"},{"location":"guide/references/configuration/cli/trivy_kubernetes/#examples","title":"Examples","text":" # cluster scanning\n $ trivy k8s --report summary\n\n # cluster scanning with specific namespace:\n $ trivy k8s --include-namespaces kube-system --report summary \n\n # cluster with specific context:\n $ trivy k8s kind-kind --report summary \n
"},{"location":"guide/references/configuration/cli/trivy_kubernetes/#options","title":"Options","text":" --burst int specify the maximum burst for throttle (default 10)\n --cache-backend string [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default \"fs\")\n --cache-ttl duration cache TTL when using redis as cache backend\n --check-namespaces strings Rego namespaces\n --checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default \"mirror.gcr.io/aquasec/trivy-checks:1\")\n --compliance string compliance report to generate\n Built-in compliance's:\n - k8s-nsa-1.0\n - k8s-cis-1.23\n - eks-cis-1.4\n - rke2-cis-1.24\n - k8s-pss-baseline-0.1\n - k8s-pss-restricted-0.1\n --config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files\n --config-data strings specify paths from which data for the Rego checks will be recursively loaded\n --config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking\n --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])\n --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages\n --detection-priority string specify the detection priority:\n - \"precise\": Prioritizes precise by minimizing false positives.\n - \"comprehensive\": Aims to detect more security findings at the cost of potential false positives.\n (allowed values: precise,comprehensive) (default \"precise\")\n --disable-node-collector When the flag is activated, the node-collector job will not be executed, thus skipping misconfiguration findings on the node.\n --disable-telemetry disable sending anonymous usage data to Aqua\n --distro string [EXPERIMENTAL] specify a distribution, <family>/<version>\n --download-db-only 
download/update vulnerability database but don't run a scan\n --download-java-db-only download/update Java index database but don't run a scan\n --exclude-kinds strings indicate the kinds exclude from scanning (example: node)\n --exclude-namespaces strings indicate the namespaces excluded from scanning (example: kube-system)\n --exclude-nodes strings indicate the node labels that the node-collector job should exclude from scanning (example: kubernetes.io/arch:arm64,team:dev)\n --exclude-owned exclude resources that have an owner reference\n --exit-code int specify exit code when any security issues are found\n --file-patterns strings specify config file patterns\n -f, --format string format (allowed values: table,json,cyclonedx) (default \"table\")\n --helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)\n --helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. 
This flag is the same as the kube-version flag of the helm template command.\n --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)\n --helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)\n --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)\n --helm-values strings specify paths to override the Helm values.yaml files\n -h, --help help for kubernetes\n --ignore-policy string specify the Rego file path to evaluate each vulnerability\n --ignore-status strings comma-separated list of vulnerability status to ignore\n Allowed values:\n - unknown\n - not_affected\n - affected\n - fixed\n - under_investigation\n - will_not_fix\n - fix_deferred\n - end_of_life\n --ignore-unfixed display only fixed vulnerabilities\n --ignorefile string specify .trivyignore file (default \".trivyignore\")\n --image-src strings image source(s) to use, in priority order (allowed values: docker,containerd,podman,remote) (default [docker,containerd,podman,remote])\n --include-deprecated-checks include deprecated checks\n --include-kinds strings indicate the kinds included in scanning (example: node)\n --include-namespaces strings indicate the namespaces included in scanning (example: kube-system)\n --include-non-failures include successes, available with '--scanners misconfig'\n --java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])\n --k8s-version string specify k8s version to validate outdated api by it (example: 1.21.0)\n --kubeconfig string specify the kubeconfig file path to use\n --list-all-pkgs output all packages in the JSON report regardless of vulnerability (default 
true)\n --misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])\n --no-progress suppress progress bar\n --node-collector-imageref string indicate the image reference for the node-collector scan job (default \"ghcr.io/aquasecurity/node-collector:0.3.1\")\n --node-collector-namespace string specify the namespace in which the node-collector job should be deployed (default \"trivy-temp\")\n --offline-scan do not issue API requests to identify dependencies\n -o, --output string output file name\n --output-plugin-arg string [EXPERIMENTAL] output plugin arguments\n --parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)\n --password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.\n --password-stdin password from stdin. Comma-separated passwords are not supported.\n --pkg-relationships strings list of package relationships\n Allowed values:\n - unknown\n - root\n - workspace\n - direct\n - indirect\n (default [unknown,root,workspace,direct,indirect])\n --pkg-types strings list of package types (allowed values: os,library) (default [os,library])\n --qps float specify the maximum QPS to the master from this client (default 5)\n --raw-config-scanners strings specify the types of scanners that will also scan raw configurations. 
For example, scanners will scan a non-adapted configuration into a shared state (allowed values: terraform)\n --redis-ca string redis ca file location, if using redis as cache backend\n --redis-cert string redis certificate file location, if using redis as cache backend\n --redis-key string redis key file location, if using redis as cache backend\n --redis-tls enable redis TLS with public certificates, if using redis as cache backend\n --registry-token string registry token\n --rego-error-limit int maximum number of compile errors allowed during Rego policy evaluation (default 10)\n --rekor-url string [EXPERIMENTAL] address of rekor STL server (default \"https://rekor.sigstore.dev\")\n --render-cause strings specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)\n --report string specify a report format for the output (allowed values: all,summary) (default \"all\")\n --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (allowed values: oci,rekor)\n --scanners strings comma-separated list of what security issues to detect (allowed values: vuln,misconfig,secret,rbac) (default [vuln,misconfig,secret,rbac])\n --secret-config string specify a path to config file for secret scanning (default \"trivy-secret.yaml\")\n -s, --severity strings severities of security issues to be displayed\n Allowed values:\n - UNKNOWN\n - LOW\n - MEDIUM\n - HIGH\n - CRITICAL\n (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])\n --show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities\n --skip-check-update skip fetching rego check updates\n --skip-db-update skip updating vulnerability database\n --skip-dirs strings specify the directories or glob patterns to skip\n --skip-files strings specify the files or glob patterns to skip\n --skip-images skip the downloading and scanning of images (vulnerabilities and secrets) in the cluster resources\n --skip-java-db-update skip updating Java index 
database\n --skip-version-check suppress notices about version updates and Trivy announcements\n --skip-vex-repo-update [EXPERIMENTAL] Skip VEX Repository update\n -t, --template string output template\n --tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules\n --tolerations strings specify node-collector job tolerations (example: key1=value1:NoExecute,key2=value2:NoSchedule)\n --trace-rego enable more verbose trace output for custom queries\n --username strings username. Comma-separated usernames allowed.\n --vex strings [EXPERIMENTAL] VEX sources (\"repo\", \"oci\" or file path)\n --vuln-severity-source strings order of data sources for selecting vulnerability severity level\n Allowed values:\n - nvd\n - redhat\n - redhat-oval\n - debian\n - ubuntu\n - alpine\n - amazon\n - oracle-oval\n - suse-cvrf\n - photon\n - arch-linux\n - alma\n - rocky\n - cbl-mariner\n - azure\n - ruby-advisory-db\n - php-security-advisories\n - nodejs-security-wg\n - ghsa\n - glad\n - aqua\n - osv\n - k8s\n - wolfi\n - chainguard\n - bitnami\n - govulndb\n - echo\n - minimos\n - rootio\n - auto\n (default [auto])\n
"},{"location":"guide/references/configuration/cli/trivy_kubernetes/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_kubernetes/#see-also","title":"SEE ALSO","text":" - trivy - Unified security scanner
"},{"location":"guide/references/configuration/cli/trivy_module/","title":"Module","text":""},{"location":"guide/references/configuration/cli/trivy_module/#trivy-module","title":"trivy module","text":"Manage modules
"},{"location":"guide/references/configuration/cli/trivy_module/#options","title":"Options","text":" --enable-modules strings [EXPERIMENTAL] module names to enable\n -h, --help help for module\n --module-dir string specify directory to the wasm modules that will be loaded (default \"$HOME/.trivy/modules\")\n
"},{"location":"guide/references/configuration/cli/trivy_module/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_module/#see-also","title":"SEE ALSO","text":" - trivy - Unified security scanner
- trivy module install - Install a module
- trivy module uninstall - Uninstall a module
"},{"location":"guide/references/configuration/cli/trivy_module_install/","title":"Module Install","text":""},{"location":"guide/references/configuration/cli/trivy_module_install/#trivy-module-install","title":"trivy module install","text":"Install a module
trivy module install [flags] REPOSITORY\n
"},{"location":"guide/references/configuration/cli/trivy_module_install/#options","title":"Options","text":" -h, --help help for install\n
"},{"location":"guide/references/configuration/cli/trivy_module_install/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --enable-modules strings [EXPERIMENTAL] module names to enable\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n --module-dir string specify directory to the wasm modules that will be loaded (default \"$HOME/.trivy/modules\")\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_module_install/#see-also","title":"SEE ALSO","text":" - trivy module - Manage modules
"},{"location":"guide/references/configuration/cli/trivy_module_uninstall/","title":"Module Uninstall","text":""},{"location":"guide/references/configuration/cli/trivy_module_uninstall/#trivy-module-uninstall","title":"trivy module uninstall","text":"Uninstall a module
trivy module uninstall [flags] REPOSITORY\n
"},{"location":"guide/references/configuration/cli/trivy_module_uninstall/#options","title":"Options","text":" -h, --help help for uninstall\n
"},{"location":"guide/references/configuration/cli/trivy_module_uninstall/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --enable-modules strings [EXPERIMENTAL] module names to enable\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n --module-dir string specify directory to the wasm modules that will be loaded (default \"$HOME/.trivy/modules\")\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_module_uninstall/#see-also","title":"SEE ALSO","text":" - trivy module - Manage modules
"},{"location":"guide/references/configuration/cli/trivy_plugin/","title":"Plugin","text":""},{"location":"guide/references/configuration/cli/trivy_plugin/#trivy-plugin","title":"trivy plugin","text":"Manage plugins
"},{"location":"guide/references/configuration/cli/trivy_plugin/#options","title":"Options","text":" -h, --help help for plugin\n
"},{"location":"guide/references/configuration/cli/trivy_plugin/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_plugin/#see-also","title":"SEE ALSO","text":" - trivy - Unified security scanner
- trivy plugin info - Show information about the specified plugin
- trivy plugin install - Install a plugin
- trivy plugin list - List installed plugin
- trivy plugin run - Run a plugin on the fly
- trivy plugin search - List Trivy plugins available on the plugin index and search among them
- trivy plugin uninstall - Uninstall a plugin
- trivy plugin update - Update the local copy of the plugin index
- trivy plugin upgrade - Upgrade installed plugins to newer versions
"},{"location":"guide/references/configuration/cli/trivy_plugin_info/","title":"Plugin Info","text":""},{"location":"guide/references/configuration/cli/trivy_plugin_info/#trivy-plugin-info","title":"trivy plugin info","text":"Show information about the specified plugin
trivy plugin info PLUGIN_NAME\n
"},{"location":"guide/references/configuration/cli/trivy_plugin_info/#options","title":"Options","text":" -h, --help help for info\n
"},{"location":"guide/references/configuration/cli/trivy_plugin_info/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_plugin_info/#see-also","title":"SEE ALSO","text":" - trivy plugin - Manage plugins
"},{"location":"guide/references/configuration/cli/trivy_plugin_install/","title":"Plugin Install","text":""},{"location":"guide/references/configuration/cli/trivy_plugin_install/#trivy-plugin-install","title":"trivy plugin install","text":"Install a plugin
trivy plugin install NAME | URL | FILE_PATH\n
"},{"location":"guide/references/configuration/cli/trivy_plugin_install/#examples","title":"Examples","text":" # Install a plugin from the plugin index\n $ trivy plugin install referrer\n\n # Specify the version of the plugin to install\n $ trivy plugin install referrer@v0.3.0\n\n # Install a plugin from a URL\n $ trivy plugin install github.com/aquasecurity/trivy-plugin-referrer\n
"},{"location":"guide/references/configuration/cli/trivy_plugin_install/#options","title":"Options","text":" -h, --help help for install\n
"},{"location":"guide/references/configuration/cli/trivy_plugin_install/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_plugin_install/#see-also","title":"SEE ALSO","text":" - trivy plugin - Manage plugins
"},{"location":"guide/references/configuration/cli/trivy_plugin_list/","title":"Plugin List","text":""},{"location":"guide/references/configuration/cli/trivy_plugin_list/#trivy-plugin-list","title":"trivy plugin list","text":"List installed plugin
trivy plugin list\n
"},{"location":"guide/references/configuration/cli/trivy_plugin_list/#options","title":"Options","text":" -h, --help help for list\n
"},{"location":"guide/references/configuration/cli/trivy_plugin_list/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_plugin_list/#see-also","title":"SEE ALSO","text":" - trivy plugin - Manage plugins
"},{"location":"guide/references/configuration/cli/trivy_plugin_run/","title":"Plugin Run","text":""},{"location":"guide/references/configuration/cli/trivy_plugin_run/#trivy-plugin-run","title":"trivy plugin run","text":"Run a plugin on the fly
trivy plugin run NAME | URL | FILE_PATH\n
"},{"location":"guide/references/configuration/cli/trivy_plugin_run/#options","title":"Options","text":" -h, --help help for run\n
"},{"location":"guide/references/configuration/cli/trivy_plugin_run/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_plugin_run/#see-also","title":"SEE ALSO","text":" - trivy plugin - Manage plugins
"},{"location":"guide/references/configuration/cli/trivy_plugin_search/","title":"Plugin Search","text":""},{"location":"guide/references/configuration/cli/trivy_plugin_search/#trivy-plugin-search","title":"trivy plugin search","text":"List Trivy plugins available on the plugin index and search among them
trivy plugin search [KEYWORD]\n
"},{"location":"guide/references/configuration/cli/trivy_plugin_search/#options","title":"Options","text":" -h, --help help for search\n
"},{"location":"guide/references/configuration/cli/trivy_plugin_search/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_plugin_search/#see-also","title":"SEE ALSO","text":" - trivy plugin - Manage plugins
"},{"location":"guide/references/configuration/cli/trivy_plugin_uninstall/","title":"Plugin Uninstall","text":""},{"location":"guide/references/configuration/cli/trivy_plugin_uninstall/#trivy-plugin-uninstall","title":"trivy plugin uninstall","text":"Uninstall a plugin
trivy plugin uninstall PLUGIN_NAME\n
"},{"location":"guide/references/configuration/cli/trivy_plugin_uninstall/#options","title":"Options","text":" -h, --help help for uninstall\n
"},{"location":"guide/references/configuration/cli/trivy_plugin_uninstall/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_plugin_uninstall/#see-also","title":"SEE ALSO","text":" - trivy plugin - Manage plugins
"},{"location":"guide/references/configuration/cli/trivy_plugin_update/","title":"Plugin Update","text":""},{"location":"guide/references/configuration/cli/trivy_plugin_update/#trivy-plugin-update","title":"trivy plugin update","text":"Update the local copy of the plugin index
trivy plugin update\n
"},{"location":"guide/references/configuration/cli/trivy_plugin_update/#options","title":"Options","text":" -h, --help help for update\n
"},{"location":"guide/references/configuration/cli/trivy_plugin_update/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_plugin_update/#see-also","title":"SEE ALSO","text":" - trivy plugin - Manage plugins
"},{"location":"guide/references/configuration/cli/trivy_plugin_upgrade/","title":"Plugin Upgrade","text":""},{"location":"guide/references/configuration/cli/trivy_plugin_upgrade/#trivy-plugin-upgrade","title":"trivy plugin upgrade","text":"Upgrade installed plugins to newer versions
trivy plugin upgrade [PLUGIN_NAMES]\n
"},{"location":"guide/references/configuration/cli/trivy_plugin_upgrade/#options","title":"Options","text":" -h, --help help for upgrade\n
"},{"location":"guide/references/configuration/cli/trivy_plugin_upgrade/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_plugin_upgrade/#see-also","title":"SEE ALSO","text":" - trivy plugin - Manage plugins
"},{"location":"guide/references/configuration/cli/trivy_registry/","title":"Registry","text":""},{"location":"guide/references/configuration/cli/trivy_registry/#trivy-registry","title":"trivy registry","text":"Manage registry authentication
"},{"location":"guide/references/configuration/cli/trivy_registry/#options","title":"Options","text":" -h, --help help for registry\n
"},{"location":"guide/references/configuration/cli/trivy_registry/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_registry/#see-also","title":"SEE ALSO","text":" - trivy - Unified security scanner
- trivy registry login - Log in to a registry
- trivy registry logout - Log out of a registry
"},{"location":"guide/references/configuration/cli/trivy_registry_login/","title":"Registry Login","text":""},{"location":"guide/references/configuration/cli/trivy_registry_login/#trivy-registry-login","title":"trivy registry login","text":"Log in to a registry
trivy registry login SERVER [flags]\n
"},{"location":"guide/references/configuration/cli/trivy_registry_login/#examples","title":"Examples","text":" # Log in to reg.example.com\n cat ~/my_password.txt | trivy registry login --username foo --password-stdin reg.example.com\n
"},{"location":"guide/references/configuration/cli/trivy_registry_login/#options","title":"Options","text":" -h, --help help for login\n --password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.\n --password-stdin password from stdin. Comma-separated passwords are not supported.\n --username strings username. Comma-separated usernames allowed.\n
"},{"location":"guide/references/configuration/cli/trivy_registry_login/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_registry_login/#see-also","title":"SEE ALSO","text":" - trivy registry - Manage registry authentication
"},{"location":"guide/references/configuration/cli/trivy_registry_logout/","title":"Registry Logout","text":""},{"location":"guide/references/configuration/cli/trivy_registry_logout/#trivy-registry-logout","title":"trivy registry logout","text":"Log out of a registry
trivy registry logout SERVER [flags]\n
"},{"location":"guide/references/configuration/cli/trivy_registry_logout/#examples","title":"Examples","text":" # Log out of reg.example.com\n trivy registry logout reg.example.com\n
"},{"location":"guide/references/configuration/cli/trivy_registry_logout/#options","title":"Options","text":" -h, --help help for logout\n
"},{"location":"guide/references/configuration/cli/trivy_registry_logout/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_registry_logout/#see-also","title":"SEE ALSO","text":" - trivy registry - Manage registry authentication
"},{"location":"guide/references/configuration/cli/trivy_repository/","title":"Repository","text":""},{"location":"guide/references/configuration/cli/trivy_repository/#trivy-repository","title":"trivy repository","text":"Scan a repository
trivy repository [flags] (REPO_PATH | REPO_URL)\n
"},{"location":"guide/references/configuration/cli/trivy_repository/#examples","title":"Examples","text":" # Scan your remote git repository\n $ trivy repo https://github.com/knqyf263/trivy-ci-test\n # Scan your local git repository\n $ trivy repo /path/to/your/repository\n
"},{"location":"guide/references/configuration/cli/trivy_repository/#options","title":"Options","text":" --branch string pass the branch name to be scanned\n --cache-backend string [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default \"fs\")\n --cache-ttl duration cache TTL when using redis as cache backend\n --cf-params strings specify paths to override the CloudFormation parameters files\n --check-namespaces strings Rego namespaces\n --checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default \"mirror.gcr.io/aquasec/trivy-checks:1\")\n --commit string pass the commit hash to be scanned\n --config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files\n --config-data strings specify paths from which data for the Rego checks will be recursively loaded\n --config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking\n --custom-headers strings custom headers in client mode\n --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])\n --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages\n --detection-priority string specify the detection priority:\n - \"precise\": Prioritizes precise by minimizing false positives.\n - \"comprehensive\": Aims to detect more security findings at the cost of potential false positives.\n (allowed values: precise,comprehensive) (default \"precise\")\n --disable-telemetry disable sending anonymous usage data to Aqua\n --download-db-only download/update vulnerability database but don't run a scan\n --download-java-db-only download/update Java index database but don't run a scan\n --enable-modules strings [EXPERIMENTAL] module names to enable\n --exit-code int specify exit code when 
any security issues are found\n --file-patterns strings specify config file patterns\n -f, --format string format\n Allowed values:\n - table\n - json\n - template\n - sarif\n - cyclonedx\n - spdx\n - spdx-json\n - github\n - cosign-vuln\n (default \"table\")\n --helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)\n --helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.\n --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)\n --helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)\n --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)\n --helm-values strings specify paths to override the Helm values.yaml files\n -h, --help help for repository\n --ignore-policy string specify the Rego file path to evaluate each vulnerability\n --ignore-status strings comma-separated list of vulnerability status to ignore\n Allowed values:\n - unknown\n - not_affected\n - affected\n - fixed\n - under_investigation\n - will_not_fix\n - fix_deferred\n - end_of_life\n --ignore-unfixed display only fixed vulnerabilities\n --ignored-licenses strings specify a list of license to ignore\n --ignorefile string specify .trivyignore file (default \".trivyignore\")\n --include-deprecated-checks include deprecated checks\n --include-dev-deps include development dependencies in the report (supported: npm, yarn, gradle)\n --include-non-failures include successes, available with '--scanners 
misconfig'\n --java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])\n --license-confidence-level float specify license classifier's confidence level (default 0.9)\n --license-full eagerly look for licenses in source code headers and license files\n --list-all-pkgs output all packages in the JSON report regardless of vulnerability (default true)\n --misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])\n --module-dir string specify directory to the wasm modules that will be loaded (default \"$HOME/.trivy/modules\")\n --no-progress suppress progress bar\n --offline-scan do not issue API requests to identify dependencies\n -o, --output string output file name\n --output-plugin-arg string [EXPERIMENTAL] output plugin arguments\n --parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)\n --password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.\n --password-stdin password from stdin. Comma-separated passwords are not supported.\n --pkg-relationships strings list of package relationships\n Allowed values:\n - unknown\n - root\n - workspace\n - direct\n - indirect\n (default [unknown,root,workspace,direct,indirect])\n --pkg-types strings list of package types (allowed values: os,library) (default [os,library])\n --raw-config-scanners strings specify the types of scanners that will also scan raw configurations. 
For example, scanners will scan a non-adapted configuration into a shared state (allowed values: terraform)\n --redis-ca string redis ca file location, if using redis as cache backend\n --redis-cert string redis certificate file location, if using redis as cache backend\n --redis-key string redis key file location, if using redis as cache backend\n --redis-tls enable redis TLS with public certificates, if using redis as cache backend\n --registry-token string registry token\n --rego-error-limit int maximum number of compile errors allowed during Rego policy evaluation (default 10)\n --rekor-url string [EXPERIMENTAL] address of rekor STL server (default \"https://rekor.sigstore.dev\")\n --render-cause strings specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)\n --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (allowed values: oci,rekor)\n --scanners strings comma-separated list of what security issues to detect (allowed values: vuln,misconfig,secret,license) (default [vuln,secret])\n --secret-config string specify a path to config file for secret scanning (default \"trivy-secret.yaml\")\n --server string server address in client mode\n -s, --severity strings severities of security issues to be displayed\n Allowed values:\n - UNKNOWN\n - LOW\n - MEDIUM\n - HIGH\n - CRITICAL\n (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])\n --show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities\n --skip-check-update skip fetching rego check updates\n --skip-db-update skip updating vulnerability database\n --skip-dirs strings specify the directories or glob patterns to skip\n --skip-files strings specify the files or glob patterns to skip\n --skip-java-db-update skip updating Java index database\n --skip-version-check suppress notices about version updates and Trivy announcements\n --skip-vex-repo-update [EXPERIMENTAL] Skip VEX Repository update\n --table-mode strings 
[EXPERIMENTAL] tables that will be displayed in 'table' format (allowed values: summary,detailed) (default [summary,detailed])\n --tag string pass the tag name to be scanned\n -t, --template string output template\n --tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules\n --tf-vars strings specify paths to override the Terraform tfvars files\n --token string for authentication in client/server mode\n --token-header string specify a header name for token in client/server mode (default \"Trivy-Token\")\n --trace-rego enable more verbose trace output for custom queries\n --username strings username. Comma-separated usernames allowed.\n --vex strings [EXPERIMENTAL] VEX sources (\"repo\", \"oci\" or file path)\n --vuln-severity-source strings order of data sources for selecting vulnerability severity level\n Allowed values:\n - nvd\n - redhat\n - redhat-oval\n - debian\n - ubuntu\n - alpine\n - amazon\n - oracle-oval\n - suse-cvrf\n - photon\n - arch-linux\n - alma\n - rocky\n - cbl-mariner\n - azure\n - ruby-advisory-db\n - php-security-advisories\n - nodejs-security-wg\n - ghsa\n - glad\n - aqua\n - osv\n - k8s\n - wolfi\n - chainguard\n - bitnami\n - govulndb\n - echo\n - minimos\n - rootio\n - auto\n (default [auto])\n
"},{"location":"guide/references/configuration/cli/trivy_repository/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_repository/#see-also","title":"SEE ALSO","text":" - trivy - Unified security scanner
"},{"location":"guide/references/configuration/cli/trivy_rootfs/","title":"Rootfs","text":""},{"location":"guide/references/configuration/cli/trivy_rootfs/#trivy-rootfs","title":"trivy rootfs","text":"Scan rootfs
trivy rootfs [flags] ROOTDIR\n
"},{"location":"guide/references/configuration/cli/trivy_rootfs/#examples","title":"Examples","text":" # Scan unpacked filesystem\n $ docker export $(docker create alpine:3.10.2) | tar -C /tmp/rootfs -xvf -\n $ trivy rootfs /tmp/rootfs\n\n # Scan from inside a container\n $ docker run --rm -it alpine:3.11\n / # curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin\n / # trivy rootfs /\n
"},{"location":"guide/references/configuration/cli/trivy_rootfs/#options","title":"Options","text":" --cache-backend string [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default \"memory\")\n --cache-ttl duration cache TTL when using redis as cache backend\n --cf-params strings specify paths to override the CloudFormation parameters files\n --check-namespaces strings Rego namespaces\n --checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default \"mirror.gcr.io/aquasec/trivy-checks:1\")\n --config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files\n --config-data strings specify paths from which data for the Rego checks will be recursively loaded\n --config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking\n --custom-headers strings custom headers in client mode\n --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])\n --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages\n --detection-priority string specify the detection priority:\n - \"precise\": Prioritizes precise by minimizing false positives.\n - \"comprehensive\": Aims to detect more security findings at the cost of potential false positives.\n (allowed values: precise,comprehensive) (default \"precise\")\n --disable-telemetry disable sending anonymous usage data to Aqua\n --distro string [EXPERIMENTAL] specify a distribution, <family>/<version>\n --download-db-only download/update vulnerability database but don't run a scan\n --download-java-db-only download/update Java index database but don't run a scan\n --enable-modules strings [EXPERIMENTAL] module names to enable\n --exit-code int specify exit code when any security issues are found\n 
--exit-on-eol int exit with the specified code when the OS reaches end of service/life\n --file-patterns strings specify config file patterns\n -f, --format string format\n Allowed values:\n - table\n - json\n - template\n - sarif\n - cyclonedx\n - spdx\n - spdx-json\n - github\n - cosign-vuln\n (default \"table\")\n --helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)\n --helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.\n --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)\n --helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)\n --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)\n --helm-values strings specify paths to override the Helm values.yaml files\n -h, --help help for rootfs\n --ignore-policy string specify the Rego file path to evaluate each vulnerability\n --ignore-status strings comma-separated list of vulnerability status to ignore\n Allowed values:\n - unknown\n - not_affected\n - affected\n - fixed\n - under_investigation\n - will_not_fix\n - fix_deferred\n - end_of_life\n --ignore-unfixed display only fixed vulnerabilities\n --ignored-licenses strings specify a list of license to ignore\n --ignorefile string specify .trivyignore file (default \".trivyignore\")\n --include-deprecated-checks include deprecated checks\n --include-non-failures include successes, available with '--scanners misconfig'\n --java-db-repository strings OCI 
repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])\n --license-confidence-level float specify license classifier's confidence level (default 0.9)\n --license-full eagerly look for licenses in source code headers and license files\n --list-all-pkgs output all packages in the JSON report regardless of vulnerability (default true)\n --misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])\n --module-dir string specify directory to the wasm modules that will be loaded (default \"$HOME/.trivy/modules\")\n --no-progress suppress progress bar\n --offline-scan do not issue API requests to identify dependencies\n -o, --output string output file name\n --output-plugin-arg string [EXPERIMENTAL] output plugin arguments\n --parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)\n --password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.\n --password-stdin password from stdin. Comma-separated passwords are not supported.\n --pkg-relationships strings list of package relationships\n Allowed values:\n - unknown\n - root\n - workspace\n - direct\n - indirect\n (default [unknown,root,workspace,direct,indirect])\n --pkg-types strings list of package types (allowed values: os,library) (default [os,library])\n --raw-config-scanners strings specify the types of scanners that will also scan raw configurations. 
For example, scanners will scan a non-adapted configuration into a shared state (allowed values: terraform)\n --redis-ca string redis ca file location, if using redis as cache backend\n --redis-cert string redis certificate file location, if using redis as cache backend\n --redis-key string redis key file location, if using redis as cache backend\n --redis-tls enable redis TLS with public certificates, if using redis as cache backend\n --registry-token string registry token\n --rego-error-limit int maximum number of compile errors allowed during Rego policy evaluation (default 10)\n --rekor-url string [EXPERIMENTAL] address of rekor STL server (default \"https://rekor.sigstore.dev\")\n --render-cause strings specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)\n --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (allowed values: oci,rekor)\n --scanners strings comma-separated list of what security issues to detect (allowed values: vuln,misconfig,secret,license) (default [vuln,secret])\n --secret-config string specify a path to config file for secret scanning (default \"trivy-secret.yaml\")\n --server string server address in client mode\n -s, --severity strings severities of security issues to be displayed\n Allowed values:\n - UNKNOWN\n - LOW\n - MEDIUM\n - HIGH\n - CRITICAL\n (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])\n --show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities\n --skip-check-update skip fetching rego check updates\n --skip-db-update skip updating vulnerability database\n --skip-dirs strings specify the directories or glob patterns to skip\n --skip-files strings specify the files or glob patterns to skip\n --skip-java-db-update skip updating Java index database\n --skip-version-check suppress notices about version updates and Trivy announcements\n --skip-vex-repo-update [EXPERIMENTAL] Skip VEX Repository update\n --table-mode strings 
[EXPERIMENTAL] tables that will be displayed in 'table' format (allowed values: summary,detailed) (default [summary,detailed])\n -t, --template string output template\n --tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules\n --tf-vars strings specify paths to override the Terraform tfvars files\n --token string for authentication in client/server mode\n --token-header string specify a header name for token in client/server mode (default \"Trivy-Token\")\n --trace-rego enable more verbose trace output for custom queries\n --username strings username. Comma-separated usernames allowed.\n --vex strings [EXPERIMENTAL] VEX sources (\"repo\", \"oci\" or file path)\n --vuln-severity-source strings order of data sources for selecting vulnerability severity level\n Allowed values:\n - nvd\n - redhat\n - redhat-oval\n - debian\n - ubuntu\n - alpine\n - amazon\n - oracle-oval\n - suse-cvrf\n - photon\n - arch-linux\n - alma\n - rocky\n - cbl-mariner\n - azure\n - ruby-advisory-db\n - php-security-advisories\n - nodejs-security-wg\n - ghsa\n - glad\n - aqua\n - osv\n - k8s\n - wolfi\n - chainguard\n - bitnami\n - govulndb\n - echo\n - minimos\n - rootio\n - auto\n (default [auto])\n
"},{"location":"guide/references/configuration/cli/trivy_rootfs/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_rootfs/#see-also","title":"SEE ALSO","text":" - trivy - Unified security scanner
"},{"location":"guide/references/configuration/cli/trivy_sbom/","title":"SBOM","text":""},{"location":"guide/references/configuration/cli/trivy_sbom/#trivy-sbom","title":"trivy sbom","text":"Scan SBOM for vulnerabilities and licenses
trivy sbom [flags] SBOM_PATH\n
"},{"location":"guide/references/configuration/cli/trivy_sbom/#examples","title":"Examples","text":" # Scan CycloneDX and show the result in tables\n $ trivy sbom /path/to/report.cdx\n\n # Scan CycloneDX-type attestation and show the result in tables\n $ trivy sbom /path/to/report.cdx.intoto.jsonl\n
"},{"location":"guide/references/configuration/cli/trivy_sbom/#options","title":"Options","text":" --cache-backend string [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default \"memory\")\n --cache-ttl duration cache TTL when using redis as cache backend\n --compliance string compliance report to generate\n --custom-headers strings custom headers in client mode\n --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])\n --detection-priority string specify the detection priority:\n - \"precise\": Prioritizes precise by minimizing false positives.\n - \"comprehensive\": Aims to detect more security findings at the cost of potential false positives.\n (allowed values: precise,comprehensive) (default \"precise\")\n --disable-telemetry disable sending anonymous usage data to Aqua\n --distro string [EXPERIMENTAL] specify a distribution, <family>/<version>\n --download-db-only download/update vulnerability database but don't run a scan\n --download-java-db-only download/update Java index database but don't run a scan\n --exit-code int specify exit code when any security issues are found\n --exit-on-eol int exit with the specified code when the OS reaches end of service/life\n --file-patterns strings specify config file patterns\n -f, --format string format\n Allowed values:\n - table\n - json\n - template\n - sarif\n - cyclonedx\n - spdx\n - spdx-json\n - github\n - cosign-vuln\n (default \"table\")\n -h, --help help for sbom\n --ignore-policy string specify the Rego file path to evaluate each vulnerability\n --ignore-status strings comma-separated list of vulnerability status to ignore\n Allowed values:\n - unknown\n - not_affected\n - affected\n - fixed\n - under_investigation\n - will_not_fix\n - fix_deferred\n - end_of_life\n --ignore-unfixed display only fixed vulnerabilities\n --ignored-licenses strings specify a list of license to ignore\n 
--ignorefile string specify .trivyignore file (default \".trivyignore\")\n --java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])\n --list-all-pkgs output all packages in the JSON report regardless of vulnerability (default true)\n --no-progress suppress progress bar\n --offline-scan do not issue API requests to identify dependencies\n -o, --output string output file name\n --output-plugin-arg string [EXPERIMENTAL] output plugin arguments\n --password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.\n --password-stdin password from stdin. Comma-separated passwords are not supported.\n --pkg-relationships strings list of package relationships\n Allowed values:\n - unknown\n - root\n - workspace\n - direct\n - indirect\n (default [unknown,root,workspace,direct,indirect])\n --pkg-types strings list of package types (allowed values: os,library) (default [os,library])\n --redis-ca string redis ca file location, if using redis as cache backend\n --redis-cert string redis certificate file location, if using redis as cache backend\n --redis-key string redis key file location, if using redis as cache backend\n --redis-tls enable redis TLS with public certificates, if using redis as cache backend\n --registry-token string registry token\n --rekor-url string [EXPERIMENTAL] address of rekor STL server (default \"https://rekor.sigstore.dev\")\n --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (allowed values: oci,rekor)\n --scanners strings comma-separated list of what security issues to detect (allowed values: vuln,license) (default [vuln])\n --server string server address in client mode\n -s, --severity strings severities of security issues to be displayed\n Allowed values:\n - UNKNOWN\n - LOW\n - MEDIUM\n - HIGH\n - CRITICAL\n (default 
[UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])\n --show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities\n --skip-db-update skip updating vulnerability database\n --skip-java-db-update skip updating Java index database\n --skip-version-check suppress notices about version updates and Trivy announcements\n --skip-vex-repo-update [EXPERIMENTAL] Skip VEX Repository update\n --table-mode strings [EXPERIMENTAL] tables that will be displayed in 'table' format (allowed values: summary,detailed) (default [summary,detailed])\n -t, --template string output template\n --token string for authentication in client/server mode\n --token-header string specify a header name for token in client/server mode (default \"Trivy-Token\")\n --username strings username. Comma-separated usernames allowed.\n --vex strings [EXPERIMENTAL] VEX sources (\"repo\", \"oci\" or file path)\n --vuln-severity-source strings order of data sources for selecting vulnerability severity level\n Allowed values:\n - nvd\n - redhat\n - redhat-oval\n - debian\n - ubuntu\n - alpine\n - amazon\n - oracle-oval\n - suse-cvrf\n - photon\n - arch-linux\n - alma\n - rocky\n - cbl-mariner\n - azure\n - ruby-advisory-db\n - php-security-advisories\n - nodejs-security-wg\n - ghsa\n - glad\n - aqua\n - osv\n - k8s\n - wolfi\n - chainguard\n - bitnami\n - govulndb\n - echo\n - minimos\n - rootio\n - auto\n (default [auto])\n
"},{"location":"guide/references/configuration/cli/trivy_sbom/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_sbom/#see-also","title":"SEE ALSO","text":" - trivy - Unified security scanner
"},{"location":"guide/references/configuration/cli/trivy_server/","title":"Server","text":""},{"location":"guide/references/configuration/cli/trivy_server/#trivy-server","title":"trivy server","text":"Server mode
trivy server [flags]\n
"},{"location":"guide/references/configuration/cli/trivy_server/#examples","title":"Examples","text":" # Run a server\n $ trivy server\n\n # Listen on 0.0.0.0:10000\n $ trivy server --listen 0.0.0.0:10000\n
"},{"location":"guide/references/configuration/cli/trivy_server/#options","title":"Options","text":" --cache-backend string [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default \"fs\")\n --cache-ttl duration cache TTL when using redis as cache backend\n --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])\n --download-db-only download/update vulnerability database but don't run a scan\n --enable-modules strings [EXPERIMENTAL] module names to enable\n -h, --help help for server\n --listen string listen address in server mode (default \"localhost:4954\")\n --module-dir string specify directory to the wasm modules that will be loaded (default \"$HOME/.trivy/modules\")\n --no-progress suppress progress bar\n --password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.\n --password-stdin password from stdin. Comma-separated passwords are not supported.\n --redis-ca string redis ca file location, if using redis as cache backend\n --redis-cert string redis certificate file location, if using redis as cache backend\n --redis-key string redis key file location, if using redis as cache backend\n --redis-tls enable redis TLS with public certificates, if using redis as cache backend\n --registry-token string registry token\n --skip-db-update skip updating vulnerability database\n --token string for authentication in client/server mode\n --token-header string specify a header name for token in client/server mode (default \"Trivy-Token\")\n --username strings username. Comma-separated usernames allowed.\n
"},{"location":"guide/references/configuration/cli/trivy_server/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_server/#see-also","title":"SEE ALSO","text":" - trivy - Unified security scanner
"},{"location":"guide/references/configuration/cli/trivy_version/","title":"Version","text":""},{"location":"guide/references/configuration/cli/trivy_version/#trivy-version","title":"trivy version","text":"Print the version
trivy version [flags]\n
"},{"location":"guide/references/configuration/cli/trivy_version/#options","title":"Options","text":" -f, --format string version format (json)\n -h, --help help for version\n
"},{"location":"guide/references/configuration/cli/trivy_version/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_version/#see-also","title":"SEE ALSO","text":" - trivy - Unified security scanner
"},{"location":"guide/references/configuration/cli/trivy_vex/","title":"VEX","text":""},{"location":"guide/references/configuration/cli/trivy_vex/#trivy-vex","title":"trivy vex","text":"[EXPERIMENTAL] VEX utilities
"},{"location":"guide/references/configuration/cli/trivy_vex/#options","title":"Options","text":" -h, --help help for vex\n
"},{"location":"guide/references/configuration/cli/trivy_vex/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_vex/#see-also","title":"SEE ALSO","text":" - trivy - Unified security scanner
- trivy vex repo - Manage VEX repositories
"},{"location":"guide/references/configuration/cli/trivy_vex_repo/","title":"VEX Repo","text":""},{"location":"guide/references/configuration/cli/trivy_vex_repo/#trivy-vex-repo","title":"trivy vex repo","text":"Manage VEX repositories
"},{"location":"guide/references/configuration/cli/trivy_vex_repo/#examples","title":"Examples","text":" # Initialize the configuration file\n $ trivy vex repo init\n\n # List VEX repositories\n $ trivy vex repo list\n\n # Download the VEX repositories\n $ trivy vex repo download\n
"},{"location":"guide/references/configuration/cli/trivy_vex_repo/#options","title":"Options","text":" -h, --help help for repo\n
"},{"location":"guide/references/configuration/cli/trivy_vex_repo/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_vex_repo/#see-also","title":"SEE ALSO","text":" - trivy vex - [EXPERIMENTAL] VEX utilities
- trivy vex repo download - Download the VEX repositories
- trivy vex repo init - Initialize a configuration file
- trivy vex repo list - List VEX repositories
"},{"location":"guide/references/configuration/cli/trivy_vex_repo_download/","title":"VEX Download","text":""},{"location":"guide/references/configuration/cli/trivy_vex_repo_download/#trivy-vex-repo-download","title":"trivy vex repo download","text":"Download the VEX repositories
"},{"location":"guide/references/configuration/cli/trivy_vex_repo_download/#synopsis","title":"Synopsis","text":"Downloads enabled VEX repositories. If specific repository names are provided as arguments, only those repositories will be downloaded. Otherwise, all enabled repositories are downloaded.
trivy vex repo download [REPO_NAMES] [flags]\n
"},{"location":"guide/references/configuration/cli/trivy_vex_repo_download/#options","title":"Options","text":" -h, --help help for download\n
"},{"location":"guide/references/configuration/cli/trivy_vex_repo_download/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_vex_repo_download/#see-also","title":"SEE ALSO","text":" - trivy vex repo - Manage VEX repositories
"},{"location":"guide/references/configuration/cli/trivy_vex_repo_init/","title":"VEX Init","text":""},{"location":"guide/references/configuration/cli/trivy_vex_repo_init/#trivy-vex-repo-init","title":"trivy vex repo init","text":"Initialize a configuration file
trivy vex repo init [flags]\n
"},{"location":"guide/references/configuration/cli/trivy_vex_repo_init/#options","title":"Options","text":" -h, --help help for init\n
"},{"location":"guide/references/configuration/cli/trivy_vex_repo_init/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_vex_repo_init/#see-also","title":"SEE ALSO","text":" - trivy vex repo - Manage VEX repositories
"},{"location":"guide/references/configuration/cli/trivy_vex_repo_list/","title":"VEX List","text":""},{"location":"guide/references/configuration/cli/trivy_vex_repo_list/#trivy-vex-repo-list","title":"trivy vex repo list","text":"List VEX repositories
trivy vex repo list [flags]\n
"},{"location":"guide/references/configuration/cli/trivy_vex_repo_list/#options","title":"Options","text":" -h, --help help for list\n
"},{"location":"guide/references/configuration/cli/trivy_vex_repo_list/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_vex_repo_list/#see-also","title":"SEE ALSO","text":" - trivy vex repo - Manage VEX repositories
"},{"location":"guide/references/configuration/cli/trivy_vm/","title":"VM","text":""},{"location":"guide/references/configuration/cli/trivy_vm/#trivy-vm","title":"trivy vm","text":"[EXPERIMENTAL] Scan a virtual machine image
trivy vm [flags] VM_IMAGE\n
"},{"location":"guide/references/configuration/cli/trivy_vm/#examples","title":"Examples","text":" # Scan your AWS AMI\n $ trivy vm --scanners vuln ami:${your_ami_id}\n\n # Scan your AWS EBS snapshot\n $ trivy vm ebs:${your_ebs_snapshot_id}\n
"},{"location":"guide/references/configuration/cli/trivy_vm/#options","title":"Options","text":" --aws-region string AWS region to scan\n --cache-backend string [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default \"fs\")\n --cache-ttl duration cache TTL when using redis as cache backend\n --checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default \"mirror.gcr.io/aquasec/trivy-checks:1\")\n --compliance string compliance report to generate\n --config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking\n --custom-headers strings custom headers in client mode\n --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])\n --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages\n --detection-priority string specify the detection priority:\n - \"precise\": Prioritizes precise by minimizing false positives.\n - \"comprehensive\": Aims to detect more security findings at the cost of potential false positives.\n (allowed values: precise,comprehensive) (default \"precise\")\n --disable-telemetry disable sending anonymous usage data to Aqua\n --distro string [EXPERIMENTAL] specify a distribution, <family>/<version>\n --download-db-only download/update vulnerability database but don't run a scan\n --download-java-db-only download/update Java index database but don't run a scan\n --enable-modules strings [EXPERIMENTAL] module names to enable\n --exit-code int specify exit code when any security issues are found\n --exit-on-eol int exit with the specified code when the OS reaches end of service/life\n --file-patterns strings specify config file patterns\n -f, --format string format\n Allowed values:\n - table\n - json\n - template\n - sarif\n - cyclonedx\n - spdx\n - spdx-json\n - 
github\n - cosign-vuln\n (default \"table\")\n --helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)\n --helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.\n --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)\n --helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)\n --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)\n --helm-values strings specify paths to override the Helm values.yaml files\n -h, --help help for vm\n --ignore-policy string specify the Rego file path to evaluate each vulnerability\n --ignore-status strings comma-separated list of vulnerability status to ignore\n Allowed values:\n - unknown\n - not_affected\n - affected\n - fixed\n - under_investigation\n - will_not_fix\n - fix_deferred\n - end_of_life\n --ignore-unfixed display only fixed vulnerabilities\n --ignorefile string specify .trivyignore file (default \".trivyignore\")\n --include-non-failures include successes, available with '--scanners misconfig'\n --java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])\n --list-all-pkgs output all packages in the JSON report regardless of vulnerability (default true)\n --misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default 
[azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])\n --module-dir string specify directory to the wasm modules that will be loaded (default \"$HOME/.trivy/modules\")\n --no-progress suppress progress bar\n --offline-scan do not issue API requests to identify dependencies\n -o, --output string output file name\n --output-plugin-arg string [EXPERIMENTAL] output plugin arguments\n --parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)\n --pkg-relationships strings list of package relationships\n Allowed values:\n - unknown\n - root\n - workspace\n - direct\n - indirect\n (default [unknown,root,workspace,direct,indirect])\n --pkg-types strings list of package types (allowed values: os,library) (default [os,library])\n --raw-config-scanners strings specify the types of scanners that will also scan raw configurations. For example, scanners will scan a non-adapted configuration into a shared state (allowed values: terraform)\n --redis-ca string redis ca file location, if using redis as cache backend\n --redis-cert string redis certificate file location, if using redis as cache backend\n --redis-key string redis key file location, if using redis as cache backend\n --redis-tls enable redis TLS with public certificates, if using redis as cache backend\n --rekor-url string [EXPERIMENTAL] address of rekor STL server (default \"https://rekor.sigstore.dev\")\n --render-cause strings specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)\n --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (allowed values: oci,rekor)\n --scanners strings comma-separated list of what security issues to detect (allowed values: vuln,misconfig,secret,license) (default [vuln,secret])\n --secret-config string specify a path to config file for secret scanning (default \"trivy-secret.yaml\")\n 
--server string server address in client mode\n -s, --severity strings severities of security issues to be displayed\n Allowed values:\n - UNKNOWN\n - LOW\n - MEDIUM\n - HIGH\n - CRITICAL\n (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])\n --show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities\n --skip-db-update skip updating vulnerability database\n --skip-dirs strings specify the directories or glob patterns to skip\n --skip-files strings specify the files or glob patterns to skip\n --skip-java-db-update skip updating Java index database\n --skip-version-check suppress notices about version updates and Trivy announcements\n --skip-vex-repo-update [EXPERIMENTAL] Skip VEX Repository update\n --table-mode strings [EXPERIMENTAL] tables that will be displayed in 'table' format (allowed values: summary,detailed) (default [summary,detailed])\n -t, --template string output template\n --tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules\n --token string for authentication in client/server mode\n --token-header string specify a header name for token in client/server mode (default \"Trivy-Token\")\n --vex strings [EXPERIMENTAL] VEX sources (\"repo\", \"oci\" or file path)\n --vuln-severity-source strings order of data sources for selecting vulnerability severity level\n Allowed values:\n - nvd\n - redhat\n - redhat-oval\n - debian\n - ubuntu\n - alpine\n - amazon\n - oracle-oval\n - suse-cvrf\n - photon\n - arch-linux\n - alma\n - rocky\n - cbl-mariner\n - azure\n - ruby-advisory-db\n - php-security-advisories\n - nodejs-security-wg\n - ghsa\n - glad\n - aqua\n - osv\n - k8s\n - wolfi\n - chainguard\n - bitnami\n - govulndb\n - echo\n - minimos\n - rootio\n - auto\n (default [auto])\n
"},{"location":"guide/references/configuration/cli/trivy_vm/#options-inherited-from-parent-commands","title":"Options inherited from parent commands","text":" --cacert string Path to PEM-encoded CA certificate file\n --cache-dir string cache directory (default \"/path/to/cache\")\n -c, --config string config path (default \"trivy.yaml\")\n -d, --debug debug mode\n --generate-default-config write the default config to trivy-default.yaml\n --insecure allow insecure server connections\n -q, --quiet suppress progress bar and log output\n --timeout duration timeout (default 5m0s)\n -v, --version show version\n
"},{"location":"guide/references/configuration/cli/trivy_vm/#see-also","title":"SEE ALSO","text":" - trivy - Unified security scanner
"},{"location":"guide/references/modes/client-server/","title":"Client/Server","text":"Trivy has a client/server mode. The Trivy server holds the vulnerability database, so the Trivy client doesn't have to download it. This is useful if you want to scan images or files at multiple locations without downloading the database at every location.
Client/Server Mode | Image | Rootfs | Filesystem | Repository | Config | K8s
Supported | \u2705 | \u2705 | \u2705 | \u2705 | - | -
Some scanners run on the client side, even in client/server mode.
Scanner | Run on Client or Server
Vulnerability | Server
Misconfiguration | Client (1)
Secret | Client (2)
License | Server
Note
(1), (2): Scanning of misconfigurations and secrets is performed on the client side (as in standalone mode). Otherwise, the client would need to send files to the server that may contain sensitive information.
"},{"location":"guide/references/modes/client-server/#server","title":"Server","text":"First, launch the Trivy server. It downloads the vulnerability database automatically and continues to fetch the latest DB in the background.
$ trivy server --listen localhost:8080\n2019-12-12T15:17:06.551+0200 INFO Need to update DB\n2019-12-12T15:17:56.706+0200 INFO Reopening DB...\n2019-12-12T15:17:56.707+0200 INFO Listening localhost:8080...\n
If you want to accept connections from outside the host, specify 0.0.0.0 or your IP address rather than localhost.
$ trivy server --listen 0.0.0.0:8080\n
"},{"location":"guide/references/modes/client-server/#remote-image-scan","title":"Remote image scan","text":"Then specify the server address with the image command.
$ trivy image --server http://localhost:8080 alpine:3.10\n
Note: It's important to specify the protocol (http or https). Result alpine:3.10 (alpine 3.10.2)\n===========================\nTotal: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 2, HIGH: 0, CRITICAL: 0)\n\n+---------+------------------+----------+-------------------+---------------+\n| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |\n+---------+------------------+----------+-------------------+---------------+\n| openssl | CVE-2019-1549 | MEDIUM | 1.1.1c-r0 | 1.1.1d-r0 |\n+ +------------------+ + + +\n| | CVE-2019-1563 | | | |\n+ +------------------+----------+ + +\n| | CVE-2019-1547 | LOW | | |\n+---------+------------------+----------+-------------------+---------------+\n
"},{"location":"guide/references/modes/client-server/#remote-scan-of-local-filesystem","title":"Remote scan of local filesystem","text":"You can also scan a local file system:
$ trivy fs --server http://localhost:8080 --severity CRITICAL ./integration/testdata/fixtures/fs/pom/\n
Note: It's important to specify the protocol (http or https). Result pom.xml (pom)\n=============\nTotal: 24 (CRITICAL: 24)\n\n+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+\n| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |\n+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+\n| com.fasterxml.jackson.core:jackson-databind | CVE-2017-17485 | CRITICAL | 2.9.1 | 2.8.11, 2.9.4 | jackson-databind: Unsafe |\n| | | | | | deserialization due to |\n| | | | | | incomplete black list (incomplete |\n| | | | | | fix for CVE-2017-15095)... |\n| | | | | | -->avd.aquasec.com/nvd/cve-2017-17485 |\n+ +------------------+ + +--------------------------------+---------------------------------------+\n| | CVE-2018-11307 | | | 2.7.9.4, 2.8.11.2, 2.9.6 | jackson-databind: Potential |\n| | | | | | information exfiltration with |\n| | | | | | default typing, serialization |\n| | | | | | gadget from MyBatis |\n| | | | | | -->avd.aquasec.com/nvd/cve-2018-11307 |\n+ +------------------+ + +--------------------------------+---------------------------------------+\n| | CVE-2018-14718 | | | 2.6.7.2, 2.9.7 | jackson-databind: arbitrary code |\n| | | | | | execution in slf4j-ext class |\n| | | | | | -->avd.aquasec.com/nvd/cve-2018-14718 |\n+ +------------------+ + + +---------------------------------------+\n| | CVE-2018-14719 | | | | jackson-databind: arbitrary |\n| | | | | | code execution in blaze-ds-opt |\n| | | | | | and blaze-ds-core classes |\n| | | | | | -->avd.aquasec.com/nvd/cve-2018-14719 |\n+ +------------------+ + + +---------------------------------------+\n| | CVE-2018-14720 | | | | jackson-databind: exfiltration/XXE |\n| | | | | | in some JDK classes |\n| | | | | | -->avd.aquasec.com/nvd/cve-2018-14720 |\n+ 
+------------------+ + + +---------------------------------------+\n| | CVE-2018-14721 | | | | jackson-databind: server-side request |\n| | | | | | forgery (SSRF) in axis2-jaxws class |\n| | | | | | -->avd.aquasec.com/nvd/cve-2018-14721 |\n+ +------------------+ + +--------------------------------+---------------------------------------+\n| | CVE-2018-19360 | | | 2.6.7.3, 2.7.9.5, 2.8.11.3, | jackson-databind: improper |\n| | | | | 2.9.8 | polymorphic deserialization |\n| | | | | | in axis2-transport-jms class |\n| | | | | | -->avd.aquasec.com/nvd/cve-2018-19360 |\n+ +------------------+ + + +---------------------------------------+\n| | CVE-2018-19361 | | | | jackson-databind: improper |\n| | | | | | polymorphic deserialization |\n| | | | | | in openjpa class |\n| | | | | | -->avd.aquasec.com/nvd/cve-2018-19361 |\n+ +------------------+ + + +---------------------------------------+\n| | CVE-2018-19362 | | | | jackson-databind: improper |\n| | | | | | polymorphic deserialization |\n| | | | | | in jboss-common-core class |\n| | | | | | -->avd.aquasec.com/nvd/cve-2018-19362 |\n+ +------------------+ + +--------------------------------+---------------------------------------+\n| | CVE-2018-7489 | | | 2.7.9.3, 2.8.11.1, 2.9.5 | jackson-databind: incomplete fix |\n| | | | | | for CVE-2017-7525 permits unsafe |\n| | | | | | serialization via c3p0 libraries |\n| | | | | | -->avd.aquasec.com/nvd/cve-2018-7489 |\n+ +------------------+ + +--------------------------------+---------------------------------------+\n| | CVE-2019-14379 | | | 2.7.9.6, 2.8.11.4, 2.9.9.2 | jackson-databind: default |\n| | | | | | typing mishandling leading |\n| | | | | | to remote code execution |\n| | | | | | -->avd.aquasec.com/nvd/cve-2019-14379 |\n+ +------------------+ + +--------------------------------+---------------------------------------+\n| | CVE-2019-14540 | | | 2.9.10 | jackson-databind: |\n| | | | | | Serialization gadgets in |\n| | | | | | com.zaxxer.hikari.HikariConfig |\n| | | | | 
| -->avd.aquasec.com/nvd/cve-2019-14540 |\n+ +------------------+ + +--------------------------------+---------------------------------------+\n| | CVE-2019-14892 | | | 2.6.7.3, 2.8.11.5, 2.9.10 | jackson-databind: Serialization |\n| | | | | | gadgets in classes of the |\n| | | | | | commons-configuration package |\n| | | | | | -->avd.aquasec.com/nvd/cve-2019-14892 |\n+ +------------------+ + +--------------------------------+---------------------------------------+\n| | CVE-2019-14893 | | | 2.8.11.5, 2.9.10 | jackson-databind: |\n| | | | | | Serialization gadgets in |\n| | | | | | classes of the xalan package |\n| | | | | | -->avd.aquasec.com/nvd/cve-2019-14893 |\n+ +------------------+ + +--------------------------------+---------------------------------------+\n| | CVE-2019-16335 | | | 2.9.10 | jackson-databind: |\n| | | | | | Serialization gadgets in |\n| | | | | | com.zaxxer.hikari.HikariDataSource |\n| | | | | | -->avd.aquasec.com/nvd/cve-2019-16335 |\n+ +------------------+ + +--------------------------------+---------------------------------------+\n| | CVE-2019-16942 | | | 2.9.10.1 | jackson-databind: |\n| | | | | | Serialization gadgets in |\n| | | | | | org.apache.commons.dbcp.datasources.* |\n| | | | | | -->avd.aquasec.com/nvd/cve-2019-16942 |\n+ +------------------+ + + +---------------------------------------+\n| | CVE-2019-16943 | | | | jackson-databind: |\n| | | | | | Serialization gadgets in |\n| | | | | | com.p6spy.engine.spy.P6DataSource |\n| | | | | | -->avd.aquasec.com/nvd/cve-2019-16943 |\n+ +------------------+ + +--------------------------------+---------------------------------------+\n| | CVE-2019-17267 | | | 2.9.10 | jackson-databind: Serialization |\n| | | | | | gadgets in classes of |\n| | | | | | the ehcache package |\n| | | | | | -->avd.aquasec.com/nvd/cve-2019-17267 |\n+ +------------------+ + +--------------------------------+---------------------------------------+\n| | CVE-2019-17531 | | | 2.9.10.1 | jackson-databind: |\n| | | | | 
| Serialization gadgets in |\n| | | | | | org.apache.log4j.receivers.db.* |\n| | | | | | -->avd.aquasec.com/nvd/cve-2019-17531 |\n+ +------------------+ + +--------------------------------+---------------------------------------+\n| | CVE-2019-20330 | | | 2.8.11.5, 2.9.10.2 | jackson-databind: lacks |\n| | | | | | certain net.sf.ehcache blocking |\n| | | | | | -->avd.aquasec.com/nvd/cve-2019-20330 |\n+ +------------------+ + +--------------------------------+---------------------------------------+\n| | CVE-2020-8840 | | | 2.7.9.7, 2.8.11.5, 2.9.10.3 | jackson-databind: Lacks certain |\n| | | | | | xbean-reflect/JNDI blocking |\n| | | | | | -->avd.aquasec.com/nvd/cve-2020-8840 |\n+ +------------------+ + +--------------------------------+---------------------------------------+\n| | CVE-2020-9546 | | | 2.7.9.7, 2.8.11.6, 2.9.10.4 | jackson-databind: Serialization |\n| | | | | | gadgets in shaded-hikari-config |\n| | | | | | -->avd.aquasec.com/nvd/cve-2020-9546 |\n+ +------------------+ + + +---------------------------------------+\n| | CVE-2020-9547 | | | | jackson-databind: Serialization |\n| | | | | | gadgets in ibatis-sqlmap |\n| | | | | | -->avd.aquasec.com/nvd/cve-2020-9547 |\n+ +------------------+ + + +---------------------------------------+\n| | CVE-2020-9548 | | | | jackson-databind: Serialization |\n| | | | | | gadgets in anteros-core |\n| | | | | | -->avd.aquasec.com/nvd/cve-2020-9548 |\n+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+\n
"},{"location":"guide/references/modes/client-server/#remote-scan-of-root-filesystem","title":"Remote scan of root filesystem","text":"You can also scan a root file system:
$ trivy rootfs --server http://localhost:8080 --severity CRITICAL /tmp/rootfs\n
Note: It's important to specify the protocol (http or https). Result /tmp/rootfs (alpine 3.10.2)\n\nTotal: 1 (CRITICAL: 1)\n\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 Library \u2502 Vulnerability \u2502 Severity \u2502 Installed Version \u2502 Fixed Version \u2502 Title \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 apk-tools \u2502 CVE-2021-36159 \u2502 CRITICAL \u2502 2.10.4-r2 \u2502 
2.10.7-r0 \u2502 libfetch before 2021-07-26, as used in apk-tools, xbps, and \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 other products, mishandles... \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2021-36159 \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n
"},{"location":"guide/references/modes/client-server/#remote-scan-of-git-repository","title":"Remote scan of git repository","text":"You can also scan a remote git repository:
$ trivy repo https://github.com/knqyf263/trivy-ci-test --server http://localhost:8080 \n
Note: It's important to specify the protocol (http or https). Result Cargo.lock (cargo)\n==================\nTotal: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 2, CRITICAL: 0)\n\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 Library \u2502 Vulnerability \u2502 Severity \u2502 Installed Version \u2502 Fixed Version \u2502 Title 
\u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 ammonia \u2502 CVE-2019-15542 \u2502 HIGH \u2502 1.9.0 \u2502 2.1.0 \u2502 Uncontrolled recursion in ammonia \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2019-15542 \u2502\n\u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 \u2502 CVE-2021-38193 \u2502 MEDIUM \u2502 \u2502 2.1.3, 3.1.0 \u2502 An issue was discovered in the ammonia crate before 3.1.0 \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 for Rust.... 
\u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2021-38193 \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 smallvec \u2502 CVE-2019-15551 \u2502 \u2502 0.6.9 \u2502 0.6.10 \u2502 An issue was discovered in the smallvec crate before 0.6.10 \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 for Rust.... 
\u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2019-15551 \u2502\n\u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 \u2502 CVE-2018-25023 \u2502 HIGH \u2502 \u2502 0.6.13 \u2502 An issue was discovered in the smallvec crate before 0.6.13 \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 for Rust.... \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2018-25023 \u2502\n\u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 \u2502 GHSA-66p5-j55p-32r9 \u2502 MEDIUM \u2502 \u2502 \u2502 smallvec creates uninitialized value of any type \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://github.com/advisories/GHSA-66p5-j55p-32r9 
\u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n\nPipfile.lock (pipenv)\n=====================\nTotal: 8 (UNKNOWN: 0, LOW: 0, MEDIUM: 6, HIGH: 2, CRITICAL: 0)\n\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 Library \u2502 Vulnerability \u2502 Severity 
\u2502 Installed Version \u2502 Fixed Version \u2502 Title \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 celery \u2502 CVE-2021-23727 \u2502 HIGH \u2502 4.3.0 \u2502 5.2.2 \u2502 celery: stored command injection vulnerability may allow \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 privileges escalation \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2021-23727 \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 
\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 django \u2502 CVE-2019-6975 \u2502 \u2502 2.0.9 \u2502 1.11.19, 2.0.12, 2.1.7 \u2502 python-django: memory exhaustion in \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 django.utils.numberformat.format() \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2019-6975 \u2502\n\u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 \u2502 CVE-2019-3498 \u2502 MEDIUM \u2502 \u2502 1.11.18, 2.0.10, 2.1.5 \u2502 python-django: Content spoofing via URL path in default 404 \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 page \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2019-3498 \u2502\n\u2502 
\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 \u2502 CVE-2021-33203 \u2502 \u2502 \u2502 2.2.24, 3.1.12, 3.2.4 \u2502 django: Potential directory traversal via ``admindocs`` \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2021-33203 \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 urllib3 \u2502 CVE-2019-11324 \u2502 \u2502 1.24.1 \u2502 1.24.2 \u2502 python-urllib3: Certification mishandle when error should be \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 thrown \u2502\n\u2502 
\u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2019-11324 \u2502\n\u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 \u2502 CVE-2021-33503 \u2502 \u2502 \u2502 1.26.5 \u2502 python-urllib3: ReDoS in the parsing of authority part of \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 URL \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2021-33503 \u2502\n\u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 \u2502 CVE-2019-11236 \u2502 MEDIUM \u2502 \u2502 1.24.3 \u2502 python-urllib3: CRLF injection due to not encoding the \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 '\\r\\n' sequence leading to... 
\u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2019-11236 \u2502\n\u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 \u2502 CVE-2020-26137 \u2502 \u2502 \u2502 1.25.9 \u2502 python-urllib3: CRLF injection via HTTP request method \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2020-26137 \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n
"},{"location":"guide/references/modes/client-server/#authentication","title":"Authentication","text":"$ trivy server --listen localhost:8080 --token dummy\n
$ trivy image --server http://localhost:8080 --token dummy alpine:3.10\n
"},{"location":"guide/references/modes/client-server/#endpoints","title":"Endpoints","text":""},{"location":"guide/references/modes/client-server/#health","title":"Health","text":"Checks whether the Trivy server is running. Authentication is not required.
Example request:
curl -s 0.0.0.0:8080/healthz\nok\n
Returns the 200 OK status if the request was successful.
"},{"location":"guide/references/modes/client-server/#version","title":"Version","text":"Returns the version of the Trivy and all components (db, policy). Authentication is not required.
Example request:
curl -s 0.0.0.0:8080/version | jq\n{\n \"Version\": \"dev\",\n \"VulnerabilityDB\": {\n \"Version\": 2,\n \"NextUpdate\": \"2023-07-25T14:15:29.876639806Z\",\n \"UpdatedAt\": \"2023-07-25T08:15:29.876640206Z\",\n \"DownloadedAt\": \"2023-07-25T09:36:25.599004Z\"\n },\n \"JavaDB\": {\n \"Version\": 1,\n \"NextUpdate\": \"2023-07-28T01:03:52.169192565Z\",\n \"UpdatedAt\": \"2023-07-25T01:03:52.169192765Z\",\n \"DownloadedAt\": \"2023-07-25T09:37:48.906152Z\"\n },\n \"PolicyBundle\": {\n \"Digest\": \"sha256:829832357626da2677955e3b427191212978ba20012b6eaa03229ca28569ae43\",\n \"DownloadedAt\": \"2023-07-23T11:40:33.122462Z\"\n }\n}\n
Returns the 200 OK status if the request was successful.
"},{"location":"guide/references/modes/client-server/#architecture","title":"Architecture","text":" -
The checks bundle is also downloaded on the client side.\u00a0\u21a9
-
The scan result with masked secrets is sent to the server\u00a0\u21a9
"},{"location":"guide/references/modes/standalone/","title":"Standalone","text":"trivy image, trivy filesystem, and trivy repo works as standalone mode.
"},{"location":"guide/references/modes/standalone/#image","title":"Image","text":""},{"location":"guide/references/modes/standalone/#filesystem","title":"Filesystem","text":""},{"location":"guide/references/modes/standalone/#git-repository","title":"Git Repository","text":""},{"location":"guide/scanner/license/","title":"License Scanning","text":"Trivy scans any container image for license files and offers an opinionated view on the risk associated with the license.
Licenses are classified using the Google License Classification -
- Forbidden
- Restricted
- Reciprocal
- Notice
- Permissive
- Unencumbered
- Unknown
Tip
Licenses that Trivy fails to recognize are classified as UNKNOWN. As those licenses may be in violation, it is recommended to check those unknown licenses as well.
By default, Trivy scans licenses for packages installed by apk, apt-get, dnf, npm, pip, gem, etc. Check out the coverage document for details.
To enable extended license scanning, you can use --license-full. In addition to package licenses, Trivy scans source code files, Markdown documents, text files and LICENSE documents to identify license usage within the image or filesystem.
By default, Trivy only classifies licenses that are matched with a confidence level of 0.9 or more by the classifier. To configure the confidence level, you can use --license-confidence-level. This enables us to classify licenses that might be matched with a lower confidence level by the classifier.
Note
The full license scanning is expensive. It takes a while.
License scanning Image Rootfs Filesystem Repository SBOM Standard \u2705 \u2705 \u270512 \u270512 \u2705 Full (--license-full) \u2705 \u2705 \u2705 \u2705 - License checking classifies the identified licenses and maps the classification to severity.
Classification Severity Forbidden CRITICAL Restricted HIGH Reciprocal MEDIUM Notice LOW Permissive LOW Unencumbered LOW Unknown UNKNOWN"},{"location":"guide/scanner/license/#quick-start","title":"Quick start","text":"This section shows how to scan license in container image and filesystem.
"},{"location":"guide/scanner/license/#standard-scanning","title":"Standard scanning","text":"Specify an image name with --scanners license.
$ trivy image --scanners license --severity UNKNOWN,HIGH,CRITICAL alpine:3.15\n2022-07-13T17:28:39.526+0300 INFO License scanning is enabled\n\nOS Packages (license)\n=====================\nTotal: 6 (UNKNOWN: 0, HIGH: 6, CRITICAL: 0)\n\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 Package \u2502 License \u2502 Classification \u2502 Severity \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 alpine-baselayout \u2502 GPL-2.0 \u2502 Restricted \u2502 HIGH \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u2502 \u2502\n\u2502 apk-tools \u2502 \u2502 \u2502 \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u2502 \u2502\n\u2502 busybox \u2502 \u2502 \u2502 \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u2502 \u2502\n\u2502 musl-utils \u2502 \u2502 \u2502 \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u2502 \u2502\n\u2502 scanelf \u2502 \u2502 \u2502 
\u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u2502 \u2502\n\u2502 ssl_client \u2502 \u2502 \u2502 \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n
"},{"location":"guide/scanner/license/#full-scanning","title":"Full scanning","text":"Specify --license-full
$ trivy image --scanners license --severity UNKNOWN,HIGH,CRITICAL --license-full grafana/grafana\n2022-07-13T17:48:40.905+0300 INFO Full license scanning is enabled\n\nOS Packages (license)\n=====================\nTotal: 20 (UNKNOWN: 9, HIGH: 11, CRITICAL: 0)\n\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 Package \u2502 License \u2502 Classification \u2502 Severity \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 alpine-baselayout \u2502 GPL-2.0 \u2502 Restricted \u2502 HIGH \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u2502 \u2502\n\u2502 apk-tools \u2502 \u2502 \u2502 \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u2502\n\u2502 bash \u2502 GPL-3.0 \u2502 \u2502 
\u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 keyutils-libs \u2502 GPL-2.0 \u2502 Restricted \u2502 HIGH \u2502\n\u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 \u2502 LGPL-2.0-or-later \u2502 Non Standard \u2502 UNKNOWN \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u2502\n\u2502 libaio \u2502 LGPL-2.1-or-later \u2502 \u2502 \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 libcom_err \u2502 GPL-2.0 \u2502 Restricted \u2502 HIGH \u2502\n\u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 
\u2502 LGPL-2.0-or-later \u2502 Non Standard \u2502 UNKNOWN \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 tzdata \u2502 Public-Domain \u2502 Non Standard \u2502 UNKNOWN \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n\nLoose File License(s) (license)\n===============================\nTotal: 6 (UNKNOWN: 4, HIGH: 0, CRITICAL: 2)\n\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 Classification \u2502 Severity \u2502 License \u2502 File Location 
\u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 Forbidden \u2502 CRITICAL \u2502 AGPL-3.0 \u2502 /usr/share/grafana/LICENSE \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 Non Standard \u2502 UNKNOWN \u2502 BSD-0-Clause \u2502 /usr/share/grafana/public/build/5069.d6aae9dd11d49c741a80.j- \u2502\n\u2502 \u2502 \u2502 \u2502 s.LICENSE.txt \u2502\n\u2502 \u2502 \u2502 
\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 \u2502 \u2502 \u2502 /usr/share/grafana/public/build/6444.d6aae9dd11d49c741a80.j- \u2502\n\u2502 \u2502 \u2502 \u2502 s.LICENSE.txt \u2502\n\u2502 \u2502 \u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 \u2502 \u2502 \u2502 /usr/share/grafana/public/build/7889.d6aae9dd11d49c741a80.j- \u2502\n\u2502 \u2502 \u2502 \u2502 s.LICENSE.txt \u2502\n\u2502 \u2502 \u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 \u2502 \u2502 \u2502 /usr/share/grafana/public/build/canvasPanel.d6aae9dd11d49c7- \u2502\n\u2502 \u2502 \u2502 \u2502 41a80.js.LICENSE.txt 
\u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n
"},{"location":"guide/scanner/license/#configuration","title":"Configuration","text":"Trivy has a number of configuration flags for use with license scanning:
"},{"location":"guide/scanner/license/#ignored-licenses","title":"Ignored Licenses","text":"Trivy license scanning can ignore licenses that are identified to explicitly remove them from the results using the --ignored-licenses flag;
$ trivy image --scanners license --ignored-licenses MPL-2.0,MIT --severity HIGH grafana/grafana:latest\n2022-07-13T18:15:28.605Z INFO License scanning is enabled\n\nOS Packages (license)\n=====================\nTotal: 2 (HIGH: 2, CRITICAL: 0)\n\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 Package \u2502 License \u2502 Classification \u2502 Severity \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 alpine-baselayout \u2502 GPL-2.0 \u2502 Restricted \u2502 HIGH \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u2502 \u2502\n\u2502 ssl_client \u2502 \u2502 \u2502 \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n
"},{"location":"guide/scanner/license/#configuring-classifier-confidence-level","title":"Configuring Classifier Confidence Level","text":"You can use the --license-confidence-level flag to adjust the confidence level between 0.0 to 1.0 (default 0.9). For example, when you run the scanner with the default confidence level on SPDX license list data, it is able to detect only 258 licenses.
$ trivy fs --scanners license --license-full <path/to/spdx/list/data>\n2023-04-18T10:05:13.601-0700 INFO Full license scanning is enabled\n\nLoose File License(s) (license)\n===============================\nTotal: 258 (UNKNOWN: 70, LOW: 90, MEDIUM: 18, HIGH: 58, CRITICAL: 22)\n
However, by configuring the confidence level to 0.8, the scanner is now able to detect 282 licenses.
$ trivy fs --scanners license --license-full --license-confidence-level 0.8 <path/to/spdx/list/data>\n2023-04-18T10:21:39.637-0700 INFO Full license scanning is enabled\n\nLoose File License(s) (license)\n===============================\nTotal: 282 (UNKNOWN: 81, LOW: 97, MEDIUM: 24, HIGH: 58, CRITICAL: 22)\n
"},{"location":"guide/scanner/license/#custom-classification","title":"Custom Classification","text":"You can generate the default config by the --generate-default-config flag and customize the license classification. For example, if you want to forbid only AGPL-3.0, you can leave it under forbidden and move other licenses to another classification.
$ trivy image --generate-default-config\n$ vim trivy.yaml\nlicense:\n forbidden:\n - AGPL-3.0\n\n restricted:\n - AGPL-1.0\n - CC-BY-NC-1.0\n - CC-BY-NC-2.0\n - CC-BY-NC-2.5\n - CC-BY-NC-3.0\n - CC-BY-NC-4.0\n - CC-BY-NC-ND-1.0\n - CC-BY-NC-ND-2.0\n - CC-BY-NC-ND-2.5\n - CC-BY-NC-ND-3.0\n - CC-BY-NC-ND-4.0\n - CC-BY-NC-SA-1.0\n - CC-BY-NC-SA-2.0\n - CC-BY-NC-SA-2.5\n - CC-BY-NC-SA-3.0\n - CC-BY-NC-SA-4.0\n - Commons-Clause\n - Facebook-2-Clause\n - Facebook-3-Clause\n - Facebook-Examples\n - WTFPL\n - BCL\n - CC-BY-ND-1.0\n - CC-BY-ND-2.0\n - CC-BY-ND-2.5\n - CC-BY-ND-3.0\n - CC-BY-ND-4.0\n - CC-BY-SA-1.0\n - CC-BY-SA-2.0\n - CC-BY-SA-2.5\n - CC-BY-SA-3.0\n - CC-BY-SA-4.0\n - GPL-1.0\n - GPL-2.0\n - GPL-2.0-with-autoconf-exception\n - GPL-2.0-with-bison-exception\n - GPL-2.0-with-classpath-exception\n - GPL-2.0-with-font-exception\n - GPL-2.0-with-GCC-exception\n - GPL-3.0\n - GPL-3.0-with-autoconf-exception\n - GPL-3.0-with-GCC-exception\n - LGPL-2.0\n - LGPL-2.1\n - LGPL-3.0\n - NPL-1.0\n - NPL-1.1\n - OSL-1.0\n - OSL-1.1\n - OSL-2.0\n - OSL-2.1\n - OSL-3.0\n - QPL-1.0\n - Sleepycat\n\n reciprocal:\n - APSL-1.0\n - APSL-1.1\n - APSL-1.2\n - APSL-2.0\n - CDDL-1.0\n - CDDL-1.1\n - CPL-1.0\n - EPL-1.0\n - EPL-2.0\n - FreeImage\n - IPL-1.0\n - MPL-1.0\n - MPL-1.1\n - MPL-2.0\n - Ruby\n\n notice:\n - AFL-1.1\n - AFL-1.2\n - AFL-2.0\n - AFL-2.1\n - AFL-3.0\n - Apache-1.0\n - Apache-1.1\n - Apache-2.0\n - Artistic-1.0-cl8\n - Artistic-1.0-Perl\n - Artistic-1.0\n - Artistic-2.0\n - BSL-1.0\n - BSD-2-Clause-FreeBSD\n - BSD-2-Clause-NetBSD\n - BSD-2-Clause\n - BSD-3-Clause-Attribution\n - BSD-3-Clause-Clear\n - BSD-3-Clause-LBNL\n - BSD-3-Clause\n - BSD-4-Clause\n - BSD-4-Clause-UC\n - BSD-Protection\n - CC-BY-1.0\n - CC-BY-2.0\n - CC-BY-2.5\n - CC-BY-3.0\n - CC-BY-4.0\n - FTL\n - ISC\n - ImageMagick\n - Libpng\n - Lil-1.0\n - Linux-OpenIB\n - LPL-1.02\n - LPL-1.0\n - MS-PL\n - MIT\n - NCSA\n - OpenSSL\n - PHP-3.01\n - PHP-3.0\n - PIL\n - Python-2.0\n - 
Python-2.0-complete\n - PostgreSQL\n - SGI-B-1.0\n - SGI-B-1.1\n - SGI-B-2.0\n - Unicode-DFS-2015\n - Unicode-DFS-2016\n - Unicode-TOU\n - UPL-1.0\n - W3C-19980720\n - W3C-20150513\n - W3C\n - X11\n - Xnet\n - Zend-2.0\n - zlib-acknowledgement\n - Zlib\n - ZPL-1.1\n - ZPL-2.0\n - ZPL-2.1\n\n unencumbered:\n - CC0-1.0\n - Unlicense\n - 0BSD\n\n permissive: []\n
"},{"location":"guide/scanner/license/#text-licenses","title":"Text licenses","text":"By default, Trivy categorizes a license as UNKNOWN if it cannot determine the license name from the license text.
To define a category for a text license, you need to add license with the text:// prefix to license classification. For example:
license:\n forbidden:\n - \"text://Text of Apache Software Foundation License\"\n
But a text license can be large. So for these cases, Trivy supports using regex in license classification. For example:
license:\n forbidden:\n - \"text://.* Apache Software .*\"\n
Note
regex is only used for text licenses and can't be used to configure license IDs.
"},{"location":"guide/scanner/license/#enabling-a-subset-of-package-types","title":"Enabling a Subset of Package Types","text":"It's possible to only enable certain package types if you prefer. You can do so by passing the --pkg-types option. This flag takes a comma-separated list of package types.
Available values:
- os
- Scan OS packages managed by the OS package manager (e.g.
dpkg, yum, apk).
- library
- Scan language-specific packages (e.g. packages installed by
pip, npm, or gem).
$ trivy image --pkg-types os ruby:2.4.0\n
-
See the list of supported language files here.\u00a0\u21a9\u21a9
-
Some lock files require additional files (e.g. files from the cache directory) to detect licenses. Check coverage for more information.\u00a0\u21a9\u21a9
"},{"location":"guide/scanner/secret/","title":"Secret Scanning","text":"Trivy scans any container image, filesystem, and git repository to detect exposed secrets like passwords, API keys, and tokens. Secret scanning is enabled by default.
Trivy will scan every plaintext file, according to builtin rules or configuration. Also, Trivy can detect secrets in compiled Python files (.pyc).
There are plenty of builtin rules:
- AWS access key
- GCP service account
- GitHub personal access token
- GitLab personal access token
- Slack access token
- etc.
You can see a full list of built-in rules and built-in allow rules.
Tip
If your secret is not detected properly, please make sure that your file including the secret is not in the allowed paths. You can disable allow rules via disable-allow-rules.
"},{"location":"guide/scanner/secret/#quick-start","title":"Quick start","text":"This section shows how to scan secrets in container image and filesystem. Other subcommands should be the same.
"},{"location":"guide/scanner/secret/#container-image","title":"Container image","text":"Specify an image name.
$ trivy image myimage:1.0.0\n2022-04-21T18:56:44.099+0300 INFO Detected OS: alpine\n2022-04-21T18:56:44.099+0300 INFO Detecting Alpine vulnerabilities...\n2022-04-21T18:56:44.101+0300 INFO Number of language-specific files: 0\n\nmyimage:1.0.0 (alpine 3.15.0)\n=============================\nTotal: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)\n\n+--------------+------------------+----------+-------------------+---------------+---------------------------------------+\n| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |\n+--------------+------------------+----------+-------------------+---------------+---------------------------------------+\n| busybox | CVE-2022-28391 | CRITICAL | 1.34.1-r3 | 1.34.1-r5 | CVE-2022-28391 affecting |\n| | | | | | package busybox 1.35.0 |\n| | | | | | -->avd.aquasec.com/nvd/cve-2022-28391 |\n+--------------+------------------| |-------------------+---------------+---------------------------------------+\n| ssl_client | CVE-2022-28391 | | 1.34.1-r3 | 1.34.1-r5 | CVE-2022-28391 affecting |\n| | | | | | package busybox 1.35.0 |\n| | | | | | -->avd.aquasec.com/nvd/cve-2022-28391 |\n+--------------+------------------+----------+-------------------+---------------+---------------------------------------+\n\napp/secret.sh (secrets)\n=======================\nTotal: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)\n\n+----------+-------------------+----------+---------+--------------------------------+\n| CATEGORY | DESCRIPTION | SEVERITY | LINE NO | MATCH |\n+----------+-------------------+----------+---------+--------------------------------+\n| AWS | AWS Access Key ID | CRITICAL | 10 | export AWS_ACCESS_KEY_ID=***** |\n+----------+-------------------+----------+---------+--------------------------------+\n
Tip
Trivy tries to detect a base image and skip those layers for secret scanning. A base image usually contains a lot of files and makes secret scanning much slower. If a secret is not detected properly, you can see base layers with the --debug flag.
"},{"location":"guide/scanner/secret/#filesystem","title":"Filesystem","text":"$ trivy fs /path/to/your_project\n...(snip)...\n\ncerts/key.pem (secrets)\n========================\nTotal: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)\n\n+----------------------+------------------------+----------+---------+---------------------------------+\n| CATEGORY | DESCRIPTION | SEVERITY | LINE NO | MATCH |\n+----------------------+------------------------+----------+---------+---------------------------------+\n| AsymmetricPrivateKey | Asymmetric Private Key | HIGH | 1 | -----BEGIN RSA PRIVATE KEY----- |\n+----------------------+------------------------+----------+---------+---------------------------------+\n
Tip
Your project may contain secrets that are used only for testing. You can skip them with --skip-dirs or --skip-files. We recommend specifying these options when those files don't need to be scanned, because secret scanning is faster when it skips them. You can also list allowed paths in a configuration file. See the details here.
"},{"location":"guide/scanner/secret/#configuration","title":"Configuration","text":"This section describes secret-specific configuration. Other common options are documented here.
Trivy has a set of built-in rules for secret scanning, which can be extended or modified by a configuration file. By default, Trivy tries to load trivy-secret.yaml from the current directory. If the file doesn't exist, only the built-in rules are used. You can customize the config file path via the --secret-config flag.
Warning
Trivy uses the Go regexp package, which implements RE2 syntax: lookaround assertions and backreferences are not supported. By default, ^ and $ match only the beginning and end of the whole content; to make them match the beginning and end of each line, enable multi-line mode with (?m).
"},{"location":"guide/scanner/secret/#custom-rules","title":"Custom Rules","text":"Trivy allows defining custom rules.
rules:\n - id: rule1\n category: general\n title: Generic Rule\n severity: HIGH\n path: .*\\.sh\n keywords:\n - secret\n regex: (?i)(?P<key>(secret))(=|:).{0,5}['\"](?P<secret>[0-9a-zA-Z\\-_=]{8,64})['\"]\n secret-group-name: secret\n allow-rules:\n - id: skip-text\n description: skip text files\n path: .*\\.txt\n
id (required) - Unique identifier for this rule.
category (required) - String used for metadata and reporting purposes.
title (required) - Short human-readable title of the rule.
severity (required) - How critical this rule is.
- Allowed values:
- CRITICAL
- HIGH
- MEDIUM
- LOW
regex (required) - Golang regular expression used to detect secrets.
path (optional) - Golang regular expression used to match paths.
keywords (optional, recommended) - Keywords are used for pre-regex check filtering.
- Rules that contain keywords will perform a quick string compare check to make sure the keyword(s) are in the content being scanned.
- Ideally these values should either be part of the identifier or unique strings specific to the rule's regex.
- It is recommended to define for better performance.
allow-rules (optional) - Allow rules for a single rule to reduce false positives with known secrets.
- The details are below.
"},{"location":"guide/scanner/secret/#allow-rules","title":"Allow Rules","text":"If a detected secret matches the allow rule's regex, that secret is skipped and not reported. The same logic applies to path: matches in files whose path matches the allow rule's path regex are skipped.
allow-rules can be defined globally and per rule. The fields are the same in both places.
rules:\n - id: rule1\n category: general\n title: Generic Rule\n severity: HIGH\n regex: (?i)(?P<key>(secret))(=|:).{0,5}['\"](?P<secret>[0-9a-zA-Z\\-_=]{8,64})['\"]\n allow-rules:\n - id: skip-text\n description: skip text files\n path: .*\\.txt\nallow-rules:\n - id: social-security-number\n description: skip social security number\n regex: 219-09-9999\n
id (required) - Unique identifier for this allow rule.
description (optional) - Short human-readable description of this allow rule.
regex (optional) - Golang regular expression used to allow detected secrets.
regex or path must be specified.
path (optional) - Golang regular expression used to allow matched paths.
regex or path must be specified.
"},{"location":"guide/scanner/secret/#enable-rules","title":"Enable Rules","text":"Trivy provides plenty of out-of-the-box rules and allow rules, but you may not need all of them. In that case, enable-builtin-rules is helpful. If you only need AWS secret detection, you can enable just the relevant rules as shown below: the example lists the AWS-related rule IDs in enable-builtin-rules. All other rules are disabled, so scanning is much faster. We strongly recommend this option if you don't need all rules.
You can see a full list of built-in rule IDs and built-in allow rule IDs.
enable-builtin-rules:\n - aws-access-key-id\n - aws-account-id\n - aws-secret-access-key\n
"},{"location":"guide/scanner/secret/#disable-rules","title":"Disable Rules","text":"Trivy offers built-in rules and allow rules, but you may want to disable some of them. For example, if you don't use Slack, there is no need to scan for Slack tokens. You can list the Slack rule IDs, slack-access-token and slack-web-hook, in disable-rules so that those rules are disabled and produce no false positives.
You should specify either enable-builtin-rules or disable-rules. If both are specified, disable-rules takes precedence: if github-pat appears in both enable-builtin-rules and disable-rules, it is disabled.
In addition, there are some allow rules. Markdown files are ignored by default, but you may want to scan markdown files as well. You can disable the allow rule by adding markdown to disable-allow-rules.
You can see a full list of built-in rule IDs and built-in allow rule IDs.
disable-rules:\n - slack-access-token\n - slack-web-hook\ndisable-allow-rules:\n - markdown\n
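The rule, allow-rule and enable/disable semantics described in the Custom Rules, Allow Rules, Enable Rules and Disable Rules sections, modeled in Python as an added example (this is not Trivy's code). The config below is the parsed form of a trivy-secret.yaml built from the snippets above; the built-in rule IDs are real Trivy IDs but their regexes are simplified stand-ins, the sample files are constructed, and the case-insensitive keyword check is an assumption of the model:

```python
"""Illustrative model of how a trivy-secret.yaml is applied to scanned files.

Added example, not Trivy's own code. It implements the documented semantics:
keyword pre-filter, rule regex with secret-group-name, per-rule and global
allow-rules (regex or path), and enable-builtin-rules / disable-rules
precedence. The built-in regexes below are simplified stand-ins for Trivy's
real rules; the file contents are constructed for this example.
"""
import re

# Simplified stand-ins for a few built-in rules (IDs are real, regexes are not Trivy's).
BUILTIN = {
    "aws-access-key-id": {"keywords": ["AKIA"], "regex": r"(?P<secret>AKIA[0-9A-Z]{16})",
                          "secret-group-name": "secret"},
    "github-pat": {"keywords": ["ghp_"], "regex": r"(?P<secret>ghp_[0-9A-Za-z]{36})",
                   "secret-group-name": "secret"},
    "slack-web-hook": {"keywords": ["hooks.slack.com"],
                       "regex": r"https://hooks\.slack\.com/services/[A-Za-z0-9/]+"},
}

# Parsed form of a trivy-secret.yaml, mirroring the examples in this guide.
CONFIG = {
    "rules": [{
        "id": "rule1", "category": "general", "title": "Generic Rule", "severity": "HIGH",
        "keywords": ["secret"],
        "regex": r"""(?i)(?P<key>(secret))(=|:).{0,5}['"](?P<secret>[0-9a-zA-Z\-_=]{8,64})['"]""",
        "secret-group-name": "secret",
        "allow-rules": [{"id": "skip-text", "path": r".*\.txt"}],
    }],
    "allow-rules": [{"id": "social-security-number", "regex": r"219-09-9999"}],
    "enable-builtin-rules": ["aws-access-key-id", "github-pat"],
    "disable-rules": ["github-pat"],  # listed in both: disable-rules wins
}

# Constructed sample files: path -> content.
FILES = {
    "app/run.sh": 'set -e\nexport SECRET="s3cr3tV4lu3xyz"\n',
    "notes.txt": 'secret: "s3cr3tV4lu3xyz"\n',                # allowed by skip-text (path)
    "tests/fixture.sh": 'secret: "219-09-9999"\n',           # allowed by the global regex
    "deploy.sh": 'export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n',
    "ci.sh": 'TOKEN=ghp_' + 'a' * 36 + '\n',                  # github-pat is disabled
}


def active_rules(config, builtin=BUILTIN):
    """Custom rules plus the built-in rules that survive enable/disable filtering."""
    enabled = set(config.get("enable-builtin-rules") or builtin)  # no list = all built-ins
    disabled = set(config.get("disable-rules", []))
    rules = [dict(r, id=rid) for rid, r in builtin.items() if rid in enabled and rid not in disabled]
    return rules + list(config.get("rules", []))


def is_allowed(path, matched, allow_rules):
    """An allow rule matches on the file path or on the matched text (Go-style unanchored search)."""
    for ar in allow_rules:
        if "path" in ar and re.search(ar["path"], path):
            return True
        if "regex" in ar and re.search(ar["regex"], matched):
            return True
    return False


def scan(files, config):
    findings = []
    for path, content in files.items():
        for rule in active_rules(config):
            if "path" in rule and not re.search(rule["path"], path):
                continue
            # Keyword pre-filter: a cheap substring check before the regex runs
            # (modeled as case-insensitive; that is an assumption of this model).
            kws = rule.get("keywords")
            if kws and not any(k.lower() in content.lower() for k in kws):
                continue
            for m in re.finditer(rule["regex"], content):
                group = rule.get("secret-group-name")
                secret = m.group(group) if group else m.group(0)
                if is_allowed(path, m.group(0), rule.get("allow-rules", []) + config.get("allow-rules", [])):
                    continue
                line_no = content.count("\n", 0, m.start()) + 1
                findings.append({"path": path, "rule": rule["id"], "line": line_no,
                                 "match": secret[:4] + "*" * (len(secret) - 4)})
    return findings


if __name__ == "__main__":
    for f in scan(FILES, CONFIG):
        print(f"{f['path']}:{f['line']} {f['rule']} {f['match']}")
```

Running it reports only app/run.sh (rule1) and deploy.sh (aws-access-key-id): the .txt file is dropped by the per-rule path allow rule, the fixture by the global regex allow rule, and the ghp_ token is never examined because github-pat is in disable-rules.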
"},{"location":"guide/scanner/secret/#recommendation","title":"Recommendation","text":"We recommend specifying --skip-dirs for faster secret scanning. In container image scanning, Trivy walks the file tree rooted at / and scans every file other than the built-in allowed paths. This takes a while if your image contains a lot of files, even though Trivy tries to avoid scanning layers from a base image. To make scanning faster, --skip-dirs and --skip-files tell Trivy to skip those directories and files. You can see more options here.
allow-rules is also helpful. See the allow-rules section.
In addition, all the built-in rules are enabled by default, so running all of them takes time. If you don't need all those rules, you can use enable-builtin-rules or disable-rules in the configuration file. Use enable-builtin-rules if you need only a few rules, for example AWS secret detection: every rule except the ones you specify is disabled, so the scan runs very fast. Use disable-rules if you only want to turn off some built-in rules. See the enable-rules and disable-rules sections for details.
If you don't need secret scanning, you can disable it via the --scanners flag.
$ trivy image --scanners vuln alpine:3.15\n
"},{"location":"guide/scanner/secret/#example","title":"Example","text":"trivy-secret.yaml in the working directory is loaded by default.
$ cat trivy-secret.yaml\nrules:\n - id: rule1\n category: general\n title: Generic Rule\n severity: HIGH\n regex: (?i)(?P<key>(secret))(=|:).{0,5}['\"](?P<secret>[0-9a-zA-Z\\-_=]{8,64})['\"]\nallow-rules:\n - id: social-security-number\n description: skip social security number\n regex: 219-09-9999\n - id: log-dir\n description: skip log directory\n path: ^\\/var\\/log\\/\ndisable-rules:\n - slack-access-token\n - slack-web-hook\ndisable-allow-rules:\n - markdown\n\n# The following command automatically loads the above configuration.\n$ trivy image YOUR_IMAGE\n
Also, you can customize the config file path via --secret-config.
$ cat ./secret-config/trivy.yaml\nrules:\n - id: rule1\n category: general\n title: Generic Rule\n severity: HIGH\n regex: (?i)(?P<key>(secret))(=|:).{0,5}['\"](?P<secret>[0-9a-zA-Z\\-_=]{8,64})['\"]\n allow-rules:\n - id: skip-text\n description: skip text files\n path: .*\\.txt\nenable-builtin-rules:\n - aws-access-key-id\n - aws-account-id\n - aws-secret-access-key\ndisable-allow-rules:\n - usr-dirs\n\n# Pass the above config with `--secret-config`.\n$ trivy fs --secret-config ./secret-config/trivy.yaml /path/to/your_project\n
"},{"location":"guide/scanner/secret/#credit","title":"Credit","text":"This feature is inspired by gitleaks.
"},{"location":"guide/scanner/vulnerability/","title":"Vulnerability Scanning","text":"Trivy detects known vulnerabilities in software components that it finds in the scan target.
The following are supported:
- OS packages
- Language-specific packages
- Non-packaged software
- Kubernetes components
"},{"location":"guide/scanner/vulnerability/#os-packages","title":"OS Packages","text":"Trivy is capable of automatically detecting installed OS packages when scanning container images, VM images and running hosts.
Note
Trivy supports only official packages provided by the OS vendor, such as Red Hat and Debian; third-party or self-compiled packages and binaries are not covered.
"},{"location":"guide/scanner/vulnerability/#supported-os","title":"Supported OS","text":"See here for the supported OSes.
"},{"location":"guide/scanner/vulnerability/#data-sources","title":"Data Sources","text":"OS | Source\n--- | ---\nArch Linux | Vulnerable Issues\nAlpine Linux | secdb\nWolfi Linux | secdb\nChainguard | secdb\nMinimOS | secdb\nAmazon Linux | Amazon Linux Security Center\nEcho | Echo\nDebian | Security Bug Tracker / OVAL\nUbuntu | Ubuntu CVE Tracker\nRHEL/CentOS | OVAL / Security Data\nAlmaLinux | AlmaLinux Product Errata\nRocky Linux | Rocky Linux UpdateInfo\nOracle Linux | OVAL\nAzure Linux (CBL-Mariner) | OVAL\nOpenSUSE/SLES | CVRF\nPhoton OS | Photon Security Advisory\nRoot.io | Root.io Patch Feed\nSeal Security | Seal Security vulnerability feed\n"},{"location":"guide/scanner/vulnerability/#data-source-selection","title":"Data Source Selection","text":"Trivy only consumes security advisories from the sources listed in the above table.
As for packages installed from OS package managers (dpkg, yum, apk, etc.), Trivy uses the advisory database from the appropriate OS vendor.
For example, for a Python package installed from yum on Amazon Linux, Trivy only uses advisories from ALAS. For a Python package installed from another source (e.g. pip), Trivy uses advisories from the GitLab and GitHub databases.
This advisory selection is essential to avoid getting false positives because OS vendors usually backport upstream fixes, and the fixed version can be different from the upstream fixed version.
"},{"location":"guide/scanner/vulnerability/#severity-selection","title":"Severity Selection","text":"The severity is taken from the selected data source since the severity from vendors is more accurate. Using CVE-2023-0464 as an example, while it is rated as \"HIGH\" in NVD, Red Hat has marked its 'Impact' as \"Low\". As a result, Trivy will display it as \"Low\".
The effective severity depends on compile options, the default configuration, and so on. NVD doesn't know how each vendor builds and distributes the software, while Red Hat evaluates the severity of its own packages. That's why Trivy prefers vendor scores over NVD.
If the data source does not provide a severity, the severity is determined based on the CVSS score as follows:
Base Score Range | Severity\n--- | ---\n0.1-3.9 | Low\n4.0-6.9 | Medium\n7.0-8.9 | High\n9.0-10.0 | Critical\nIf the CVSS score is also not provided, it falls back to NVD.
NVD and some vendors may delay severity analysis, while other vendors, such as Red Hat, are able to quickly evaluate and announce the severity of vulnerabilities. To avoid marking too many vulnerabilities as \"UNKNOWN\" severity, Trivy uses severity ratings from other vendors when the NVD information is not yet available. The order of preference for vendor severity data can be found here.
You can reference SeveritySource in the JSON reporting format to see from where the severity is taken for a given vulnerability.
\"SeveritySource\": \"debian\",\n
In addition, you can see all the vendor severity ratings.
\"VendorSeverity\": {\n \"amazon\": 2,\n \"cbl-mariner\": 4,\n \"ghsa\": 4,\n \"nvd\": 4,\n \"photon\": 4,\n \"redhat\": 2,\n \"ubuntu\": 2\n}\n
Here is the severity mapping in Trivy:
Number | Severity\n--- | ---\n0 | Unknown\n1 | Low\n2 | Medium\n3 | High\n4 | Critical\nIf no vendor has a severity, the UNKNOWN severity will be used.
"},{"location":"guide/scanner/vulnerability/#unfixed-vulnerabilities","title":"Unfixed Vulnerabilities","text":"Unfixed (unfixable) vulnerabilities are those for which the distribution has not yet provided a patched package. To hide them, use the --ignore-unfixed flag.
"},{"location":"guide/scanner/vulnerability/#language-specific-packages","title":"Language-specific Packages","text":""},{"location":"guide/scanner/vulnerability/#supported-languages","title":"Supported Languages","text":"See here for the supported languages.
"},{"location":"guide/scanner/vulnerability/#langpkg-data-sources","title":"Data Sources","text":"Language | Source | Commercial Use | Delay1\n--- | --- | --- | ---\nPHP | PHP Security Advisories Database | \u2705 | -\nPHP | GitHub Advisory Database (Composer) | \u2705 | -\nPython | GitHub Advisory Database (pip) | \u2705 | -\nRuby | Ruby Advisory Database | \u2705 | -\nRuby | GitHub Advisory Database (RubyGems) | \u2705 | -\nNode.js | Ecosystem Security Working Group | \u2705 | -\nNode.js | GitHub Advisory Database (npm) | \u2705 | -\nJava | GitHub Advisory Database (Maven) | \u2705 | -\nGo | GitHub Advisory Database (Go) | \u2705 | -\nGo | Go Vulnerability Database | \u2705 | -\nRust | Open Source Vulnerabilities (crates.io) | \u2705 | -\n.NET | GitHub Advisory Database (NuGet) | \u2705 | -\nC/C++ | GitLab Advisories Community | \u2705 | 1 month\nDart | GitHub Advisory Database (Pub) | \u2705 | -\nElixir | GitHub Advisory Database (Erlang) | \u2705 | -\nSwift | GitHub Advisory Database (Swift) | \u2705 | -\n"},{"location":"guide/scanner/vulnerability/#non-packaged-software","title":"Non-packaged software","text":"If you have software that is not managed by a package manager, Trivy can still detect vulnerabilities in it in some cases:
- Using SBOM from Sigstore Rekor
- Go Binaries with embedded module information
- Rust Binaries with embedded information
- SBOM embedded in container images
"},{"location":"guide/scanner/vulnerability/#detection-behavior","title":"Detection Behavior","text":"Trivy prioritizes precision in vulnerability detection, aiming to minimize false positives while potentially accepting some false negatives. This approach is particularly relevant in two key areas:
- Handling Software Installed via OS Packages
- Handling Packages with Unspecified Versions
Trivy can also detect only specific packages:
- Subset of Package Types
- Specific package Relationship
"},{"location":"guide/scanner/vulnerability/#handling-software-installed-via-os-packages","title":"Handling Software Installed via OS Packages","text":"For files installed by OS package managers such as apt, Trivy exclusively uses advisories from the OS vendor. This means that even if a JAR file is present in a container image, if it was installed via an OS package manager (e.g. apt), Trivy does not analyze the JAR file itself or apply upstream security advisories to it.
For example, consider the Python requests package in Red Hat Universal Base Image 8:
[root@987ee49dc93d /]# head -n 3 /usr/lib/python3.6/site-packages/requests-2.20.0-py3.6.egg-info/PKG-INFO\nMetadata-Version: 2.1\nName: requests\nVersion: 2.20.0\n
Version 2.20.0 is installed, and the file belongs to an RPM package installed by dnf:
[root@987ee49dc93d /]# rpm -ql python3-requests | grep PKG-INFO\n/usr/lib/python3.6/site-packages/requests-2.20.0-py3.6.egg-info/PKG-INFO\n
At first glance, this might seem vulnerable to CVE-2023-32681, which affects versions of requests prior to v2.31.0. However, Red Hat backported the fix to v2.20.0-3 in RHSA-2023:4520, and the package is not vulnerable.
- Upstream (PyPI requests): Fixed in v2.31.0
- Red Hat (python-requests): Backported fix applied in v2.20.0-3 (RHSA-2023:4520)
If Trivy were to detect CVE-2023-32681 in this case, it would be a false positive. This illustrates why using the correct security advisory is crucial to avoid false detections. To minimize false positives, Trivy trusts the OS vendor's advisory for software installed via OS package managers and does not use upstream advisories for these packages.
However, this approach may lead to false negatives if the OS vendor's advisories are delayed or missing. In such cases, using --detection-priority comprehensive allows Trivy to consider upstream advisories (e.g., GitHub Advisory Database), potentially increasing false positives but reducing false negatives.
"},{"location":"guide/scanner/vulnerability/#handling-packages-with-unspecified-versions","title":"Handling Packages with Unspecified Versions","text":"When a package version cannot be uniquely determined (e.g., package-a: \">=3.0\"), Trivy typically skips vulnerability detection for that package to avoid false positives. If a lock file is present with fixed versions, Trivy will use those for detection.
To detect potential vulnerabilities even with unspecified versions, use --detection-priority comprehensive. This option makes Trivy use the minimum version in the specified range for vulnerability detection. While this may increase false positives if the actual version used is not the minimum, it helps reduce false negatives.
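The behaviour described above for packages with unspecified versions, modeled in Python as an added example (this is not Trivy's code). The constraint grammar, the lock-file shape and the advisory are constructed for the example, and treating ">X" and "*" as having no usable minimum is an assumption of the model; what it reproduces from the text is that precise skips such packages, comprehensive evaluates the bottom of the range, and a lock-file pin is used in both modes:

```python
"""Illustrative model of how --detection-priority handles a package whose
version is only constrained, e.g. package-a: ">=3.0".

Added example, not Trivy's own code. The constraint grammar (>=, ^, ~, exact,
comma-separated parts), the lock file shape and the advisory below are
simplifications constructed for this example. Documented behaviour modeled:
precise skips such packages, comprehensive uses the minimum version of the
range, and a fixed version from a lock file is used in both modes. Treating
">X" and "*" as having no usable minimum is an assumption of this model.
"""
import re

# Constructed advisory: package-a is affected below 3.2.0.
AFFECTED = {"package-a": "<3.2.0"}

# Constructed manifest with version constraints, and a lock file with pinned versions.
MANIFEST = {"package-a": ">=3.0", "package-b": ">3.0", "package-c": "*"}
LOCKFILE = {"package-a": "3.2.0"}


def parse_version(text):
    """Turn "3.1.4" into (3, 1, 4) so that tuples compare numerically."""
    return tuple(int(part) for part in text.split("."))


def minimum_version(spec):
    """Lowest version satisfying a constraint, or None when it has no usable lower bound."""
    lows = []
    for part in spec.split(","):
        m = re.fullmatch(r"(>=|\^|~|==|=)?\s*(\d+(?:\.\d+)*)", part.strip())
        if m:  # ">=X", "^X", "~X" and exact pins all admit X itself
            lows.append(parse_version(m.group(2)))
        # ">X", "<X", "<=X", "!=X" and "*" contribute no minimum
    return max(lows) if lows else None


def resolve_version(pkg, spec, lockfile, priority):
    """Version Trivy would evaluate for pkg, or None to skip the package."""
    if pkg in lockfile:                  # a lock file pin is used in both modes
        return lockfile[pkg]
    if priority == "comprehensive":      # fall back to the bottom of the range
        low = minimum_version(spec)
        return ".".join(map(str, low)) if low else None
    return None                          # precise: no unique version, skip to avoid false positives


def is_affected(version, affected_spec):
    """Only "<X" advisories are modeled; anything else is treated as not matching."""
    m = re.fullmatch(r"<\s*(\d+(?:\.\d+)*)", affected_spec)
    return bool(m) and parse_version(version) < parse_version(m.group(1))


def detect(manifest, lockfile, priority):
    """Return (package, evaluated version) pairs that match the constructed advisory."""
    hits = []
    for pkg, spec in manifest.items():
        version = resolve_version(pkg, spec, lockfile, priority)
        if version is not None and pkg in AFFECTED and is_affected(version, AFFECTED[pkg]):
            hits.append((pkg, version))
    return hits


if __name__ == "__main__":
    print("precise, no lock:      ", detect(MANIFEST, {}, "precise"))
    print("comprehensive, no lock:", detect(MANIFEST, {}, "comprehensive"))
    print("comprehensive, locked: ", detect(MANIFEST, LOCKFILE, "comprehensive"))
```

With no lock file, precise reports nothing, while comprehensive evaluates package-a at 3.0 and flags it; once the lock file pins package-a to 3.2.0, both modes agree it is not affected. package-b (">3.0") and package-c ("*") are skipped in every mode because no minimum can be derived.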
"},{"location":"guide/scanner/vulnerability/#package-detection","title":"Package Detection","text":"Vulnerability detection is based on package detection. This section describes the specifics of package detection, which also affect SBOM generation.
"},{"location":"guide/scanner/vulnerability/#detection-priority","title":"Detection Priority","text":"Trivy provides a --detection-priority flag to control the balance between false positives and false negatives in package/vulnerability detection. This concept is similar to the relationship between precision and recall in machine learning evaluation.
$ trivy image --detection-priority {precise|comprehensive} alpine:3.15\n
- precise: This mode prioritizes reducing false positives. It results in less noisy vulnerability reports but may miss some potential vulnerabilities.
- comprehensive: This mode aims to detect more vulnerabilities, potentially including some false positives. It provides broader coverage but may increase the noise in the results.
The default value is precise. Also refer to the detection behavior section for more information.
Regardless of the chosen mode, user review of detected vulnerabilities is crucial:
- precise: Review thoroughly, considering potential missed vulnerabilities.
- comprehensive: Carefully investigate each reported vulnerability, since false positives are more likely.
"},{"location":"guide/scanner/vulnerability/#enabling-a-subset-of-package-types","title":"Enabling a Subset of Package Types","text":"It's possible to only enable certain package types if you prefer. You can do so by passing the --pkg-types option. This flag takes a comma-separated list of package types.
Available values:
- os: Scan OS packages managed by the OS package manager (e.g. dpkg, yum, apk).
- library: Scan language-specific packages (e.g. packages installed by pip, npm, or gem).
$ trivy image --pkg-types os ruby:2.4.0\n
Result 2019-05-22T19:36:50.530+0200 \u001b[34mINFO\u001b[0m Updating vulnerability database...\n2019-05-22T19:36:51.681+0200 \u001b[34mINFO\u001b[0m Detecting Alpine vulnerabilities...\n2019-05-22T19:36:51.685+0200 \u001b[34mINFO\u001b[0m Updating npm Security DB...\n2019-05-22T19:36:52.389+0200 \u001b[34mINFO\u001b[0m Detecting npm vulnerabilities...\n2019-05-22T19:36:52.390+0200 \u001b[34mINFO\u001b[0m Updating pipenv Security DB...\n2019-05-22T19:36:53.406+0200 \u001b[34mINFO\u001b[0m Detecting pipenv vulnerabilities...\n\nruby:2.4.0 (debian 8.7)\n=======================\nTotal: 7 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 3, CRITICAL: 2)\n\n+---------+------------------+----------+-------------------+---------------+----------------------------------+\n| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |\n+---------+------------------+----------+-------------------+---------------+----------------------------------+\n| curl | CVE-2018-14618 | CRITICAL | 7.61.0-r0 | 7.61.1-r0 | curl: NTLM password overflow |\n| | | | | | via integer overflow |\n+ +------------------+----------+ +---------------+----------------------------------+\n| | CVE-2018-16839 | HIGH | | 7.61.1-r1 | curl: Integer overflow leading |\n| | | | | | to heap-based buffer overflow in |\n| | | | | | Curl_sasl_create_plain_message() |\n+---------+------------------+----------+-------------------+---------------+----------------------------------+\n| git | CVE-2018-17456 | HIGH | 2.15.2-r0 | 2.15.3-r0 | git: arbitrary code execution |\n| | | | | | via .gitmodules |\n+ +------------------+ + + +----------------------------------+\n| | CVE-2018-19486 | | | | git: Improper handling of |\n| | | | | | PATH allows for commands to be |\n| | | | | | executed from... 
|\n+---------+------------------+----------+-------------------+---------------+----------------------------------+\n| libssh2 | CVE-2019-3855 | CRITICAL | 1.8.0-r2 | 1.8.1-r0 | libssh2: Integer overflow in |\n| | | | | | transport read resulting in |\n| | | | | | out of bounds write... |\n+---------+------------------+----------+-------------------+---------------+----------------------------------+\n| sqlite | CVE-2018-20346 | MEDIUM | 3.21.0-r1 | 3.25.3-r0 | CVE-2018-20505 CVE-2018-20506 |\n| | | | | | sqlite: Multiple flaws in |\n| | | | | | sqlite which can be triggered |\n| | | | | | via... |\n+---------+------------------+----------+-------------------+---------------+----------------------------------+\n| tar | CVE-2018-20482 | LOW | 1.29-r1 | 1.31-r0 | tar: Infinite read loop in |\n| | | | | | sparse_dump_region function in |\n| | | | | | sparse.c |\n+---------+------------------+----------+-------------------+---------------+----------------------------------+\n
Info
This flag filters the packages themselves, so it also affects the list of detected packages in JSON reports and SBOM generation.
"},{"location":"guide/scanner/vulnerability/#filtering-by-package-relationships","title":"Filtering by Package Relationships","text":"Trivy supports filtering vulnerabilities based on the relationship of packages within a project. This is achieved through the --pkg-relationships flag. This feature allows you to focus on vulnerabilities in specific types of dependencies, such as only those in direct dependencies.
In Trivy, there are five types of package relationships:
- root: The root package being scanned
- workspace: Workspaces of the root package (currently only pom.xml, yarn.lock and Cargo.lock files are supported)
- direct: Direct dependencies of the root/workspace package
- indirect: Transitive dependencies
- unknown: Packages whose relationship cannot be determined
The available relationships may vary depending on the ecosystem. To see which relationships are supported for a particular project, you can use the JSON output format and check the Relationship field:
$ trivy repo -f json /path/to/project\n
To scan only the root package and its direct dependencies, you can use the flag as follows:
$ trivy repo --pkg-relationships root,direct /path/to/project\n
By default, all relationships are included in the scan.
Info
This flag filters the packages themselves, so it also affects the list of detected packages in JSON reports and SBOM generation.
Warning
As it may not provide a complete package list, --pkg-relationships cannot be used with --dependency-tree, --vex or SBOM generation.
"},{"location":"guide/scanner/vulnerability/#kubernetes","title":"Kubernetes","text":"Trivy can detect vulnerabilities in Kubernetes clusters and components by scanning a Kubernetes Cluster, or a KBOM (Kubernetes bill of Material). To learn more, see the documentation for Kubernetes scanning.
"},{"location":"guide/scanner/vulnerability/#data-sources_1","title":"Data Sources","text":"Vendor | Source\n--- | ---\nKubernetes | Kubernetes Official CVE feed1\n"},{"location":"guide/scanner/vulnerability/#databases","title":"Databases","text":"The information from the above sources is collected and stored in databases that Trivy uses for vulnerability scanning. Trivy automatically fetches, maintains, and caches the relevant databases when performing a vulnerability scan. For more information about Trivy's database mechanism and configuration, refer to the Databases document.
"},{"location":"guide/scanner/vulnerability/#configuration","title":"Configuration","text":"This section describes vulnerability-specific configuration. Other common options are documented here.
"},{"location":"guide/scanner/vulnerability/#overriding-os-version","title":"Overriding OS version","text":"By default, Trivy automatically detects the OS during container image scanning and performs vulnerability detection based on that OS. However, in some cases, you may want to scan an image with a different OS version than the one detected. Also, you may want to specify the OS version when OS is not detected. For these cases, Trivy supports a --distro flag using the <family>/<version> format (e.g. alpine/3.20) to set the desired OS version.
"},{"location":"guide/scanner/vulnerability/#severity-selection_1","title":"Severity selection","text":"By default, Trivy automatically detects severity (as described here). But there are cases when you may want to use your own source priority. Trivy supports the --vuln-severity-source flag for this.
List the sources you want, and Trivy checks them in that order until it finds a severity. If none of the listed sources has a severity, Trivy uses the UNKNOWN severity.
Note
To use the default logic in combination with your sources - use the auto value.
Example logic for the following vendor severity levels when scanning an Alpine image:
\"VendorSeverity\": {\n \"ghsa\": 3,\n \"nvd\": 4\n}\n
- --vuln-severity-source auto,nvd - severity is CRITICAL, taken from auto (alpine provides no rating here, so the default logic falls back to nvd).
- --vuln-severity-source alpine,auto - severity is CRITICAL, taken from auto (alpine has no rating, so auto falls back to nvd).
- --vuln-severity-source alpine,ghsa - severity is HIGH, taken from ghsa.
- --vuln-severity-source alpine,alma - severity is UNKNOWN, because neither source has a rating.
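The severity selection described in the Severity Selection sections (vendor rating preferred over NVD, the CVSS fallback table, the 0-4 numbering, and the --vuln-severity-source ordering with auto), modeled in Python as an added example (this is not Trivy's code). The VendorSeverity values are the ones shown in this guide; the exact vendor preference order behind auto lives in Trivy's source and is not on this page, so modeling auto as "OS data source, then CVSS score, then nvd" is an assumption of this model:

```python
"""Illustrative model of Trivy's severity selection as documented in this guide.

Added example, not Trivy's own code. It covers the vendor severity numbering
(0 Unknown .. 4 Critical), the CVSS base-score fallback table, and the
--vuln-severity-source ordering including the special value "auto". The vendor
preference order behind "auto" lives in Trivy's source and is not on this page;
here "auto" is modeled as: the scan target's own OS data source, then the CVSS
fallback, then nvd. That ordering is an assumption of this model.
"""

SEVERITY_NAMES = {0: "UNKNOWN", 1: "LOW", 2: "MEDIUM", 3: "HIGH", 4: "CRITICAL"}

# VendorSeverity blocks as they appear in Trivy JSON output (values taken from this guide).
ALPINE_EXAMPLE = {"ghsa": 3, "nvd": 4}
MULTI_VENDOR_EXAMPLE = {"amazon": 2, "cbl-mariner": 4, "ghsa": 4, "nvd": 4,
                        "photon": 4, "redhat": 2, "ubuntu": 2}


def severity_from_cvss(score):
    """Map a CVSS base score to a severity name using the table in this guide."""
    if score is None:
        return None
    if 0.1 <= score <= 3.9:
        return "LOW"
    if 4.0 <= score <= 6.9:
        return "MEDIUM"
    if 7.0 <= score <= 8.9:
        return "HIGH"
    if 9.0 <= score <= 10.0:
        return "CRITICAL"
    return None  # 0.0 or an out-of-range value is not covered by the table


def auto_severity(vendor_severity, os_source, cvss_score=None):
    """Default logic (assumed order): OS vendor rating, then CVSS score, then nvd."""
    if os_source in vendor_severity:
        return SEVERITY_NAMES[vendor_severity[os_source]], os_source
    by_cvss = severity_from_cvss(cvss_score)
    if by_cvss:
        return by_cvss, "cvss"
    if "nvd" in vendor_severity:
        return SEVERITY_NAMES[vendor_severity["nvd"]], "nvd"
    return None, None


def select_severity(vendor_severity, sources, os_source, cvss_score=None):
    """Walk --vuln-severity-source entries in order and return (severity, origin).

    origin is the source that supplied the rating ("auto:<resolved source>" when
    the default logic was used), or None when every listed source was exhausted.
    """
    for src in sources:
        if src == "auto":
            sev, origin = auto_severity(vendor_severity, os_source, cvss_score)
            if sev:
                return sev, f"auto:{origin}"
        elif src in vendor_severity:
            return SEVERITY_NAMES[vendor_severity[src]], src
    return "UNKNOWN", None


if __name__ == "__main__":
    for flag in (["auto", "nvd"], ["alpine", "auto"], ["alpine", "ghsa"], ["alpine", "alma"]):
        sev, origin = select_severity(ALPINE_EXAMPLE, flag, os_source="alpine")
        print(f"--vuln-severity-source {','.join(flag)} -> {sev} (from {origin})")
    # Vendor rating preferred over NVD: redhat=2 (MEDIUM) wins although nvd=4 (CRITICAL).
    print(select_severity(MULTI_VENDOR_EXAMPLE, ["auto"], os_source="redhat"))
```

The four Alpine cases reproduce the results listed above, and the multi-vendor block shows why a Red Hat image reports MEDIUM where NVD says CRITICAL: the OS vendor's rating is consulted first.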
- https://github.com/GoogleContainerTools/distroless
"},{"location":"guide/scanner/misconfiguration/","title":"Misconfiguration Scanning","text":"Trivy provides built-in checks to detect configuration issues in popular Infrastructure as Code files, such as: Docker, Kubernetes, Terraform, CloudFormation, and more. In addition to built-in checks, you can write your own custom checks, as you can see here.
"},{"location":"guide/scanner/misconfiguration/#quick-start","title":"Quick start","text":"Simply specify a directory containing IaC files such as Terraform, CloudFormation, Azure ARM templates, Helm Charts and Dockerfile.
$ trivy config [YOUR_IaC_DIRECTORY]\n
Example
$ ls build/\nDockerfile\n$ trivy config ./build\n2022-05-16T13:29:29.952+0100 INFO Detected config files: 1\n\nDockerfile (dockerfile)\n=======================\nTests: 23 (SUCCESSES: 22, FAILURES: 1)\nFailures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)\n\nMEDIUM: Specify a tag in the 'FROM' statement for image 'alpine'\n\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\nWhen using a 'FROM' statement you should use a specific tag to avoid uncontrolled behavior when the image is updated.\n\nSee 
https://avd.aquasec.com/misconfig/ds001\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\nDockerfile:1\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n1 [ FROM 
alpine:latest\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n
You can also enable misconfiguration detection in container image, filesystem and git repository scanning via --scanners misconfig.
$ trivy image --scanners misconfig IMAGE_NAME\n
$ trivy fs --scanners misconfig /path/to/dir\n
Note
Misconfiguration detection is not enabled by default in image, fs and repo subcommands.
Unlike the config subcommand, the image, fs and repo subcommands can also scan for vulnerabilities and secrets at the same time. You can specify --scanners vuln,misconfig,secret to enable vulnerability and secret detection as well as misconfiguration detection.
Example
$ ls myapp/
Dockerfile Pipfile.lock
$ trivy fs --scanners vuln,misconfig,secret --severity HIGH,CRITICAL myapp/
2022-05-16T13:42:21.440+0100 INFO Number of language-specific files: 1
2022-05-16T13:42:21.440+0100 INFO Detecting pipenv vulnerabilities...
2022-05-16T13:42:21.440+0100 INFO Detected config files: 1

Pipfile.lock (pipenv)
=====================
Total: 1 (HIGH: 1, CRITICAL: 0)

┌──────────┬────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│ Library  │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │ Title                                                      │
├──────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ httplib2 │ CVE-2021-21240 │ HIGH     │ 0.12.1            │ 0.19.0        │ python-httplib2: Regular expression denial of service via  │
│          │                │          │                   │               │ malicious header                                           │
│          │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-21240                 │
└──────────┴────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

Dockerfile (dockerfile)
=======================
Tests: 17 (SUCCESSES: 16, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Last USER command in Dockerfile should not be 'root'
════════════════════════════════════════════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────────────────────────────────────────────
 Dockerfile:3
────────────────────────────────────────────────────────────────────────────────
   3 [ USER root
────────────────────────────────────────────────────────────────────────────────
In the example above, a single run of Trivy reported a vulnerability in a Python dependency (from Pipfile.lock) and a misconfiguration in the Dockerfile; the --severity filter applies to both kinds of finding.
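A combined scan like the one above is most useful when something acts on its result. The following script is an added example for this page, not code from Trivy itself: it reads the JSON report that `trivy fs --scanners vuln,misconfig,secret --format json myapp/` writes, flattens vulnerabilities, failed checks and secrets into one list, applies the same floor as `--severity HIGH,CRITICAL` in code, and returns a non-zero exit code for CI. It also counts findings per detected config type, which is how you can see what Trivy's type detection picked up in a mixed IaC directory. The JSON field names (Results, Class, Type, Vulnerabilities, Misconfigurations, Secrets, CauseMetadata, ...) follow Trivy's report schema as the author of this example understands it and should be treated as an assumption; the embedded report is constructed from the findings shown on this page plus one invented secret hit.

```python
"""CI gate over a combined Trivy report (vuln + misconfig + secret).

Added example, not part of Trivy. Field names follow Trivy's JSON report
schema as understood by the author of this example (assumption); the sample
report below is constructed, not captured from a real scan.
"""
import json
import sys
from collections import defaultdict

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def _failed_check(check_id, severity, title, start, end):
    """Compact builder for one failed check in the (assumed) Trivy shape."""
    return {"ID": check_id, "Severity": severity, "Status": "FAIL", "Title": title,
            "CauseMetadata": {"StartLine": start, "EndLine": end}}


# Constructed sample: the myapp/ and iac/ findings shown on this page, plus an
# invented .env secret hit so that all three scanners are represented.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2, "ArtifactName": "myapp/", "ArtifactType": "filesystem",
    "Results": [
        {"Target": "Pipfile.lock", "Class": "lang-pkgs", "Type": "pipenv",
         "Vulnerabilities": [{"VulnerabilityID": "CVE-2021-21240", "PkgName": "httplib2",
                              "InstalledVersion": "0.12.1", "FixedVersion": "0.19.0",
                              "Severity": "HIGH", "Title": "python-httplib2: ReDoS via header"}]},
        {"Target": "Dockerfile", "Class": "config", "Type": "dockerfile",
         "Misconfigurations": [_failed_check("DS002", "HIGH", "Last USER should not be root", 3, 3)]},
        {"Target": "deployment.yaml", "Class": "config", "Type": "kubernetes",
         "Misconfigurations": [
             _failed_check("KSV001", "MEDIUM", "allowPrivilegeEscalation not false", 16, 19),
             _failed_check("KSV006", "HIGH", "docker.sock mounted via hostPath", 6, 29),
             _failed_check("KSV012", "MEDIUM", "runAsNonRoot not true", 16, 19),
             _failed_check("KSV023", "MEDIUM", "hostPath volume set", 6, 29),
             _failed_check("KSV026", "MEDIUM", "sysctl outside allowed values", 6, 29)]},
        {"Target": ".env", "Class": "secret",  # invented finding, not from the page
         "Secrets": [{"RuleID": "aws-access-key-id", "Category": "AWS", "Severity": "CRITICAL",
                      "Title": "AWS Access Key ID", "StartLine": 2, "EndLine": 2}]},
    ],
})


def load_findings(report_json):
    """Flatten a report into uniform records: one per vuln, failed check or secret.

    Each record keeps the scanner name and the detected package/config type so a
    single severity rule covers all scanners and a summary can show which IaC
    types were detected in a mixed directory.
    """
    findings = []
    for result in json.loads(report_json).get("Results", []):
        target = result.get("Target")
        kind = result.get("Type") or result.get("Class")  # secrets carry no Type (assumption)
        for v in result.get("Vulnerabilities") or []:
            findings.append({"scanner": "vuln", "target": target, "type": kind,
                             "id": v["VulnerabilityID"], "severity": v.get("Severity", "UNKNOWN"),
                             "detail": f"{v['PkgName']} {v['InstalledVersion']} "
                                       f"(fixed: {v.get('FixedVersion') or 'none'})"})
        for m in result.get("Misconfigurations") or []:
            if m.get("Status") != "FAIL":  # PASS entries only appear with --include-non-failures
                continue
            loc = m.get("CauseMetadata", {})
            findings.append({"scanner": "misconfig", "target": target, "type": kind,
                             "id": m["ID"], "severity": m.get("Severity", "UNKNOWN"),
                             "detail": f"{m.get('Title')} [{loc.get('StartLine')}-{loc.get('EndLine')}]"})
        for s in result.get("Secrets") or []:
            findings.append({"scanner": "secret", "target": target, "type": kind,
                             "id": s["RuleID"], "severity": s.get("Severity", "UNKNOWN"),
                             "detail": f"{s.get('Title')} [line {s.get('StartLine')}]"})
    return findings


def filter_by_severity(findings, minimum="HIGH"):
    """Keep findings at or above `minimum`, the same floor as --severity HIGH,CRITICAL."""
    floor = SEVERITY_RANK[minimum]
    return [f for f in findings if SEVERITY_RANK.get(f["severity"], 0) >= floor]


def summarize(findings):
    """Count findings per (scanner, detected type), e.g. ('misconfig', 'kubernetes')."""
    counts = defaultdict(int)
    for f in findings:
        counts[(f["scanner"], f["type"])] += 1
    return dict(counts)


def gate(report_json, minimum="HIGH"):
    """Return (exit_code, blocking_findings); exit code 1 when anything meets the floor."""
    blocking = filter_by_severity(load_findings(report_json), minimum)
    return (1 if blocking else 0), blocking


if __name__ == "__main__":
    # Usage: trivy fs --scanners vuln,misconfig,secret --format json myapp/ > report.json
    #        python gate.py report.json   (no argument: runs on the constructed sample)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    code, hits = gate(data)
    for f in hits:
        print(f"{f['severity']:<8} {f['scanner']:<9} {f['target']}: {f['id']} {f['detail']}")
    sys.exit(code)
```

Trivy can already fail a run with --exit-code and filter with --severity; doing the filtering in a script instead is worth it when the gate needs policy that the CLI flags do not express, for example a stricter floor for secrets than for misconfigurations, or a per-target allowlist. The only Trivy-specific knowledge is in `load_findings`; everything downstream works on the flattened records.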
Type detection
The specified directory can contain mixed types of IaC files. Trivy automatically detects config types and applies relevant checks.
For example, the following directory holds IaC files for Terraform, CloudFormation, Kubernetes, Helm Charts, and Dockerfile side by side, and one trivy config run scans all of them.
$ ls iac/
Dockerfile deployment.yaml main.tf mysql-8.8.26.tar
$ trivy config --severity HIGH,CRITICAL ./iac
Result
2022-06-06T11:01:21.142+0100 INFO Detected config files: 8

Dockerfile (dockerfile)

Tests: 21 (SUCCESSES: 20, FAILURES: 1)
Failures: 1 (MEDIUM: 0, HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────────────────────────────────────────────


deployment.yaml (kubernetes)

Tests: 20 (SUCCESSES: 15, FAILURES: 5)
Failures: 5 (MEDIUM: 4, HIGH: 1, CRITICAL: 0)

MEDIUM: Container 'hello-kubernetes' of Deployment 'hello-kubernetes' should set 'securityContext.allowPrivilegeEscalation' to false
════════════════════════════════════════════════════════════════════════════════
A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.

See https://avd.aquasec.com/misconfig/ksv001
────────────────────────────────────────────────────────────────────────────────
 deployment.yaml:16-19
────────────────────────────────────────────────────────────────────────────────
  16 ┌   - name: hello-kubernetes
  17 │     image: hello-kubernetes:1.5
  18 │     ports:
  19 └       - containerPort: 8080
────────────────────────────────────────────────────────────────────────────────


HIGH: Deployment 'hello-kubernetes' should not specify '/var/run/docker.socker' in 'spec.template.volumes.hostPath.path'
════════════════════════════════════════════════════════════════════════════════
Mounting docker.sock from the host can give the container full root access to the host.

See https://avd.aquasec.com/misconfig/ksv006
────────────────────────────────────────────────────────────────────────────────
 deployment.yaml:6-29
────────────────────────────────────────────────────────────────────────────────
   6 ┌   replicas: 3
   7 │   selector:
   8 │     matchLabels:
   9 │       app: hello-kubernetes
  10 │   template:
  11 │     metadata:
  12 │       labels:
  13 │         app: hello-kubernetes
  14 └   spec:
  ..
────────────────────────────────────────────────────────────────────────────────


MEDIUM: Container 'hello-kubernetes' of Deployment 'hello-kubernetes' should set 'securityContext.runAsNonRoot' to true
════════════════════════════════════════════════════════════════════════════════
'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.

See https://avd.aquasec.com/misconfig/ksv012
────────────────────────────────────────────────────────────────────────────────
 deployment.yaml:16-19
────────────────────────────────────────────────────────────────────────────────
  16 ┌   - name: hello-kubernetes
  17 │     image: hello-kubernetes:1.5
  18 │     ports:
  19 └       - containerPort: 8080
────────────────────────────────────────────────────────────────────────────────


MEDIUM: Deployment 'hello-kubernetes' should not set 'spec.template.volumes.hostPath'
════════════════════════════════════════════════════════════════════════════════
HostPath volumes must be forbidden.

See https://avd.aquasec.com/misconfig/ksv023
────────────────────────────────────────────────────────────────────────────────
 deployment.yaml:6-29
────────────────────────────────────────────────────────────────────────────────
   6 ┌   replicas: 3
   7 │   selector:
   8 │     matchLabels:
   9 │       app: hello-kubernetes
  10 │   template:
  11 │     metadata:
  12 │       labels:
  13 │         app: hello-kubernetes
  14 └   spec:
  ..
────────────────────────────────────────────────────────────────────────────────


MEDIUM: Deployment 'hello-kubernetes' should set 'securityContext.sysctl' to the allowed values
════════════════════════════════════════════════════════════════════════════════
Sysctls can disable security mechanisms or affect all containers on a host, and should be disallowed except for an allowed 'safe' subset. A sysctl is considered safe if it is namespaced in the container or the Pod, and it is isolated from other Pods or processes on the same Node.

See https://avd.aquasec.com/misconfig/ksv026
────────────────────────────────────────────────────────────────────────────────
 deployment.yaml:6-29
────────────────────────────────────────────────────────────────────────────────
   6 ┌   replicas: 3
   7 │   selector:
   8 │     matchLabels:
   9 │       app: hello-kubernetes
  10 │   template:
  11 │     metadata:
  12 │       labels:
  13 │         app: hello-kubernetes
  14 └   spec:
  ..
────────────────────────────────────────────────────────────────────────────────



mysql-8.8.26.tar:templates/primary/statefulset.yaml (helm)

Tests: 20 (SUCCESSES: 18, FAILURES: 2)
Failures: 2 (MEDIUM: 2, HIGH: 0, CRITICAL: 0)

MEDIUM: Container 'mysql' of StatefulSet 'mysql' should set 'securityContext.allowPrivilegeEscalation' to
false\n\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\nA program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.\n\nSee 
https://avd.aquasec.com/misconfig/ksv001\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n 
mysql-8.8.26.tar:templates/primary/statefulset.yaml:56-130\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n 56 \u250c - name: mysql\n 57 \u2502 image: docker.io/bitnami/mysql:8.0.28-debian-10-r23\n 58 \u2502 imagePullPolicy: \"IfNotPresent\"\n 59 \u2502 securityContext:\n 60 \u2502 runAsUser: 1001\n 61 \u2502 env:\n 62 \u2502 - name: BITNAMI_DEBUG\n 63 \u2502 value: \"false\"\n 64 \u2514 - name: MYSQL_ROOT_PASSWORD\n .. 
\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\n\nMEDIUM: Container 'mysql' of StatefulSet 'mysql' should set 'securityContext.runAsNonRoot' to 
true\n\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\n'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.\n\nSee 
https://avd.aquasec.com/misconfig/ksv012\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n 
mysql-8.8.26.tar:templates/primary/statefulset.yaml:56-130\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n 56 \u250c - name: mysql\n 57 \u2502 image: docker.io/bitnami/mysql:8.0.28-debian-10-r23\n 58 \u2502 imagePullPolicy: \"IfNotPresent\"\n 59 \u2502 securityContext:\n 60 \u2502 runAsUser: 1001\n 61 \u2502 env:\n 62 \u2502 - name: BITNAMI_DEBUG\n 63 \u2502 value: \"false\"\n 64 \u2514 - name: MYSQL_ROOT_PASSWORD\n .. 
\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n
You can see the config type next to each file name.
Example
Dockerfile (dockerfile)\n=======================\nTests: 23 (SUCCESSES: 22, FAILURES: 1)\nFailures: 1 (HIGH: 1, CRITICAL: 0)\n\n...\n\ndeployment.yaml (kubernetes)\n============================\nTests: 28 (SUCCESSES: 15, FAILURES: 13)\nFailures: 13 (MEDIUM: 4, HIGH: 1, CRITICAL: 0)\n\n...\n\nmain.tf (terraform)\n===================\nTests: 23 (SUCCESSES: 14, FAILURES: 9)\nFailures: 9 (HIGH: 6, CRITICAL: 1)\n\n...\n\nbucket.yaml (cloudformation)\n============================\nTests: 9 (SUCCESSES: 3, FAILURES: 6)\nFailures: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 4, CRITICAL: 0)\n\n...\n\nmysql-8.8.26.tar:templates/primary/statefulset.yaml (helm)\n==========================================================\nTests: 20 (SUCCESSES: 18, FAILURES: 2)\nFailures: 2 (MEDIUM: 2, HIGH: 0, CRITICAL: 0)\n
"},{"location":"guide/scanner/misconfiguration/#scan-raw-configurations","title":"Scan raw configurations","text":"IaC configurations from cloud providers such as Terraform, CloudFormation, and ARM are converted into a unified structure that is exported to Rego. Checks are developed only for the unified structure, not for each configuration type with its own structure. This avoids duplication and simplifies maintenance. Using the unified structure has a limitation: it is not possible to create checks for resources or attributes that are not exported.
The --raw-config-scanners flag allows scanning the raw configuration \u2014 that is, evaluated but not converted into the unified structure. Currently, only terraform is supported.
Note
The raw configuration scanner does not work on its own. To use --raw-config-scanners, you must also specify the corresponding --misconfig-scanners. The report will include results from both scanners.
For more information on custom checks and exported data schemas, see here.
Example check:
# METADATA\n# title: AWS required resource tags\n# description: Ensure required tags are set on AWS resources\n# scope: package\n# schemas:\n# - input: schema[\"terraform-raw\"]\n# custom:\n# id: USR-TFRAW-0001\n# severity: CRITICAL\n# short_code: required-aws-resource-tags\n# recommended_actions: Add the required tags to AWS resources.\n# input:\n# selector:\n# - type: terraform-raw\npackage user.terraform.required_aws_tags\n\nimport rego.v1\n\nresource_types_to_check := {\"aws_s3_bucket\"}\n\nresources_to_check := {block |\n some module in input.modules\n some block in module.blocks\n block.kind == \"resource\"\n block.type in resource_types_to_check\n}\n\nrequired_tags := {\"Access\", \"Owner\"}\n\ndeny contains res if {\n some block in resources_to_check\n not block.attributes.tags\n res := result.new(\n sprintf(\"The resource %q does not contain the following required tags: %v\", [block.type, required_tags]),\n block,\n )\n}\n\ndeny contains res if {\n some block in resources_to_check\n tags_attr := block.attributes.tags\n tags := object.keys(tags_attr.value)\n missing_tags := required_tags - tags\n count(missing_tags) > 0\n res := result.new(\n sprintf(\"The resource %q does not contain the following required tags: %v\", [block.type, missing_tags]),\n tags_attr,\n )\n}\n
Running Trivy:
trivy conf main.tf \\\n --check-namespaces user \\\n --config-check examples/terraform-raw/required-aws-tags.rego \\\n --misconfig-scanners terraform --raw-config-scanners terraform\n
Example output:
main.tf (terraform)\n\nTests: 10 (SUCCESSES: 0, FAILURES: 10)\nFailures: 10 (UNKNOWN: 0, LOW: 2, MEDIUM: 1, HIGH: 6, CRITICAL: 1)\n\n (CRITICAL): The resource \"aws_s3_bucket\" does not contain the following required tags: {\"Access\"}\n\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\nEnsure required tags are set on AWS resources\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n main.tf:3-5\n via main.tf:1-6 
(aws_s3_bucket.this)\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n 1 resource \"aws_s3_bucket\" \"this\" {\n 2 bucket = \"test\"\n 3 \u250c tags = {\n 4 \u2502 Owner: \"user\"\n 5 \u2514 }\n 6 }\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n
"},{"location":"guide/scanner/misconfiguration/#external-connectivity","title":"External connectivity","text":"Trivy needs to connect to the internet to download the checks bundle. If you are running Trivy in an air-gapped environment, or a tightly controlled network, please refer to the Advanced Network Scenarios document.
"},{"location":"guide/scanner/misconfiguration/#configuration","title":"Configuration","text":"More misconfiguration scanning specific configurations can be found here.
"},{"location":"guide/scanner/misconfiguration/check/builtin/","title":"Built-in Checks","text":""},{"location":"guide/scanner/misconfiguration/check/builtin/#checks-sources","title":"Checks Sources","text":"Trivy has an extensive library of misconfiguration checks that is maintained at https://github.com/aquasecurity/trivy-checks. Trivy checks are mainly written in Rego, while some checks are written in Go. See here for the list of supported config types.
"},{"location":"guide/scanner/misconfiguration/check/builtin/#checks-bundle","title":"Checks Bundle","text":"When performing a misconfiguration scan, Trivy will automatically download the relevant Checks bundle. The bundle is cached locally and Trivy will reuse it for subsequent scans on the same machine. Trivy takes care of updating the cache automatically, so normally users can be oblivious to it.
"},{"location":"guide/scanner/misconfiguration/check/builtin/#checks-distribution","title":"Checks Distribution","text":"Trivy checks are distributed as an OPA bundle hosted in the following GitHub Container Registry: https://ghcr.io/aquasecurity/trivy-checks. Trivy checks for updates to OPA bundle on GHCR every 24 hours and pulls it if there are any updates.
"},{"location":"guide/scanner/misconfiguration/check/builtin/#external-connectivity","title":"External connectivity","text":"Trivy needs to connect to the internet to download the bundle. If you are running Trivy in an air-gapped environment, or an tightly controlled network, please refer to the Advanced Network Scenarios document. The Checks bundle is also embedded in the Trivy binary (at build time), and will be used as a fallback if Trivy is unable to download the bundle. This means that you can still scan for misconfigurations in an air-gapped environment using the Checks from the time of the Trivy release you are using.
"},{"location":"guide/scanner/misconfiguration/config/config/","title":"Configuration","text":"This page describes misconfiguration-specific configuration.
"},{"location":"guide/scanner/misconfiguration/config/config/#enabling-a-subset-of-misconfiguration-scanners","title":"Enabling a subset of misconfiguration scanners","text":"It's possible to only enable certain misconfiguration scanners if you prefer. You can do so by passing the --misconfig-scanners option. This flag takes a comma-separated list of configuration scanner types.
trivy config --misconfig-scanners=terraform,dockerfile .\n
Will only scan for misconfigurations that pertain to Terraform and Dockerfiles.
"},{"location":"guide/scanner/misconfiguration/config/config/#loading-custom-checks","title":"Loading custom checks","text":"You can load check files or directories including your custom checks using the --config-check flag. This can be repeated for specifying multiple files or directories.
trivy config --config-check custom-policy/policy --config-check combine/policy --config-check policy.rego --namespaces user myapp\n
You can load checks bundle as OCI Image from a Container Registry using the --checks-bundle-repository flag.
trivy config --checks-bundle-repository myregistry.local/mychecks --namespaces user myapp\n
"},{"location":"guide/scanner/misconfiguration/config/config/#passing-custom-data","title":"Passing custom data","text":"You can pass directories including your custom data through --data option. This can be repeated for specifying multiple directories.
cd examples/misconf/custom-data\ntrivy config --config-check ./my-check --data ./data --namespaces user ./configs\n
For more details, see Custom Data.
"},{"location":"guide/scanner/misconfiguration/config/config/#passing-namespaces","title":"Passing namespaces","text":"By default, Trivy evaluates checks defined in builtin.*. If you want to evaluate custom checks in other packages, you have to specify package prefixes through --namespaces option. This can be repeated for specifying multiple packages.
trivy config --config-check ./my-check --namespaces main --namespaces user ./configs\n
"},{"location":"guide/scanner/misconfiguration/config/config/#limiting-rego-compile-errors","title":"Limiting Rego compile errors","text":"By default, Trivy limits the number of compile errors allowed during Rego policy compilation. You can configure this limit using the --rego-error-limit flag.
trivy config --rego-error-limit 20 ./configs\n
This flag controls the maximum number of compile errors Trivy will tolerate before stopping the compilation.
If the number of compile errors exceeds this limit, Trivy will terminate the scan. You can set --rego-error-limit 0 to enforce strict checking and disallow any compile errors.
The default value is defined internally via CompileErrorLimit.
"},{"location":"guide/scanner/misconfiguration/config/config/#private-terraform-registries","title":"Private Terraform registries","text":"Trivy can download Terraform code from private registries. To pass credentials you must use the TF_TOKEN_ environment variables. You cannot use a .terraformrc or terraform.rc file, these are not supported by trivy yet.
From the Terraform docs:
Environment variable names should have the prefix TF_TOKEN_ added to the domain name, with periods encoded as underscores. For example, the value of a variable named TF_TOKEN_app_terraform_io will be used as a bearer authorization token when the CLI makes service requests to the hostname app.terraform.io.
You must convert domain names containing non-ASCII characters to their punycode equivalent with an ACE prefix. For example, token credentials for \u4f8b\u3048\u3070.com must be set in a variable called TF_TOKEN_xn--r8j3dr99h_com.
Hyphens are also valid within host names but usually invalid as variable names and may be encoded as double underscores. For example, you can set a token for the domain name caf\u00e9.fr as TF_TOKEN_xn--caf-dma_fr or TF_TOKEN_xn_cafdmafr.
If multiple variables evaluate to the same hostname, Trivy will choose the environment variable name where the dashes have not been encoded as double underscores.
"},{"location":"guide/scanner/misconfiguration/config/config/#scan-arbitrary-json-and-yaml-configurations","title":"Scan arbitrary JSON and YAML configurations","text":"By default, scanning JSON and YAML configurations is disabled, since Trivy does not contain built-in checks for these configurations. To enable it, pass the json or yaml to --misconfig-scanners. See Enabling a subset of misconfiguration scanners for more information. Trivy will pass each file as is to the checks input.
Example
$ cat iac/serverless.yaml\nservice: serverless-rest-api-with-pynamodb\n\nframeworkVersion: \">=2.24.0\"\n\nplugins:\n - serverless-python-requirements\n...\n\n$ cat serverless.rego\n# METADATA\n# title: Serverless Framework service name not starting with \"aws-\"\n# description: Ensure that Serverless Framework service names start with \"aws-\"\n# schemas:\n# - input: schema[\"serverless-schema\"]\n# custom:\n# avd_id: AVD-SF-0001\n# severity: LOW\npackage user.serverless001\n\ndeny[res] {\n not startswith(input.service, \"aws-\")\n res := result.new(\n sprintf(\"Service name %q is not allowed\", [input.service]),\n input.service\n )\n}\n\n$ trivy config --misconfig-scanners=json,yaml --config-check ./serverless.rego --check-namespaces user ./iac\nserverless.yaml (yaml)\n\nTests: 4 (SUCCESSES: 3, FAILURES: 1)\nFailures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)\n\nLOW: Service name \"serverless-rest-api-with-pynamodb\" is not allowed\n\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\nEnsure that Serverless Framework service names start with \"aws-\"\n
Note
In the case above, the custom check specified has a metadata annotation for the input schema input: schema[\"serverless-schema\"]. This allows Trivy to type check the input IaC files provided.
Optionally, you can also pass schemas using the --config-file-schemas flag. Trivy will use these schemas for file filtering and type checking in Rego checks.
Example
$ trivy config --misconfig-scanners=json,yaml --config-check ./serverless.rego --check-namespaces user --config-file-schemas ./serverless-schema.json ./iac\n
If the --config-file-schemas flag is specified Trivy ensures that each input IaC config file being scanned is type-checked against the schema. If the input file does not match any of the passed schemas, it will be ignored.
If the schema is specified in the check metadata and is in the directory specified in the --config-check argument, it will be automatically loaded as specified here, and will only be used for type checking in Rego.
Note
If a user specifies the --config-file-schemas flag, Trivy ensures that all input IaC config files pass type-checking. It is not required to pass an input schema in case type checking is not required. This is helpful for scenarios where you simply want to write a Rego check and pass in IaC input for it. Such a use case could include scanning for a new service which Trivy might not support just yet.
Tip
It is also possible to specify multiple input schemas with the --config-file-schemas flag, as it accepts a comma-separated list of file paths or a directory as input. In the case of multiple schemas being specified, all of them will be evaluated against all the input files.
"},{"location":"guide/scanner/misconfiguration/config/config/#filtering-resources-by-inline-comments","title":"Filtering resources by inline comments","text":"Trivy supports ignoring misconfigured resources by inline comments for Terraform, CloudFormation, Helm and Dockerfile configuration files only.
In cases where Trivy can detect comments of a specific format immediately adjacent to resource definitions, it is possible to ignore findings from a single source of resource definition (in contrast to .trivyignore, which has a directory-wide scope on all of the files scanned). The format for these comments is trivy:ignore:<rule> immediately following the format-specific line-comment token.
Note
Inline ignore rules only work for checks associated with an existing resource. Checks triggered by the absence of a resource (e.g., AVD-DS-0002 when a Dockerfile lacks a USER instruction) cannot be ignored inline. Use a .trivyignore.yaml file to ignore such checks.
The ignore rule must contain one of the possible check IDs that can be found in its metadata: ID, short code or alias. The id from the metadata is not case-sensitive, so you can specify, for example, AVD-AWS-0089 or avd-aws-0089.
For example, to ignore a misconfiguration ID AVD-GCP-0051 in a Terraform HCL file:
#trivy:ignore:AVD-GCP-0051\nresource \"google_container_cluster\" \"example\" {\n name = var.cluster_name\n location = var.region\n}\n
You can add multiple ignores on the same comment line:
#trivy:ignore:AVD-GCP-0051 trivy:ignore:AVD-GCP-0053\nresource \"google_container_cluster\" \"example\" {\n name = var.cluster_name\n location = var.region\n}\n
You can also specify a long ID, which is formed as follows: <provider>-<service>-<short-code>.
As an example, consider the following check metadata:
# custom:\n # id: AVD-AWS-0089\n # avd_id: AVD-AWS-0089\n # provider: aws\n # service: s3\n # severity: LOW\n # short_code: enable-logging\n
The long ID would look like the following: aws-s3-enable-logging. Example for CloudFormation:
AWSTemplateFormatVersion: \"2010-09-09\"\nResources:\n#trivy:ignore:*\n S3Bucket:\n Type: 'AWS::S3::Bucket'\n Properties:\n BucketName: test-bucket\n
Note
Ignore rules for Helm files should be placed before the YAML object, since only the YAML object carries the location data needed for ignoring.
Example for Helm:
serviceAccountName: \"testchart.serviceAccountName\"\n containers:\n # trivy:ignore:KSV018\n - name: \"testchart\"\n securityContext:\n runAsUser: 1000\n runAsGroup: 3000\n image: \"your-repository/your-image:your-tag\"\n imagePullPolicy: \"Always\"\n
"},{"location":"guide/scanner/misconfiguration/config/config/#expiration-date","title":"Expiration Date","text":"You can specify the expiration date of the ignore rule in yyyy-mm-dd format. This is a useful feature when you want to make sure that an ignored issue is not forgotten and worth revisiting in the future. For example:
#trivy:ignore:aws-s3-enable-logging:exp:2024-03-10\nresource \"aws_s3_bucket\" \"example\" {\n bucket = \"test\"\n}\n
The aws-s3-enable-logging check will be ignored until the ignore rule expires on 2024-03-10.
"},{"location":"guide/scanner/misconfiguration/config/config/#ignoring-by-attributes","title":"Ignoring by attributes","text":"You can ignore a resource by its attribute value. This is useful when using the for-each meta-argument. For example:
locals {\n ports = [\"3306\", \"5432\"]\n}\n\n#trivy:ignore:aws-ec2-no-public-ingress-sgr[from_port=3306]\nresource \"aws_security_group_rule\" \"example\" {\n for_each = toset(local.ports)\n type = \"ingress\"\n from_port = each.key\n to_port = each.key\n protocol = \"TCP\"\n cidr_blocks = [\"0.0.0.0/0\"]\n security_group_id = aws_security_group.example.id\n source_security_group_id = aws_security_group.example.id\n}\n
The aws-ec2-no-public-ingress-sgr check will be ignored only for the aws_security_group_rule resource with port number 5432. Note that the attribute value in the ignore rule must not be enclosed in quotes, even though the port is represented as a string in the configuration.
If you want to ignore multiple resources on different attributes, you can specify multiple ignore rules:
#trivy:ignore:aws-ec2-no-public-ingress-sgr[from_port=3306]\n#trivy:ignore:aws-ec2-no-public-ingress-sgr[from_port=5432]\n
You can also ignore a resource on multiple attributes in the same rule:
locals {\n rules = {\n first = {\n port = 1000\n type = \"ingress\"\n },\n second = {\n port = 1000\n type = \"egress\"\n }\n }\n}\n\n#trivy:ignore:aws-ec2-no-public-ingress-sgr[from_port=1000,type=egress]\nresource \"aws_security_group_rule\" \"example\" {\n for_each = { for k, v in local.rules : k => v }\n\n type = each.value.type\n from_port = each.value.port\n to_port = each.value.port\n protocol = \"TCP\"\n cidr_blocks = [\"0.0.0.0/0\"]\n security_group_id = aws_security_group.example.id\n source_security_group_id = aws_security_group.example.id\n}\n
Checks can also be ignored by nested attributes:
#trivy:ignore:*[logging_config.prefix=myprefix]\nresource \"aws_cloudfront_distribution\" \"example\" {\n logging_config {\n include_cookies = false\n bucket = \"mylogs.s3.amazonaws.com\"\n prefix = \"myprefix\"\n }\n}\n
"},{"location":"guide/scanner/misconfiguration/config/config/#ignoring-module-issues","title":"Ignoring module issues","text":"Issues in third-party modules cannot be ignored using the method described above, because you may not have access to modify the module source code. In such a situation you can add ignore rules above the module block, for example:
#trivy:ignore:aws-s3-enable-logging\nmodule \"s3_bucket\" {\n source = \"terraform-aws-modules/s3-bucket/aws\"\n\n bucket = \"my-s3-bucket\"\n}\n
An example of ignoring checks for a specific bucket in a module:
locals {\n bucket = [\"test1\", \"test2\"]\n}\n\n#trivy:ignore:*[bucket=test1]\nmodule \"s3_bucket\" {\n for_each = toset(local.bucket)\n source = \"terraform-aws-modules/s3-bucket/aws\"\n bucket = each.value\n}\n
"},{"location":"guide/scanner/misconfiguration/config/config/#support-for-wildcards","title":"Support for Wildcards","text":"You can use wildcards in the ws (workspace) and ignore sections of the ignore rules.
# trivy:ignore:aws-s3-*:ws:dev-*\n
This example ignores all checks starting with aws-s3- for workspaces matching the pattern dev-*.
"},{"location":"guide/scanner/misconfiguration/custom/","title":"Custom Checks","text":""},{"location":"guide/scanner/misconfiguration/custom/#overview","title":"Overview","text":"You can write custom checks in Rego. Once you finish writing custom checks, you can pass the check files or the directory where those checks are stored with the --config-check option.
trivy config --config-check /path/to/policy.rego --config-check /path/to/custom_checks --namespaces user /path/to/config_dir\n
The --namespaces option is described in detail below.
"},{"location":"guide/scanner/misconfiguration/custom/#file-formats","title":"File formats","text":"If a file name matches the following file patterns, Trivy will parse the file and pass it as input to your Rego policy.
File formats and their file patterns:
- JSON: *.json
- YAML: *.yaml and *.yml
- Dockerfile: Dockerfile, Dockerfile.*, and *.Dockerfile
- Containerfile: Containerfile, Containerfile.*, and *.Containerfile
- Terraform: *.tf and *.tf.json
"},{"location":"guide/scanner/misconfiguration/custom/#configuration-languages","title":"Configuration languages","text":"In the above general file formats, Trivy automatically identifies the following types of configuration files:
- CloudFormation (JSON/YAML)
- Kubernetes (JSON/YAML)
- Helm (YAML)
- Terraform Plan (JSON/Snapshot)
This is useful for filtering inputs, as described below.
"},{"location":"guide/scanner/misconfiguration/custom/#rego-format","title":"Rego format","text":"A single package must contain only one policy.
Example
# METADATA\n# title: Deployment not allowed\n# description: Deployments are not allowed because of some reasons.\n# schemas:\n# - input: schema[\"kubernetes\"]\n# custom:\n# id: ID001\n# severity: LOW\n# input:\n# selector: \n# - type: kubernetes\npackage user.kubernetes.ID001\n\ndeny[res] {\n input.kind == \"Deployment\"\n msg := sprintf(\"Found deployment '%s' but deployments are not allowed\", [input.metadata.name])\n res := result.new(msg, input.kind)\n}\n
In this example, ID001 \"Deployment not allowed\" is defined under user.kubernetes.ID001. If you add a new custom policy, it must be defined under a new package like user.kubernetes.ID002.
"},{"location":"guide/scanner/misconfiguration/custom/#policy-structure","title":"Policy structure","text":"# METADATA (optional unless the check will be contributed into Trivy)
- SHOULD be defined for clarity since these values will be displayed in the scan results
- custom.input SHOULD be set to indicate the input type the policy should be applied to. See the list of available types
package (required)
- MUST follow the Rego specification
- MUST be unique per policy
- SHOULD include the policy ID for uniqueness
- MAY include the group name such as kubernetes for clarity
  - Group name has no effect on policy evaluation
deny (required)
- SHOULD be deny or start with deny_
  - Although warn, warn_*, violation, violation_ also work for compatibility, deny is recommended as severity can be defined in __rego_metadata__.
- SHOULD return ONE OF:
  - The result of a call to result.new(msg, cause). The msg is a string describing the issue occurrence, and the cause is the property/object where the issue occurred. Providing this allows Trivy to ascertain line numbers and highlight code in the output.
  - A string denoting the detected issue
    - Although an object with a msg field is accepted, other fields are dropped, and a string is recommended if result.new() is not utilised.
    - e.g. {\"msg\": \"deny message\", \"details\": \"something\"}
"},{"location":"guide/scanner/misconfiguration/custom/#package","title":"Package","text":"A package name must be unique per policy.
Example
package user.kubernetes.ID001\n
By default, only builtin.* packages will be evaluated; that is, Trivy runs only in its own namespace unless the user specifies otherwise. If you define custom packages, you have to specify the package prefix via the --namespaces option. Note that the custom namespace does not have to be user as in this example; it can be any user-defined name.
trivy config --config-check /path/to/custom_checks --namespaces user /path/to/config_dir\n
In this case, user.* will be evaluated. Any package prefixes such as main and user are allowed.
"},{"location":"guide/scanner/misconfiguration/custom/#metadata","title":"Metadata","text":"The check must contain a Rego Metadata section. Trivy uses standard rego metadata to define the new policy and general information about it.
Trivy supports extra fields in the custom section as described below.
Example
# METADATA\n# title: Deployment not allowed\n# description: Deployments are not allowed because of some reasons.\n# custom:\n# id: ID001\n# severity: LOW\n# input:\n# selector:\n# - type: kubernetes\n
If you are creating checks for your Trivy misconfiguration scans, some fields are optional as referenced in the table below. The schemas field should be used to enable policy validation using a built-in schema. It is recommended to use this to ensure your checks are correct and do not reference incorrect properties/values.
Field name: allowed values (default value; whether the field is shown in the table output and in the JSON output):
- title: Any characters (default N/A; table \u2705, JSON \u2705)
- description: Any characters (table -, JSON \u2705)
- schemas.input: schema[\"kubernetes\"], schema[\"dockerfile\"], schema[\"cloud\"], schema[\"terraform-raw\"] (applied to all input types) (table -, JSON -)
- custom.id: Any characters (default N/A; table \u2705, JSON \u2705)
- custom.severity: LOW, MEDIUM, HIGH, CRITICAL (default UNKNOWN; table \u2705, JSON \u2705)
- custom.recommended_actions: Any characters (table -, JSON \u2705)
- custom.deprecated: true, false (default false; table -, JSON \u2705)
- custom.input.selector.type: Any item(s) in this list (table -, JSON \u2705)
- custom.minimum_trivy_version: The minimum version of Trivy that's required to evaluate this check (table -, JSON \u2705)
- url: Any characters (table -, JSON \u2705)
"},{"location":"guide/scanner/misconfiguration/custom/#customavd_id-and-customid","title":"custom.avd_id and custom.id","text":"The AVD_ID can be used to link the check to the Aqua Vulnerability Database (AVD) entry. For example, the avd_id AVD-AWS-0176 is the ID of the check in the AWS Vulnerability Database. If you are contributing your check to trivy-checks, you need to generate an ID using make id in the trivy-checks repository. The output of the command will provide you with the next free IDs for the different providers in Trivy.
The ID is based on the AVD_ID. For instance if the avd_id is AVD-AWS-0176, the ID is ID0176.
"},{"location":"guide/scanner/misconfiguration/custom/#customprovider","title":"custom.provider","text":"The provider field references the provider available in Trivy. This should be the same as the provider name in the pkg/iac/providers directory, e.g. aws.
"},{"location":"guide/scanner/misconfiguration/custom/#customservice","title":"custom.service","text":"Services are defined within a provider. For instance, RDS is a service and AWS is a provider. This should be the same as the service name in one of the provider directories (Link), e.g. aws/rds.
"},{"location":"guide/scanner/misconfiguration/custom/#custominput","title":"custom.input","text":"The input tells Trivy what inputs this check should be applied to. Cloud provider checks should always use the selector input, and should always use the type selector with cloud. Checks targeting Kubernetes YAML can use kubernetes, RBAC checks can use rbac, and so on.
"},{"location":"guide/scanner/misconfiguration/custom/#subtypes-in-the-custom-data","title":"Subtypes in the custom data","text":"Subtypes currently only need to be defined for cloud providers as detailed in the documentation.
"},{"location":"guide/scanner/misconfiguration/custom/#scan-result","title":"Scan Result","text":"Some fields are displayed in scan results.
k.yaml (kubernetes)\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\nTests: 32 (SUCCESSES: 31, FAILURES: 1)\nFailures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)\n\nLOW: Found deployment 'my-deployment' but deployments are not allowed\n\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\nDeployments are not allowed because of some reasons.\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n k.yaml:1-2\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n 1 \u250c apiVersion: v1\n 2 \u2514 kind: 
Deployment\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n
"},{"location":"guide/scanner/misconfiguration/custom/#input","title":"Input","text":"You can specify input format via the custom.input annotation.
Example
# METADATA\n# custom:\n# input:\n# combine: false\n# selector:\n# - type: kubernetes\n
- combine (boolean): The details are here.
- selector (array): This option filters the input by file format or configuration language. In the above example, Trivy passes only Kubernetes files to this policy. Even if a Dockerfile exists in the specified directory, it will not be passed to the policy as input.
Possible values for input types are:
- dockerfile (Dockerfile)
- kubernetes (Kubernetes YAML/JSON)
- rbac (Kubernetes RBAC YAML/JSON)
- cloud (Cloud format, as defined by Trivy - this is used for Terraform, CloudFormation, and Cloud/AWS scanning)
- yaml (Generic YAML)
- json (Generic JSON)
- toml (Generic TOML)
- terraform-raw (Terraform configuration is not converted to common state as for the Cloud format, allowing for more flexible and direct checks on the original code)
When no configuration language such as Kubernetes is identified, the file format such as JSON is used as the type. When a configuration language is identified, it overrides the file-format type.
Example
A pod.yaml file containing a Kubernetes Pod is handled as kubernetes, not yaml: the type yaml is overwritten by kubernetes.
type accepts kubernetes, dockerfile, cloudformation, terraform, terraformplan, json, or yaml.
"},{"location":"guide/scanner/misconfiguration/custom/#schemas","title":"Schemas","text":"See here for the detail.
"},{"location":"guide/scanner/misconfiguration/custom/combine/","title":"Combined input","text":""},{"location":"guide/scanner/misconfiguration/custom/combine/#overview","title":"Overview","text":"Trivy usually scans each configuration file individually. Sometimes it might be useful to compare values from different configuration files simultaneously.
When combine is set to true, all config files under the specified directory are combined into one input data structure.
Example
__rego_input__ := {\n \"combine\": false,\n}\n
In \"combine\" mode, the input document becomes an array, where each element is an object with two fields:
- \"path\": \"path/to/file\": the relative file path of the respective file
- \"contents\": ...: the parsed content of the respective file
Now you can ensure that duplicate values match across the entirety of your configuration files.
"},{"location":"guide/scanner/misconfiguration/custom/combine/#return-value","title":"Return value","text":"In \"combine\" mode, the deny entrypoint must return an object with two keys
- filepath (required): the relative file path of the file being evaluated
- msg (required): the message describing an issue
Example
deny[res] {\n resource := input[i].contents\n ... some logic ...\n\n res := {\n \"filepath\": input[i].path,\n \"msg\": \"something bad\",\n }\n}\n
"},{"location":"guide/scanner/misconfiguration/custom/contribute-checks/","title":"Contribute Checks","text":""},{"location":"guide/scanner/misconfiguration/custom/contribute-checks/#contribute-rego-checks","title":"Contribute Rego Checks","text":"The contributing section provides detailed information on how to contribute custom checks to the trivy-checks repository.
This way, they become accessible as default checks.
"},{"location":"guide/scanner/misconfiguration/custom/data/","title":"Custom Data","text":"Custom checks may require additional data in order to make a resolution. You can pass arbitrary data files to Trivy to be used when evaluating rego checks using the --config-data flag. Trivy recursively searches the specified data paths for JSON (*.json) and YAML (*.yaml) files.
For example, consider an allowed list of resources that can be created. Instead of hardcoding this information inside your check, you can maintain the list in a separate file.
Example data file:
services:\n ports:\n - \"20\"\n - \"20/tcp\"\n - \"20/udp\"\n - \"23\"\n - \"23/tcp\"\n
Example usage in a Rego check:
import data.services\n\nports := services.ports\n
Example loading the data file:
trivy config --config-check ./checks --config-data ./data --namespaces user ./configs\n
"},{"location":"guide/scanner/misconfiguration/custom/data/#customizing-default-checks-data","title":"Customizing default checks data","text":"Some checks allow you to customize the default data values. To do this, simply pass a data file via --config-data (see the section above).
Supported data for customizing, with their data paths:
- KSV0125: ksv0125.trusted_registries (list of trusted container registries)
- DS031: ds031.included_envs (list of allowed environment variables, merged with defaults)
Example of overriding trusted registries for KSV0125:
ksv0125:\n trusted_registries:\n - \"my-registry.example.com\"\n - \"registry.internal.local\"\n
"},{"location":"guide/scanner/misconfiguration/custom/debug/","title":"Debugging checks","text":"When working on more complex queries (or when learning Rego), it's useful to see exactly how the policy is applied. For this purpose you can use the --trace-rego flag. This will output a large trace from Open Policy Agent like the following:
Tip
Only failed checks show traces. If you want to debug a passed check, you need to make it fail on purpose.
$ trivy config --trace-rego configs/\n2022-05-16T13:47:58.853+0100 INFO Detected config files: 1\n\nDockerfile (dockerfile)\n=======================\nTests: 23 (SUCCESSES: 21, FAILURES: 2)\nFailures: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)\n\nMEDIUM: Specify a tag in the 'FROM' statement for image 'alpine'\n\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\nWhen using a 'FROM' statement you should use a specific tag to avoid uncontrolled behavior when the image is updated.\n\nSee 
https://avd.aquasec.com/misconfig/ds001\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n Dockerfile:1\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n 1 [ FROM 
alpine:latest\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\n\nHIGH: Last USER command in Dockerfile should not be 'root'\n\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\nRunning containers with 'root' user can lead to a container escape situation. 
It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.\n\nSee https://avd.aquasec.com/misconfig/ds002\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n Dockerfile:3\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n 3 [ USER 
root\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\n\n\nID: DS001\nFile: Dockerfile\nNamespace: builtin.dockerfile.DS001\nQuery: data.builtin.dockerfile.DS001.deny\nMessage: Specify a tag in the 'FROM' statement for image 'alpine'\nTRACE Enter data.builtin.dockerfile.DS001.deny = _\nTRACE | Eval data.builtin.dockerfile.DS001.deny = _\nTRACE | Index data.builtin.dockerfile.DS001.deny (matched 1 rule)\nTRACE | Enter data.builtin.dockerfile.DS001.deny\nTRACE | | Eval output = data.builtin.dockerfile.DS001.fail_latest[_]\nTRACE | | Index data.builtin.dockerfile.DS001.fail_latest (matched 1 rule)\nTRACE | | Enter data.builtin.dockerfile.DS001.fail_latest\nTRACE | | | Eval output = data.builtin.dockerfile.DS001.image_tags[_]\nTRACE | | | Index data.builtin.dockerfile.DS001.image_tags (matched 2 rules)\nTRACE | | | Enter data.builtin.dockerfile.DS001.image_tags\nTRACE | | | | Eval from = data.lib.docker.from[_]\nTRACE | | | | Index data.lib.docker.from (matched 1 rule)\nTRACE | | | | Enter data.lib.docker.from\nTRACE | | | | | Eval instruction = input.stages[_][_]\nTRACE | | | | | Eval instruction.Cmd = \"from\"\nTRACE | | | | | Exit data.lib.docker.from\nTRACE | | | | Redo data.lib.docker.from\nTRACE | | | | | Redo 
instruction.Cmd = \"from\"\nTRACE | | | | | Redo instruction = input.stages[_][_]\nTRACE | | | | | Eval instruction.Cmd = \"from\"\nTRACE | | | | | Fail instruction.Cmd = \"from\"\nTRACE | | | | | Redo instruction = input.stages[_][_]\nTRACE | | | | | Eval instruction.Cmd = \"from\"\nTRACE | | | | | Fail instruction.Cmd = \"from\"\nTRACE | | | | | Redo instruction = input.stages[_][_]\nTRACE | | | | Eval name = from.Value[0]\nTRACE | | | | Eval not startswith(name, \"$\")\nTRACE | | | | Enter startswith(name, \"$\")\nTRACE | | | | | Eval startswith(name, \"$\")\nTRACE | | | | | Fail startswith(name, \"$\")\nTRACE | | | | Eval data.builtin.dockerfile.DS001.parse_tag(name, __local505__)\nTRACE | | | | Index data.builtin.dockerfile.DS001.parse_tag (matched 2 rules)\nTRACE | | | | Enter data.builtin.dockerfile.DS001.parse_tag\nTRACE | | | | | Eval split(name, \":\", __local504__)\nTRACE | | | | | Eval [img, tag] = __local504__\nTRACE | | | | | Exit data.builtin.dockerfile.DS001.parse_tag\nTRACE | | | | Eval [img, tag] = __local505__\nTRACE | | | | Eval output = {\"cmd\": from, \"img\": img, \"tag\": tag}\nTRACE | | | | Exit data.builtin.dockerfile.DS001.image_tags\nTRACE | | | Redo data.builtin.dockerfile.DS001.image_tags\nTRACE | | | | Redo output = {\"cmd\": from, \"img\": img, \"tag\": tag}\nTRACE | | | | Redo [img, tag] = __local505__\nTRACE | | | | Redo data.builtin.dockerfile.DS001.parse_tag(name, __local505__)\nTRACE | | | | Redo data.builtin.dockerfile.DS001.parse_tag\nTRACE | | | | | Redo [img, tag] = __local504__\nTRACE | | | | | Redo split(name, \":\", __local504__)\nTRACE | | | | Enter data.builtin.dockerfile.DS001.parse_tag\nTRACE | | | | | Eval tag = \"latest\"\nTRACE | | | | | Eval not contains(img, \":\")\nTRACE | | | | | Enter contains(img, \":\")\nTRACE | | | | | | Eval contains(img, \":\")\nTRACE | | | | | | Exit contains(img, \":\")\nTRACE | | | | | Redo contains(img, \":\")\nTRACE | | | | | | Redo contains(img, \":\")\nTRACE | | | | | Fail not 
contains(img, \":\")\nTRACE | | | | | Redo tag = \"latest\"\nTRACE | | | | Redo name = from.Value[0]\nTRACE | | | | Redo from = data.lib.docker.from[_]\nTRACE | | | Enter data.builtin.dockerfile.DS001.image_tags\nTRACE | | | | Eval from = data.lib.docker.from[i]\nTRACE | | | | Index data.lib.docker.from (matched 1 rule)\nTRACE | | | | Eval name = from.Value[0]\nTRACE | | | | Eval cmd_obj = input.stages[j][k]\nTRACE | | | | Eval possibilities = {\"arg\", \"env\"}\nTRACE | | | | Eval cmd_obj.Cmd = possibilities[l]\nTRACE | | | | Fail cmd_obj.Cmd = possibilities[l]\nTRACE | | | | Redo possibilities = {\"arg\", \"env\"}\nTRACE | | | | Redo cmd_obj = input.stages[j][k]\nTRACE | | | | Eval possibilities = {\"arg\", \"env\"}\nTRACE | | | | Eval cmd_obj.Cmd = possibilities[l]\nTRACE | | | | Fail cmd_obj.Cmd = possibilities[l]\nTRACE | | | | Redo possibilities = {\"arg\", \"env\"}\nTRACE | | | | Redo cmd_obj = input.stages[j][k]\nTRACE | | | | Eval possibilities = {\"arg\", \"env\"}\nTRACE | | | | Eval cmd_obj.Cmd = possibilities[l]\nTRACE | | | | Fail cmd_obj.Cmd = possibilities[l]\nTRACE | | | | Redo possibilities = {\"arg\", \"env\"}\nTRACE | | | | Redo cmd_obj = input.stages[j][k]\nTRACE | | | | Redo name = from.Value[0]\nTRACE | | | | Redo from = data.lib.docker.from[i]\nTRACE | | | Eval __local752__ = output.img\nTRACE | | | Eval neq(__local752__, \"scratch\")\nTRACE | | | Eval __local753__ = output.img\nTRACE | | | Eval not data.builtin.dockerfile.DS001.is_alias(__local753__)\nTRACE | | | Enter data.builtin.dockerfile.DS001.is_alias(__local753__)\nTRACE | | | | Eval data.builtin.dockerfile.DS001.is_alias(__local753__)\nTRACE | | | | Index data.builtin.dockerfile.DS001.is_alias (matched 1 rule, early exit)\nTRACE | | | | Enter data.builtin.dockerfile.DS001.is_alias\nTRACE | | | | | Eval img = data.builtin.dockerfile.DS001.get_aliases[_]\nTRACE | | | | | Index data.builtin.dockerfile.DS001.get_aliases (matched 1 rule)\nTRACE | | | | | Enter 
data.builtin.dockerfile.DS001.get_aliases\nTRACE | | | | | | Eval from_cmd = data.lib.docker.from[_]\nTRACE | | | | | | Index data.lib.docker.from (matched 1 rule)\nTRACE | | | | | | Eval __local749__ = from_cmd.Value\nTRACE | | | | | | Eval data.builtin.dockerfile.DS001.get_alias(__local749__, __local503__)\nTRACE | | | | | | Index data.builtin.dockerfile.DS001.get_alias (matched 1 rule)\nTRACE | | | | | | Enter data.builtin.dockerfile.DS001.get_alias\nTRACE | | | | | | | Eval __local748__ = values[i]\nTRACE | | | | | | | Eval lower(__local748__, __local501__)\nTRACE | | | | | | | Eval \"as\" = __local501__\nTRACE | | | | | | | Fail \"as\" = __local501__\nTRACE | | | | | | | Redo lower(__local748__, __local501__)\nTRACE | | | | | | | Redo __local748__ = values[i]\nTRACE | | | | | | Fail data.builtin.dockerfile.DS001.get_alias(__local749__, __local503__)\nTRACE | | | | | | Redo __local749__ = from_cmd.Value\nTRACE | | | | | | Redo from_cmd = data.lib.docker.from[_]\nTRACE | | | | | Fail img = data.builtin.dockerfile.DS001.get_aliases[_]\nTRACE | | | | Fail data.builtin.dockerfile.DS001.is_alias(__local753__)\nTRACE | | | Eval output.tag = \"latest\"\nTRACE | | | Exit data.builtin.dockerfile.DS001.fail_latest\nTRACE | | Redo data.builtin.dockerfile.DS001.fail_latest\nTRACE | | | Redo output.tag = \"latest\"\nTRACE | | | Redo __local753__ = output.img\nTRACE | | | Redo neq(__local752__, \"scratch\")\nTRACE | | | Redo __local752__ = output.img\nTRACE | | | Redo output = data.builtin.dockerfile.DS001.image_tags[_]\nTRACE | | Eval __local754__ = output.img\nTRACE | | Eval sprintf(\"Specify a tag in the 'FROM' statement for image '%s'\", [__local754__], __local509__)\nTRACE | | Eval msg = __local509__\nTRACE | | Eval __local755__ = output.cmd\nTRACE | | Eval data.lib.docker.result(msg, __local755__, __local510__)\nTRACE | | Index data.lib.docker.result (matched 1 rule)\nTRACE | | Enter data.lib.docker.result\nTRACE | | | Eval object.get(cmd, \"EndLine\", 0, 
__local470__)\nTRACE | | | Eval object.get(cmd, \"Path\", \"\", __local471__)\nTRACE | | | Eval object.get(cmd, \"StartLine\", 0, __local472__)\nTRACE | | | Eval result = {\"endline\": __local470__, \"filepath\": __local471__, \"msg\": msg, \"startline\": __local472__}\nTRACE | | | Exit data.lib.docker.result\nTRACE | | Eval res = __local510__\nTRACE | | Exit data.builtin.dockerfile.DS001.deny\nTRACE | Redo data.builtin.dockerfile.DS001.deny\nTRACE | | Redo res = __local510__\nTRACE | | Redo data.lib.docker.result(msg, __local755__, __local510__)\nTRACE | | Redo data.lib.docker.result\nTRACE | | | Redo result = {\"endline\": __local470__, \"filepath\": __local471__, \"msg\": msg, \"startline\": __local472__}\nTRACE | | | Redo object.get(cmd, \"StartLine\", 0, __local472__)\nTRACE | | | Redo object.get(cmd, \"Path\", \"\", __local471__)\nTRACE | | | Redo object.get(cmd, \"EndLine\", 0, __local470__)\nTRACE | | Redo __local755__ = output.cmd\nTRACE | | Redo msg = __local509__\nTRACE | | Redo sprintf(\"Specify a tag in the 'FROM' statement for image '%s'\", [__local754__], __local509__)\nTRACE | | Redo __local754__ = output.img\nTRACE | | Redo output = data.builtin.dockerfile.DS001.fail_latest[_]\nTRACE | Exit data.builtin.dockerfile.DS001.deny = _\nTRACE Redo data.builtin.dockerfile.DS001.deny = _\nTRACE | Redo data.builtin.dockerfile.DS001.deny = _\nTRACE\n\n\nID: DS002\nFile: Dockerfile\nNamespace: builtin.dockerfile.DS002\nQuery: data.builtin.dockerfile.DS002.deny\nMessage: Last USER command in Dockerfile should not be 'root'\nTRACE Enter data.builtin.dockerfile.DS002.deny = _\nTRACE | Eval data.builtin.dockerfile.DS002.deny = _\nTRACE | Index data.builtin.dockerfile.DS002.deny (matched 2 rules)\nTRACE | Enter data.builtin.dockerfile.DS002.deny\nTRACE | | Eval data.builtin.dockerfile.DS002.fail_user_count\nTRACE | | Index data.builtin.dockerfile.DS002.fail_user_count (matched 1 rule, early exit)\nTRACE | | Enter data.builtin.dockerfile.DS002.fail_user_count\nTRACE 
| | | Eval __local771__ = data.builtin.dockerfile.DS002.get_user\nTRACE | | | Index data.builtin.dockerfile.DS002.get_user (matched 1 rule)\nTRACE | | | Enter data.builtin.dockerfile.DS002.get_user\nTRACE | | | | Eval user = data.lib.docker.user[_]\nTRACE | | | | Index data.lib.docker.user (matched 1 rule)\nTRACE | | | | Enter data.lib.docker.user\nTRACE | | | | | Eval instruction = input.stages[_][_]\nTRACE | | | | | Eval instruction.Cmd = \"user\"\nTRACE | | | | | Fail instruction.Cmd = \"user\"\nTRACE | | | | | Redo instruction = input.stages[_][_]\nTRACE | | | | | Eval instruction.Cmd = \"user\"\nTRACE | | | | | Exit data.lib.docker.user\nTRACE | | | | Redo data.lib.docker.user\nTRACE | | | | | Redo instruction.Cmd = \"user\"\nTRACE | | | | | Redo instruction = input.stages[_][_]\nTRACE | | | | | Eval instruction.Cmd = \"user\"\nTRACE | | | | | Fail instruction.Cmd = \"user\"\nTRACE | | | | | Redo instruction = input.stages[_][_]\nTRACE | | | | Eval username = user.Value[_]\nTRACE | | | | Exit data.builtin.dockerfile.DS002.get_user\nTRACE | | | Redo data.builtin.dockerfile.DS002.get_user\nTRACE | | | | Redo username = user.Value[_]\nTRACE | | | | Redo user = data.lib.docker.user[_]\nTRACE | | | Eval count(__local771__, __local536__)\nTRACE | | | Eval lt(__local536__, 1)\nTRACE | | | Fail lt(__local536__, 1)\nTRACE | | | Redo count(__local771__, __local536__)\nTRACE | | | Redo __local771__ = data.builtin.dockerfile.DS002.get_user\nTRACE | | Fail data.builtin.dockerfile.DS002.fail_user_count\nTRACE | Enter data.builtin.dockerfile.DS002.deny\nTRACE | | Eval cmd = data.builtin.dockerfile.DS002.fail_last_user_root[_]\nTRACE | | Index data.builtin.dockerfile.DS002.fail_last_user_root (matched 1 rule)\nTRACE | | Enter data.builtin.dockerfile.DS002.fail_last_user_root\nTRACE | | | Eval stage_users = data.lib.docker.stage_user[_]\nTRACE | | | Index data.lib.docker.stage_user (matched 1 rule)\nTRACE | | | Enter data.lib.docker.stage_user\nTRACE | | | | Eval stage = 
input.stages[stage_name]\nTRACE | | | | Eval users = [cmd | cmd = stage[_]; cmd.Cmd = \"user\"]\nTRACE | | | | Enter cmd = stage[_]; cmd.Cmd = \"user\"\nTRACE | | | | | Eval cmd = stage[_]\nTRACE | | | | | Eval cmd.Cmd = \"user\"\nTRACE | | | | | Fail cmd.Cmd = \"user\"\nTRACE | | | | | Redo cmd = stage[_]\nTRACE | | | | | Eval cmd.Cmd = \"user\"\nTRACE | | | | | Exit cmd = stage[_]; cmd.Cmd = \"user\"\nTRACE | | | | Redo cmd = stage[_]; cmd.Cmd = \"user\"\nTRACE | | | | | Redo cmd.Cmd = \"user\"\nTRACE | | | | | Redo cmd = stage[_]\nTRACE | | | | | Eval cmd.Cmd = \"user\"\nTRACE | | | | | Fail cmd.Cmd = \"user\"\nTRACE | | | | | Redo cmd = stage[_]\nTRACE | | | | Exit data.lib.docker.stage_user\nTRACE | | | Redo data.lib.docker.stage_user\nTRACE | | | | Redo users = [cmd | cmd = stage[_]; cmd.Cmd = \"user\"]\nTRACE | | | | Redo stage = input.stages[stage_name]\nTRACE | | | Eval count(stage_users, __local537__)\nTRACE | | | Eval len = __local537__\nTRACE | | | Eval minus(len, 1, __local538__)\nTRACE | | | Eval last = stage_users[__local538__]\nTRACE | | | Eval user = last.Value[0]\nTRACE | | | Eval user = \"root\"\nTRACE | | | Exit data.builtin.dockerfile.DS002.fail_last_user_root\nTRACE | | Redo data.builtin.dockerfile.DS002.fail_last_user_root\nTRACE | | | Redo user = \"root\"\nTRACE | | | Redo user = last.Value[0]\nTRACE | | | Redo last = stage_users[__local538__]\nTRACE | | | Redo minus(len, 1, __local538__)\nTRACE | | | Redo len = __local537__\nTRACE | | | Redo count(stage_users, __local537__)\nTRACE | | | Redo stage_users = data.lib.docker.stage_user[_]\nTRACE | | Eval msg = \"Last USER command in Dockerfile should not be 'root'\"\nTRACE | | Eval data.lib.docker.result(msg, cmd, __local540__)\nTRACE | | Index data.lib.docker.result (matched 1 rule)\nTRACE | | Enter data.lib.docker.result\nTRACE | | | Eval object.get(cmd, \"EndLine\", 0, __local470__)\nTRACE | | | Eval object.get(cmd, \"Path\", \"\", __local471__)\nTRACE | | | Eval object.get(cmd, 
\"StartLine\", 0, __local472__)\nTRACE | | | Eval result = {\"endline\": __local470__, \"filepath\": __local471__, \"msg\": msg, \"startline\": __local472__}\nTRACE | | | Exit data.lib.docker.result\nTRACE | | Eval res = __local540__\nTRACE | | Exit data.builtin.dockerfile.DS002.deny\nTRACE | Redo data.builtin.dockerfile.DS002.deny\nTRACE | | Redo res = __local540__\nTRACE | | Redo data.lib.docker.result(msg, cmd, __local540__)\nTRACE | | Redo data.lib.docker.result\nTRACE | | | Redo result = {\"endline\": __local470__, \"filepath\": __local471__, \"msg\": msg, \"startline\": __local472__}\nTRACE | | | Redo object.get(cmd, \"StartLine\", 0, __local472__)\nTRACE | | | Redo object.get(cmd, \"Path\", \"\", __local471__)\nTRACE | | | Redo object.get(cmd, \"EndLine\", 0, __local470__)\nTRACE | | Redo msg = \"Last USER command in Dockerfile should not be 'root'\"\nTRACE | | Redo cmd = data.builtin.dockerfile.DS002.fail_last_user_root[_]\nTRACE | Exit data.builtin.dockerfile.DS002.deny = _\nTRACE Redo data.builtin.dockerfile.DS002.deny = _\nTRACE | Redo data.builtin.dockerfile.DS002.deny = _\nTRACE\n
"},{"location":"guide/scanner/misconfiguration/custom/schema/","title":"Input Schema","text":""},{"location":"guide/scanner/misconfiguration/custom/schema/#overview","title":"Overview","text":"Schemas are declarative documents that define the structure, data types and constraints of inputs being scanned. Trivy provides certain schemas out of the box as seen in the explorer here. You can also find the source code for the schemas here.
Schemas are not required in order to scan inputs with Trivy, but they are required if type-checking is needed.
Checks can be defined with custom schemas that allow inputs to be verified against them. Adding an input schema enables Trivy to show more detailed error messages when an invalid input is encountered.
"},{"location":"guide/scanner/misconfiguration/custom/schema/#unified-schema","title":"Unified Schema","text":"One of the unique advantages of Trivy is to take a variety of inputs, such as IaC files (e.g. CloudFormation, Terraform etc.) and also live cloud scanning (e.g. Trivy AWS plugin) and normalize them into a standard structure, as defined by the schema.
An example of such an application would be scanning AWS resources. You can scan them prior to deployment via the Trivy misconfiguration scanner and also scan them after they've been deployed in the cloud with Trivy AWS scanning. Both scan methods should yield the same result as resources are gathered into a unified representation as defined by the Cloud schema.
"},{"location":"guide/scanner/misconfiguration/custom/schema/#supported-schemas","title":"Supported Schemas","text":"Currently out of the box the following schemas are supported natively:
- Docker
- Kubernetes
- Cloud
- Terraform Raw Format
You can interactively view these schemas with the Trivy Schema Explorer
"},{"location":"guide/scanner/misconfiguration/custom/schema/#example","title":"Example","text":"As mentioned earlier, amongst other built-in schemas, Trivy offers a built-in schema for scanning Dockerfiles. It is available here. Without input schemas, a check would be as follows:
Example
# METADATA\npackage mypackage\n\ndeny {\n input.evil == \"foo bar\"\n}\n
If this check is run against an offending Dockerfile, no issues will be reported, because the check fails to evaluate. Although the check's failure to evaluate is legitimate, it should not result in a passing scan.
For instance, if we have a check that looks for misconfigurations in a Dockerfile, we could define the schema as follows:
Example
# METADATA\n# schemas:\n# - input: schema[\"dockerfile\"]\npackage mypackage\n\ndeny {\n input.evil == \"foo bar\"\n}\n
Here input: schema[\"dockerfile\"] points to a schema that expects a valid Dockerfile as input. An example of this can be found here.
Now if this check is evaluated, a more descriptive error will be available to help fix the problem.
1 error occurred: testcheck.rego:8: rego_type_error: undefined ref: input.evil\n input.evil\n ^\n have: \"evil\"\n want (one of): [\"Stages\"]\n
"},{"location":"guide/scanner/misconfiguration/custom/schema/#custom-checks-with-custom-schemas","title":"Custom Checks with Custom Schemas","text":"You can also bring a custom check that defines one or more custom schemas.
Example
# METADATA\n# schemas:\n# - input: schema[\"fooschema\"]\n# - input: schema[\"barschema\"]\npackage mypackage\n\ndeny {\n input.evil == \"foo bar\"\n}\n
The checks can be placed in a directory structure such as the following:
Example
/Users/user/my-custom-checks\n\u251c\u2500\u2500 my_check.rego\n\u2514\u2500\u2500 schemas\n \u2514\u2500\u2500 fooschema.json\n \u2514\u2500\u2500 barschema.json\n
To use such a check with Trivy, use the --config-check flag that points to the check file or to the directory where the schemas and checks are contained.
$ trivy --config-check=/Users/user/my-custom-checks <path/to/iac>\n
For more details on how to define schemas within Rego checks, please see the OPA guide that describes it in more detail.
"},{"location":"guide/scanner/misconfiguration/custom/schema/#scan-arbitrary-json-and-yaml-configurations","title":"Scan arbitrary JSON and YAML configurations","text":"By default, scanning JSON and YAML configurations is disabled, since Trivy does not contain built-in checks for these configurations. To enable it, pass json or yaml to --misconfig-scanners. Trivy will pass each file as is to the check's input.
Example
$ cat iac/serverless.yaml\nservice: serverless-rest-api-with-pynamodb\n\nframeworkVersion: \">=2.24.0\"\n\nplugins:\n - serverless-python-requirements\n...\n\n$ cat serverless.rego\n# METADATA\n# title: Serverless Framework service name not starting with \"aws-\"\n# description: Ensure that Serverless Framework service names start with \"aws-\"\n# schemas:\n# - input: schema[\"serverless-schema\"]\n# custom:\n# id: SF001\n# severity: LOW\npackage user.serverless001\n\ndeny[res] {\n not startswith(input.service, \"aws-\")\n res := result.new(\n sprintf(\"Service name %q is not allowed\", [input.service]),\n input.service\n )\n}\n\n$ trivy config --misconfig-scanners=json,yaml --config-check ./serverless.rego --check-namespaces user ./iac\nserverless.yaml (yaml)\n\nTests: 4 (SUCCESSES: 3, FAILURES: 1)\nFailures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)\n\nLOW: Service name \"serverless-rest-api-with-pynamodb\" is not allowed\n\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\nEnsure that Serverless Framework service names start with \"aws-\"\n
Note
In the case above, the custom check specified has a metadata annotation for the input schema input: schema[\"serverless-schema\"]. This allows Trivy to type check the input IaC files provided.
Optionally, you can also pass schemas using the --config-file-schemas flag. Trivy will use these schemas for file filtering and for type checking in Rego checks.
Example
$ trivy config --misconfig-scanners=json,yaml --config-check ./serverless.rego --check-namespaces user --config-file-schemas ./serverless-schema.json ./iac\n
If the --config-file-schemas flag is specified, Trivy ensures that each input IaC config file being scanned is type-checked against the schemas. If an input file does not match any of the passed schemas, it is ignored.
If the schema is specified in the check metadata and is in the directory specified in the --config-check argument, it will be automatically loaded as specified here, and will only be used for type checking in Rego.
Note
If the --config-file-schemas flag is specified, Trivy ensures that all input IaC config files pass type-checking. Passing an input schema is not required when type checking is not needed. This is helpful for scenarios where you simply want to write a Rego check and pass in IaC input for it; such a use case could include scanning for a new service which Trivy might not support just yet.
Tip
It is also possible to specify multiple input schemas with the --config-file-schemas flag, as it accepts a comma-separated list of file paths or a directory as input. When multiple schemas are specified, all of them are evaluated against all the input files.
"},{"location":"guide/scanner/misconfiguration/custom/selectors/","title":"Input Selectors","text":""},{"location":"guide/scanner/misconfiguration/custom/selectors/#overview","title":"Overview","text":"Sometimes you might want to limit a certain policy to only be run on certain resources. This can be achieved with input selectors.
"},{"location":"guide/scanner/misconfiguration/custom/selectors/#use-case","title":"Use case","text":"For instance, you may have a custom policy that you only want evaluated when a certain resource type is being scanned. In such a case you can use input selectors to limit its evaluation to only those resources.
Example
# METADATA\n # title: \"RDS Publicly Accessible\"\n # description: \"Ensures RDS instances are not launched into the public cloud.\"\n # custom:\n # input:\n # selector:\n # - type: cloud\n # subtypes:\n # - provider: aws\n # service: rds\n package builtin.aws.rds.aws0999\n\n deny[res] {\n instance := input.aws.rds.instances[_]\n instance.publicaccess.value\n res := result.new(\"Instance has Public Access enabled\", instance.publicaccess)\n }\n
Observe the following subtypes defined:
# subtypes:\n # - provider: aws\n # service: rds\n
They will ensure that the policy is only run when the input to such a policy contains an RDS instance.
"},{"location":"guide/scanner/misconfiguration/custom/selectors/#enabling-selectors-and-subtypes","title":"Enabling selectors and subtypes","text":"Currently, the following are supported:
| Selector | Subtype fields required | Example |
| --- | --- | --- |
| Cloud (AWS, Azure, etc.) | provider, service | provider: aws, service: rds |
| Kubernetes | | type: kubernetes |
| Dockerfile | | type: dockerfile |
"},{"location":"guide/scanner/misconfiguration/custom/selectors/#default-behaviour","title":"Default behaviour","text":"If no subtypes or selectors are specified, the policy will be evaluated regardless of input.
"},{"location":"guide/scanner/misconfiguration/custom/testing/","title":"Testing","text":"It is highly recommended to write tests for your custom checks.
"},{"location":"guide/scanner/misconfiguration/custom/testing/#rego-testing","title":"Rego testing","text":"To help you verify the correctness of your custom checks, OPA gives you a framework that you can use to write tests for your checks. By writing tests for your custom checks you can speed up the development process of new rules and reduce the amount of time it takes to modify rules as requirements evolve.
For more details, see Policy Testing.
Example
package user.dockerfile.ID002\n\ntest_add_denied {\n r := deny with input as {\"stages\": {\"alpine:3.13\": [\n {\"Cmd\": \"add\", \"Value\": [\"/target/resources.tar.gz\", \"resources.jar\"]},\n {\"Cmd\": \"add\", \"Value\": [\"/target/app.jar\", \"app.jar\"]},\n ]}}\n\n count(r) == 1\n r[_] == \"Consider using 'COPY /target/app.jar app.jar' command instead of 'ADD /target/app.jar app.jar'\"\n}\n
To write tests for custom checks, you can refer to the existing tests under trivy-checks.
"},{"location":"guide/scanner/misconfiguration/custom/testing/#go-testing","title":"Go testing","text":"Fanal, which is a core library of Trivy, can be imported as a Go library. You can scan config files in Go and test your custom checks using Go's testing methods, such as table-driven tests. This allows you to use the actual configuration file as input, making it easy to prepare test data and to ensure that your custom checks work in practice.
In particular, Dockerfile and HCL need to be converted to structured data as input, which may differ from the input format you expect.
Tip
We recommend writing both OPA and Go tests, since they have different roles, much like unit tests and integration tests.
The following example stores allowed and denied configuration files in a directory. Successes contains the results of the checks that passed, and Failures contains the results of the checks that failed.
{\n name: \"disallowed ports\",\n input: \"configs/\",\n fields: fields{\n policyPaths: []string{\"policy\"},\n dataPaths: []string{\"data\"},\n namespaces: []string{\"user\"},\n },\n want: []types.Misconfiguration{\n {\n FileType: types.Dockerfile,\n FilePath: \"Dockerfile.allowed\",\n Successes: types.MisconfResults{\n {\n Namespace: \"user.dockerfile.ID002\",\n PolicyMetadata: types.PolicyMetadata{\n ID: \"ID002\",\n Type: \"Docker Custom Check\",\n Title: \"Disallowed ports exposed\",\n Severity: \"HIGH\",\n },\n },\n },\n },\n {\n FileType: types.Dockerfile,\n FilePath: \"Dockerfile.denied\",\n Failures: types.MisconfResults{\n {\n Namespace: \"user.dockerfile.ID002\",\n Message: \"Port 23 should not be exposed\",\n PolicyMetadata: types.PolicyMetadata{\n ID: \"ID002\",\n Type: \"Docker Custom Check\",\n Title: \"Disallowed ports exposed\",\n Severity: \"HIGH\",\n },\n },\n },\n },\n },\n},\n
Dockerfile.allowed has one successful result in Successes, while Dockerfile.denied has one failure result in Failures.
"},{"location":"guide/supply-chain/sbom/","title":"SBOM","text":""},{"location":"guide/supply-chain/sbom/#generating","title":"Generating","text":"Trivy can generate the following SBOM formats.
- CycloneDX
- SPDX
"},{"location":"guide/supply-chain/sbom/#cli-commands","title":"CLI commands","text":"To generate an SBOM, use the --format option with each subcommand, such as image, fs and vm.
$ trivy image --format spdx-json --output result.json alpine:3.15\n
$ trivy fs --format cyclonedx --output result.json /app/myproject\n
Result {\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.3\",\n \"serialNumber\": \"urn:uuid:2be5773d-7cd3-4b4b-90a5-e165474ddace\",\n \"version\": 1,\n \"metadata\": {\n \"timestamp\": \"2022-02-22T15:11:40.270597Z\",\n \"tools\": [\n {\n \"vendor\": \"aquasecurity\",\n \"name\": \"trivy\",\n \"version\": \"dev\"\n }\n ],\n \"component\": {\n \"bom-ref\": \"pkg:oci/alpine@sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300?repository_url=index.docker.io%2Flibrary%2Falpine&arch=amd64\",\n \"type\": \"container\",\n \"name\": \"alpine:3.15\",\n \"version\": \"\",\n \"purl\": \"pkg:oci/alpine@sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300?repository_url=index.docker.io%2Flibrary%2Falpine&arch=amd64\",\n \"properties\": [\n {\n \"name\": \"aquasecurity:trivy:SchemaVersion\",\n \"value\": \"2\"\n },\n {\n \"name\": \"aquasecurity:trivy:ImageID\",\n \"value\": \"sha256:c059bfaa849c4d8e4aecaeb3a10c2d9b3d85f5165c66ad3a4d937758128c4d18\"\n },\n {\n \"name\": \"aquasecurity:trivy:RepoDigest\",\n \"value\": \"alpine@sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300\"\n },\n {\n \"name\": \"aquasecurity:trivy:DiffID\",\n \"value\": \"sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759\"\n },\n {\n \"name\": \"aquasecurity:trivy:RepoTag\",\n \"value\": \"alpine:3.15\"\n }\n ]\n }\n },\n \"components\": [\n {\n \"bom-ref\": \"pkg:apk/alpine/alpine-baselayout@3.2.0-r18?distro=3.15.0\",\n \"type\": \"library\",\n \"name\": \"alpine-baselayout\",\n \"version\": \"3.2.0-r18\",\n \"licenses\": [\n {\n \"expression\": \"GPL-2.0-only\"\n }\n ],\n \"purl\": \"pkg:apk/alpine/alpine-baselayout@3.2.0-r18?distro=3.15.0\",\n \"properties\": [\n {\n \"name\": \"aquasecurity:trivy:SrcName\",\n \"value\": \"alpine-baselayout\"\n },\n {\n \"name\": \"aquasecurity:trivy:SrcVersion\",\n \"value\": \"3.2.0-r18\"\n },\n {\n \"name\": \"aquasecurity:trivy:LayerDigest\",\n \"value\": 
\"sha256:59bf1c3509f33515622619af21ed55bbe26d24913cedbca106468a5fb37a50c3\"\n },\n {\n \"name\": \"aquasecurity:trivy:LayerDiffID\",\n \"value\": \"sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759\"\n }\n ]\n },\n ...(snip)...\n {\n \"bom-ref\": \"pkg:apk/alpine/zlib@1.2.11-r3?distro=3.15.0\",\n \"type\": \"library\",\n \"name\": \"zlib\",\n \"version\": \"1.2.11-r3\",\n \"licenses\": [\n {\n \"expression\": \"Zlib\"\n }\n ],\n \"purl\": \"pkg:apk/alpine/zlib@1.2.11-r3?distro=3.15.0\",\n \"properties\": [\n {\n \"name\": \"aquasecurity:trivy:SrcName\",\n \"value\": \"zlib\"\n },\n {\n \"name\": \"aquasecurity:trivy:SrcVersion\",\n \"value\": \"1.2.11-r3\"\n },\n {\n \"name\": \"aquasecurity:trivy:LayerDigest\",\n \"value\": \"sha256:59bf1c3509f33515622619af21ed55bbe26d24913cedbca106468a5fb37a50c3\"\n },\n {\n \"name\": \"aquasecurity:trivy:LayerDiffID\",\n \"value\": \"sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759\"\n }\n ]\n },\n {\n \"bom-ref\": \"3da6a469-964d-4b4e-b67d-e94ec7c88d37\",\n \"type\": \"operating-system\",\n \"name\": \"alpine\",\n \"version\": \"3.15.0\",\n \"properties\": [\n {\n \"name\": \"aquasecurity:trivy:Type\",\n \"value\": \"alpine\"\n },\n {\n \"name\": \"aquasecurity:trivy:Class\",\n \"value\": \"os-pkgs\"\n }\n ]\n }\n ],\n \"dependencies\": [\n {\n \"ref\": \"3da6a469-964d-4b4e-b67d-e94ec7c88d37\",\n \"dependsOn\": [\n \"pkg:apk/alpine/alpine-baselayout@3.2.0-r18?distro=3.15.0\",\n \"pkg:apk/alpine/alpine-keys@2.4-r1?distro=3.15.0\",\n \"pkg:apk/alpine/apk-tools@2.12.7-r3?distro=3.15.0\",\n \"pkg:apk/alpine/busybox@1.34.1-r3?distro=3.15.0\",\n \"pkg:apk/alpine/ca-certificates-bundle@20191127-r7?distro=3.15.0\",\n \"pkg:apk/alpine/libc-utils@0.7.2-r3?distro=3.15.0\",\n \"pkg:apk/alpine/libcrypto1.1@1.1.1l-r7?distro=3.15.0\",\n \"pkg:apk/alpine/libretls@3.3.4-r2?distro=3.15.0\",\n \"pkg:apk/alpine/libssl1.1@1.1.1l-r7?distro=3.15.0\",\n \"pkg:apk/alpine/musl@1.2.2-r7?distro=3.15.0\",\n 
\"pkg:apk/alpine/musl-utils@1.2.2-r7?distro=3.15.0\",\n \"pkg:apk/alpine/scanelf@1.3.3-r0?distro=3.15.0\",\n \"pkg:apk/alpine/ssl_client@1.34.1-r3?distro=3.15.0\",\n \"pkg:apk/alpine/zlib@1.2.11-r3?distro=3.15.0\"\n ]\n },\n {\n \"ref\": \"pkg:oci/alpine@sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300?repository_url=index.docker.io%2Flibrary%2Falpine&arch=amd64\",\n \"dependsOn\": [\n \"3da6a469-964d-4b4e-b67d-e94ec7c88d37\"\n ]\n }\n ]\n}\n
"},{"location":"guide/supply-chain/sbom/#supported-packages","title":"Supported packages","text":"Trivy supports the following packages.
- OS packages
- Language-specific packages
Trivy has a specific logic for package detection. See the package detection section for more information.
"},{"location":"guide/supply-chain/sbom/#formats","title":"Formats","text":""},{"location":"guide/supply-chain/sbom/#cyclonedx","title":"CycloneDX","text":"Trivy can generate SBOM in the CycloneDX format. Note that XML format is not supported at the moment.
You can use the regular subcommands (like image, fs and rootfs) and specify cyclonedx with the --format option.
CycloneDX can represent either or both of an SBOM and a BOV:
- Software Bill of Materials (SBOM)
- Bill of Vulnerabilities (BOV)
By default, --format cyclonedx represents SBOM and doesn't include vulnerabilities in the CycloneDX output.
$ trivy image --format cyclonedx --output result.json alpine:3.15\n2022-07-19T07:47:27.624Z INFO \"--format cyclonedx\" disables security scanning. Specify \"--scanners vuln\" explicitly if you want to include vulnerabilities in the CycloneDX report.\n
Result $ cat result.json | jq .\n{\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"serialNumber\": \"urn:uuid:2be5773d-7cd3-4b4b-90a5-e165474ddace\",\n \"version\": 1,\n \"metadata\": {\n \"timestamp\": \"2022-02-22T15:11:40.270597Z\",\n \"tools\": {\n \"components\": [\n {\n \"type\": \"application\",\n \"group\": \"aquasecurity\",\n \"name\": \"trivy\",\n \"version\": \"dev\"\n }\n ]\n },\n \"component\": {\n \"bom-ref\": \"pkg:oci/alpine@sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300?repository_url=index.docker.io%2Flibrary%2Falpine&arch=amd64\",\n \"type\": \"container\",\n \"name\": \"alpine:3.15\",\n \"version\": \"\",\n \"purl\": \"pkg:oci/alpine@sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300?repository_url=index.docker.io%2Flibrary%2Falpine&arch=amd64\",\n \"properties\": [\n {\n \"name\": \"aquasecurity:trivy:SchemaVersion\",\n \"value\": \"2\"\n },\n {\n \"name\": \"aquasecurity:trivy:ImageID\",\n \"value\": \"sha256:c059bfaa849c4d8e4aecaeb3a10c2d9b3d85f5165c66ad3a4d937758128c4d18\"\n },\n {\n \"name\": \"aquasecurity:trivy:RepoDigest\",\n \"value\": \"alpine@sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300\"\n },\n {\n \"name\": \"aquasecurity:trivy:DiffID\",\n \"value\": \"sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759\"\n },\n {\n \"name\": \"aquasecurity:trivy:RepoTag\",\n \"value\": \"alpine:3.15\"\n }\n ]\n }\n },\n \"components\": [\n {\n \"bom-ref\": \"pkg:apk/alpine/alpine-baselayout@3.2.0-r18?distro=3.15.0\",\n \"type\": \"library\",\n \"name\": \"alpine-baselayout\",\n \"version\": \"3.2.0-r18\",\n \"licenses\": [\n {\n \"expression\": \"GPL-2.0-only\"\n }\n ],\n \"purl\": \"pkg:apk/alpine/alpine-baselayout@3.2.0-r18?distro=3.15.0\",\n \"properties\": [\n {\n \"name\": \"aquasecurity:trivy:SrcName\",\n \"value\": \"alpine-baselayout\"\n },\n {\n \"name\": \"aquasecurity:trivy:SrcVersion\",\n \"value\": \"3.2.0-r18\"\n },\n {\n 
\"name\": \"aquasecurity:trivy:LayerDigest\",\n \"value\": \"sha256:59bf1c3509f33515622619af21ed55bbe26d24913cedbca106468a5fb37a50c3\"\n },\n {\n \"name\": \"aquasecurity:trivy:LayerDiffID\",\n \"value\": \"sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759\"\n }\n ]\n },\n ...(snip)...\n {\n \"bom-ref\": \"pkg:apk/alpine/zlib@1.2.11-r3?distro=3.15.0\",\n \"type\": \"library\",\n \"name\": \"zlib\",\n \"version\": \"1.2.11-r3\",\n \"licenses\": [\n {\n \"expression\": \"Zlib\"\n }\n ],\n \"purl\": \"pkg:apk/alpine/zlib@1.2.11-r3?distro=3.15.0\",\n \"properties\": [\n {\n \"name\": \"aquasecurity:trivy:SrcName\",\n \"value\": \"zlib\"\n },\n {\n \"name\": \"aquasecurity:trivy:SrcVersion\",\n \"value\": \"1.2.11-r3\"\n },\n {\n \"name\": \"aquasecurity:trivy:LayerDigest\",\n \"value\": \"sha256:59bf1c3509f33515622619af21ed55bbe26d24913cedbca106468a5fb37a50c3\"\n },\n {\n \"name\": \"aquasecurity:trivy:LayerDiffID\",\n \"value\": \"sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759\"\n }\n ]\n },\n {\n \"bom-ref\": \"3da6a469-964d-4b4e-b67d-e94ec7c88d37\",\n \"type\": \"operating-system\",\n \"name\": \"alpine\",\n \"version\": \"3.15.0\",\n \"properties\": [\n {\n \"name\": \"aquasecurity:trivy:Type\",\n \"value\": \"alpine\"\n },\n {\n \"name\": \"aquasecurity:trivy:Class\",\n \"value\": \"os-pkgs\"\n }\n ]\n }\n ],\n \"dependencies\": [\n {\n \"ref\": \"3da6a469-964d-4b4e-b67d-e94ec7c88d37\",\n \"dependsOn\": [\n \"pkg:apk/alpine/alpine-baselayout@3.2.0-r18?distro=3.15.0\",\n \"pkg:apk/alpine/alpine-keys@2.4-r1?distro=3.15.0\",\n \"pkg:apk/alpine/apk-tools@2.12.7-r3?distro=3.15.0\",\n \"pkg:apk/alpine/busybox@1.34.1-r3?distro=3.15.0\",\n \"pkg:apk/alpine/ca-certificates-bundle@20191127-r7?distro=3.15.0\",\n \"pkg:apk/alpine/libc-utils@0.7.2-r3?distro=3.15.0\",\n \"pkg:apk/alpine/libcrypto1.1@1.1.1l-r7?distro=3.15.0\",\n \"pkg:apk/alpine/libretls@3.3.4-r2?distro=3.15.0\",\n 
\"pkg:apk/alpine/libssl1.1@1.1.1l-r7?distro=3.15.0\",\n \"pkg:apk/alpine/musl@1.2.2-r7?distro=3.15.0\",\n \"pkg:apk/alpine/musl-utils@1.2.2-r7?distro=3.15.0\",\n \"pkg:apk/alpine/scanelf@1.3.3-r0?distro=3.15.0\",\n \"pkg:apk/alpine/ssl_client@1.34.1-r3?distro=3.15.0\",\n \"pkg:apk/alpine/zlib@1.2.11-r3?distro=3.15.0\"\n ]\n },\n {\n \"ref\": \"pkg:oci/alpine@sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300?repository_url=index.docker.io%2Flibrary%2Falpine&arch=amd64\",\n \"dependsOn\": [\n \"3da6a469-964d-4b4e-b67d-e94ec7c88d37\"\n ]\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"CVE-2021-42386\",\n \"source\": {\n \"name\": \"alpine\",\n \"url\": \"https://secdb.alpinelinux.org/\"\n },\n \"ratings\": [\n {\n \"source\": {\n \"name\": \"nvd\"\n },\n \"score\": 7.2,\n \"severity\": \"high\",\n \"method\": \"CVSSv31\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\"\n },\n {\n \"source\": {\n \"name\": \"nvd\"\n },\n \"score\": 6.5,\n \"severity\": \"medium\",\n \"method\": \"CVSSv2\",\n \"vector\": \"AV:N/AC:L/Au:S/C:P/I:P/A:P\"\n },\n {\n \"source\": {\n \"name\": \"redhat\"\n },\n \"score\": 6.6,\n \"severity\": \"medium\",\n \"method\": \"CVSSv31\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H\"\n }\n ],\n \"cwes\": [\n 416\n ],\n \"description\": \"A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function\",\n \"advisories\": [\n {\n \"url\": \"https://access.redhat.com/security/cve/CVE-2021-42386\"\n },\n {\n \"url\": \"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42386\"\n }\n ],\n \"published\": \"2021-11-15 21:15:00 +0000 UTC\",\n \"updated\": \"2022-01-04 17:14:00 +0000 UTC\",\n \"affects\": [\n {\n \"ref\": \"pkg:apk/alpine/busybox@1.33.1-r3?distro=3.14.2\"\n },\n {\n \"ref\": \"pkg:apk/alpine/ssl_client@1.33.1-r3?distro=3.14.2\"\n }\n ]\n }\n ]\n}\n
If you want to include vulnerabilities, you can enable vulnerability scanning via --scanners vuln.
$ trivy image --scanners vuln --format cyclonedx --output result.json alpine:3.15\n
"},{"location":"guide/supply-chain/sbom/#spdx","title":"SPDX","text":"Trivy can generate an SBOM in the SPDX format.
You can use the regular subcommands (like image, fs and rootfs) and specify spdx or spdx-json with the --format option.
$ trivy image --format spdx --output result.spdx alpine:3.15\n
Result SPDXVersion: SPDX-2.3\nDataLicense: CC0-1.0\nSPDXID: SPDXRef-DOCUMENT\nDocumentName: alpine:3.15\nDocumentNamespace: http://trivy.dev/container_image/alpine:3.15-12db86e1-4aa4-40ec-900b-5aaa5d82461b\nCreator: Organization: aquasecurity\nCreator: Tool: trivy-0.58.0\nCreated: 2025-02-11T07:43:38Z\n\n##### Package: alpine:3.15\n\nPackageName: alpine:3.15\nSPDXID: SPDXRef-ContainerImage-d8b2a386253047e7\nPackageDownloadLocation: NONE\nPrimaryPackagePurpose: CONTAINER\nFilesAnalyzed: false\nExternalRef: PACKAGE-MANAGER purl pkg:oci/alpine@sha256%3A19b4bcc4f60e99dd5ebdca0cbce22c503bbcff197549d7e19dab4f22254dc864?arch=amd64&repository_url=index.docker.io%2Flibrary%2Falpine\n\n##### Package: alpine\n\nPackageName: alpine\nSPDXID: SPDXRef-OperatingSystem-c24750c3b737d897\nPackageVersion: 3.15.11\nPackageDownloadLocation: NONE\nPrimaryPackagePurpose: OPERATING-SYSTEM\nFilesAnalyzed: false\n\n##### Package: libretls\n\nPackageName: libretls\nSPDXID: SPDXRef-Package-343391d704e00fbd\nPackageVersion: 3.3.4-r3\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NONE\nPrimaryPackagePurpose: LIBRARY\nFilesAnalyzed: false\nPackageChecksum: SHA1: 67dfefe5456c45192b60d76ade98c501b0ae814f\nPackageSourceInfo: built package from: libretls 3.3.4-r3\nPackageLicenseConcluded: ISC AND BSD-3-Clause AND MIT\nPackageLicenseDeclared: ISC AND BSD-3-Clause AND MIT\nExternalRef: PACKAGE-MANAGER purl pkg:apk/alpine/libretls@3.3.4-r3?arch=x86_64&distro=3.15.11\n\n##### Package: libc-utils\n\nPackageName: libc-utils\nSPDXID: SPDXRef-Package-43343abe5c1a0439\nPackageVersion: 0.7.2-r3\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NONE\nPrimaryPackagePurpose: LIBRARY\nFilesAnalyzed: false\nPackageChecksum: SHA1: 798de3ebb57f3e28f408080746935f213a099722\nPackageSourceInfo: built package from: libc-dev 0.7.2-r3\nPackageLicenseConcluded: BSD-2-Clause AND BSD-3-Clause\nPackageLicenseDeclared: BSD-2-Clause AND BSD-3-Clause\nExternalRef: PACKAGE-MANAGER purl 
pkg:apk/alpine/libc-utils@0.7.2-r3?arch=x86_64&distro=3.15.11\n\n##### Package: alpine-baselayout\n\nPackageName: alpine-baselayout\nSPDXID: SPDXRef-Package-64b7e662458dcd5f\nPackageVersion: 3.2.0-r18\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NONE\nPrimaryPackagePurpose: LIBRARY\nFilesAnalyzed: false\nPackageChecksum: SHA1: 132992eab020986b3b5d886a77212889680467a0\nPackageSourceInfo: built package from: alpine-baselayout 3.2.0-r18\nPackageLicenseConcluded: GPL-2.0-only\nPackageLicenseDeclared: GPL-2.0-only\nExternalRef: PACKAGE-MANAGER purl pkg:apk/alpine/alpine-baselayout@3.2.0-r18?arch=x86_64&distro=3.15.11\n\n##### Package: busybox\n\nPackageName: busybox\nSPDXID: SPDXRef-Package-6c7c9dac75e301b7\nPackageVersion: 1.34.1-r7\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NONE\nPrimaryPackagePurpose: LIBRARY\nFilesAnalyzed: false\nPackageChecksum: SHA1: 21f9265e7a34c795fba4e99c8ae37b57f31cd1a2\nPackageSourceInfo: built package from: busybox 1.34.1-r7\nPackageLicenseConcluded: GPL-2.0-only\nPackageLicenseDeclared: GPL-2.0-only\nExternalRef: PACKAGE-MANAGER purl pkg:apk/alpine/busybox@1.34.1-r7?arch=x86_64&distro=3.15.11\n\n##### Package: ca-certificates-bundle\n\nPackageName: ca-certificates-bundle\nSPDXID: SPDXRef-Package-702c9bf0cfddb42e\nPackageVersion: 20230506-r0\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NONE\nPrimaryPackagePurpose: LIBRARY\nFilesAnalyzed: false\nPackageChecksum: SHA1: 99894c0b834a3f5955e6e5d5f0d804943f05ff52\nPackageSourceInfo: built package from: ca-certificates 20230506-r0\nPackageLicenseConcluded: MPL-2.0 AND MIT\nPackageLicenseDeclared: MPL-2.0 AND MIT\nExternalRef: PACKAGE-MANAGER purl pkg:apk/alpine/ca-certificates-bundle@20230506-r0?arch=x86_64&distro=3.15.11\n\n##### Package: musl-utils\n\nPackageName: musl-utils\nSPDXID: SPDXRef-Package-92eb9ab29b057905\nPackageVersion: 1.2.2-r9\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NONE\nPrimaryPackagePurpose: LIBRARY\nFilesAnalyzed: 
false\nPackageChecksum: SHA1: f69aa6d6a57c90358005ce61ccb4ad96cdc303f4\nPackageSourceInfo: built package from: musl 1.2.2-r9\nPackageLicenseConcluded: MIT AND BSD-3-Clause AND GPL-2.0-or-later\nPackageLicenseDeclared: MIT AND BSD-3-Clause AND GPL-2.0-or-later\nExternalRef: PACKAGE-MANAGER purl pkg:apk/alpine/musl-utils@1.2.2-r9?arch=x86_64&distro=3.15.11\n\n##### Package: scanelf\n\nPackageName: scanelf\nSPDXID: SPDXRef-Package-988bca2f70cf58f6\nPackageVersion: 1.3.3-r0\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NONE\nPrimaryPackagePurpose: LIBRARY\nFilesAnalyzed: false\nPackageChecksum: SHA1: d7f7590e450870a4f79671c2369b31b5bb07349a\nPackageSourceInfo: built package from: pax-utils 1.3.3-r0\nPackageLicenseConcluded: GPL-2.0-only\nPackageLicenseDeclared: GPL-2.0-only\nExternalRef: PACKAGE-MANAGER purl pkg:apk/alpine/scanelf@1.3.3-r0?arch=x86_64&distro=3.15.11\n\n##### Package: apk-tools\n\nPackageName: apk-tools\nSPDXID: SPDXRef-Package-aa2e51a695e95cb9\nPackageVersion: 2.12.7-r3\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NONE\nPrimaryPackagePurpose: LIBRARY\nFilesAnalyzed: false\nPackageChecksum: SHA1: ddf3ddf8545768bc323649559feaae1560f29273\nPackageSourceInfo: built package from: apk-tools 2.12.7-r3\nPackageLicenseConcluded: GPL-2.0-only\nPackageLicenseDeclared: GPL-2.0-only\nExternalRef: PACKAGE-MANAGER purl pkg:apk/alpine/apk-tools@2.12.7-r3?arch=x86_64&distro=3.15.11\n\n##### Package: libcrypto1.1\n\nPackageName: libcrypto1.1\nSPDXID: SPDXRef-Package-ba5f079c5c32fc8\nPackageVersion: 1.1.1w-r1\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NONE\nPrimaryPackagePurpose: LIBRARY\nFilesAnalyzed: false\nPackageChecksum: SHA1: e378634f5c8af32ca75ac56f41ecf4e8d49584a0\nPackageSourceInfo: built package from: openssl 1.1.1w-r1\nPackageLicenseConcluded: OpenSSL\nPackageLicenseDeclared: OpenSSL\nExternalRef: PACKAGE-MANAGER purl pkg:apk/alpine/libcrypto1.1@1.1.1w-r1?arch=x86_64&distro=3.15.11\n\n##### Package: 
alpine-keys\n\nPackageName: alpine-keys\nSPDXID: SPDXRef-Package-be18726b6be779d1\nPackageVersion: 2.4-r1\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NONE\nPrimaryPackagePurpose: LIBRARY\nFilesAnalyzed: false\nPackageChecksum: SHA1: 903176b2d2a8ddefd1ba6940f19ad17c2c1d4aff\nPackageSourceInfo: built package from: alpine-keys 2.4-r1\nPackageLicenseConcluded: MIT\nPackageLicenseDeclared: MIT\nExternalRef: PACKAGE-MANAGER purl pkg:apk/alpine/alpine-keys@2.4-r1?arch=x86_64&distro=3.15.11\n\n##### Package: ssl_client\n\nPackageName: ssl_client\nSPDXID: SPDXRef-Package-d9ad92ed9413c93b\nPackageVersion: 1.34.1-r7\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NONE\nPrimaryPackagePurpose: LIBRARY\nFilesAnalyzed: false\nPackageChecksum: SHA1: dddfa62dd51bd8807ee1d8660e860574a9dd78ed\nPackageSourceInfo: built package from: busybox 1.34.1-r7\nPackageLicenseConcluded: GPL-2.0-only\nPackageLicenseDeclared: GPL-2.0-only\nExternalRef: PACKAGE-MANAGER purl pkg:apk/alpine/ssl_client@1.34.1-r7?arch=x86_64&distro=3.15.11\n\n##### Package: musl\n\nPackageName: musl\nSPDXID: SPDXRef-Package-ee9b5186331e7a76\nPackageVersion: 1.2.2-r9\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NONE\nPrimaryPackagePurpose: LIBRARY\nFilesAnalyzed: false\nPackageChecksum: SHA1: 7ebdef6cf7f9b58c0e213b333db946d22b00b777\nPackageSourceInfo: built package from: musl 1.2.2-r9\nPackageLicenseConcluded: MIT\nPackageLicenseDeclared: MIT\nExternalRef: PACKAGE-MANAGER purl pkg:apk/alpine/musl@1.2.2-r9?arch=x86_64&distro=3.15.11\n\n##### Package: libssl1.1\n\nPackageName: libssl1.1\nSPDXID: SPDXRef-Package-f00669065070476c\nPackageVersion: 1.1.1w-r1\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NONE\nPrimaryPackagePurpose: LIBRARY\nFilesAnalyzed: false\nPackageChecksum: SHA1: 9306ed15b3bdfc7553d5c14c472d87a41fef8541\nPackageSourceInfo: built package from: openssl 1.1.1w-r1\nPackageLicenseConcluded: OpenSSL\nPackageLicenseDeclared: OpenSSL\nExternalRef: PACKAGE-MANAGER purl 
pkg:apk/alpine/libssl1.1@1.1.1w-r1?arch=x86_64&distro=3.15.11\n\n##### Package: zlib\n\nPackageName: zlib\nSPDXID: SPDXRef-Package-fcb106f21773cad3\nPackageVersion: 1.2.12-r3\nPackageSupplier: NOASSERTION\nPackageDownloadLocation: NONE\nPrimaryPackagePurpose: LIBRARY\nFilesAnalyzed: false\nPackageChecksum: SHA1: ab98d0416bf1dcd245c7b0800f99cbceacfa48b3\nPackageSourceInfo: built package from: zlib 1.2.12-r3\nPackageLicenseConcluded: Zlib\nPackageLicenseDeclared: Zlib\nExternalRef: PACKAGE-MANAGER purl pkg:apk/alpine/zlib@1.2.12-r3?arch=x86_64&distro=3.15.11\n\n##### Relationships\n\nRelationship: SPDXRef-ContainerImage-d8b2a386253047e7 CONTAINS SPDXRef-OperatingSystem-c24750c3b737d897\nRelationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-ContainerImage-d8b2a386253047e7\nRelationship: SPDXRef-OperatingSystem-c24750c3b737d897 CONTAINS SPDXRef-Package-343391d704e00fbd\nRelationship: SPDXRef-OperatingSystem-c24750c3b737d897 CONTAINS SPDXRef-Package-43343abe5c1a0439\nRelationship: SPDXRef-OperatingSystem-c24750c3b737d897 CONTAINS SPDXRef-Package-64b7e662458dcd5f\nRelationship: SPDXRef-OperatingSystem-c24750c3b737d897 CONTAINS SPDXRef-Package-6c7c9dac75e301b7\nRelationship: SPDXRef-OperatingSystem-c24750c3b737d897 CONTAINS SPDXRef-Package-702c9bf0cfddb42e\nRelationship: SPDXRef-OperatingSystem-c24750c3b737d897 CONTAINS SPDXRef-Package-92eb9ab29b057905\nRelationship: SPDXRef-OperatingSystem-c24750c3b737d897 CONTAINS SPDXRef-Package-988bca2f70cf58f6\nRelationship: SPDXRef-OperatingSystem-c24750c3b737d897 CONTAINS SPDXRef-Package-aa2e51a695e95cb9\nRelationship: SPDXRef-OperatingSystem-c24750c3b737d897 CONTAINS SPDXRef-Package-ba5f079c5c32fc8\nRelationship: SPDXRef-OperatingSystem-c24750c3b737d897 CONTAINS SPDXRef-Package-be18726b6be779d1\nRelationship: SPDXRef-OperatingSystem-c24750c3b737d897 CONTAINS SPDXRef-Package-d9ad92ed9413c93b\nRelationship: SPDXRef-OperatingSystem-c24750c3b737d897 CONTAINS SPDXRef-Package-ee9b5186331e7a76\nRelationship: 
SPDXRef-OperatingSystem-c24750c3b737d897 CONTAINS SPDXRef-Package-f00669065070476c\nRelationship: SPDXRef-OperatingSystem-c24750c3b737d897 CONTAINS SPDXRef-Package-fcb106f21773cad3\nRelationship: SPDXRef-Package-343391d704e00fbd DEPENDS_ON SPDXRef-Package-702c9bf0cfddb42e\nRelationship: SPDXRef-Package-343391d704e00fbd DEPENDS_ON SPDXRef-Package-ba5f079c5c32fc8\nRelationship: SPDXRef-Package-343391d704e00fbd DEPENDS_ON SPDXRef-Package-ee9b5186331e7a76\nRelationship: SPDXRef-Package-343391d704e00fbd DEPENDS_ON SPDXRef-Package-f00669065070476c\nRelationship: SPDXRef-Package-43343abe5c1a0439 DEPENDS_ON SPDXRef-Package-92eb9ab29b057905\nRelationship: SPDXRef-Package-64b7e662458dcd5f DEPENDS_ON SPDXRef-Package-6c7c9dac75e301b7\nRelationship: SPDXRef-Package-64b7e662458dcd5f DEPENDS_ON SPDXRef-Package-ee9b5186331e7a76\nRelationship: SPDXRef-Package-6c7c9dac75e301b7 DEPENDS_ON SPDXRef-Package-ee9b5186331e7a76\nRelationship: SPDXRef-Package-92eb9ab29b057905 DEPENDS_ON SPDXRef-Package-988bca2f70cf58f6\nRelationship: SPDXRef-Package-92eb9ab29b057905 DEPENDS_ON SPDXRef-Package-ee9b5186331e7a76\nRelationship: SPDXRef-Package-988bca2f70cf58f6 DEPENDS_ON SPDXRef-Package-ee9b5186331e7a76\nRelationship: SPDXRef-Package-aa2e51a695e95cb9 DEPENDS_ON SPDXRef-Package-702c9bf0cfddb42e\nRelationship: SPDXRef-Package-aa2e51a695e95cb9 DEPENDS_ON SPDXRef-Package-ba5f079c5c32fc8\nRelationship: SPDXRef-Package-aa2e51a695e95cb9 DEPENDS_ON SPDXRef-Package-ee9b5186331e7a76\nRelationship: SPDXRef-Package-aa2e51a695e95cb9 DEPENDS_ON SPDXRef-Package-f00669065070476c\nRelationship: SPDXRef-Package-aa2e51a695e95cb9 DEPENDS_ON SPDXRef-Package-fcb106f21773cad3\nRelationship: SPDXRef-Package-ba5f079c5c32fc8 DEPENDS_ON SPDXRef-Package-ee9b5186331e7a76\nRelationship: SPDXRef-Package-d9ad92ed9413c93b DEPENDS_ON SPDXRef-Package-343391d704e00fbd\nRelationship: SPDXRef-Package-d9ad92ed9413c93b DEPENDS_ON SPDXRef-Package-ee9b5186331e7a76\nRelationship: SPDXRef-Package-f00669065070476c DEPENDS_ON 
SPDXRef-Package-ba5f079c5c32fc8\nRelationship: SPDXRef-Package-f00669065070476c DEPENDS_ON SPDXRef-Package-ee9b5186331e7a76\nRelationship: SPDXRef-Package-fcb106f21773cad3 DEPENDS_ON SPDXRef-Package-ee9b5186331e7a76\n
$ trivy image --format spdx-json --output result.spdx alpine:3.15\n
Result {\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"alpine:3.15\",\n \"documentNamespace\": \"http://trivy.dev/container_image/alpine:3.15-bbe0096f-0ed0-47b4-bbea-82121a9201f1\",\n \"creationInfo\": {\n \"creators\": [\n \"Organization: aquasecurity\",\n \"Tool: trivy-0.58.0\"\n ],\n \"created\": \"2025-02-13T12:22:22Z\"\n },\n \"packages\": [\n {\n \"name\": \"alpine:3.15\",\n \"SPDXID\": \"SPDXRef-ContainerImage-d8b2a386253047e7\",\n \"downloadLocation\": \"NONE\",\n \"filesAnalyzed\": false,\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:oci/alpine@sha256%3A19b4bcc4f60e99dd5ebdca0cbce22c503bbcff197549d7e19dab4f22254dc864?arch=amd64\\u0026repository_url=index.docker.io%2Flibrary%2Falpine\"\n }\n ],\n \"primaryPackagePurpose\": \"CONTAINER\",\n \"annotations\": [\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"DiffID: sha256:2879a4821959ab702528e28a1c59cd26c4956112497f6d1dbfd86c8d88003983\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"ImageID: sha256:32b91e3161c8fc2e3baf2732a594305ca5093c82ff4e0c9f6ebbd2a879468e1d\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"RepoDigest: alpine@sha256:19b4bcc4f60e99dd5ebdca0cbce22c503bbcff197549d7e19dab4f22254dc864\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"RepoTag: alpine:3.15\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"SchemaVersion: 2\"\n }\n ]\n },\n {\n \"name\": 
\"alpine-baselayout\",\n \"SPDXID\": \"SPDXRef-Package-64b7e662458dcd5f\",\n \"versionInfo\": \"3.2.0-r18\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NONE\",\n \"filesAnalyzed\": false,\n \"checksums\": [\n {\n \"algorithm\": \"SHA1\",\n \"checksumValue\": \"132992eab020986b3b5d886a77212889680467a0\"\n }\n ],\n \"sourceInfo\": \"built package from: alpine-baselayout 3.2.0-r18\",\n \"licenseConcluded\": \"GPL-2.0-only\",\n \"licenseDeclared\": \"GPL-2.0-only\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:apk/alpine/alpine-baselayout@3.2.0-r18?arch=x86_64\\u0026distro=3.15.11\"\n }\n ],\n \"primaryPackagePurpose\": \"LIBRARY\",\n \"annotations\": [\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDiffID: sha256:2879a4821959ab702528e28a1c59cd26c4956112497f6d1dbfd86c8d88003983\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDigest: sha256:d078792c4f9122259f14b539315bd92cbd9490ed73e08255a08689122b143108\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgID: alpine-baselayout@3.2.0-r18\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgType: alpine\"\n }\n ]\n },\n {\n \"name\": \"alpine-keys\",\n \"SPDXID\": \"SPDXRef-Package-be18726b6be779d1\",\n \"versionInfo\": \"2.4-r1\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NONE\",\n \"filesAnalyzed\": false,\n \"checksums\": [\n {\n \"algorithm\": \"SHA1\",\n \"checksumValue\": \"903176b2d2a8ddefd1ba6940f19ad17c2c1d4aff\"\n }\n ],\n \"sourceInfo\": \"built package from: alpine-keys 2.4-r1\",\n 
\"licenseConcluded\": \"MIT\",\n \"licenseDeclared\": \"MIT\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:apk/alpine/alpine-keys@2.4-r1?arch=x86_64\\u0026distro=3.15.11\"\n }\n ],\n \"primaryPackagePurpose\": \"LIBRARY\",\n \"annotations\": [\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDiffID: sha256:2879a4821959ab702528e28a1c59cd26c4956112497f6d1dbfd86c8d88003983\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDigest: sha256:d078792c4f9122259f14b539315bd92cbd9490ed73e08255a08689122b143108\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgID: alpine-keys@2.4-r1\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgType: alpine\"\n }\n ]\n },\n {\n \"name\": \"apk-tools\",\n \"SPDXID\": \"SPDXRef-Package-aa2e51a695e95cb9\",\n \"versionInfo\": \"2.12.7-r3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NONE\",\n \"filesAnalyzed\": false,\n \"checksums\": [\n {\n \"algorithm\": \"SHA1\",\n \"checksumValue\": \"ddf3ddf8545768bc323649559feaae1560f29273\"\n }\n ],\n \"sourceInfo\": \"built package from: apk-tools 2.12.7-r3\",\n \"licenseConcluded\": \"GPL-2.0-only\",\n \"licenseDeclared\": \"GPL-2.0-only\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:apk/alpine/apk-tools@2.12.7-r3?arch=x86_64\\u0026distro=3.15.11\"\n }\n ],\n \"primaryPackagePurpose\": \"LIBRARY\",\n \"annotations\": [\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": 
\"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDiffID: sha256:2879a4821959ab702528e28a1c59cd26c4956112497f6d1dbfd86c8d88003983\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDigest: sha256:d078792c4f9122259f14b539315bd92cbd9490ed73e08255a08689122b143108\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgID: apk-tools@2.12.7-r3\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgType: alpine\"\n }\n ]\n },\n {\n \"name\": \"busybox\",\n \"SPDXID\": \"SPDXRef-Package-6c7c9dac75e301b7\",\n \"versionInfo\": \"1.34.1-r7\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NONE\",\n \"filesAnalyzed\": false,\n \"checksums\": [\n {\n \"algorithm\": \"SHA1\",\n \"checksumValue\": \"21f9265e7a34c795fba4e99c8ae37b57f31cd1a2\"\n }\n ],\n \"sourceInfo\": \"built package from: busybox 1.34.1-r7\",\n \"licenseConcluded\": \"GPL-2.0-only\",\n \"licenseDeclared\": \"GPL-2.0-only\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:apk/alpine/busybox@1.34.1-r7?arch=x86_64\\u0026distro=3.15.11\"\n }\n ],\n \"primaryPackagePurpose\": \"LIBRARY\",\n \"annotations\": [\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDiffID: sha256:2879a4821959ab702528e28a1c59cd26c4956112497f6d1dbfd86c8d88003983\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDigest: sha256:d078792c4f9122259f14b539315bd92cbd9490ed73e08255a08689122b143108\"\n },\n {\n \"annotator\": 
\"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgID: busybox@1.34.1-r7\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgType: alpine\"\n }\n ]\n },\n {\n \"name\": \"ca-certificates-bundle\",\n \"SPDXID\": \"SPDXRef-Package-702c9bf0cfddb42e\",\n \"versionInfo\": \"20230506-r0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NONE\",\n \"filesAnalyzed\": false,\n \"checksums\": [\n {\n \"algorithm\": \"SHA1\",\n \"checksumValue\": \"99894c0b834a3f5955e6e5d5f0d804943f05ff52\"\n }\n ],\n \"sourceInfo\": \"built package from: ca-certificates 20230506-r0\",\n \"licenseConcluded\": \"MPL-2.0 AND MIT\",\n \"licenseDeclared\": \"MPL-2.0 AND MIT\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:apk/alpine/ca-certificates-bundle@20230506-r0?arch=x86_64\\u0026distro=3.15.11\"\n }\n ],\n \"primaryPackagePurpose\": \"LIBRARY\",\n \"annotations\": [\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDiffID: sha256:2879a4821959ab702528e28a1c59cd26c4956112497f6d1dbfd86c8d88003983\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDigest: sha256:d078792c4f9122259f14b539315bd92cbd9490ed73e08255a08689122b143108\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgID: ca-certificates-bundle@20230506-r0\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgType: alpine\"\n }\n ]\n },\n {\n \"name\": \"libc-utils\",\n 
\"SPDXID\": \"SPDXRef-Package-43343abe5c1a0439\",\n \"versionInfo\": \"0.7.2-r3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NONE\",\n \"filesAnalyzed\": false,\n \"checksums\": [\n {\n \"algorithm\": \"SHA1\",\n \"checksumValue\": \"798de3ebb57f3e28f408080746935f213a099722\"\n }\n ],\n \"sourceInfo\": \"built package from: libc-dev 0.7.2-r3\",\n \"licenseConcluded\": \"BSD-2-Clause AND BSD-3-Clause\",\n \"licenseDeclared\": \"BSD-2-Clause AND BSD-3-Clause\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:apk/alpine/libc-utils@0.7.2-r3?arch=x86_64\\u0026distro=3.15.11\"\n }\n ],\n \"primaryPackagePurpose\": \"LIBRARY\",\n \"annotations\": [\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDiffID: sha256:2879a4821959ab702528e28a1c59cd26c4956112497f6d1dbfd86c8d88003983\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDigest: sha256:d078792c4f9122259f14b539315bd92cbd9490ed73e08255a08689122b143108\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgID: libc-utils@0.7.2-r3\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgType: alpine\"\n }\n ]\n },\n {\n \"name\": \"libcrypto1.1\",\n \"SPDXID\": \"SPDXRef-Package-ba5f079c5c32fc8\",\n \"versionInfo\": \"1.1.1w-r1\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NONE\",\n \"filesAnalyzed\": false,\n \"checksums\": [\n {\n \"algorithm\": \"SHA1\",\n \"checksumValue\": \"e378634f5c8af32ca75ac56f41ecf4e8d49584a0\"\n }\n ],\n \"sourceInfo\": \"built package from: openssl 1.1.1w-r1\",\n \"licenseConcluded\": 
\"OpenSSL\",\n \"licenseDeclared\": \"OpenSSL\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:apk/alpine/libcrypto1.1@1.1.1w-r1?arch=x86_64\\u0026distro=3.15.11\"\n }\n ],\n \"primaryPackagePurpose\": \"LIBRARY\",\n \"annotations\": [\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDiffID: sha256:2879a4821959ab702528e28a1c59cd26c4956112497f6d1dbfd86c8d88003983\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDigest: sha256:d078792c4f9122259f14b539315bd92cbd9490ed73e08255a08689122b143108\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgID: libcrypto1.1@1.1.1w-r1\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgType: alpine\"\n }\n ]\n },\n {\n \"name\": \"libretls\",\n \"SPDXID\": \"SPDXRef-Package-343391d704e00fbd\",\n \"versionInfo\": \"3.3.4-r3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NONE\",\n \"filesAnalyzed\": false,\n \"checksums\": [\n {\n \"algorithm\": \"SHA1\",\n \"checksumValue\": \"67dfefe5456c45192b60d76ade98c501b0ae814f\"\n }\n ],\n \"sourceInfo\": \"built package from: libretls 3.3.4-r3\",\n \"licenseConcluded\": \"ISC AND BSD-3-Clause AND MIT\",\n \"licenseDeclared\": \"ISC AND BSD-3-Clause AND MIT\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:apk/alpine/libretls@3.3.4-r3?arch=x86_64\\u0026distro=3.15.11\"\n }\n ],\n \"primaryPackagePurpose\": \"LIBRARY\",\n \"annotations\": [\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": 
\"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDiffID: sha256:2879a4821959ab702528e28a1c59cd26c4956112497f6d1dbfd86c8d88003983\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDigest: sha256:d078792c4f9122259f14b539315bd92cbd9490ed73e08255a08689122b143108\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgID: libretls@3.3.4-r3\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgType: alpine\"\n }\n ]\n },\n {\n \"name\": \"libssl1.1\",\n \"SPDXID\": \"SPDXRef-Package-f00669065070476c\",\n \"versionInfo\": \"1.1.1w-r1\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NONE\",\n \"filesAnalyzed\": false,\n \"checksums\": [\n {\n \"algorithm\": \"SHA1\",\n \"checksumValue\": \"9306ed15b3bdfc7553d5c14c472d87a41fef8541\"\n }\n ],\n \"sourceInfo\": \"built package from: openssl 1.1.1w-r1\",\n \"licenseConcluded\": \"OpenSSL\",\n \"licenseDeclared\": \"OpenSSL\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:apk/alpine/libssl1.1@1.1.1w-r1?arch=x86_64\\u0026distro=3.15.11\"\n }\n ],\n \"primaryPackagePurpose\": \"LIBRARY\",\n \"annotations\": [\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDiffID: sha256:2879a4821959ab702528e28a1c59cd26c4956112497f6d1dbfd86c8d88003983\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDigest: sha256:d078792c4f9122259f14b539315bd92cbd9490ed73e08255a08689122b143108\"\n },\n {\n \"annotator\": \"Tool: 
trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgID: libssl1.1@1.1.1w-r1\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgType: alpine\"\n }\n ]\n },\n {\n \"name\": \"musl\",\n \"SPDXID\": \"SPDXRef-Package-ee9b5186331e7a76\",\n \"versionInfo\": \"1.2.2-r9\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NONE\",\n \"filesAnalyzed\": false,\n \"checksums\": [\n {\n \"algorithm\": \"SHA1\",\n \"checksumValue\": \"7ebdef6cf7f9b58c0e213b333db946d22b00b777\"\n }\n ],\n \"sourceInfo\": \"built package from: musl 1.2.2-r9\",\n \"licenseConcluded\": \"MIT\",\n \"licenseDeclared\": \"MIT\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:apk/alpine/musl@1.2.2-r9?arch=x86_64\\u0026distro=3.15.11\"\n }\n ],\n \"primaryPackagePurpose\": \"LIBRARY\",\n \"annotations\": [\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDiffID: sha256:2879a4821959ab702528e28a1c59cd26c4956112497f6d1dbfd86c8d88003983\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDigest: sha256:d078792c4f9122259f14b539315bd92cbd9490ed73e08255a08689122b143108\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgID: musl@1.2.2-r9\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgType: alpine\"\n }\n ]\n },\n {\n \"name\": \"musl-utils\",\n \"SPDXID\": \"SPDXRef-Package-92eb9ab29b057905\",\n \"versionInfo\": \"1.2.2-r9\",\n \"supplier\": 
\"NOASSERTION\",\n \"downloadLocation\": \"NONE\",\n \"filesAnalyzed\": false,\n \"checksums\": [\n {\n \"algorithm\": \"SHA1\",\n \"checksumValue\": \"f69aa6d6a57c90358005ce61ccb4ad96cdc303f4\"\n }\n ],\n \"sourceInfo\": \"built package from: musl 1.2.2-r9\",\n \"licenseConcluded\": \"MIT AND BSD-3-Clause AND GPL-2.0-or-later\",\n \"licenseDeclared\": \"MIT AND BSD-3-Clause AND GPL-2.0-or-later\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:apk/alpine/musl-utils@1.2.2-r9?arch=x86_64\\u0026distro=3.15.11\"\n }\n ],\n \"primaryPackagePurpose\": \"LIBRARY\",\n \"annotations\": [\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDiffID: sha256:2879a4821959ab702528e28a1c59cd26c4956112497f6d1dbfd86c8d88003983\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDigest: sha256:d078792c4f9122259f14b539315bd92cbd9490ed73e08255a08689122b143108\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgID: musl-utils@1.2.2-r9\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgType: alpine\"\n }\n ]\n },\n {\n \"name\": \"scanelf\",\n \"SPDXID\": \"SPDXRef-Package-988bca2f70cf58f6\",\n \"versionInfo\": \"1.3.3-r0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NONE\",\n \"filesAnalyzed\": false,\n \"checksums\": [\n {\n \"algorithm\": \"SHA1\",\n \"checksumValue\": \"d7f7590e450870a4f79671c2369b31b5bb07349a\"\n }\n ],\n \"sourceInfo\": \"built package from: pax-utils 1.3.3-r0\",\n \"licenseConcluded\": \"GPL-2.0-only\",\n \"licenseDeclared\": \"GPL-2.0-only\",\n \"externalRefs\": [\n 
{\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:apk/alpine/scanelf@1.3.3-r0?arch=x86_64\\u0026distro=3.15.11\"\n }\n ],\n \"primaryPackagePurpose\": \"LIBRARY\",\n \"annotations\": [\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDiffID: sha256:2879a4821959ab702528e28a1c59cd26c4956112497f6d1dbfd86c8d88003983\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDigest: sha256:d078792c4f9122259f14b539315bd92cbd9490ed73e08255a08689122b143108\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgID: scanelf@1.3.3-r0\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgType: alpine\"\n }\n ]\n },\n {\n \"name\": \"ssl_client\",\n \"SPDXID\": \"SPDXRef-Package-d9ad92ed9413c93b\",\n \"versionInfo\": \"1.34.1-r7\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NONE\",\n \"filesAnalyzed\": false,\n \"checksums\": [\n {\n \"algorithm\": \"SHA1\",\n \"checksumValue\": \"dddfa62dd51bd8807ee1d8660e860574a9dd78ed\"\n }\n ],\n \"sourceInfo\": \"built package from: busybox 1.34.1-r7\",\n \"licenseConcluded\": \"GPL-2.0-only\",\n \"licenseDeclared\": \"GPL-2.0-only\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:apk/alpine/ssl_client@1.34.1-r7?arch=x86_64\\u0026distro=3.15.11\"\n }\n ],\n \"primaryPackagePurpose\": \"LIBRARY\",\n \"annotations\": [\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDiffID: 
sha256:2879a4821959ab702528e28a1c59cd26c4956112497f6d1dbfd86c8d88003983\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDigest: sha256:d078792c4f9122259f14b539315bd92cbd9490ed73e08255a08689122b143108\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgID: ssl_client@1.34.1-r7\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgType: alpine\"\n }\n ]\n },\n {\n \"name\": \"zlib\",\n \"SPDXID\": \"SPDXRef-Package-fcb106f21773cad3\",\n \"versionInfo\": \"1.2.12-r3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NONE\",\n \"filesAnalyzed\": false,\n \"checksums\": [\n {\n \"algorithm\": \"SHA1\",\n \"checksumValue\": \"ab98d0416bf1dcd245c7b0800f99cbceacfa48b3\"\n }\n ],\n \"sourceInfo\": \"built package from: zlib 1.2.12-r3\",\n \"licenseConcluded\": \"Zlib\",\n \"licenseDeclared\": \"Zlib\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:apk/alpine/zlib@1.2.12-r3?arch=x86_64\\u0026distro=3.15.11\"\n }\n ],\n \"primaryPackagePurpose\": \"LIBRARY\",\n \"annotations\": [\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDiffID: sha256:2879a4821959ab702528e28a1c59cd26c4956112497f6d1dbfd86c8d88003983\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"LayerDigest: sha256:d078792c4f9122259f14b539315bd92cbd9490ed73e08255a08689122b143108\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": 
\"PkgID: zlib@1.2.12-r3\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"PkgType: alpine\"\n }\n ]\n },\n {\n \"name\": \"alpine\",\n \"SPDXID\": \"SPDXRef-OperatingSystem-c24750c3b737d897\",\n \"versionInfo\": \"3.15.11\",\n \"downloadLocation\": \"NONE\",\n \"filesAnalyzed\": false,\n \"primaryPackagePurpose\": \"OPERATING-SYSTEM\",\n \"annotations\": [\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"Class: os-pkgs\"\n },\n {\n \"annotator\": \"Tool: trivy-0.58.0\",\n \"annotationDate\": \"2025-02-13T12:22:22Z\",\n \"annotationType\": \"OTHER\",\n \"comment\": \"Type: alpine\"\n }\n ]\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-ContainerImage-d8b2a386253047e7\",\n \"relatedSpdxElement\": \"SPDXRef-OperatingSystem-c24750c3b737d897\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-ContainerImage-d8b2a386253047e7\",\n \"relationshipType\": \"DESCRIBES\"\n },\n {\n \"spdxElementId\": \"SPDXRef-OperatingSystem-c24750c3b737d897\",\n \"relatedSpdxElement\": \"SPDXRef-Package-343391d704e00fbd\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-OperatingSystem-c24750c3b737d897\",\n \"relatedSpdxElement\": \"SPDXRef-Package-43343abe5c1a0439\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-OperatingSystem-c24750c3b737d897\",\n \"relatedSpdxElement\": \"SPDXRef-Package-64b7e662458dcd5f\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-OperatingSystem-c24750c3b737d897\",\n \"relatedSpdxElement\": \"SPDXRef-Package-6c7c9dac75e301b7\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-OperatingSystem-c24750c3b737d897\",\n \"relatedSpdxElement\": 
\"SPDXRef-Package-702c9bf0cfddb42e\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-OperatingSystem-c24750c3b737d897\",\n \"relatedSpdxElement\": \"SPDXRef-Package-92eb9ab29b057905\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-OperatingSystem-c24750c3b737d897\",\n \"relatedSpdxElement\": \"SPDXRef-Package-988bca2f70cf58f6\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-OperatingSystem-c24750c3b737d897\",\n \"relatedSpdxElement\": \"SPDXRef-Package-aa2e51a695e95cb9\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-OperatingSystem-c24750c3b737d897\",\n \"relatedSpdxElement\": \"SPDXRef-Package-ba5f079c5c32fc8\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-OperatingSystem-c24750c3b737d897\",\n \"relatedSpdxElement\": \"SPDXRef-Package-be18726b6be779d1\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-OperatingSystem-c24750c3b737d897\",\n \"relatedSpdxElement\": \"SPDXRef-Package-d9ad92ed9413c93b\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-OperatingSystem-c24750c3b737d897\",\n \"relatedSpdxElement\": \"SPDXRef-Package-ee9b5186331e7a76\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-OperatingSystem-c24750c3b737d897\",\n \"relatedSpdxElement\": \"SPDXRef-Package-f00669065070476c\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-OperatingSystem-c24750c3b737d897\",\n \"relatedSpdxElement\": \"SPDXRef-Package-fcb106f21773cad3\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-343391d704e00fbd\",\n \"relatedSpdxElement\": \"SPDXRef-Package-702c9bf0cfddb42e\",\n \"relationshipType\": \"DEPENDS_ON\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-343391d704e00fbd\",\n \"relatedSpdxElement\": \"SPDXRef-Package-ba5f079c5c32fc8\",\n \"relationshipType\": 
\"DEPENDS_ON\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-343391d704e00fbd\",\n \"relatedSpdxElement\": \"SPDXRef-Package-ee9b5186331e7a76\",\n \"relationshipType\": \"DEPENDS_ON\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-343391d704e00fbd\",\n \"relatedSpdxElement\": \"SPDXRef-Package-f00669065070476c\",\n \"relationshipType\": \"DEPENDS_ON\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-43343abe5c1a0439\",\n \"relatedSpdxElement\": \"SPDXRef-Package-92eb9ab29b057905\",\n \"relationshipType\": \"DEPENDS_ON\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-64b7e662458dcd5f\",\n \"relatedSpdxElement\": \"SPDXRef-Package-6c7c9dac75e301b7\",\n \"relationshipType\": \"DEPENDS_ON\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-64b7e662458dcd5f\",\n \"relatedSpdxElement\": \"SPDXRef-Package-ee9b5186331e7a76\",\n \"relationshipType\": \"DEPENDS_ON\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-6c7c9dac75e301b7\",\n \"relatedSpdxElement\": \"SPDXRef-Package-ee9b5186331e7a76\",\n \"relationshipType\": \"DEPENDS_ON\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-92eb9ab29b057905\",\n \"relatedSpdxElement\": \"SPDXRef-Package-988bca2f70cf58f6\",\n \"relationshipType\": \"DEPENDS_ON\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-92eb9ab29b057905\",\n \"relatedSpdxElement\": \"SPDXRef-Package-ee9b5186331e7a76\",\n \"relationshipType\": \"DEPENDS_ON\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-988bca2f70cf58f6\",\n \"relatedSpdxElement\": \"SPDXRef-Package-ee9b5186331e7a76\",\n \"relationshipType\": \"DEPENDS_ON\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-aa2e51a695e95cb9\",\n \"relatedSpdxElement\": \"SPDXRef-Package-702c9bf0cfddb42e\",\n \"relationshipType\": \"DEPENDS_ON\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-aa2e51a695e95cb9\",\n \"relatedSpdxElement\": \"SPDXRef-Package-ba5f079c5c32fc8\",\n \"relationshipType\": \"DEPENDS_ON\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-aa2e51a695e95cb9\",\n \"relatedSpdxElement\": 
\"SPDXRef-Package-ee9b5186331e7a76\",\n \"relationshipType\": \"DEPENDS_ON\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-aa2e51a695e95cb9\",\n \"relatedSpdxElement\": \"SPDXRef-Package-f00669065070476c\",\n \"relationshipType\": \"DEPENDS_ON\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-aa2e51a695e95cb9\",\n \"relatedSpdxElement\": \"SPDXRef-Package-fcb106f21773cad3\",\n \"relationshipType\": \"DEPENDS_ON\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-ba5f079c5c32fc8\",\n \"relatedSpdxElement\": \"SPDXRef-Package-ee9b5186331e7a76\",\n \"relationshipType\": \"DEPENDS_ON\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-d9ad92ed9413c93b\",\n \"relatedSpdxElement\": \"SPDXRef-Package-343391d704e00fbd\",\n \"relationshipType\": \"DEPENDS_ON\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-d9ad92ed9413c93b\",\n \"relatedSpdxElement\": \"SPDXRef-Package-ee9b5186331e7a76\",\n \"relationshipType\": \"DEPENDS_ON\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-f00669065070476c\",\n \"relatedSpdxElement\": \"SPDXRef-Package-ba5f079c5c32fc8\",\n \"relationshipType\": \"DEPENDS_ON\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-f00669065070476c\",\n \"relatedSpdxElement\": \"SPDXRef-Package-ee9b5186331e7a76\",\n \"relationshipType\": \"DEPENDS_ON\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-fcb106f21773cad3\",\n \"relatedSpdxElement\": \"SPDXRef-Package-ee9b5186331e7a76\",\n \"relationshipType\": \"DEPENDS_ON\"\n }\n ]\n}\n
"},{"location":"guide/supply-chain/sbom/#scanning","title":"Scanning","text":""},{"location":"guide/supply-chain/sbom/#sbom-as-target","title":"SBOM as Target","text":"Trivy can take SBOM documents as input for scanning, e.g. trivy sbom ./sbom.spdx. See here for more details.
"},{"location":"guide/supply-chain/sbom/#sbom-detection-inside-targets","title":"SBOM Detection inside Targets","text":"Trivy searches for SBOM files in container images with the following extensions:
.spdx .spdx.json .cdx .cdx.json
In addition, Trivy automatically detects SBOM files in Bitnami images, see here for more details.
It is enabled in the following targets.
Target | Enabled\nContainer Image | \u2713\nFilesystem |\nRootfs | \u2713\nGit Repository |\nVM Image | \u2713\nKubernetes |\nAWS |\nSBOM |"},{"location":"guide/supply-chain/sbom/#sbom-discovery-for-container-images","title":"SBOM Discovery for Container Images","text":"When scanning container images, Trivy can discover SBOM for those images. See here for more details.
"},{"location":"guide/supply-chain/attestation/rekor/","title":"Scan SBOM attestation in Rekor","text":"EXPERIMENTAL
This feature might change without preserving backwards compatibility.
"},{"location":"guide/supply-chain/attestation/rekor/#container-images","title":"Container images","text":"Trivy can retrieve the SBOM attestation for the specified container image from a Rekor instance and scan it for vulnerabilities.
"},{"location":"guide/supply-chain/attestation/rekor/#prerequisites","title":"Prerequisites","text":" - SBOM attestation stored in Rekor
- See the \"Keyless signing\" section if you want to upload your SBOM attestation to Rekor.
"},{"location":"guide/supply-chain/attestation/rekor/#scanning","title":"Scanning","text":"You need to pass --sbom-sources rekor so that Trivy will look for SBOM attestation in Rekor.
Note
--sbom-sources can be used only with trivy image at the moment.
$ trivy image --sbom-sources rekor otms61/alpine:3.7.3 [~/src/github.com/aquasecurity/trivy]\n2022-09-16T17:37:13.258+0900 INFO Vulnerability scanning is enabled\n2022-09-16T17:37:13.258+0900 INFO Secret scanning is enabled\n2022-09-16T17:37:13.258+0900 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning\n2022-09-16T17:37:13.258+0900 INFO Please see also https://trivy.dev/dev/docs/secret/scanning/#recommendation for faster secret detection\n2022-09-16T17:37:14.827+0900 INFO Detected SBOM format: cyclonedx-json\n2022-09-16T17:37:14.901+0900 INFO Found SBOM (cyclonedx) attestation in Rekor\n2022-09-16T17:37:14.903+0900 INFO Detected OS: alpine\n2022-09-16T17:37:14.903+0900 INFO Detecting Alpine vulnerabilities...\n2022-09-16T17:37:14.907+0900 INFO Number of language-specific files: 0\n2022-09-16T17:37:14.908+0900 WARN This OS version is no longer supported by the distribution: alpine 3.7.3\n2022-09-16T17:37:14.908+0900 WARN The vulnerability detection may be insufficient because security updates are not provided\n\notms61/alpine:3.7.3 (alpine 3.7.3)\n==================================\nTotal: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 
2)\n\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 Library \u2502 Vulnerability \u2502 Severity \u2502 Installed Version \u2502 Fixed Version \u2502 Title \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 musl \u2502 CVE-2019-14697 \u2502 CRITICAL \u2502 1.1.18-r3 \u2502 1.1.18-r4 \u2502 musl libc through 1.1.23 has an x87 floating-point stack \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 adjustment im ...... 
\u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2019-14697 \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u2502 \u2502 \u2502 \u2502\n\u2502 musl-utils \u2502 \u2502 \u2502 \u2502 \u2502 \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n
If you have your own Rekor instance, you can specify the URL via --rekor-url.
$ trivy image --sbom-sources rekor --rekor-url https://my-rekor.dev otms61/alpine:3.7.3\n
"},{"location":"guide/supply-chain/attestation/rekor/#non-packaged-binaries","title":"Non-packaged binaries","text":"Trivy can retrieve the SBOM attestation for a non-packaged binary from a Rekor instance and scan it for vulnerabilities.
"},{"location":"guide/supply-chain/attestation/rekor/#prerequisites_1","title":"Prerequisites","text":" - SBOM attestation stored in Rekor
- See the \"Keyless signing\" section if you want to upload your SBOM attestation to Rekor.
Cosign currently does not support keyless signing for blob attestations, so use our plugin for now. This example uses bat, a cat clone written in Rust. First, generate an SBOM from a lock file such as Cargo.lock.
$ git clone -b v0.20.0 https://github.com/sharkdp/bat\n$ trivy fs --format cyclonedx --output bat.cdx ./bat/Cargo.lock\n
Then our attestation plugin stores an SBOM attestation linked to the bat binary in the Rekor instance.
$ wget https://github.com/sharkdp/bat/releases/download/v0.20.0/bat-v0.20.0-x86_64-apple-darwin.tar.gz\n$ tar xvf bat-v0.20.0-x86_64-apple-darwin.tar.gz\n$ trivy plugin install github.com/aquasecurity/trivy-plugin-attest\n$ trivy attest --predicate ./bat.cdx --type cyclonedx ./bat-v0.20.0-x86_64-apple-darwin/bat\n
Note
The public Rekor instance maintained by the Sigstore team limits the attestation size. If you are using the public instance, make sure that your SBOM is small enough. For more detail, refer to the Rekor project's documentation.
"},{"location":"guide/supply-chain/attestation/rekor/#scan-a-non-packaged-binary","title":"Scan a non-packaged binary","text":"Trivy calculates the digest of the bat binary and searches for the SBOM attestation by the digest in Rekor. If it is found, Trivy uses that for vulnerability scanning.
$ trivy fs --sbom-sources rekor ./bat-v0.20.0-x86_64-apple-darwin/bat\n2022-10-25T13:27:25.950+0300 INFO Found SBOM attestation in Rekor: bat\n2022-10-25T13:27:25.993+0300 INFO Number of language-specific files: 1\n2022-10-25T13:27:25.993+0300 INFO Detecting cargo vulnerabilities...\n\nbat (cargo)\n===========\nTotal: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)\n\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 Library \u2502 Vulnerability \u2502 Severity \u2502 Installed Version \u2502 Fixed Version \u2502 Title 
\u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 regex \u2502 CVE-2022-24713 \u2502 HIGH \u2502 1.5.4 \u2502 1.5.5 \u2502 Mozilla: Denial of Service via complex regular expressions \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2022-24713 \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n
This also applies to non-packaged binaries inside container images.
$ trivy image --sbom-sources rekor --scanners vuln alpine-with-bat\n2022-10-25T13:40:14.920+0300 INFO Vulnerability scanning is enabled\n2022-10-25T13:40:18.047+0300 INFO Found SBOM attestation in Rekor: bat\n2022-10-25T13:40:18.186+0300 INFO Detected OS: alpine\n2022-10-25T13:40:18.186+0300 INFO Detecting Alpine vulnerabilities...\n2022-10-25T13:40:18.199+0300 INFO Number of language-specific files: 1\n2022-10-25T13:40:18.199+0300 INFO Detecting cargo vulnerabilities...\n\nalpine-with-bat (alpine 3.15.6)\n===============================\nTotal: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)\n\n\nbat (cargo)\n===========\nTotal: 4 (UNKNOWN: 3, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)\n\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 Library \u2502 Vulnerability \u2502 Severity \u2502 Installed Version \u2502 Fixed Version \u2502 Title 
\u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 regex \u2502 CVE-2022-24713 \u2502 HIGH \u2502 1.5.4 \u2502 1.5.5 \u2502 Mozilla: Denial of Service via complex regular expressions \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2022-24713 \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n
Note
The --sbom-sources rekor flag slows down scanning because Trivy queries Rekor over the Internet for every non-packaged binary it finds.
"},{"location":"guide/supply-chain/attestation/sbom/","title":"SBOM attestation","text":"Cosign supports generating and verifying in-toto attestations. This tool enables you to sign and verify SBOM attestations, and Trivy can take an SBOM attestation as input and scan it for vulnerabilities.
Note
In the following examples, the cosign command writes an attestation to a target OCI registry, so you must have write permission for that registry. If you want to avoid writing to an OCI registry and only want to see the attestation, add the --no-upload option to the cosign command.
"},{"location":"guide/supply-chain/attestation/sbom/#sign-with-a-local-key-pair","title":"Sign with a local key pair","text":"Cosign can generate key pairs and use them for signing and verification. After you run the following command, you will get a public and private key pair. Read more about how to generate key pairs.
$ cosign generate-key-pair\n
In the following example, Trivy generates an SBOM in the CycloneDX format, and then Cosign attaches an attestation of the SBOM to a container image with a local key pair.
# The cyclonedx type is supported in Cosign v1.10.0 or later.\n$ trivy image --format cyclonedx -o sbom.cdx.json <IMAGE>\n$ cosign attest --key /path/to/cosign.key --type cyclonedx --predicate sbom.cdx.json <IMAGE>\n
Then, you can verify attestations on the image.
$ cosign verify-attestation --key /path/to/cosign.pub --type cyclonedx <IMAGE>\n
You can also create attestations for SBOMs in other formats.
# spdx\n$ trivy image --format spdx -o sbom.spdx <IMAGE>\n$ cosign attest --key /path/to/cosign.key --type spdx --predicate sbom.spdx <IMAGE>\n\n# spdx-json\n$ trivy image --format spdx-json -o sbom.spdx.json <IMAGE>\n$ cosign attest --key /path/to/cosign.key --type spdx --predicate sbom.spdx.json <IMAGE>\n
"},{"location":"guide/supply-chain/attestation/sbom/#keyless-signing","title":"Keyless signing","text":"You can use Cosign to sign without keys by authenticating with an OpenID Connect provider supported by Sigstore (Google, GitHub, or Microsoft).
# The cyclonedx type is supported in Cosign v1.10.0 or later.\n$ trivy image --format cyclonedx -o sbom.cdx.json <IMAGE>\n# The following command uploads SBOM attestation to the public Rekor instance.\n$ COSIGN_EXPERIMENTAL=1 cosign attest --type cyclonedx --predicate sbom.cdx.json <IMAGE>\n
You can then verify the attestations.
$ COSIGN_EXPERIMENTAL=1 cosign verify-attestation --type cyclonedx <IMAGE>\n
"},{"location":"guide/supply-chain/attestation/sbom/#scanning","title":"Scanning","text":"Trivy can take an SBOM attestation as input and scan for vulnerabilities. Currently, Trivy supports CycloneDX-type attestation.
In the following example, Cosign retrieves a CycloneDX-type attestation and Trivy scans it. You must create a CycloneDX-type attestation before trying the example. To learn how to create a CycloneDX-type attestation and attach it to an image, see the Sign with a local key pair section.
$ cosign verify-attestation --key /path/to/cosign.pub --type cyclonedx <IMAGE> > sbom.cdx.intoto.jsonl\n$ trivy sbom ./sbom.cdx.intoto.jsonl\n\nsbom.cdx.intoto.jsonl (alpine 3.7.3)\n=========================\nTotal: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)\n\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 Library \u2502 Vulnerability \u2502 Severity \u2502 Installed Version \u2502 Fixed Version \u2502 Title 
\u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 musl \u2502 CVE-2019-14697 \u2502 CRITICAL \u2502 1.1.18-r3 \u2502 1.1.18-r4 \u2502 musl libc through 1.1.23 has an x87 floating-point stack \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 adjustment im ...... 
\u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2019-14697 \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u2502 \u2502 \u2502 \u2502\n\u2502 musl-utils \u2502 \u2502 \u2502 \u2502 \u2502 \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n
"},{"location":"guide/supply-chain/attestation/vuln/","title":"Cosign Vulnerability Attestation","text":""},{"location":"guide/supply-chain/attestation/vuln/#generate-cosign-vulnerability-scan-record","title":"Generate Cosign Vulnerability Scan Record","text":"Trivy generates reports in the Cosign vulnerability scan record format.
You can use the regular subcommands (like image, fs and rootfs) and specify cosign-vuln with the --format option.
$ trivy image --format cosign-vuln --output vuln.json alpine:3.10\n
Result {\n \"invocation\": {\n \"parameters\": null,\n \"uri\": \"\",\n \"event_id\": \"\",\n \"builder.id\": \"\"\n },\n \"scanner\": {\n \"uri\": \"pkg:github/aquasecurity/trivy@v0.30.1-8-gf9cb8a28\",\n \"version\": \"v0.30.1-8-gf9cb8a28\",\n \"db\": {\n \"uri\": \"\",\n \"version\": \"\"\n },\n \"result\": {\n \"SchemaVersion\": 2,\n \"CreatedAt\": 1629894030,\n \"ArtifactName\": \"alpine:3.10\",\n \"ArtifactType\": \"container_image\",\n \"Metadata\": {\n \"OS\": {\n \"Family\": \"alpine\",\n \"Name\": \"3.10.9\",\n \"EOSL\": true\n },\n \"ImageID\": \"sha256:e7b300aee9f9bf3433d32bc9305bfdd22183beb59d933b48d77ab56ba53a197a\",\n \"DiffIDs\": [\n \"sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635\"\n ],\n \"RepoTags\": [\n \"alpine:3.10\"\n ],\n \"RepoDigests\": [\n \"alpine@sha256:451eee8bedcb2f029756dc3e9d73bab0e7943c1ac55cff3a4861c52a0fdd3e98\"\n ],\n \"ImageConfig\": {\n \"architecture\": \"amd64\",\n \"container\": \"fdb7e80e3339e8d0599282e606c907aa5881ee4c668a68136119e6dfac6ce3a4\",\n \"created\": \"2021-04-14T19:20:05.338397761Z\",\n \"docker_version\": \"19.03.12\",\n \"history\": [\n {\n \"created\": \"2021-04-14T19:20:04.987219124Z\",\n \"created_by\": \"/bin/sh -c #(nop) ADD file:c5377eaa926bf412dd8d4a08b0a1f2399cfd708743533b0aa03b53d14cb4bb4e in / \"\n },\n {\n \"created\": \"2021-04-14T19:20:05.338397761Z\",\n \"created_by\": \"/bin/sh -c #(nop) CMD [\\\"/bin/sh\\\"]\",\n \"empty_layer\": true\n }\n ],\n \"os\": \"linux\",\n \"rootfs\": {\n \"type\": \"layers\",\n \"diff_ids\": [\n \"sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635\"\n ]\n },\n \"config\": {\n \"Cmd\": [\n \"/bin/sh\"\n ],\n \"Env\": [\n \"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"\n ],\n \"Image\": \"sha256:eb2080c455e94c22ae35b3aef9e078c492a00795412e026e4d6b41ef64bc7dd8\"\n }\n }\n },\n \"Results\": [\n {\n \"Target\": \"alpine:3.10 (alpine 3.10.9)\",\n \"Class\": \"os-pkgs\",\n \"Type\": \"alpine\",\n 
\"Vulnerabilities\": [\n {\n \"VulnerabilityID\": \"CVE-2021-36159\",\n \"PkgName\": \"apk-tools\",\n \"InstalledVersion\": \"2.10.6-r0\",\n \"FixedVersion\": \"2.10.7-r0\",\n \"Layer\": {\n \"Digest\": \"sha256:396c31837116ac290458afcb928f68b6cc1c7bdd6963fc72f52f365a2a89c1b5\",\n \"DiffID\": \"sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635\"\n },\n \"SeveritySource\": \"nvd\",\n \"PrimaryURL\": \"https://avd.aquasec.com/nvd/cve-2021-36159\",\n \"DataSource\": {\n \"ID\": \"alpine\",\n \"Name\": \"Alpine Secdb\",\n \"URL\": \"https://secdb.alpinelinux.org/\"\n },\n \"Description\": \"libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\\\0' terminator one byte too late.\",\n \"Severity\": \"CRITICAL\",\n \"CweIDs\": [\n \"CWE-125\"\n ],\n \"CVSS\": {\n \"nvd\": {\n \"V2Vector\": \"AV:N/AC:L/Au:N/C:P/I:N/A:P\",\n \"V3Vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H\",\n \"V2Score\": 6.4,\n \"V3Score\": 9.1\n }\n },\n \"References\": [\n \"https://github.com/freebsd/freebsd-src/commits/main/lib/libfetch\",\n \"https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10749\",\n \"https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cdev.kafka.apache.org%3E\",\n \"https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cusers.kafka.apache.org%3E\",\n \"https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cdev.kafka.apache.org%3E\",\n \"https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cusers.kafka.apache.org%3E\"\n ],\n \"PublishedDate\": 
\"2021-08-03T14:15:00Z\",\n \"LastModifiedDate\": \"2021-10-18T12:19:00Z\"\n }\n ]\n }\n ]\n }\n },\n \"metadata\": {\n \"scanStartedOn\": \"2022-07-24T17:14:04.864682+09:00\",\n \"scanFinishedOn\": \"2022-07-24T17:14:04.864682+09:00\"\n }\n}\n
"},{"location":"guide/supply-chain/attestation/vuln/#create-cosign-vulnerability-attestation","title":"Create Cosign Vulnerability Attestation","text":"Cosign supports generating and verifying in-toto attestations, so it can be used to sign and verify a Cosign vulnerability attestation.
Note
In the following examples, the cosign command will write an attestation to a target OCI registry, so you must have permission to write. If you want to avoid writing an OCI registry and only want to see an attestation, add the --no-upload option to the cosign command.
"},{"location":"guide/supply-chain/attestation/vuln/#sign-with-a-local-key-pair","title":"Sign with a local key pair","text":"Cosign can generate key pairs and use them for signing and verification. After you run the following command, you will get a public and private key pair. Read more about how to generate key pairs.
$ cosign generate-key-pair\n
In the following example, Trivy generates a cosign vulnerability scan record, and then Cosign attaches an attestation of it to a container image with a local key pair.
$ trivy image --format cosign-vuln --output vuln.json <IMAGE>\n$ cosign attest --key /path/to/cosign.key --type vuln --predicate vuln.json <IMAGE>\n
Then, you can verify attestations on the image.
$ cosign verify-attestation --key /path/to/cosign.pub --type vuln <IMAGE>\n
"},{"location":"guide/supply-chain/attestation/vuln/#keyless-signing","title":"Keyless signing","text":"You can use Cosign to sign without keys by authenticating with an OpenID Connect provider supported by Sigstore (Google, GitHub, or Microsoft).
$ trivy image --format cosign-vuln -o vuln.json <IMAGE>\n$ cosign attest --type vuln --predicate vuln.json <IMAGE>\n
This will provide a certificate in the output section. You can verify attestations:
$ cosign verify-attestation --certificate=path-to-the-certificate --type vuln --certificate-identity Email-used-to-sign --certificate-oidc-issuer='the-issuer-used' <IMAGE>\n
"},{"location":"guide/supply-chain/vex/","title":"Vulnerability Exploitability Exchange (VEX)","text":"EXPERIMENTAL
This feature might change without preserving backwards compatibility.
Trivy supports filtering detected vulnerabilities using the Vulnerability Exploitability eXchange (VEX), a standardized format for sharing and exchanging information about vulnerabilities. By providing VEX during scanning, it is possible to filter vulnerabilities based on their status.
"},{"location":"guide/supply-chain/vex/#vex-usage-methods","title":"VEX Usage Methods","text":"Trivy currently supports four methods for utilizing VEX:
- VEX Repository
- Local VEX Files
- VEX Attestation
- SBOM Reference
"},{"location":"guide/supply-chain/vex/#enabling-vex","title":"Enabling VEX","text":"To enable VEX, use the --vex option. You can specify the method to use:
- To enable the VEX Repository: --vex repo
- To use a local VEX file: --vex /path/to/vex-document.json
- To enable VEX attestation discovery in an OCI registry: --vex oci
- To use remote VEX files referenced in SBOMs: --vex sbom-ref
$ trivy image ghcr.io/aquasecurity/trivy:0.52.0 --vex repo\n
You can enable these methods simultaneously. The order of specification determines the priority:
- --vex repo --vex /path/to/vex-document.json: the VEX Repository has priority
- --vex /path/to/vex-document.json --vex repo: the local file has priority
For detailed information on each method, please refer to each page.
"},{"location":"guide/supply-chain/vex/file/","title":"Local VEX Files","text":"EXPERIMENTAL
This feature might change without preserving backwards compatibility.
In addition to VEX repositories, Trivy also supports the use of local VEX files for vulnerability filtering. This method is useful when you have specific VEX documents that you want to apply to your scans. Currently, Trivy supports the following formats:
- CycloneDX
- OpenVEX
- CSAF
"},{"location":"guide/supply-chain/vex/file/#cyclonedx","title":"CycloneDX","text":"Target            Supported
Container Image   not supported
Filesystem        not supported
Code Repository   not supported
VM Image          not supported
Kubernetes        not supported
SBOM              ✅
There are two VEX formats for CycloneDX:
- Independent BOM and VEX BOM
- BOM With Embedded VEX
Trivy only supports the Independent BOM and VEX BOM format, so you need to provide a separate VEX file alongside the SBOM. The input SBOM format must be in CycloneDX format.
The following steps are required:
- Generate a CycloneDX SBOM
- Create a VEX based on the SBOM generated in step 1
- Provide the VEX when scanning the CycloneDX SBOM
"},{"location":"guide/supply-chain/vex/file/#generate-the-sbom","title":"Generate the SBOM","text":"You can generate a CycloneDX SBOM with Trivy as follows:
$ trivy image --format cyclonedx --output debian11.sbom.cdx debian:11\n
"},{"location":"guide/supply-chain/vex/file/#create-the-vex","title":"Create the VEX","text":"Next, create a VEX based on the generated SBOM. Multiple vulnerability statuses can be defined under vulnerabilities. Take a look at the example below.
$ cat <<EOF > trivy.vex.cdx\n{\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"vulnerabilities\": [\n {\n \"id\": \"CVE-2020-8911\",\n \"analysis\": {\n \"state\": \"not_affected\",\n \"justification\": \"code_not_reachable\",\n \"response\": [\"will_not_fix\", \"update\"],\n \"detail\": \"The vulnerable function is not called\"\n },\n \"affects\": [\n {\n \"ref\": \"urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#pkg:golang/github.com/aws/aws-sdk-go@v1.44.234\"\n }\n ]\n }\n ]\n}\nEOF\n
This is a VEX document in the CycloneDX format. The vulnerability ID, such as a CVE-ID or GHSA-ID, should be placed in vulnerabilities.id. When the analysis.state is set to not_affected, Trivy will not detect the vulnerability.
BOM-Links must be placed in affects.ref. The BOM-Link has the following syntax and consists of three elements:
urn:cdx:serialNumber/version#bom-ref\n
- serialNumber
- version
- bom-ref
These values must be obtained from the CycloneDX SBOM. Please note that while the serialNumber starts with urn:uuid:, the BOM-Link starts with urn:cdx:.
The bom-ref must contain the BOM-Ref of the package affected by the vulnerability. In the example above, since the Go package github.com/aws/aws-sdk-go is affected by CVE-2020-8911, it was necessary to specify the SBOM's BOM-Ref, pkg:golang/github.com/aws/aws-sdk-go@1.44.234.
For more details on CycloneDX VEX and BOM-Link, please refer to the following links:
- CycloneDX VEX
- BOM-Link
- Examples
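Hand-assembling the BOM-Link is where CycloneDX VEX documents usually go wrong (wrong URN scheme, stale version, a bom-ref the SBOM does not contain). The following Python, an added example rather than code from the Trivy docs or project, derives affects.ref from the SBOM itself; the embedded SBOM is a constructed minimal CycloneDX 1.5 document whose serialNumber and aws-sdk-go bom-ref are the values from the example above and whose golang.org/x/net component is made up:

```python
import json
from typing import Optional

# Constructed, minimal CycloneDX 1.5 SBOM shaped like `trivy image --format cyclonedx`
# output (sample values; only the fields needed for BOM-Links are present).
SAMPLE_SBOM = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "version": 1,
  "components": [
    {
      "bom-ref": "pkg:golang/github.com/aws/aws-sdk-go@v1.44.234",
      "type": "library",
      "name": "github.com/aws/aws-sdk-go",
      "version": "v1.44.234",
      "purl": "pkg:golang/github.com/aws/aws-sdk-go@v1.44.234"
    },
    {
      "bom-ref": "pkg:golang/golang.org/x/net@v0.8.0",
      "type": "library",
      "name": "golang.org/x/net",
      "version": "v0.8.0",
      "purl": "pkg:golang/golang.org/x/net@v0.8.0"
    }
  ]
}
"""


def load_sample_sbom() -> dict:
    return json.loads(SAMPLE_SBOM)


def bom_link(sbom: dict, bom_ref: str) -> str:
    """BOM-Link `urn:cdx:serialNumber/version#bom-ref` for a component of `sbom`.

    The SBOM's serialNumber is `urn:uuid:<uuid>`; the BOM-Link uses the `urn:cdx:`
    scheme with the same UUID, so the prefix is swapped, not prepended.
    """
    serial = sbom.get("serialNumber", "")
    if not serial.startswith("urn:uuid:"):
        raise ValueError(f"serialNumber must start with urn:uuid:, got {serial!r}")
    known_refs = {c["bom-ref"] for c in sbom.get("components", []) if "bom-ref" in c}
    if bom_ref not in known_refs:
        # A BOM-Link to a bom-ref the SBOM does not contain can never match anything.
        raise KeyError(f"bom-ref {bom_ref!r} is not a component of this SBOM")
    return f"urn:cdx:{serial[len('urn:uuid:'):]}/{sbom['version']}#{bom_ref}"


def find_bom_ref(sbom: dict, name: str) -> Optional[str]:
    """bom-ref of the component called `name`, or None if the SBOM has no such component."""
    for component in sbom.get("components", []):
        if component.get("name") == name:
            return component.get("bom-ref")
    return None


def make_not_affected_vex(sbom: dict, vuln_id: str, component_name: str, detail: str) -> dict:
    """CycloneDX VEX (independent BOM and VEX) marking `vuln_id` not_affected for one component."""
    ref = find_bom_ref(sbom, component_name)
    if ref is None:
        raise KeyError(f"component {component_name!r} not found in SBOM")
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "vulnerabilities": [
            {
                "id": vuln_id,
                "analysis": {
                    "state": "not_affected",
                    "justification": "code_not_reachable",
                    "response": ["will_not_fix", "update"],
                    "detail": detail,
                },
                "affects": [{"ref": bom_link(sbom, ref)}],
            }
        ],
    }


if __name__ == "__main__":
    vex = make_not_affected_vex(load_sample_sbom(), "CVE-2020-8911",
                                "github.com/aws/aws-sdk-go", "The vulnerable function is not called")
    print(json.dumps(vex, indent=2))  # write this out and pass it to `trivy sbom ... --vex`
```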
"},{"location":"guide/supply-chain/vex/file/#scan-sbom-with-vex","title":"Scan SBOM with VEX","text":"Provide the VEX when scanning the CycloneDX SBOM.
$ trivy sbom trivy.sbom.cdx --vex trivy.vex.cdx
...
2023-04-13T12:55:44.838+0300 INFO Filtered out the detected vulnerability {"VEX format": "CycloneDX", "vulnerability-id": "CVE-2020-8911", "status": "not_affected", "justification": "code_not_reachable"}

go.mod (gomod)
==============
Total: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

┌───────────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│          Library          │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                           Title                            │
├───────────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ github.com/aws/aws-sdk-go │ CVE-2020-8912 │   LOW    │     v1.44.234     │               │ aws-sdk-go: In-band key negotiation issue in AWS S3 Crypto │
│                           │               │          │                   │               │ SDK for golang...                                          │
│                           │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-8912                  │
└───────────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘
CVE-2020-8911 is no longer shown as it is filtered out according to the given CycloneDX VEX document.
"},{"location":"guide/supply-chain/vex/file/#openvex","title":"OpenVEX","text":"Target            Supported
Container Image   ✅
Filesystem        ✅
Code Repository   ✅
VM Image          ✅
Kubernetes        ✅
SBOM              ✅
Trivy also supports OpenVEX, which is designed to be minimal, compliant, interoperable, and embeddable. OpenVEX can be used in all Trivy targets, unlike CycloneDX VEX.
The following steps are required:
- Create a VEX document
- Provide the VEX when scanning your target
"},{"location":"guide/supply-chain/vex/file/#create-the-vex-document","title":"Create the VEX document","text":"Please see also the example. Trivy requires the Package URL (PURL) as the product identifier.
$ cat <<EOF > debian11.openvex.json\n{\n \"@context\": \"https://openvex.dev/ns/v0.2.0\",\n \"@id\": \"https://openvex.dev/docs/public/vex-2e67563e128250cbcb3e98930df948dd053e43271d70dc50cfa22d57e03fe96f\",\n \"author\": \"Aqua Security\",\n \"timestamp\": \"2023-08-29T19:07:16.853479631-06:00\",\n \"version\": 1,\n \"statements\": [\n {\n \"vulnerability\": {\"name\": \"CVE-2019-8457\"},\n \"products\": [\n {\"@id\": \"pkg:deb/debian/libdb5.3@5.3.28+dfsg1-0.8\"}\n ],\n \"status\": \"not_affected\",\n \"justification\": \"vulnerable_code_not_in_execute_path\"\n }\n ]\n}\nEOF\n
In the above example, the PURL pkg:deb/debian/libdb5.3@5.3.28+dfsg1-0.8 is used as the product identifier. You can find PURLs in the JSON report generated by Trivy. The VEX statement is applied when the PURL specified in the VEX matches the PURL found during the scan. See here for more details of PURL matching.
Trivy also supports OpenVEX subcomponents, which allow for more precise specification of the scope of a VEX statement, reducing the risk of incorrect filtering. Let's say you want to suppress vulnerabilities within a container image. If you only specify the PURL of the container image as the product, the resulting VEX would look like this:
OpenVEX (products only):\n\"statements\": [\n {\n \"vulnerability\": {\"name\": \"CVE-2024-32002\"},\n \"products\": [\n {\"@id\": \"pkg:oci/trivy?repository_url=ghcr.io%2Faquasecurity%2Ftrivy\"}\n ],\n \"status\": \"not_affected\",\n \"justification\": \"vulnerable_code_not_in_execute_path\"\n }\n]\n
However, this approach would suppress all instances of CVE-2024-32002 within the container image. If the intention is to declare that the git package distributed by Alpine Linux within this image is not affected, subcomponents can be utilized as follows:
OpenVEX (subcomponents):\n\"statements\": [\n {\n \"vulnerability\": {\"name\": \"CVE-2024-32002\"},\n \"products\": [\n {\n \"@id\": \"pkg:oci/trivy?repository_url=ghcr.io%2Faquasecurity%2Ftrivy\",\n \"subcomponents\": [\n {\"@id\": \"pkg:apk/alpine/git\"}\n ]\n }\n ],\n \"status\": \"not_affected\",\n \"justification\": \"vulnerable_code_not_in_execute_path\"\n }\n]\n
By declaring the subcomponent in this manner, Trivy will filter the results, considering only the git package within the ghcr.io/aquasecurity/trivy container image as not affected. Omitting the version in the PURL applies the statement to all versions of the package. More details about PURL matching can be found here.
Furthermore, the product specified in a VEX statement does not necessarily need to be the target of the scan. It is possible to specify a component that is included in the scan target as the product. For example, you can designate a specific Go project as the product and its dependent modules as subcomponents.
In the following example, the VEX statement declares that the github.com/docker/docker module, which is a dependency of the github.com/aquasecurity/trivy Go project, is not affected by CVE-2024-29018.
OpenVEX (intermediate components):\n\"statements\": [\n {\n \"vulnerability\": {\"name\": \"CVE-2024-29018\"},\n \"products\": [\n {\n \"@id\": \"pkg:golang/github.com/aquasecurity/trivy\",\n \"subcomponents\": [\n { \"@id\": \"pkg:golang/github.com/docker/docker\" }\n ]\n }\n ],\n \"status\": \"not_affected\",\n \"justification\": \"vulnerable_code_not_in_execute_path\"\n }\n]\n
This VEX document can be used when scanning a container image as well as other targets. The VEX statement will be applied when Trivy finds the Go binary within the container image.
$ trivy image ghcr.io/aquasecurity/trivy:0.50.0 --vex trivy.openvex.json\n
VEX documents can indeed be reused across different container images, eliminating the need to issue separate VEX documents for each image. This is particularly useful when there is a common component or library that is used across multiple projects or container images.
You can see the appendix for more details on how VEX is applied in Trivy.
"},{"location":"guide/supply-chain/vex/file/#scan-with-vex","title":"Scan with VEX","text":"Provide the VEX when scanning your target.
$ trivy image debian:11.6 --vex debian11.openvex.json\n...\n2023-04-26T17:56:05.358+0300 INFO Filtered out the detected vulnerability {\"VEX format\": \"OpenVEX\", \"vulnerability-id\": \"CVE-2019-8457\", \"status\": \"not_affected\", \"justification\": \"vulnerable_code_not_in_execute_path\"}\n\ndebian:11.6 (debian 11.6)\n\nTotal: 176 (UNKNOWN: 1, LOW: 82, MEDIUM: 46, HIGH: 41, CRITICAL: 5)\n
CVE-2019-8457 is no longer shown as it is filtered out according to the given OpenVEX document.
"},{"location":"guide/supply-chain/vex/file/#csaf","title":"CSAF","text":"Target            Supported
Container Image   ✅
Filesystem        ✅
Code Repository   ✅
VM Image          ✅
Kubernetes        ✅
SBOM              ✅
Trivy also supports the CSAF format for VEX. Since CSAF aims to be SBOM format agnostic, both CycloneDX and SPDX formats are available for use as input SBOMs in Trivy.
The following steps are required:
- Create a CSAF document
- Provide the CSAF when scanning your target
"},{"location":"guide/supply-chain/vex/file/#create-the-csaf-document","title":"Create the CSAF document","text":"Create a CSAF document in JSON format as follows:
CSAF VEX $ cat <<EOF > debian11.vex.csaf\n{\n \"document\": {\n \"category\": \"csaf_vex\",\n \"csaf_version\": \"2.0\",\n \"notes\": [\n {\n \"category\": \"summary\",\n \"text\": \"Example Company VEX document. Unofficial content for demonstration purposes only.\",\n \"title\": \"Author comment\"\n }\n ],\n \"publisher\": {\n \"category\": \"vendor\",\n \"name\": \"Example Company ProductCERT\",\n \"namespace\": \"https://psirt.example.com\"\n },\n \"title\": \"AquaSecurity example VEX document\",\n \"tracking\": {\n \"current_release_date\": \"2024-01-01T11:00:00.000Z\",\n \"generator\": {\n \"date\": \"2024-01-01T11:00:00.000Z\",\n \"engine\": {\n \"name\": \"Secvisogram\",\n \"version\": \"1.11.0\"\n }\n },\n \"id\": \"2024-EVD-UC-01-A-001\",\n \"initial_release_date\": \"2024-01-01T11:00:00.000Z\",\n \"revision_history\": [\n {\n \"date\": \"2024-01-01T11:00:00.000Z\",\n \"number\": \"1\",\n \"summary\": \"Initial version.\"\n }\n ],\n \"status\": \"final\",\n \"version\": \"1\"\n }\n },\n \"product_tree\": {\n \"branches\": [\n {\n \"branches\": [\n {\n \"branches\": [\n {\n \"category\": \"product_version\",\n \"name\": \"5.3\",\n \"product\": {\n \"name\": \"Database Libraries 5.3\",\n \"product_id\": \"LIBDB-5328\",\n \"product_identification_helper\": {\n \"purl\": \"pkg:deb/debian/libdb5.3@5.3.28%2Bdfsg1-0.8?arch=amd64\\u0026distro=debian-11.8\"\n }\n }\n }\n ],\n \"category\": \"product_name\",\n \"name\": \"Database Libraries\"\n }\n ],\n \"category\": \"vendor\",\n \"name\": \"Debian\"\n }\n ]\n },\n \"vulnerabilities\": [\n {\n \"cve\": \"CVE-2019-8457\",\n \"notes\": [\n {\n \"category\": \"description\",\n \"text\": \"SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.\",\n \"title\": \"CVE description\"\n }\n ],\n \"product_status\": {\n \"known_not_affected\": [\n \"LIBDB-5328\"\n ]\n },\n \"threats\": [\n {\n \"category\": \"impact\",\n \"details\": 
\"Vulnerable code not in execute path.\",\n \"product_ids\": [\n \"LIBDB-5328\"\n ]\n }\n ]\n }\n ]\n}\nEOF\n
Trivy also supports CSAF relationships, reducing the risk of incorrect filtering. They work in the same way as OpenVEX subcomponents. At present, the specified relationship category is not taken into account and all of the following categories are treated internally as "depends_on".
- default_component_of
- installed_on
- installed_with
You can see the appendix for more details on how VEX is applied in Trivy.
"},{"location":"guide/supply-chain/vex/file/#scan-with-csaf-vex","title":"Scan with CSAF VEX","text":"Provide the CSAF document when scanning your target.
$ trivy image debian:11.8 --vex debian11.vex.csaf\n...\n2024-01-02T10:28:26.704+0100 INFO Filtered out the detected vulnerability {\"VEX format\": \"CSAF\", \"vulnerability-id\": \"CVE-2019-8457\", \"status\": \"not_affected\"}\n\ndebian:11.8 (debian 11.8)\n\nTotal: 153 (UNKNOWN: 1, LOW: 82, MEDIUM: 33, HIGH: 32, CRITICAL: 5)\n
CVE-2019-8457 is no longer shown as it is filtered out according to the given CSAF document.
"},{"location":"guide/supply-chain/vex/file/#appendix","title":"Appendix","text":""},{"location":"guide/supply-chain/vex/file/#purl-matching","title":"PURL matching","text":"In the context of VEX, Package URLs (PURLs) are utilized to identify specific software packages and their versions. The PURL matching specification outlines how PURLs are interpreted for vulnerability exception processing, ensuring precise identification and broad coverage of software packages.
Note
The following PURL matching rules are not formally defined within the current official PURL specification. Instead, they represent a community consensus on how to interpret PURLs.
Below are the key aspects of the PURL matching rules:
"},{"location":"guide/supply-chain/vex/file/#matching-without-version","title":"Matching Without Version","text":"A PURL without a specified version (e.g., pkg:maven/com.google.guava/guava) matches all versions of that package. This rule simplifies the application of vulnerability exceptions to all versions of a package.
Example: pkg:maven/com.google.guava/guava matches:
- All versions of guava, such as com.google.guava:guava:24.1.1 and com.google.guava:guava:30.0.
"},{"location":"guide/supply-chain/vex/file/#matching-without-qualifiers","title":"Matching Without Qualifiers","text":"A PURL without any qualifiers (e.g., pkg:maven/com.google.guava/guava@24.1.1) matches any variation of that package, irrespective of qualifiers. This approach ensures broad matching capabilities, covering all architectural or platform-specific variations of a package version.
Example: pkg:maven/com.google.guava/guava@24.1.1 matches:
- pkg:maven/com.google.guava/guava@24.1.1?classifier=x86
- pkg:maven/com.google.guava/guava@24.1.1?type=pom
"},{"location":"guide/supply-chain/vex/file/#matching-with-specific-qualifiers","title":"Matching With Specific Qualifiers","text":"A PURL that includes specific qualifiers (e.g., pkg:maven/com.google.guava/guava@24.1.1?classifier=x86) matches only those package versions that include the same qualifiers.
Example: pkg:maven/com.google.guava/guava@24.1.1?classifier=x86 matches:
- pkg:maven/com.google.guava/guava@24.1.1?classifier=x86&type=dll (extra qualifiers, e.g. type=dll, are ignored)
and does not match:
- pkg:maven/com.google.guava/guava@24.1.1 (classifier=x86 is missing)
- pkg:maven/com.google.guava/guava@24.1.1?classifier=sources (classifier must have the same value)
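The three rules above, implemented in Python as an added example (not Trivy's own matcher, which is written in Go) and then used to filter a constructed list of scan findings against statements modelled on the OpenVEX examples earlier on this page. Percent-decoding of the version (Trivy reports "+" in Debian versions as "%2B") and case-insensitive type and qualifier keys follow the PURL specification; the apk version and distro qualifiers in the sample findings are made up:

```python
from urllib.parse import unquote


def parse_purl(purl: str) -> dict:
    """Split pkg:type/namespace/name@version?qualifiers#subpath into its components."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a Package URL: {purl!r}")
    rest = purl[len("pkg:"):]
    subpath = None
    if "#" in rest:                      # subpath is everything after the first '#'
        rest, subpath = rest.split("#", 1)
    qualifiers = {}
    if "?" in rest:                      # qualifiers follow the first '?'
        rest, query = rest.split("?", 1)
        for pair in query.split("&"):
            if pair:
                key, _, value = pair.partition("=")
                qualifiers[key.lower()] = unquote(value)   # keys are case-insensitive
    version = None
    if "@" in rest:                      # version is after the last '@'
        rest, version = rest.rsplit("@", 1)
        version = unquote(version)       # "%2B" -> "+", so encoded and raw forms compare equal
    ptype, _, path = rest.partition("/")
    namespace, _, name = path.rpartition("/")   # last path segment is the name
    return {
        "type": ptype.lower(),
        "namespace": unquote(namespace) or None,
        "name": unquote(name),
        "version": version,
        "qualifiers": qualifiers,
        "subpath": subpath,
    }


def purl_matches(vex_purl: str, scanned_purl: str) -> bool:
    """Does the PURL from a VEX statement cover the PURL found during the scan?"""
    vex, found = parse_purl(vex_purl), parse_purl(scanned_purl)
    if (vex["type"], vex["namespace"], vex["name"]) != (found["type"], found["namespace"], found["name"]):
        return False
    # Rule 1: a VEX PURL without a version matches every version of the package.
    if vex["version"] is not None and vex["version"] != found["version"]:
        return False
    # Rules 2 and 3: every qualifier given in the VEX PURL must be present with the same
    # value on the scanned PURL; qualifiers present only on the scanned PURL are ignored.
    return all(found["qualifiers"].get(key) == value for key, value in vex["qualifiers"].items())


def filter_findings(findings, statements):
    """Drop (vuln_id, purl) findings covered by a not_affected statement; keep the rest."""
    kept = []
    for vuln_id, pkg_purl in findings:
        covered = any(
            st["vulnerability"]["name"] == vuln_id
            and st["status"] == "not_affected"
            and any(purl_matches(product["@id"], pkg_purl) for product in st["products"])
            for st in statements
        )
        if not covered:
            kept.append((vuln_id, pkg_purl))
    return kept


# Constructed scan findings: (vulnerability ID, PURL as Trivy reports it in JSON output).
SAMPLE_FINDINGS = [
    ("CVE-2019-8457", "pkg:deb/debian/libdb5.3@5.3.28%2Bdfsg1-0.8?arch=amd64&distro=debian-11.6"),
    ("CVE-2019-8457", "pkg:deb/debian/libdb5.3@5.3.28%2Bdfsg1-0.9?arch=amd64&distro=debian-11.8"),
    ("CVE-2024-32002", "pkg:apk/alpine/git@2.43.4-r0?arch=x86_64&distro=3.19.1"),
]

# Constructed products-only statements modelled on the OpenVEX examples above.
SAMPLE_STATEMENTS = [
    {"vulnerability": {"name": "CVE-2019-8457"},
     "products": [{"@id": "pkg:deb/debian/libdb5.3@5.3.28+dfsg1-0.8"}],
     "status": "not_affected"},
    {"vulnerability": {"name": "CVE-2024-32002"},
     "products": [{"@id": "pkg:apk/alpine/git"}],   # no version: applies to all versions of git
     "status": "not_affected"},
]

if __name__ == "__main__":
    for vuln_id, purl in filter_findings(SAMPLE_FINDINGS, SAMPLE_STATEMENTS):
        print("still reported:", vuln_id, purl)   # only the libdb5.3 0.9 finding survives
```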
"},{"location":"guide/supply-chain/vex/file/#applying-vex-to-dependency-trees","title":"Applying VEX to Dependency Trees","text":"Trivy internally generates a dependency tree and applies VEX statements to this graph. Let's consider a project with the following dependency tree, where Module C v2.0.0 is assumed to have a vulnerability CVE-XXXX-YYYY:
graph TD;\n modRootA(Module Root A v1.0.0)\n modB(Module B v1.0.0) \n modC(Module C v2.0.0)\n\n modRootA-->modB\n modB-->modC
Now, suppose a VEX statement is issued for Module B as follows:
\"statements\": [\n {\n \"vulnerability\": {\"name\": \"CVE-XXXX-YYYY\"},\n \"products\": [\n {\n \"@id\": \"pkg:golang/module-b@v1.0.0\",\n \"subcomponents\": [\n { \"@id\": \"pkg:golang/module-c@v2.0.0\" }\n ]\n }\n ],\n \"status\": \"not_affected\",\n \"justification\": \"vulnerable_code_not_in_execute_path\" \n }\n]\n
It declares that Module B is not affected by CVE-XXXX-YYYY on Module C.
Note
The VEX in this example defines the relationship between Module B and Module C. However, as Trivy traverses all parents from vulnerable packages, it is also possible to define a VEX for the relationship between a vulnerable package and any parent, such as Module A and Module C, etc.
Mapping this VEX onto the dependency tree would look like this:
graph TD;\n modRootA(Module Root A v1.0.0)\n\n subgraph \"VEX (Not Affected)\"\n modB(Module B v1.0.0)\n modC(Module C v2.0.0)\n end\n\n modRootA-->modB\n modB-->modC
In this case, it's clear that Module Root A is also not affected by CVE-XXXX-YYYY, so this vulnerability is suppressed.
Now, let's consider another project:
graph TD;\n modRootZ(Module Root Z v1.0.0)\n modB'(Module B v1.0.0)\n modC'(Module C v2.0.0)\n modD'(Module D v3.0.0)\n\n modRootZ-->modB'\n modRootZ-->modD'\n modB'-->modC'\n modD'-->modC'
Assuming the same VEX as before, applying it to this dependency tree would look like:
graph TD;\n modRootZ(Module Root Z v1.0.0)\n\n subgraph \"VEX (Not Affected)\"\n modB'(Module B v1.0.0)\n modC'(Module C v2.0.0)\n end\n\n modD'(Module D v3.0.0)\n\n modRootZ-->modB'\n modRootZ-->modD'\n modB'-->modC'\n modD'-->modC'
Module Root Z depends on Module C via multiple paths. While the VEX tells us that Module B is not affected by the vulnerability, Module D might be. In the absence of a VEX, the default assumption is that it is affected. Taking all of this into account, Trivy determines that Module Root Z is affected by this vulnerability.
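The traversal described above, written out in Python as an added example (not Trivy's implementation): starting from the vulnerable package, walk up through every parent, cut a path at any ancestor that a not_affected statement names as the product for that vulnerable subcomponent, and report the root as affected if any path reaches it uncut. The Module B and Module C PURLs are those of the VEX statement above; the PURLs for Root A, Root Z and Module D are constructed, and PURLs are compared as exact strings here:

```python
from collections import defaultdict

# Module PURLs. MOD_B and MOD_C are taken from the VEX statement above; the rest are constructed.
ROOT_A = "pkg:golang/module-root-a@v1.0.0"
ROOT_Z = "pkg:golang/module-root-z@v1.0.0"
MOD_B = "pkg:golang/module-b@v1.0.0"
MOD_C = "pkg:golang/module-c@v2.0.0"
MOD_D = "pkg:golang/module-d@v3.0.0"

# Dependency edges (parent -> child) for the two projects in the text.
PROJECT_A_EDGES = [(ROOT_A, MOD_B), (MOD_B, MOD_C)]
PROJECT_Z_EDGES = [(ROOT_Z, MOD_B), (ROOT_Z, MOD_D), (MOD_B, MOD_C), (MOD_D, MOD_C)]

# The VEX statement from the text: Module B is not affected by CVE-XXXX-YYYY via Module C.
VEX_STATEMENTS = [
    {
        "vulnerability": {"name": "CVE-XXXX-YYYY"},
        "products": [{"@id": MOD_B, "subcomponents": [{"@id": MOD_C}]}],
        "status": "not_affected",
        "justification": "vulnerable_code_not_in_execute_path",
    }
]


def covers(statements, vuln_id, product, subcomponent) -> bool:
    """True if a not_affected statement for vuln_id names the (product, subcomponent) pair.

    Exact string comparison of PURLs; a full implementation would apply the PURL
    matching rules from the appendix in place of the two equality checks.
    """
    for st in statements:
        if st["vulnerability"]["name"] != vuln_id or st["status"] != "not_affected":
            continue
        for prod in st["products"]:
            if prod["@id"] != product:
                continue
            subs = [s["@id"] for s in prod.get("subcomponents", [])]
            # A product listed without subcomponents covers the product itself.
            if subcomponent in subs or (not subs and subcomponent == product):
                return True
    return False


def root_affected(root, edges, vulnerable, vuln_id, statements) -> bool:
    """Is `root` affected by `vuln_id` found on `vulnerable`, given the VEX statements?

    Walk from the vulnerable package up through every parent. A path is cut at an
    ancestor (direct parent or further up) that a statement declares not affected for
    this vulnerable package. Without any VEX, every path survives and the root is affected.
    """
    parents = defaultdict(set)
    for parent, child in edges:
        parents[child].add(parent)
    if covers(statements, vuln_id, vulnerable, vulnerable):
        return False                      # statement on the vulnerable package itself
    visited = set()
    stack = [vulnerable]
    while stack:
        node = stack.pop()
        if node == root:
            return True                   # an uncut path reached the root
        for parent in parents[node]:
            if parent in visited:
                continue                  # the cut decision per ancestor is route-independent
            visited.add(parent)
            if covers(statements, vuln_id, parent, vulnerable):
                continue                  # VEX cuts this path at this ancestor
            stack.append(parent)
    return False


if __name__ == "__main__":
    for label, root, edges in (("Root A", ROOT_A, PROJECT_A_EDGES), ("Root Z", ROOT_Z, PROJECT_Z_EDGES)):
        verdict = "affected" if root_affected(root, edges, MOD_C, "CVE-XXXX-YYYY", VEX_STATEMENTS) else "suppressed"
        print(f"{label}: CVE-XXXX-YYYY on Module C is {verdict}")   # Root A suppressed, Root Z affected
```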
"},{"location":"guide/supply-chain/vex/oci/","title":"Discover VEX Attestation in OCI Registry","text":"EXPERIMENTAL
This feature might change without preserving backwards compatibility.
Trivy can discover VEX attestations for container images. This feature allows you to automatically use VEX during container image scanning.
"},{"location":"guide/supply-chain/vex/oci/#how-it-works","title":"How It Works","text":"Trivy can automatically discover and utilize VEX attestations for container images during scanning by using the --vex oci flag. This process enhances vulnerability detection results by incorporating the information from the VEX attestation.
To use this feature, follow these three steps:
- Create a VEX document
- Generate and upload a VEX attestation to an OCI registry
- Use the VEX attestation with Trivy
Steps 1 and 2 are not necessary if you are scanning a third-party container image that already has a VEX attestation attached.
Let's go through each step in detail.
Note
In the following examples, the cosign command will write an attestation to a target OCI registry, so you must have permission to write. If you want to avoid writing an OCI registry and only want to see an attestation, add the --no-upload option to the cosign command.
"},{"location":"guide/supply-chain/vex/oci/#step-1-create-a-vex-document","title":"Step 1: Create a VEX Document","text":"Currently, Trivy does not have a built-in feature to create VEX documents, so you need to create them manually. You can refer to the OpenVEX section for guidance on creating VEX files.
For container image vulnerabilities, the product ID should be the OCI type in the PURL format. For example:
pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy\n
This product ID applies the VEX statement to all tags of the ghcr.io/aquasecurity/trivy container image. If you want to declare a statement for a specific digest only, you can use:
pkg:oci/trivy@sha256:5bd5ab35814f86783561603ebb35d5d5d99006dcdcd5c3f828ea1afb4c12d159?repository_url=ghcr.io/aquasecurity/trivy\n
Note
Using an image tag, like pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy&tag=0.50.0, is not supported in the product ID at the moment.
Next, specify vulnerable packages as subcomponents, such as pkg:apk/alpine/busybox. You can also include the package version and other qualifiers (e.g., arch) to limit statements, like pkg:apk/alpine/busybox@1.36.1-r29?arch=x86.
Lastly, include the vulnerability IDs.
Here's an example VEX document:
{\n \"@context\": \"https://openvex.dev/ns/v0.2.0\",\n \"@id\": \"https://openvex.dev/docs/public/vex-2e67563e128250cbcb3e98930df948dd053e43271d70dc50cfa22d57e03fe96f\",\n \"author\": \"Aqua Security\",\n \"timestamp\": \"2024-07-30T19:07:16.853479631-06:00\",\n \"version\": 1,\n \"statements\": [\n {\n \"vulnerability\": {\n \"name\": \"CVE-2023-42363\"\n },\n \"products\": [\n {\n \"@id\": \"pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy\",\n \"subcomponents\": [\n {\"@id\": \"pkg:apk/alpine/busybox\"},\n {\"@id\": \"pkg:apk/alpine/busybox-binsh\"}\n ]\n }\n ],\n \"status\": \"not_affected\",\n \"justification\": \"vulnerable_code_cannot_be_controlled_by_adversary\",\n \"impact_statement\": \"awk is not used\"\n }\n ]\n}\n
You can also refer to Trivy's example for more inspiration.
"},{"location":"guide/supply-chain/vex/oci/#step-2-generate-and-upload-a-vex-attestation-to-an-oci-registry","title":"Step 2: Generate and Upload a VEX Attestation to an OCI Registry","text":"You can use the Cosign command to generate and upload the VEX attestation. Cosign offers methods both with and without keys. For detailed instructions, please refer to the Cosign documentation.
To generate and attach a VEX attestation to your image, use the following command:
$ cosign attest --predicate oci.openvex.json --type openvex <IMAGE>\n
Note that this command attaches the attestation only to the specified image tag. If needed, repeat the process for other tags and digests.
"},{"location":"guide/supply-chain/vex/oci/#step-3-use-vex-attestation-with-trivy","title":"Step 3: Use VEX Attestation with Trivy","text":"Once you've attached the VEX attestation to the container image, Trivy can automatically discover and use it during scanning. Simply add the --vex oci flag when scanning a container image:
$ trivy image --vex oci <IMAGE>\n
To see which vulnerabilities were filtered by the VEX attestation, use the --show-suppressed flag:
$ trivy image --vex oci --show-suppressed <IMAGE>\n
The <IMAGE> specified in these commands must be the same as the one to which you attached the VEX attestation.
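The three steps above end to end, as an added example that is not part of the Trivy or Cosign projects: a small Python script that writes the OpenVEX document for Step 1 and refuses the product IDs Trivy will not match (a type other than pkg:oci, a missing repository_url qualifier, a tag qualifier, a version that is not a sha256 digest), so the file handed to cosign attest in Step 2 is one Trivy can use in Step 3. The justification list is the one OpenVEX defines for not_affected; the way the document @id hash is derived from the statement is this example's choice, not a rule of the format.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional
from urllib.parse import parse_qs

# Added example (not Trivy's or Cosign's code): build the OpenVEX document that
# Step 1 asks you to write by hand, enforcing the product-ID rules stated above
# before the file is handed to `cosign attest`.

OPENVEX_CONTEXT = "https://openvex.dev/ns/v0.2.0"
# Justifications OpenVEX defines for not_affected; one is required with that status.
NOT_AFFECTED_JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}


def oci_product_purl(repository_url: str, name: str, digest: Optional[str] = None) -> str:
    """pkg:oci/<name>[@sha256:...]?repository_url=<repo>: every tag, or one digest."""
    if digest is not None and not digest.startswith("sha256:"):
        raise ValueError("digest must look like sha256:<hex>")
    version = f"@{digest}" if digest else ""
    return f"pkg:oci/{name}{version}?repository_url={repository_url}"


def validate_oci_product_id(purl: str) -> None:
    """Reject product IDs that Trivy will not match against a container image."""
    if not purl.startswith("pkg:oci/"):
        raise ValueError("container image products must use the pkg:oci type")
    path, _, query = purl.partition("?")
    qualifiers = parse_qs(query)
    if "repository_url" not in qualifiers:
        raise ValueError("repository_url qualifier is required")
    if "tag" in qualifiers:
        raise ValueError("tag qualifier is not supported; pin a digest or omit the version")
    name_and_version = path[len("pkg:oci/"):]
    if "@" in name_and_version and not name_and_version.split("@", 1)[1].startswith("sha256:"):
        raise ValueError("only a sha256 digest may be used as the OCI version")


def build_openvex(author: str, product_purl: str, subcomponents: List[str],
                  vuln_id: str, status: str, justification: Optional[str] = None,
                  impact_statement: Optional[str] = None,
                  timestamp: Optional[str] = None) -> Dict:
    """Return a one-statement OpenVEX document (as a dict) for product_purl."""
    validate_oci_product_id(product_purl)
    if status == "not_affected" and justification not in NOT_AFFECTED_JUSTIFICATIONS:
        raise ValueError("not_affected requires a recognised OpenVEX justification")
    statement = {
        "vulnerability": {"name": vuln_id},
        "products": [{"@id": product_purl,
                      "subcomponents": [{"@id": sc} for sc in subcomponents]}],
        "status": status,
    }
    if justification:
        statement["justification"] = justification
    if impact_statement:
        statement["impact_statement"] = impact_statement
    # Document @id: the page's example uses https://openvex.dev/docs/public/vex-<hex>;
    # deriving the hex from the statement is this example's choice, not a spec rule.
    digest = hashlib.sha256(json.dumps(statement, sort_keys=True).encode()).hexdigest()
    return {
        "@context": OPENVEX_CONTEXT,
        "@id": f"https://openvex.dev/docs/public/vex-{digest}",
        "author": author,
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
        "version": 1,
        "statements": [statement],
    }


if __name__ == "__main__":
    doc = build_openvex(
        author="Aqua Security",
        product_purl=oci_product_purl("ghcr.io/aquasecurity/trivy", "trivy"),
        subcomponents=["pkg:apk/alpine/busybox", "pkg:apk/alpine/busybox-binsh"],
        vuln_id="CVE-2023-42363",
        status="not_affected",
        justification="vulnerable_code_cannot_be_controlled_by_adversary",
        impact_statement="awk is not used",
    )
    with open("oci.openvex.json", "w") as fh:  # predicate file for `cosign attest`
        json.dump(doc, fh, indent=2)
```

Running the script produces oci.openvex.json, which is the --predicate file for the cosign attest command in Step 2; pass a digest to oci_product_purl when the statement should cover only one image digest rather than every tag.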
"},{"location":"guide/supply-chain/vex/repo/","title":"VEX Repository","text":"EXPERIMENTAL
This feature might change without preserving backwards compatibility.
"},{"location":"guide/supply-chain/vex/repo/#using-vex-repository","title":"Using VEX Repository","text":"Trivy can download and utilize VEX documents from repositories that comply with the VEX Repository Specification. While it's planned to be enabled by default in the future, currently it can be activated by explicitly specifying --vex repo.
$ trivy image ghcr.io/aquasecurity/trivy:0.52.0 --vex repo\n2024-07-20T11:22:58+04:00 INFO [vex] The default repository config has been created \nfile_path=\"/Users/teppei/.trivy/vex/repository.yaml\"\n2024-07-20T11:23:23+04:00 INFO [vex] Updating repository... repo=\"default\" url=\"https://github.com/aquasecurity/vexhub\"\n
During scanning, Trivy generates PURLs for discovered packages and searches for matching PURLs in the VEX Repository. If a match is found, the corresponding VEX is utilized.
"},{"location":"guide/supply-chain/vex/repo/#configuration-file","title":"Configuration File","text":""},{"location":"guide/supply-chain/vex/repo/#default-configuration","title":"Default Configuration","text":"When --vex repo is specified for the first time, a default configuration file is created at $HOME/.trivy/vex/repository.yaml. The home directory can be configured through environment variable $XDG_DATA_HOME.
You can also create the configuration file in advance using the trivy vex repo init command and edit it.
The default configuration file looks like this:
repositories:\n - name: default\n url: https://github.com/aquasecurity/vexhub\n enabled: true\n username: \"\"\n password: \"\"\n token: \"\"\n
By default, VEX Hub managed by Aqua Security is used. VEX Hub primarily trusts VEX documents published by the package maintainers.
"},{"location":"guide/supply-chain/vex/repo/#show-configuration","title":"Show Configuration","text":"You can see the config file path and the configured repositories with trivy vex repo list:
$ trivy vex repo list\nVEX Repositories (config: /home/username/.trivy/vex/repository.yaml)\n\n- Name: default\n URL: https://github.com/aquasecurity/vexhub\n Status: Enabled\n
"},{"location":"guide/supply-chain/vex/repo/#custom-repositories","title":"Custom Repositories","text":"If you want to trust VEX documents published by other organizations or use your own VEX repository, you can specify a custom repository that complies with the VEX Repository Specification. You can add a custom repository as below:
- name: custom\n url: https://example.com/custom-repo\n enabled: true\n
"},{"location":"guide/supply-chain/vex/repo/#authentication","title":"Authentication","text":"For private repositories:
- username/password can be used for Basic authentication
- token can be used for Bearer authentication
- name: custom\n url: https://example.com/custom-repo\n enabled: true\n token: \"my-token\"\n
"},{"location":"guide/supply-chain/vex/repo/#repository-priority","title":"Repository Priority","text":"The priority of VEX repositories is determined by their order in the configuration file. You can add repositories with higher priority than the default or even remove the default VEX Hub.
- name: repo1\n url: https://example.com/repo1\n- name: repo2\n url: https://example.com/repo2\n
In this configuration, when Trivy detects a vulnerability in a package, it generates a PURL for that package and searches for matching VEX documents in the configured repositories. The search process follows this order:
- Trivy first looks for a VEX document matching the package's PURL in repo1.
- If no matching VEX document is found in repo1, Trivy then searches in repo2.
- This process continues through all configured repositories until a match is found.
If a matching VEX document is found in any repository (e.g., repo1), the search stops, and Trivy uses that VEX document. Subsequent repositories (e.g., repo2) are not checked for that specific vulnerability and package combination.
It's important to note that the first matching VEX document found determines the final status of the vulnerability. For example, if repo1 states that a package is \"Affected\" by a vulnerability, this status will be used even if repo2 states that the same package is \"Not Affected\" for the same vulnerability. The \"Affected\" status from the higher-priority repository (repo1) takes precedence, and Trivy will consider the package as affected by the vulnerability.
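An added example, not Trivy's code, that models the lookup described above together with the PURL narrowing described for subcomponents in the OCI section: a statement PURL that omits the version or a qualifier matches any value for it, one that includes them matches only packages carrying those values, and the repositories are consulted in configuration order with the first match deciding. The exact matching rules inside Trivy are not spelled out on this page, so treat the matcher as an approximation; the repositories, statements and scanned PURL are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, unquote

# Added example, not Trivy's code: (1) how a statement's PURL is matched against the
# PURL generated for a scanned package, (2) how the ordered repository list resolves
# to a single status, first match wins.


@dataclass
class Purl:
    type: str
    namespace: str
    name: str
    version: Optional[str]
    qualifiers: Dict[str, str]


def parse_purl(text: str) -> Purl:
    """Minimal PURL parser: pkg:<type>/<namespace>/<name>[@version][?qualifiers]."""
    if not text.startswith("pkg:"):
        raise ValueError(f"not a PURL: {text}")
    body, _, query = text[4:].partition("?")
    body = body.partition("#")[0]          # subpath is not used for matching here
    if "@" in body:
        path, version = body.rsplit("@", 1)
    else:
        path, version = body, None
    parts = path.split("/")
    return Purl(type=parts[0],
                namespace="/".join(unquote(p) for p in parts[1:-1]),
                name=unquote(parts[-1]),
                version=unquote(version) if version else None,
                qualifiers=dict(parse_qsl(query)))


def statement_matches(pattern: Purl, target: Purl) -> bool:
    """The statement PURL is a constraint: whatever it omits is unconstrained, so
    pkg:apk/alpine/busybox covers every version and architecture, while
    pkg:apk/alpine/busybox@1.36.1-r29?arch=x86 covers only that build."""
    if (pattern.type, pattern.namespace, pattern.name) != (target.type, target.namespace, target.name):
        return False
    if pattern.version is not None and pattern.version != target.version:
        return False
    return all(target.qualifiers.get(k) == v for k, v in pattern.qualifiers.items())


@dataclass
class Statement:
    purl: str       # product or subcomponent PURL from the VEX document
    vuln_id: str
    status: str     # affected / not_affected / fixed / under_investigation


@dataclass
class Repository:
    name: str
    statements: List[Statement] = field(default_factory=list)
    enabled: bool = True


def resolve_status(repos: List[Repository], package_purl: str,
                   vuln_id: str) -> Optional[Tuple[str, str]]:
    """Walk repositories in config order; return (status, repo name) of the first match."""
    target = parse_purl(package_purl)
    for repo in repos:
        if not repo.enabled:
            continue
        for st in repo.statements:
            if st.vuln_id == vuln_id and statement_matches(parse_purl(st.purl), target):
                return st.status, repo.name   # later repositories are never consulted
    return None


# Constructed repositories mirroring the repo1/repo2 scenario above.
REPOS = [
    Repository("repo1", [Statement("pkg:apk/alpine/busybox", "CVE-2023-42364", "affected")]),
    Repository("repo2", [
        Statement("pkg:apk/alpine/busybox", "CVE-2023-42364", "not_affected"),
        Statement("pkg:apk/alpine/busybox@1.36.1-r29?arch=x86", "CVE-2023-42365", "not_affected"),
    ]),
]
# The PURL a scan would generate for the installed package (constructed).
SCANNED = "pkg:apk/alpine/busybox@1.36.1-r29?arch=aarch64&distro=alpine-3.20"

if __name__ == "__main__":
    print(resolve_status(REPOS, SCANNED, "CVE-2023-42364"))  # repo1 wins: affected
    print(resolve_status(REPOS, SCANNED, "CVE-2023-42365"))  # arch differs: no match
```

Swapping the order of REPOS flips the answer for CVE-2023-42364 to not_affected, which is the whole point of the priority rule: put the repository whose judgement you want to win first, and check with --show-suppressed which repository actually supplied each statement.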
"},{"location":"guide/supply-chain/vex/repo/#repository-updates","title":"Repository Updates","text":"VEX repositories are automatically updated during scanning. Updates are performed based on the update frequency specified by the repository.
To disable auto-update, pass --skip-vex-repo-update.
$ trivy image ghcr.io/aquasecurity/trivy:0.50.0 --vex repo --skip-vex-repo-update\n
To download VEX repositories in advance without scanning, use trivy vex repo download.
The cache can be cleared with trivy clean --vex-repo.
"},{"location":"guide/supply-chain/vex/repo/#displaying-filtered-vulnerabilities","title":"Displaying Filtered Vulnerabilities","text":"To see which vulnerabilities were filtered and why, use the --show-suppressed option:
$ trivy image ghcr.io/aquasecurity/trivy:0.50.0 --vex repo --show-suppressed\n...\n\nSuppressed Vulnerabilities (Total: 4)\n=====================================\n| Library       | Vulnerability  | Severity | Status       | Statement                                         | Source                                   |\n|---------------|----------------|----------|--------------|---------------------------------------------------|------------------------------------------|\n| busybox       | CVE-2023-42364 | MEDIUM   | not_affected | vulnerable_code_cannot_be_controlled_by_adversary | VEX Repository: default                  |\n|               |                |          |              |                                                   | (https://github.com/aquasecurity/vexhub) |\n|               | CVE-2023-42365 |          |              |                                                   |                                          |\n| busybox-binsh | CVE-2023-42364 |          |              |                                                   |                                          |\n|               | CVE-2023-42365 |          |              |                                                   |                                          |\n
"},{"location":"guide/supply-chain/vex/repo/#publishing-vex-documents","title":"Publishing VEX Documents","text":""},{"location":"guide/supply-chain/vex/repo/#for-oss-projects","title":"For OSS Projects","text":"As an OSS developer or maintainer, you may encounter vulnerabilities in the packages your project depends on. These vulnerabilities might be discovered through your own scans or reported by third parties using your OSS project.
While Trivy strives to minimize false positives, it doesn't perform code graph analysis, which means it can't evaluate exploitability at the code level. Consequently, Trivy may report vulnerabilities even in cases where:
- The vulnerable function in a dependency is never called in your project.
- The vulnerable code cannot be controlled by an attacker in the context of your project.
If you're confident that a reported vulnerability in a dependency doesn't affect your OSS project or container image, you can publish a VEX document to reduce noise in Trivy scans. To assess exploitability, you have several options:
- Manual assessment: As a maintainer, you can read the source code and determine if the vulnerability is exploitable in your project's context.
- Automated assessment: You can use SAST (Static Application Security Testing) tools or similar tools to analyze the code and determine exploitability.
By publishing VEX documents in the source repository, Trivy can automatically utilize them through VEX Hub. The main steps are:
- Generate a VEX document
- Commit the VEX document to the .vex/ directory in the source repository (e.g., Trivy's VEX)
- Register your project's PURL in VEX Hub
Step 3 is only necessary once. After that, any update to the VEX file in your repository is fetched automatically by VEX Hub and used by Trivy. See the VEX Hub repository for more information.
If you want to issue a VEX for an OSS project that you don't maintain, consider first proposing the VEX publication to the original repository. Many OSS maintainers are open to contributions that improve the security posture of their projects. However, if your proposal is not accepted, or if you want to issue a VEX with statements that differ from the maintainer's judgment, you may want to consider creating a custom repository.
"},{"location":"guide/supply-chain/vex/repo/#for-private-projects","title":"For Private Projects","text":"If you're working on private software or personal projects, you have several options:
- Local VEX files: You can create local VEX files and have Trivy read them during scans. This is suitable for individual use or small teams.
- .trivyignore: For simpler cases, using a .trivyignore file might be sufficient to suppress specific vulnerabilities.
- Custom repositories: For large organizations wanting to share VEX information for internally used software across different departments, setting up a custom VEX repository might be the best approach.
"},{"location":"guide/supply-chain/vex/repo/#hosting-custom-repositories","title":"Hosting Custom Repositories","text":"While the principle is to store VEX documents for OSS packages in the source repository, it's possible to create a custom repository if that's difficult.
There are various use cases for providing custom repositories:
- A Pull Request to add a VEX document upstream was not merged
- Consolidating VEX documents output by SAST tools
- Publishing vendor-specific VEX documents that differ from OSS maintainer statements
- Creating a private VEX repository to publish common VEX for your company
In these cases, you can create a repository that complies with the VEX Repository Specification to make it available for use with Trivy.
"},{"location":"guide/supply-chain/vex/sbom-ref/","title":"VEX SBOM Reference","text":"EXPERIMENTAL
This feature might change without preserving backwards compatibility.
"},{"location":"guide/supply-chain/vex/sbom-ref/#using-externally-referenced-vex-documents","title":"Using externally referenced VEX documents","text":"Trivy can discover and download VEX documents referenced in the externalReferences of a scanned CycloneDX SBOM. This requires the references to be of type exploitability-statement.
To be picked up by Trivy, the following top-level content needs to be part of a CycloneDX SBOM; it makes Trivy dynamically resolve a remotely hosted VEX file at https://vex.example.com/vex:
\"externalReferences\": [\n {\n \"type\": \"exploitability-statement\",\n \"url\": \"https://vex.example.com/vex\"\n }\n ]\n
This can also be used to dynamically retrieve VEX files stored on GitHub with an externalReference such as:
\"externalReferences\": [\n {\n \"type\": \"exploitability-statement\",\n \"url\": \"https://raw.githubusercontent.com/aquasecurity/trivy/refs/heads/main/.vex/trivy.openvex.json\"\n }\n ]\n
This is not enabled by default at the moment, but can be used when scanning a CycloneDX SBOM and explicitly specifying --vex sbom-ref.
$ trivy sbom trivy.cdx.json --vex sbom-ref\n2025-01-19T13:29:31+01:00 INFO [vex] Retrieving external VEX document from host vex.example.com type=\"externalReference\"\n2025-01-19T13:29:31+01:00 INFO Some vulnerabilities have been ignored/suppressed. Use the \"--show-suppressed\" flag to display them.\n
All the referenced VEX files are retrieved via HTTP/HTTPS and used in the same way as if they were explicitly specified via a file reference. Since the SBOM itself names the URLs, whoever can edit its externalReferences decides which VEX statements suppress findings in your scan, so enable --vex sbom-ref only for SBOMs you trust.
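An added example, not Trivy's code, that does the discovery half of what the section describes and adds the gate a cautious pipeline would put in front of the download: it pulls the exploitability-statement references out of a CycloneDX SBOM and splits them into URLs a scanner may fetch (HTTPS, host on an allowlist) and URLs to skip. The SBOM fragment and the allowlist policy are constructed for this example; Trivy exposes no such allowlist option on this page.

```python
import json
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Added example, not Trivy's code: list the exploitability-statement references a
# CycloneDX SBOM carries, then apply a fetch policy (HTTPS only, host allowlist)
# before any scanner is allowed to download them. The policy is this example's.

# Constructed SBOM fragment; only the top-level externalReferences matter here.
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "externalReferences": [
    {"type": "exploitability-statement", "url": "https://vex.example.com/vex"},
    {"type": "exploitability-statement", "url": "http://vex.example.com/legacy-vex"},
    {"type": "exploitability-statement",
     "url": "https://raw.githubusercontent.com/aquasecurity/trivy/refs/heads/main/.vex/trivy.openvex.json"},
    {"type": "website", "url": "https://example.com/"}
  ]
}
""")


def vex_references(sbom: Dict) -> List[str]:
    """URLs of top-level externalReferences whose type is exploitability-statement."""
    return [ref["url"] for ref in sbom.get("externalReferences", [])
            if ref.get("type") == "exploitability-statement" and "url" in ref]


def partition_by_policy(urls: List[str], trusted_hosts: List[str]) -> Tuple[List[str], List[str]]:
    """Split URLs into (fetchable, rejected): require https and a trusted host."""
    fetchable, rejected = [], []
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme == "https" and parts.hostname in trusted_hosts:
            fetchable.append(url)
        else:
            rejected.append(url)  # plain http, or a host nobody vetted
    return fetchable, rejected


if __name__ == "__main__":
    ok, skipped = partition_by_policy(vex_references(SAMPLE_SBOM), ["vex.example.com"])
    print("fetch:", ok)
    print("skip:", skipped)
```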
"},{"location":"guide/target/container_image/","title":"Container Image","text":"Trivy supports two targets for container images.
- Files inside container images
- Container image metadata
"},{"location":"guide/target/container_image/#files-inside-container-images","title":"Files inside container images","text":"Container images consist of files. For instance, new files will be installed if you install a package.
Trivy scans the files inside container images for
- Vulnerabilities
- Misconfigurations
- Secrets
- Licenses
By default, vulnerability and secret scanning are enabled, and you can configure that with --scanners.
"},{"location":"guide/target/container_image/#vulnerabilities","title":"Vulnerabilities","text":"It is enabled by default. You can simply specify your image name (and a tag). It detects known vulnerabilities in your container image. See here for the detail.
$ trivy image [YOUR_IMAGE_NAME]\n
For example:
$ trivy image python:3.4-alpine\n
Result 2019-05-16T01:20:43.180+0900 INFO Updating vulnerability database...\n2019-05-16T01:20:53.029+0900 INFO Detecting Alpine vulnerabilities...\n\npython:3.4-alpine3.9 (alpine 3.9.2)\n===================================\nTotal: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)\n\n+---------+------------------+----------+-------------------+---------------+--------------------------------+\n| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |\n+---------+------------------+----------+-------------------+---------------+--------------------------------+\n| openssl | CVE-2019-1543 | MEDIUM | 1.1.1a-r1 | 1.1.1b-r1 | openssl: ChaCha20-Poly1305 |\n| | | | | | with long nonces |\n+---------+------------------+----------+-------------------+---------------+--------------------------------+\n
To enable only vulnerability scanning, you can specify --scanners vuln.
$ trivy image --scanners vuln [YOUR_IMAGE_NAME]\n
"},{"location":"guide/target/container_image/#misconfigurations","title":"Misconfigurations","text":"It is supported, but it is not useful in most cases. As mentioned here, Trivy mainly supports Infrastructure as Code (IaC) files for misconfigurations. If your container image includes IaC files such as Kubernetes YAML files or Terraform files, you should enable this feature with --scanners misconfig.
$ trivy image --scanners misconfig [YOUR_IMAGE_NAME]\n
"},{"location":"guide/target/container_image/#secrets","title":"Secrets","text":"It is enabled by default. See here for the detail.
$ trivy image [YOUR_IMAGE_NAME]\n
"},{"location":"guide/target/container_image/#licenses","title":"Licenses","text":"It is disabled by default. See here for the detail.
$ trivy image --scanners license [YOUR_IMAGE_NAME]\n
"},{"location":"guide/target/container_image/#container-image-metadata","title":"Container image metadata","text":"Container images have a configuration. docker inspect and docker history show information taken from that configuration.
Trivy scans the configuration of container images for
- Misconfigurations
- Secrets
They are disabled by default. You can enable them with --image-config-scanners.
Tips
The configuration is included as a JSON file in the archive produced by docker save.
"},{"location":"guide/target/container_image/#misconfigurations_1","title":"Misconfigurations","text":"Trivy detects misconfigurations in the configuration of container images. The image config is converted into a Dockerfile and Trivy handles it as one. See here for the detail of Dockerfile scanning.
It is disabled by default. You can enable it with --image-config-scanners misconfig.
$ trivy image --image-config-scanners misconfig [YOUR_IMAGE_NAME]\n
Result alpine:3.17 (dockerfile)\n========================\nTests: 24 (SUCCESSES: 21, FAILURES: 3)\nFailures: 3 (UNKNOWN: 0, LOW: 2, MEDIUM: 0, HIGH: 1, CRITICAL: 0)\n\nHIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument\n════════════════════════════════════════════════════════════\nRunning containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.\n\nSee https://avd.aquasec.com/misconfig/ds002\n────────────────────────────────────────────────────────────\n\n\nLOW: Consider using 'COPY file:e4d600fc4c9c293efe360be7b30ee96579925d1b4634c94332e2ec73f7d8eca1 in /' command instead of 'ADD file:e4d600fc4c9c293efe360be7b30ee96579925d1b4634c94332e2ec73f7d8eca1 in /'\n════════════════════════════════════════════════════════════\nYou should use COPY instead of ADD unless you want to extract a tar file. Note that an ADD command will extract a tar file, which adds the risk of Zip-based vulnerabilities. Accordingly, it is advised to use a COPY command, which does not extract tar files.\n\nSee https://avd.aquasec.com/misconfig/ds005\n────────────────────────────────────────────────────────────\n alpine:3.17:1\n────────────────────────────────────────────────────────────\n   1 [ ADD file:e4d600fc4c9c293efe360be7b30ee96579925d1b4634c94332e2ec73f7d8eca1 in /\n────────────────────────────────────────────────────────────\n\n\nLOW: Add HEALTHCHECK instruction in your Dockerfile\n════════════════════════════════════════════════════════════\nYou should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.\n\nSee https://avd.aquasec.com/misconfig/ds026\n────────────────────────────────────────────────────────────\n
Tip
You can see how each layer is created with docker history.
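An added example, not Trivy's policy code, of the conversion described above: a Python script that rebuilds Dockerfile-style instructions from the history array of an image config (the same data docker history prints) and applies simplified versions of the three checks in the result, DS002 (no non-root USER), DS005 (ADD where COPY would do) and DS026 (no HEALTHCHECK). The image config is constructed to resemble the alpine:3.17 output; the check logic is an approximation written for the example, so expect Trivy's own checks to differ in detail.

```python
import re
from typing import Dict, List, Tuple

# Added example, not Trivy's code: turn the history of an image config back into
# Dockerfile-style instructions and apply approximations of DS002, DS005 and DS026.

NOP_PREFIX = re.compile(r"^/bin/sh -c #\(nop\)\s+")   # classic builder metadata steps
RUN_PREFIX = re.compile(r"^/bin/sh -c\s+")             # classic builder RUN steps
ARCHIVE_SUFFIX = re.compile(r"\.(tar|tgz|tar\.gz|tar\.bz2|tar\.xz)\b")

# Constructed image config shaped like `docker inspect` output for a minimal image.
SAMPLE_CONFIG = {
    "config": {"User": "",
               "Env": ["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],
               "Healthcheck": None},
    "history": [
        {"created_by": "/bin/sh -c #(nop) ADD file:e4d600fc4c9c293efe360be7b30ee96579925d1b4634c94332e2ec73f7d8eca1 in / "},
        {"created_by": '/bin/sh -c #(nop)  CMD ["/bin/sh"]', "empty_layer": True},
    ],
}


def history_to_instructions(config: Dict) -> List[str]:
    """Recover one Dockerfile-style line per history entry."""
    lines = []
    for entry in config.get("history", []):
        cmd = entry.get("created_by", "").strip()
        if NOP_PREFIX.match(cmd):
            cmd = NOP_PREFIX.sub("", cmd)              # e.g. "ADD file:... in /"
        elif RUN_PREFIX.match(cmd):
            cmd = "RUN " + RUN_PREFIX.sub("", cmd)
        cmd = re.sub(r"\s*#\s*buildkit$", "", cmd)     # BuildKit appends "# buildkit"
        lines.append(cmd.strip())
    return lines


def check_image_config(config: Dict) -> List[Tuple[str, str, str]]:
    """Return (check id, severity, message) findings for the image config."""
    instructions = history_to_instructions(config)
    findings = []

    # DS002: the effective user must be set and must not be root.
    users = [line.split(None, 1)[1] for line in instructions if line.upper().startswith("USER ")]
    user = users[-1] if users else config.get("config", {}).get("User", "")
    if user.split(":")[0] in ("", "root", "0"):
        findings.append(("DS002", "HIGH",
                         "Specify at least 1 USER command in Dockerfile with non-root user as argument"))

    # DS005: ADD is only warranted when it extracts an archive.
    for line in instructions:
        if line.upper().startswith("ADD ") and not ARCHIVE_SUFFIX.search(line):
            findings.append(("DS005", "LOW",
                             f"Consider using 'COPY{line[3:]}' command instead of '{line}'"))

    # DS026: a HEALTHCHECK instruction, or a Healthcheck object in the config.
    has_healthcheck = any(line.upper().startswith("HEALTHCHECK") for line in instructions) \
        or bool(config.get("config", {}).get("Healthcheck"))
    if not has_healthcheck:
        findings.append(("DS026", "LOW", "Add HEALTHCHECK instruction in your Dockerfile"))
    return findings


if __name__ == "__main__":
    for check_id, severity, message in check_image_config(SAMPLE_CONFIG):
        print(f"{severity}: {message} (https://avd.aquasec.com/misconfig/{check_id.lower()})")
```

Feeding it the JSON from docker inspect (the first element of the array) reproduces the three failures shown above; an image built with USER, COPY and HEALTHCHECK comes back clean.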
"},{"location":"guide/target/container_image/#disabled-checks","title":"Disabled checks","text":"The following checks are disabled for this scan type due to known issues. See the linked issues for more details.
- AVD-DS-0007: This check detects multiple ENTRYPOINT instructions in a stage, but since image history analysis does not identify stages, this check is not relevant for this scan type. (Issue #8364)
- AVD-DS-0016: This check detects multiple CMD instructions in a stage, but since image history analysis does not identify stages, this check is not relevant for this scan type. (Issue #7368)
"},{"location":"guide/target/container_image/#secrets_1","title":"Secrets","text":"Trivy detects secrets in the configuration of container images. The image config is converted into JSON and Trivy scans the file for secrets. It is especially useful for environment variables, which are likely to contain credentials by accident. See here for the detail.
$ trivy image --image-config-scanners secret [YOUR_IMAGE_NAME]\n
Result vuln-image (alpine 3.17.1)\n==========================\nTotal: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)\n\n\nvuln-image (secrets)\n====================\nTotal: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)\n\nCRITICAL: GitHub (github-pat)\n\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\nGitHub Personal Access 
Token\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n 
test:16\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n 14 {\n 15 \"created\": \"2023-01-09T17:05:20Z\",\n 16 [ \"created_by\": \"ENV secret=****************************************\",\n 17 \"comment\": 
\"buildkit.dockerfile.v0\",\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\n\nCRITICAL: GitHub 
(github-pat)\n\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\nGitHub Personal Access 
Token\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n 
test:34\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n 32 \"Env\": [\n 33 \"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\",\n 34 [ \"secret=****************************************\"\n 35 
]\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n
Tip
You can see environment variables with docker inspect.
"},{"location":"guide/target/container_image/#supported","title":"Supported","text":"Trivy will look for the specified image in a series of locations. By default, it will first look in the local Docker Engine, then Containerd, Podman, and finally container registry.
This behavior can be modified with the --image-src flag. For example, the command
trivy image --image-src podman,containerd alpine:3.7.3\n
will first search in Podman. If the image is found there, it is scanned and the results are returned. If the image is not found in Podman, Trivy searches in Containerd. If the image is not found there either, the scan fails and no further image sources are searched.
"},{"location":"guide/target/container_image/#docker-engine","title":"Docker Engine","text":"Trivy tries to look for the specified image in your local Docker Engine. It will be skipped if Docker Engine is not running locally.
If your docker socket is not the default path, you can override it via DOCKER_HOST.
"},{"location":"guide/target/container_image/#containerd","title":"containerd","text":"EXPERIMENTAL
This feature might change without preserving backwards compatibility.
Trivy tries to look for the specified image in your local containerd. It will be skipped if containerd is not running locally.
Specify your image name in containerd running locally.
$ nerdctl images\nREPOSITORY TAG IMAGE ID CREATED PLATFORM SIZE BLOB SIZE\naquasec/nginx latest 2bcabc23b454 3 hours ago linux/amd64 149.1 MiB 54.1 MiB\n$ trivy image aquasec/nginx\n
If your containerd socket is not at the default path (/run/containerd/containerd.sock), you can override it via CONTAINERD_ADDRESS.
$ export CONTAINERD_ADDRESS=/run/k3s/containerd/containerd.sock\n$ trivy image aquasec/nginx\n
If your scan targets are images in a namespace other than containerd's default namespace (default), you can override it via CONTAINERD_NAMESPACE.
$ export CONTAINERD_NAMESPACE=k8s.io\n$ trivy image aquasec/nginx\n
"},{"location":"guide/target/container_image/#podman","title":"Podman","text":"EXPERIMENTAL
This feature might change without preserving backwards compatibility.
Scan your image in Podman (>=2.0) running locally. Remote Podman is not supported. If you prefer to keep the socket open at all times, you can enable the podman.socket systemd service on your machine before running Trivy commands. For more details, see here.
$ systemctl --user enable --now podman.socket\n
Then, you can scan your image in Podman.
$ cat Dockerfile\nFROM alpine:3.12\nRUN apk add --no-cache bash\n$ podman build -t test .\n$ podman images\nREPOSITORY TAG IMAGE ID CREATED SIZE\nlocalhost/test latest efc372d4e0de About a minute ago 7.94 MB\n$ trivy image test\n
If you prefer not to keep the socket open at all times, but only for the duration of your Trivy scan, you can scan your image with the following commands:
podman system service --time=0 \"${TMP_PODMAN_SOCKET}\" & \nPODMAN_SYSTEM_SERVICE_PID=\"$!\" \ntrivy image --podman-host=\"${TMP_PODMAN_SOCKET}\" --docker-host=\"${TMP_PODMAN_SOCKET}\" test\nkill \"${PODMAN_SYSTEM_SERVICE_PID}\"\n
"},{"location":"guide/target/container_image/#container-registry","title":"Container Registry","text":"Trivy supports registries that comply with the following specifications.
- Docker Registry HTTP API V2
- OCI Distribution Specification
You can configure credentials with trivy registry login. See here for the detail.
"},{"location":"guide/target/container_image/#tar-files","title":"Tar Files","text":"Trivy supports image tar files generated by the following tools.
- Docker Image Specification
- Moby Project
- Buildah
- Podman
- img
- Kaniko
$ docker pull ruby:3.1-alpine3.15\n$ docker save ruby:3.1-alpine3.15 -o ruby-3.1.tar\n$ trivy image --input ruby-3.1.tar\n
Result 2022-02-03T10:08:19.127Z INFO Detected OS: alpine\n2022-02-03T10:08:19.127Z WARN This OS version is not on the EOL list: alpine 3.15\n2022-02-03T10:08:19.127Z INFO Detecting Alpine vulnerabilities...\n2022-02-03T10:08:19.127Z INFO Number of language-specific files: 2\n2022-02-03T10:08:19.127Z INFO Detecting gemspec vulnerabilities...\n2022-02-03T10:08:19.128Z INFO Detecting node-pkg vulnerabilities...\n2022-02-03T10:08:19.128Z WARN This OS version is no longer supported by the distribution: alpine 3.15.0\n2022-02-03T10:08:19.128Z WARN The vulnerability detection may be insufficient because security updates are not provided\n\nruby-3.1.tar (alpine 3.15.0)\n============================\nTotal: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 3, CRITICAL: 0)\n\n+----------+------------------+----------+-------------------+---------------+---------------------------------------+\n| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |\n+----------+------------------+----------+-------------------+---------------+---------------------------------------+\n| gmp | CVE-2021-43618 | HIGH | 6.2.1-r0 | 6.2.1-r1 | gmp: Integer overflow and resultant |\n| | | | | | buffer overflow via crafted input |\n| | | | | | -->avd.aquasec.com/nvd/cve-2021-43618 |\n+----------+ + + + + +\n| gmp-dev | | | | | |\n| | | | | | |\n| | | | | | |\n+----------+ + + + + +\n| libgmpxx | | | | | |\n| | | | | | |\n| | | | | | |\n+----------+------------------+----------+-------------------+---------------+---------------------------------------+\n\nNode.js (node-pkg)\n==================\nTotal: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)\n\n\nRuby (gemspec)\n==============\nTotal: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)\n
"},{"location":"guide/target/container_image/#oci-layout","title":"OCI Layout","text":"Trivy supports image directories compliant with Open Container Image Layout Specification.
Buildah:
$ buildah push docker.io/library/alpine:3.11 oci:/path/to/alpine\n$ trivy image --input /path/to/alpine\n
Skopeo:
$ skopeo copy docker-daemon:alpine:3.11 oci:/path/to/alpine\n$ trivy image --input /path/to/alpine\n
Referencing specific images can be done by their tag or by their manifest digest:
# Referenced by tag\n$ trivy image --input /path/to/alpine:3.15\n\n# Referenced by digest\n$ trivy image --input /path/to/alpine@sha256:82389ea44e50c696aba18393b168a833929506f5b29b9d75eb817acceb6d54ba\n
"},{"location":"guide/target/container_image/#sbom","title":"SBOM","text":"Trivy supports the generation of Software Bill of Materials (SBOM) for container images and the search for SBOMs during vulnerability scanning.
"},{"location":"guide/target/container_image/#generation","title":"Generation","text":"Trivy can generate SBOM for container images. See here for details.
"},{"location":"guide/target/container_image/#discover-sbom-inside-container-images","title":"Discover SBOM inside container images","text":"Trivy can search for Software Bill of Materials (SBOMs) within container image files and scan their components for vulnerabilities.
"},{"location":"guide/target/container_image/#third-party-sbom-files","title":"Third-party SBOM files","text":"SBOM specifications define key requirements for component documentation2. However, different tools and systems often have varying approaches to documenting component types and their relationships.
Due to these variations, Trivy cannot always accurately interpret SBOMs generated by other tools. For example, it may have difficulty determining the correct file paths to component information files (such as lock files or binaries). In such cases, Trivy uses the path to the scanned SBOM file itself to maintain traceability and ensure accurate dependency reporting.
"},{"location":"guide/target/container_image/#discover-sbom-referencing-the-container-image","title":"Discover SBOM referencing the container image","text":"Trivy can search for Software Bill of Materials (SBOMs) that reference container images. If an SBOM is found, the vulnerability scan is performed using the SBOM instead of the container image. By using the SBOM, you can perform a vulnerability scan more quickly, as it allows you to skip pulling the container image and analyzing its layers.
To enable this functionality, you need to specify the --sbom-sources flag. The following two sources are supported:
- OCI Registry (oci)
- Rekor (rekor)
Example:
$ trivy image --sbom-sources oci ghcr.io/knqyf263/oci-referrers\n2023-03-05T17:36:55.278+0200 INFO Vulnerability scanning is enabled\n2023-03-05T17:36:58.103+0200 INFO Detected SBOM format: cyclonedx-json\n2023-03-05T17:36:58.129+0200 INFO Found SBOM (cyclonedx) in the OCI referrers\n...\n\nghcr.io/knqyf263/oci-referrers (alpine 3.16.2)\n==============================================\nTotal: 17 (UNKNOWN: 0, LOW: 0, MEDIUM: 5, HIGH: 9, CRITICAL: 3)\n
The OCI Registry utilizes the Referrers API. For more information about Rekor, please refer to its documentation.
"},{"location":"guide/target/container_image/#compliance","title":"Compliance","text":"EXPERIMENTAL
This feature might change without preserving backwards compatibility.
This section describes container image specific compliance reports. For an overview of Trivy's Compliance feature, including working with custom compliance, check out the Compliance documentation.
"},{"location":"guide/target/container_image/#built-in-reports","title":"Built in reports","text":"The following reports are available out of the box:
Compliance | Version | Name for command | More info
CIS Docker Community Edition Benchmark | 1.1.0 | docker-cis-1.6.0 | Link"},{"location":"guide/target/container_image/#examples","title":"Examples","text":"Scan a container image configuration and generate a compliance summary report:
trivy image --compliance docker-cis-1.6.0 [YOUR_IMAGE_NAME]\n
Note
The Issues column represents the total number of failed checks for this control.
"},{"location":"guide/target/container_image/#authentication","title":"Authentication","text":"Please reference this page.
"},{"location":"guide/target/container_image/#scan-cache","title":"Scan Cache","text":"When scanning container images, Trivy stores analysis results in the cache, using the image ID and the layer IDs as the key. This enables faster scans of the same container image or of different images that share layers.
More details are available in the cache documentation.
"},{"location":"guide/target/container_image/#options","title":"Options","text":""},{"location":"guide/target/container_image/#scan-image-on-a-specific-architecture-and-os","title":"Scan Image on a specific Architecture and OS","text":"By default, Trivy loads an image on a \"linux/amd64\" machine. To customise this, pass a --platform argument in the format OS/Architecture for the image:
$ trivy image --platform=os/architecture [YOUR_IMAGE_NAME]\n
For example:
$ trivy image --platform=linux/arm alpine:3.16.1\n
Result 2022-10-25T21:00:50.972+0300 INFO Vulnerability scanning is enabled\n2022-10-25T21:00:50.972+0300 INFO Secret scanning is enabled\n2022-10-25T21:00:50.972+0300 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning\n2022-10-25T21:00:50.972+0300 INFO Please see also https://trivy.dev/dev/docs/secret/scanning/#recommendation for faster secret detection\n2022-10-25T21:00:56.190+0300 INFO Detected OS: alpine\n2022-10-25T21:00:56.190+0300 INFO Detecting Alpine vulnerabilities...\n2022-10-25T21:00:56.191+0300 INFO Number of language-specific files: 0\n\nalpine:3.16.1 (alpine 3.16.1)\n=============================\nTotal: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)\n\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 Library \u2502 Vulnerability \u2502 Severity \u2502 Installed Version \u2502 Fixed Version \u2502 Title 
\u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 zlib \u2502 CVE-2022-37434 \u2502 CRITICAL \u2502 1.2.12-r1 \u2502 1.2.12-r2 \u2502 zlib: heap-based buffer over-read and overflow in inflate() \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 in inflate.c via a... \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2022-37434 \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n
"},{"location":"guide/target/container_image/#configure-docker-daemon-socket-to-connect-to","title":"Configure Docker daemon socket to connect to.","text":"You can configure Docker daemon socket with DOCKER_HOST or --docker-host.
$ trivy image --docker-host tcp://127.0.0.1:2375 YOUR_IMAGE\n
"},{"location":"guide/target/container_image/#configure-podman-daemon-socket-to-connect-to","title":"Configure Podman daemon socket to connect to.","text":"You can configure Podman daemon socket with --podman-host.
$ trivy image --podman-host /run/user/1000/podman/podman.sock YOUR_IMAGE\n
"},{"location":"guide/target/container_image/#prevent-scanning-oversized-container-images","title":"Prevent scanning oversized container images","text":"Use the --max-image-size flag to avoid scanning images that exceed a specified size. The size is specified in a human-readable format1 (e.g., 100MB, 10GB).
An error is returned in the following cases:
- if the compressed image size exceeds the limit,
- if the accumulated size of the uncompressed layers exceeds the limit while they are being pulled.
Layers are pulled into a temporary folder and are always cleaned up, even after a successful scan.
EXPERIMENTAL
This feature might change without preserving backwards compatibility.
Example Usage:
# Limit uncompressed image size to 10GB\n$ trivy image --max-image-size=10GB myapp:latest\n
Error Output:
Error: uncompressed image size (15GB) exceeds maximum allowed size (10GB)\n
1. Trivy uses decimal (SI) prefixes (based on 1000) for size.
2. SPDX uses package instead of component.
"},{"location":"guide/target/filesystem/","title":"Filesystem","text":"Scan your local projects for
- Vulnerabilities
- Misconfigurations
- Secrets
- Licenses
By default, vulnerability and secret scanning are enabled, and you can configure that with --scanners.
$ trivy fs /path/to/project\n
It's also possible to scan a single file.
$ trivy fs ~/src/github.com/aquasecurity/trivy-ci-test/Pipfile.lock\n
"},{"location":"guide/target/filesystem/#scanners","title":"Scanners","text":""},{"location":"guide/target/filesystem/#vulnerabilities","title":"Vulnerabilities","text":"It is enabled by default. Trivy will look for vulnerabilities based on lock files such as Gemfile.lock and package-lock.json. See here for the detail.
$ trivy fs ~/src/github.com/aquasecurity/trivy-ci-test\n
Result 2020-06-01T17:06:58.652+0300 WARN OS is not detected and vulnerabilities in OS packages are not detected.\n2020-06-01T17:06:58.652+0300 INFO Detecting pipenv vulnerabilities...\n2020-06-01T17:06:58.691+0300 INFO Detecting cargo vulnerabilities...\n\nPipfile.lock\n============\nTotal: 10 (UNKNOWN: 2, LOW: 0, MEDIUM: 6, HIGH: 2, CRITICAL: 0)\n\n+---------------------+------------------+----------+-------------------+------------------------+------------------------------------+\n| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |\n+---------------------+------------------+----------+-------------------+------------------------+------------------------------------+\n| django | CVE-2020-7471 | HIGH | 2.0.9 | 3.0.3, 2.2.10, 1.11.28 | django: potential |\n| | | | | | SQL injection via |\n| | | | | | StringAgg(delimiter) |\n+ +------------------+----------+ +------------------------+------------------------------------+\n| | CVE-2019-19844 | MEDIUM | | 3.0.1, 2.2.9, 1.11.27 | Django: crafted email address |\n| | | | | | allows account takeover |\n+ +------------------+ + +------------------------+------------------------------------+\n| | CVE-2019-3498 | | | 2.1.5, 2.0.10, 1.11.18 | python-django: Content |\n| | | | | | spoofing via URL path in |\n| | | | | | default 404 page |\n+ +------------------+ + +------------------------+------------------------------------+\n| | CVE-2019-6975 | | | 2.1.6, 2.0.11, 1.11.19 | python-django: |\n| | | | | | memory exhaustion in |\n| | | | | | django.utils.numberformat.format() |\n+---------------------+------------------+----------+-------------------+------------------------+------------------------------------+\n...\n
"},{"location":"guide/target/filesystem/#misconfigurations","title":"Misconfigurations","text":"It is disabled by default and can be enabled with --scanners misconfig. See here for the detail.
$ trivy fs --scanners misconfig /path/to/project\n
"},{"location":"guide/target/filesystem/#secrets","title":"Secrets","text":"It is enabled by default. See here for the detail.
$ trivy fs /path/to/project\n
"},{"location":"guide/target/filesystem/#licenses","title":"Licenses","text":"It is disabled by default. See here for the detail.
$ trivy fs --scanners license /path/to/project\n
"},{"location":"guide/target/filesystem/#sbom-generation","title":"SBOM generation","text":"Trivy can generate SBOM for local projects. See here for the detail.
"},{"location":"guide/target/filesystem/#scan-cache","title":"Scan Cache","text":"When scanning local projects, Trivy does not use the cache by default. However, when the local project is a git repository with a clean status and a cache backend other than the memory one is enabled, it stores analysis results using the latest commit hash as the key.
$ trivy fs --cache-backend fs /path/to/git/repo\n
More details are available in the cache documentation.
"},{"location":"guide/target/kubernetes/","title":"Kubernetes","text":"EXPERIMENTAL
This feature might change without preserving backwards compatibility.
Trivy can connect to your Kubernetes cluster and scan it for security issues using the trivy k8s command. This page covers the technical capabilities of Trivy Kubernetes scanning. Trivy can also be installed inside your cluster as a Kubernetes Operator, and continuously scan it. For more about this, please see the Trivy Operator project.
When scanning a Kubernetes cluster, Trivy differentiates between the following:
- Cluster infrastructure (e.g. api-server, kubelet, addons)
- Cluster configuration (e.g. Roles, ClusterRoles)
- Application workloads (e.g. nginx, postgresql)
When scanning any of the above, the container image is scanned separately from the Kubernetes resource definition (the YAML manifest) that defines the resource.
Container image is scanned for:
- Vulnerabilities
- Misconfigurations
- Exposed secrets
Kubernetes resource definition is scanned for:
- Vulnerabilities (Open Source Libraries, Control Plane and Node Components)
- Misconfigurations
- Exposed secrets
"},{"location":"guide/target/kubernetes/#kubernetes-target-configurations","title":"Kubernetes target configurations","text":"trivy k8s [flags] [CONTEXT] - if the target name [CONTEXT] is not specified, the default will be used.\n
For example:
trivy k8s --report summary\n
JSON result for multi-container pods
For multi-container pods, it may be challenging to associate results with specific images in the JSON summary report. Kubernetes treats a pod as a single object, so individual images within the pod aren't distinguished. For detailed information, please use the --report all option.
By default Trivy will look for a kubeconfig configuration file in the default location, and use the default cluster that is specified. You can also specify a kubeconfig using the --kubeconfig flag:
trivy k8s --kubeconfig ~/.kube/config2\n
"},{"location":"guide/target/kubernetes/#required-roles","title":"Required roles","text":"To successfully scan a Kubernetes cluster, trivy kubernetes subcommand must be executed under a role or a cluster role that has some specific permissions.
The role must have list verb for all resources (\"*\") inside the following API groups: core (\"\"), \"apps\", \"batch\",\"networking.k8s.io\", \"rbac.authorization.k8s.io\":
- apiGroups: [\"\"]\n resources: [\"*\"]\n verbs: [\"list\"]\n- apiGroups: [\"apps\", \"batch\", \"networking.k8s.io\", \"rbac.authorization.k8s.io\"]\n resources: [\"*\"]\n verbs: [\"list\"]\n
If the node collector is enabled (default: enabled), Trivy additionally needs a ClusterRole with the following permissions to create and track the node-collector jobs:
- apiGroups: [\"\"]\n resources: [\"nodes/proxy\", \"pods/log\"]\n verbs: [\"get\"]\n- apiGroups: [\"\"]\n resources: [\"events\"]\n verbs: [\"watch\"]\n- apiGroups: [\"batch\"]\n resources: [\"jobs\", \"cronjobs\"]\n verbs: [\"list\", \"get\"]\n- apiGroups: [\"batch\"]\n resources: [\"jobs\"]\n verbs: [\"create\",\"delete\", \"watch\"]\n- apiGroups: [\"\"]\n resources: [\"namespaces\"]\n verbs: [\"create\"]\n
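The following is an added example (not code from the Trivy project) that checks a Role or ClusterRole against the permissions listed above before a pipeline runs trivy k8s, so a scan fails early for a missing verb rather than half-way through with a forbidden error. The required triples are taken from the two YAML fragments above; the sample ClusterRole is constructed for illustration, and wildcard handling follows Kubernetes RBAC semantics ('*' matches any group, resource or verb):

```python
# Added example (not part of the Trivy docs or code base): check whether a
# Role/ClusterRole grants the permissions documented for 'trivy k8s'.
# The ClusterRole below is constructed sample input; real rules would be
# loaded from 'kubectl get clusterrole <name> -o json' (the .rules field).

# (apiGroup, resource, verb) triples required for the base scan.
BASE_REQUIRED = [
    (group, '*', 'list')
    for group in ('', 'apps', 'batch', 'networking.k8s.io', 'rbac.authorization.k8s.io')
]

# Additional triples required when the node collector is enabled.
NODE_COLLECTOR_REQUIRED = [
    ('', 'nodes/proxy', 'get'), ('', 'pods/log', 'get'),
    ('', 'events', 'watch'),
    ('batch', 'jobs', 'list'), ('batch', 'jobs', 'get'),
    ('batch', 'cronjobs', 'list'), ('batch', 'cronjobs', 'get'),
    ('batch', 'jobs', 'create'), ('batch', 'jobs', 'delete'), ('batch', 'jobs', 'watch'),
    ('', 'namespaces', 'create'),
]


def _covers(rule, group, resource, verb):
    # Kubernetes RBAC semantics: '*' in apiGroups, resources or verbs matches anything.
    groups = rule.get('apiGroups', [])
    resources = rule.get('resources', [])
    verbs = rule.get('verbs', [])
    return ((group in groups or '*' in groups)
            and (resource in resources or '*' in resources)
            and (verb in verbs or '*' in verbs))


def missing_permissions(rules, node_collector=True):
    # Return the sorted list of required (group, resource, verb) triples that
    # no rule in the role covers; an empty list means the role is sufficient.
    required = list(BASE_REQUIRED)
    if node_collector:
        required += NODE_COLLECTOR_REQUIRED
    return sorted({
        (g, r, v) for (g, r, v) in required
        if not any(_covers(rule, g, r, v) for rule in rules)
    })


# Constructed sample: a read-only role that can list everything Trivy needs
# but cannot create or track the node-collector Job.
SAMPLE_CLUSTERROLE = {
    'kind': 'ClusterRole',
    'metadata': {'name': 'trivy-readonly'},
    'rules': [
        {'apiGroups': ['', 'apps', 'batch', 'networking.k8s.io', 'rbac.authorization.k8s.io'],
         'resources': ['*'], 'verbs': ['list']},
        {'apiGroups': [''], 'resources': ['nodes/proxy', 'pods/log'], 'verbs': ['get']},
    ],
}

if __name__ == '__main__':
    for g, r, v in missing_permissions(SAMPLE_CLUSTERROLE['rules']):
        print(f'missing: apiGroup={g!r} resource={r} verb={v}')
```

With the sample role the check reports the seven node-collector permissions that are absent (events/watch, namespaces/create, jobs create/delete/get/watch, cronjobs/get) and passes when run with node_collector=False. A rule with '*' everywhere also passes, but grants far more than Trivy needs; keep the rules to the two fragments above and bind them to a dedicated ServiceAccount.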
"},{"location":"guide/target/kubernetes/#skip-images","title":"Skip-images","text":"By default, all cluster resource images will be downloaded and scanned.
You can control whether Trivy downloads and scans the cluster resource images. To disable this, add the --skip-images flag.
The --skip-images flag prevents the downloading and scanning of images (so no image vulnerabilities or secrets are reported) for the cluster resources.
Example:
trivy k8s --report summary --skip-images\n
"},{"location":"guide/target/kubernetes/#includeexclude-kinds","title":"Include/Exclude Kinds","text":"You can control which kinds of resources will be discovered using the --include-kinds or --exclude-kinds comma-separated flags:
Note: --include-kinds and --exclude-kinds cannot be set together.
--include-kinds will include the listed kinds in cluster scanning. --exclude-kinds will exclude the listed kinds from cluster scanning.
By default, all kinds will be included in cluster scanning.
Example:
trivy k8s --report summary --exclude-kinds node,pod\n
"},{"location":"guide/target/kubernetes/#includeexclude-namespaces","title":"Include/Exclude Namespaces","text":"You can control which namespaces will be discovered using the --include-namespaces or --exclude-namespaces comma-separated flags:
Note: --include-namespaces and --exclude-namespaces cannot be set together.
--include-namespaces will include the listed namespaces in cluster scanning. --exclude-namespaces will exclude the listed namespaces from cluster scanning.
By default, all namespaces will be included in cluster scanning.
Note on --exclude-namespaces
Trivy needs to list all namespaces in the cluster in order to exclude specific ones, so --exclude-namespaces is currently only available when Trivy runs under a ClusterRole (a namespaced Role cannot list namespaces).
Example:
trivy k8s --report summary --exclude-namespaces dev-system,staging-system\n
"},{"location":"guide/target/kubernetes/#control-plane-and-node-components-vulnerability-scanning","title":"Control Plane and Node Components Vulnerability Scanning","text":"Trivy is capable of discovering Kubernetes control plane (apiserver, controller-manager and etc) and node components(kubelet, kube-proxy and etc), matching them against the official Kubernetes vulnerability database feed, and reporting any vulnerabilities it finds.
To read more about KBOM, see the documentation for Kubernetes scanning.
trivy k8s --scanners vuln --report all\n\nNodeComponents/kind-control-plane (kubernetes)\n\nTotal: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 2, CRITICAL: 0)\n\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 Library \u2502 Vulnerability \u2502 Severity \u2502 Status \u2502 Installed Version \u2502 Fixed Version \u2502 Title 
\u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 k8s.io/kubelet \u2502 CVE-2023-2431 \u2502 LOW \u2502 fixed \u2502 1.21.1 \u2502 1.24.14, 1.25.10, 1.26.5, 1.27.2 \u2502 Bypass of seccomp profile enforcement \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2023-2431 \u2502\n\u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 \u2502 
CVE-2021-25741 \u2502 HIGH \u2502 \u2502 \u2502 1.19.16, 1.20.11, 1.21.5, 1.22.1 \u2502 Symlink exchange can allow host filesystem access \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2021-25741 \u2502\n\u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 \u2502 CVE-2021-25749 \u2502 \u2502 \u2502 \u2502 1.22.14, 1.23.11, 1.24.5 \u2502 runAsNonRoot logic bypass for Windows containers \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2021-25749 
\u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n
"},{"location":"guide/target/kubernetes/#node-collector","title":"Node-Collector","text":"Node-collector is a scan job that collects node configuration parameters and permission information. This information will be evaluated against Kubernetes hardening (e.g. CIS benchmark) and best practices values. The scan results will be output in infrastructure assessment and CIS benchmark compliance reports.
"},{"location":"guide/target/kubernetes/#disable-node-collector","title":"Disable Node Collector","text":"You can control whether the node scan-job (node-collector) will run in the cluster. To disable it, add the --disable-node-collector flag
--disable-node-collector This flag will exclude findings related to Node (infra assessment) misconfigurations
By default, the node scan-job (node-collector) will run in the cluster.
Example:
trivy k8s --report summary --disable-node-collector\n
"},{"location":"guide/target/kubernetes/#taints-and-tolerations","title":"Taints and Tolerations","text":"The node-collector scan-job will run on every node. In case the node has been tainted, it is possible to add toleration to the scan job for it to be scheduled on the tainted node. for more details see k8s docs
--tolerations key1=value1:NoExecute,key2=value2:NoSchedule this flag will enable node-collector to be schedule on tainted Node
Example:
trivy k8s --report summary --tolerations key1=value1:NoExecute,key2=value2:NoSchedule\n
"},{"location":"guide/target/kubernetes/#exclude-nodes-by-label","title":"Exclude Nodes by Label","text":"You can exclude specific nodes from the scan using the --exclude-nodes flag, which takes a label in the format label-name:label-value and excludes all matching nodes:
trivy k8s --report summary --exclude-nodes kubernetes.io/arch:arm6\n
"},{"location":"guide/target/kubernetes/#reporting-and-filtering","title":"Reporting and filtering","text":"Since scanning an entire cluster for any security issue can be overwhelming, By default Trivy summarizes the results in a simple \"summary\" view. By scoping the scan on a specific resource, you can see the detailed report. You can always choose the report granularity using the --report summary/--report all flag.
Scan a full cluster and generate a simple summary report:
trivy k8s --report=summary\n
Filter by severity:
trivy k8s --severity=CRITICAL --report=all\n
Filter by scanners (Vulnerabilities, Secrets or Misconfigurations):
trivy k8s --scanners=secret --report=summary\n# or\ntrivy k8s --scanners=misconfig --report=summary\n
The supported output formats are table, which is the default, and json.
trivy k8s --format json -o results.json\n
Result {\n \"ClusterName\": \"minikube\",\n \"Vulnerabilities\": [\n {\n \"Namespace\": \"default\",\n \"Kind\": \"Deployment\",\n \"Name\": \"app\",\n \"Results\": [\n {\n \"Target\": \"ubuntu:latest (ubuntu 22.04)\",\n \"Class\": \"os-pkgs\",\n \"Type\": \"ubuntu\",\n \"Vulnerabilities\": [\n {\n \"VulnerabilityID\": \"CVE-2016-2781\",\n \"PkgName\": \"coreutils\",\n \"InstalledVersion\": \"8.32-4.1ubuntu1\",\n \"Layer\": {\n \"Digest\": \"sha256:125a6e411906fe6b0aaa50fc9d600bf6ff9bb11a8651727ce1ed482dc271c24c\",\n \"DiffID\": \"sha256:e59fc94956120a6c7629f085027578e6357b48061d45714107e79f04a81a6f0c\"\n },\n \"SeveritySource\": \"ubuntu\",\n \"PrimaryURL\": \"https://avd.aquasec.com/nvd/cve-2016-2781\",\n \"DataSource\": {\n \"ID\": \"ubuntu\",\n \"Name\": \"Ubuntu CVE Tracker\",\n \"URL\": \"https://git.launchpad.net/ubuntu-cve-tracker\"\n },\n \"Title\": \"coreutils: Non-privileged session can escape to the parent session in chroot\",\n \"Description\": \"chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.\",\n \"Severity\": \"LOW\",\n \"CweIDs\": [\n \"CWE-20\"\n ],\n \"VendorSeverity\": {\n \"cbl-mariner\": 2,\n \"nvd\": 2,\n \"redhat\": 2,\n \"ubuntu\": 1\n },\n \"CVSS\": {\n \"nvd\": {\n \"V2Vector\": \"AV:L/AC:L/Au:N/C:N/I:P/A:N\",\n \"V3Vector\": \"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N\",\n \"V2Score\": 2.1,\n \"V3Score\": 6.5\n },\n \"redhat\": {\n \"V2Vector\": \"AV:L/AC:H/Au:N/C:C/I:C/A:C\",\n \"V3Vector\": \"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\",\n \"V2Score\": 6.2,\n \"V3Score\": 8.6\n }\n },\n \"References\": [\n \"http://seclists.org/oss-sec/2016/q1/452\",\n \"http://www.openwall.com/lists/oss-security/2016/02/28/2\",\n \"http://www.openwall.com/lists/oss-security/2016/02/28/3\",\n \"https://access.redhat.com/security/cve/CVE-2016-2781\",\n 
\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2781\",\n \"https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E\",\n \"https://lore.kernel.org/patchwork/patch/793178/\",\n \"https://nvd.nist.gov/vuln/detail/CVE-2016-2781\"\n ],\n \"PublishedDate\": \"2017-02-07T15:59:00Z\",\n \"LastModifiedDate\": \"2021-02-25T17:15:00Z\"\n }\n ]\n }\n ]\n }\n ],\n \"Misconfigurations\": [\n {\n \"Namespace\": \"default\",\n \"Kind\": \"Deployment\",\n \"Name\": \"app\",\n \"Results\": [\n {\n \"Target\": \"Deployment/app\",\n \"Class\": \"config\",\n \"Type\": \"kubernetes\",\n \"MisconfSummary\": {\n \"Successes\": 20,\n \"Failures\": 19\n },\n \"Misconfigurations\": [\n {\n \"Type\": \"Kubernetes Security Check\",\n \"ID\": \"KSV001\",\n \"Title\": \"Process can elevate its own privileges\",\n \"Description\": \"A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.\",\n \"Message\": \"Container 'app' of Deployment 'app' should set 'securityContext.allowPrivilegeEscalation' to false\",\n \"Namespace\": \"builtin.kubernetes.KSV001\",\n \"Query\": \"data.builtin.kubernetes.KSV001.deny\",\n \"Resolution\": \"Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.\",\n \"Severity\": \"MEDIUM\",\n \"PrimaryURL\": \"https://avd.aquasec.com/misconfig/ksv001\",\n \"References\": [\n \"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted\",\n \"https://avd.aquasec.com/misconfig/ksv001\"\n ],\n \"Status\": \"FAIL\",\n \"Layer\": {},\n \"IacMetadata\": {\n \"Provider\": \"Kubernetes\",\n \"Service\": \"general\",\n \"StartLine\": 121,\n \"EndLine\": 133\n }\n },\n {\n \"Type\": \"Kubernetes Security Check\",\n \"ID\": \"KSV003\",\n \"Title\": \"Default capabilities not dropped\",\n \"Description\": \"The container should drop all default capabilities and add only those that are 
needed for its execution.\",\n \"Message\": \"Container 'app' of Deployment 'app' should add 'ALL' to 'securityContext.capabilities.drop'\",\n \"Namespace\": \"builtin.kubernetes.KSV003\",\n \"Query\": \"data.builtin.kubernetes.KSV003.deny\",\n \"Resolution\": \"Add 'ALL' to containers[].securityContext.capabilities.drop.\",\n \"Severity\": \"LOW\",\n \"PrimaryURL\": \"https://avd.aquasec.com/misconfig/ksv003\",\n \"References\": [\n \"https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/\",\n \"https://avd.aquasec.com/misconfig/ksv003\"\n ],\n \"Status\": \"FAIL\",\n \"Layer\": {},\n \"IacMetadata\": {\n \"Provider\": \"Kubernetes\",\n \"Service\": \"general\",\n \"StartLine\": 121,\n \"EndLine\": 133\n }\n }\n ]\n }\n ]\n },\n {\n \"Namespace\": \"default\",\n \"Kind\": \"ConfigMap\",\n \"Name\": \"kube-root-ca.crt\"\n }\n ]\n}\n
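As an added example (not Trivy's own code), the script below post-processes the JSON report structure shown above and turns it into a pipeline gate: it counts findings per severity, flags anything at or above a threshold, and can ignore vulnerabilities that have no fix yet. It reads the resource identity (Namespace/Kind/Name) and the per-container Target from each Results entry, which is what lets you tell the images of a multi-container pod apart in a --report all JSON file. The sample report is constructed to follow the shape above; the EXAMPLE-* identifiers are placeholders, not real vulnerability IDs:

```python
# Added example (not part of the Trivy project): gate a pipeline on
# 'trivy k8s --format json' output. Key names follow the report above.
import json
import sys
from collections import Counter

# Severity ranking used for the threshold comparison.
SEVERITY_ORDER = ['UNKNOWN', 'LOW', 'MEDIUM', 'HIGH', 'CRITICAL']


def _rank(severity):
    # Unknown or malformed severities rank lowest instead of raising.
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else 0


def _resource(entry):
    # Kubernetes object the finding belongs to, as named in the report.
    return '{}/{} (ns={})'.format(entry.get('Kind', '?'), entry.get('Name', '?'),
                                  entry.get('Namespace', '-'))


def iter_findings(report):
    # Flatten the nested report. 'Results' may be absent (the ConfigMap entry in
    # the sample above has none) and 'FixedVersion' is missing when no fix exists,
    # so every lookup tolerates missing keys. 'Target' names the image of each
    # container, which distinguishes the containers of a multi-container pod.
    for entry in report.get('Vulnerabilities') or []:
        for result in entry.get('Results') or []:
            for v in result.get('Vulnerabilities') or []:
                yield {'kind': 'vuln', 'severity': v.get('Severity', 'UNKNOWN'),
                       'resource': _resource(entry), 'target': result.get('Target', ''),
                       'id': v.get('VulnerabilityID', ''), 'fixed': v.get('FixedVersion', '')}
    for entry in report.get('Misconfigurations') or []:
        for result in entry.get('Results') or []:
            for m in result.get('Misconfigurations') or []:
                if m.get('Status') != 'FAIL':   # only failed checks are findings
                    continue
                yield {'kind': 'misconfig', 'severity': m.get('Severity', 'UNKNOWN'),
                       'resource': _resource(entry), 'target': result.get('Target', ''),
                       'id': m.get('ID', ''), 'fixed': ''}


def severity_counts(report):
    # Counter keyed by (kind, severity), e.g. ('vuln', 'CRITICAL') -> 1.
    return Counter((f['kind'], f['severity']) for f in iter_findings(report))


def gate(report, min_severity='HIGH', fixed_only=False):
    # Findings that should block a pipeline. fixed_only=True skips
    # vulnerabilities with no available fix (they still appear in the counts).
    threshold = _rank(min_severity)
    return [f for f in iter_findings(report)
            if _rank(f['severity']) >= threshold
            and not (fixed_only and f['kind'] == 'vuln' and not f['fixed'])]


# Constructed sample following the report structure shown above.
SAMPLE_REPORT = {
    'ClusterName': 'minikube',
    'Vulnerabilities': [
        {'Namespace': 'default', 'Kind': 'Pod', 'Name': 'web', 'Results': [
            {'Target': 'ubuntu:22.04 (ubuntu 22.04)', 'Class': 'os-pkgs', 'Type': 'ubuntu',
             'Vulnerabilities': [
                 {'VulnerabilityID': 'EXAMPLE-VULN-1', 'PkgName': 'libexample',
                  'InstalledVersion': '1.0-1', 'FixedVersion': '1.0-2', 'Severity': 'CRITICAL'},
                 {'VulnerabilityID': 'CVE-2016-2781', 'PkgName': 'coreutils',
                  'InstalledVersion': '8.32-4.1ubuntu1', 'Severity': 'LOW'}]},
            {'Target': 'example.invalid/sidecar:2.3 (alpine 3.19.1)', 'Class': 'os-pkgs', 'Type': 'alpine',
             'Vulnerabilities': [
                 {'VulnerabilityID': 'EXAMPLE-VULN-2', 'PkgName': 'libother',
                  'InstalledVersion': '2.0-r0', 'Severity': 'HIGH'}]}]}],
    'Misconfigurations': [
        {'Namespace': 'default', 'Kind': 'Deployment', 'Name': 'app', 'Results': [
            {'Target': 'Deployment/app', 'Class': 'config', 'Type': 'kubernetes',
             'MisconfSummary': {'Successes': 20, 'Failures': 2},
             'Misconfigurations': [
                 {'ID': 'KSV001', 'Title': 'Process can elevate its own privileges',
                  'Severity': 'MEDIUM', 'Status': 'FAIL'},
                 {'ID': 'KSV003', 'Title': 'Default capabilities not dropped',
                  'Severity': 'LOW', 'Status': 'FAIL'}]}]},
        {'Namespace': 'default', 'Kind': 'ConfigMap', 'Name': 'kube-root-ca.crt'}],
}

if __name__ == '__main__':
    # Usage: python gate.py results.json  (falls back to the sample report)
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    for (kind, sev), n in sorted(severity_counts(report).items()):
        print('{:10} {:9} {}'.format(kind, sev, n))
    blocking = gate(report, min_severity='HIGH', fixed_only=True)
    for f in blocking:
        print('BLOCK', f['severity'], f['id'], f['resource'], f['target'])
    sys.exit(1 if blocking else 0)
```

On the sample, gate(..., 'HIGH') returns the CRITICAL and HIGH vulnerabilities from two different Target images of the same pod, and fixed_only=True drops the HIGH one because it has no FixedVersion; the KSV001 misconfiguration only blocks at min_severity='MEDIUM'. Replace the sample with the file written by trivy k8s --format json -o results.json.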
"},{"location":"guide/target/kubernetes/#compliance","title":"Compliance","text":"This section describes Kubernetes specific compliance reports. For an overview of Trivy's Compliance feature, including working with custom compliance, check out the Compliance documentation.
The following reports are available out of the box:
| Compliance | Name for command |
| --- | --- |
| NSA, CISA Kubernetes Hardening Guidance v1.0 | k8s-nsa-1.0 |
| CIS Benchmark for Kubernetes v1.23 | k8s-cis-1.23 |
| CIS Benchmark for RKE2 v1.24 | rke2-cis-1.24 |
| CIS Benchmark for EKS v1.4 | eks-cis-1.4 |
| Pod Security Standards, Baseline | k8s-pss-baseline-0.1 |
| Pod Security Standards, Restricted | k8s-pss-restricted-0.1 |
Examples:
Scan the cluster for Kubernetes Pod Security Standards Baseline compliance:
trivy k8s --compliance=k8s-pss-baseline-0.1 --report summary\n
Get the detailed report for checks:
trivy k8s --compliance=k8s-cis-1.23 --report all\n
Get summary report in JSON format:
trivy k8s --compliance=k8s-cis-1.23 --report summary --format json\n
Get detailed report in JSON format:
trivy k8s --compliance=k8s-cis-1.23 --report all --format json\n
"},{"location":"guide/target/kubernetes/#kbom","title":"KBOM","text":"KBOM, Kubernetes Bill of Materials, is a manifest of all the important components that make up your Kubernetes cluster \u2013 Control plane components, Node Components, and Addons, including their versions and images. Which \u201capi-server\u201d version are you currently running? Which flavor of \"kubelet\" is running on each node? What kind of etcd or storage are you currently using? And most importantly \u2013 are there any vulnerabilities known to affect these components? These are all questions that KBOM can help you answer. For more background on KBOM, see here.
Trivy can generate KBOM in CycloneDX format:
trivy k8s --format cyclonedx --output mykbom.cdx.json\n
Trivy can also scan that generated KBOM (or any SBOM) for vulnerabilities:
trivy sbom mykbom.cdx.json\n
Result 2023-09-28T22:52:25.707+0300 INFO Vulnerability scanning is enabled\n 2023-09-28T22:52:25.707+0300 INFO Detected SBOM format: cyclonedx-json\n 2023-09-28T22:52:25.717+0300 WARN No OS package is detected. Make sure you haven't deleted any files that contain information about the installed packages.\n 2023-09-28T22:52:25.717+0300 WARN e.g. files under \"/lib/apk/db/\", \"/var/lib/dpkg/\" and \"/var/lib/rpm\"\n 2023-09-28T22:52:25.717+0300 INFO Detected OS: debian gnu/linux\n 2023-09-28T22:52:25.717+0300 WARN unsupported os : debian gnu/linux\n 2023-09-28T22:52:25.717+0300 INFO Number of language-specific files: 3\n 2023-09-28T22:52:25.717+0300 INFO Detecting kubernetes vulnerabilities...\n 2023-09-28T22:52:25.718+0300 INFO Detecting gobinary vulnerabilities...\n Kubernetes (kubernetes)\n Total: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 1, CRITICAL: 0)\n \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n \u2502 Library \u2502 Vulnerability \u2502 Severity \u2502 Status \u2502 Installed Version \u2502 Fixed Version \u2502 Title \u2502\n 
\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n \u2502 k8s.io/kubelet \u2502 CVE-2021-25749 \u2502 HIGH \u2502 fixed \u2502 1.24.0 \u2502 1.22.14, 1.23.11, 1.24.5 \u2502 runAsNonRoot logic bypass for Windows containers \u2502\n \u2502 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2021-25749 \u2502\n \u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n \u2502 \u2502 CVE-2023-2431 \u2502 LOW \u2502 
\u2502 \u2502 1.24.14, 1.25.9, 1.26.4, 1.27.1 \u2502 Bypass of seccomp profile enforcement \u2502\n \u2502 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2023-2431 \u2502\n \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n
Find more in the documentation for SBOM scanning.
Currently KBOM vulnerability matching works for plain Kubernetes distributions and does not work well for vendor variants, including some cloud managed distributions.
"},{"location":"guide/target/repository/","title":"Code Repository","text":"Scan your local or remote code repositories for
- Vulnerabilities
- Misconfigurations
- Secrets
- Licenses
By default, vulnerability and secret scanning are enabled, and you can configure that with --scanners.
$ trivy repo (REPO_PATH | REPO_URL)\n
For example, you can scan a local repository as below.
$ trivy repo ./\n
It's also possible to scan a single file.
$ trivy repo ./trivy-ci-test/Pipfile.lock\n
To scan remote code repositories, you need to specify the URL.
$ trivy repo https://github.com/aquasecurity/trivy-ci-test\n
"},{"location":"guide/target/repository/#rationale","title":"Rationale","text":"trivy repo is designed to scan code repositories, and it is intended to be used for scanning local/remote repositories in your machine or in your CI environment. Therefore, unlike container/VM image scanning, it targets lock files such as package-lock.json and does not target artifacts like JAR files, binary files, etc. See here for the detail.
"},{"location":"guide/target/repository/#scanners","title":"Scanners","text":""},{"location":"guide/target/repository/#vulnerabilities","title":"Vulnerabilities","text":"It is enabled by default. Trivy will look for vulnerabilities based on lock files such as Gemfile.lock and package-lock.json. See here for the detail.
$ trivy repo ~/src/github.com/aquasecurity/trivy-ci-test\n
Result 2020-06-01T17:06:58.652+0300 WARN OS is not detected and vulnerabilities in OS packages are not detected.\n2020-06-01T17:06:58.652+0300 INFO Detecting pipenv vulnerabilities...\n2020-06-01T17:06:58.691+0300 INFO Detecting cargo vulnerabilities...\n\nPipfile.lock\n============\nTotal: 10 (UNKNOWN: 2, LOW: 0, MEDIUM: 6, HIGH: 2, CRITICAL: 0)\n\n+---------------------+------------------+----------+-------------------+------------------------+------------------------------------+\n| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |\n+---------------------+------------------+----------+-------------------+------------------------+------------------------------------+\n| django | CVE-2020-7471 | HIGH | 2.0.9 | 3.0.3, 2.2.10, 1.11.28 | django: potential |\n| | | | | | SQL injection via |\n| | | | | | StringAgg(delimiter) |\n+ +------------------+----------+ +------------------------+------------------------------------+\n| | CVE-2019-19844 | MEDIUM | | 3.0.1, 2.2.9, 1.11.27 | Django: crafted email address |\n| | | | | | allows account takeover |\n+ +------------------+ + +------------------------+------------------------------------+\n| | CVE-2019-3498 | | | 2.1.5, 2.0.10, 1.11.18 | python-django: Content |\n| | | | | | spoofing via URL path in |\n| | | | | | default 404 page |\n+ +------------------+ + +------------------------+------------------------------------+\n| | CVE-2019-6975 | | | 2.1.6, 2.0.11, 1.11.19 | python-django: |\n| | | | | | memory exhaustion in |\n| | | | | | django.utils.numberformat.format() |\n+---------------------+------------------+----------+-------------------+------------------------+------------------------------------+\n...\n
"},{"location":"guide/target/repository/#misconfigurations","title":"Misconfigurations","text":"It is disabled by default and can be enabled with --scanners misconfig. See here for the detail.
$ trivy repo --scanners misconfig (REPO_PATH | REPO_URL)\n
"},{"location":"guide/target/repository/#secrets","title":"Secrets","text":"It is enabled by default. See here for the detail.
$ trivy repo (REPO_PATH | REPO_URL)\n
"},{"location":"guide/target/repository/#licenses","title":"Licenses","text":"It is disabled by default. See here for the detail.
$ trivy repo --scanners license (REPO_PATH | REPO_URL)\n
"},{"location":"guide/target/repository/#sbom-generation","title":"SBOM generation","text":"Trivy can generate SBOM for code repositories. See here for the detail.
"},{"location":"guide/target/repository/#git-metadata","title":"Git Metadata","text":"When scanning git repositories (both local and remote), Trivy automatically extracts and includes git metadata in the scan results. This metadata provides context about the scanned repository.
The metadata includes information such as:
- Repository URL
- Branch name
- Tags
- Commit details (hash, message, committer)
- Author information
This feature works automatically for any git repository. When using JSON format output, the git metadata will be included in the Metadata field. For detailed information about the available fields, please refer to the JSON output of your scan results.
$ trivy repo --format json <repo-name>\n
"},{"location":"guide/target/repository/#scan-cache","title":"Scan Cache","text":"When scanning git repositories, it stores analysis results in the cache, using the latest commit hash as the key. Note that the cache is not used when the repository is dirty, otherwise Trivy will miss the files that are not committed.
More details are available in the cache documentation.
"},{"location":"guide/target/repository/#references","title":"References","text":"The following flags and environmental variables are available for remote git repositories.
"},{"location":"guide/target/repository/#scanning-a-branch","title":"Scanning a Branch","text":"Pass a --branch argument with a valid branch name on the remote repository provided:
$ trivy repo --branch <branch-name> <repo-name>\n
"},{"location":"guide/target/repository/#scanning-upto-a-commit","title":"Scanning upto a Commit","text":"Pass a --commit argument with a valid commit hash on the remote repository provided:
$ trivy repo --commit <commit-hash> <repo-name>\n
"},{"location":"guide/target/repository/#scanning-a-tag","title":"Scanning a Tag","text":"Pass a --tag argument with a valid tag on the remote repository provided:
$ trivy repo --tag <tag-name> <repo-name>\n
"},{"location":"guide/target/repository/#scanning-private-repositories","title":"Scanning Private Repositories","text":"In order to scan private GitHub or GitLab repositories, the environment variable GITHUB_TOKEN or GITLAB_TOKEN must be set, respectively, with a valid token that has access to the private repository being scanned.
The GITHUB_TOKEN environment variable takes precedence over GITLAB_TOKEN, so when scanning a private GitLab repository, GITHUB_TOKEN must be unset.
You can find how to generate your GitHub Token in the following GitHub documentation.
For example:
$ export GITHUB_TOKEN=\"your_private_github_token\"\n$ trivy repo <your private GitHub repo URL>\n\n# or\n$ export GITLAB_TOKEN=\"your_private_gitlab_token\"\n$ trivy repo <your private GitLab repo URL>\n
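Because GITHUB_TOKEN wins over GITLAB_TOKEN, a CI job that carries both tokens would silently send the GitHub one to a GitLab remote. The wrapper below is an added example (not Trivy's code) that builds the trivy repo command line with the --branch, --commit, --tag and --scanners flags documented on this page and passes only the token matching the remote host in the child environment, so the credential never appears on the command line. It assumes the public github.com and gitlab.com hosts; a self-hosted instance would need its own entry in TOKEN_VARS:

```python
# Added example (not part of the Trivy project): run 'trivy repo' on a remote
# URL with only the token that belongs to that host present in its environment.
import os
import subprocess
from urllib.parse import urlsplit

# Host -> token variable, as documented for trivy repo. Assumption: only the
# public hosts are mapped; add self-hosted instances here if you use them.
TOKEN_VARS = {'github.com': 'GITHUB_TOKEN', 'gitlab.com': 'GITLAB_TOKEN'}


def scan_env(repo_url, env=None):
    # Copy of the environment (os.environ by default) with every token variable
    # removed except the one for repo_url's host. Removing the others matters
    # because GITHUB_TOKEN takes precedence over GITLAB_TOKEN.
    env = dict(os.environ if env is None else env)
    wanted = TOKEN_VARS.get((urlsplit(repo_url).hostname or '').lower())
    for var in TOKEN_VARS.values():
        if var != wanted:
            env.pop(var, None)
    return env


def build_command(repo_url, branch=None, commit=None, tag=None, scanners=None):
    # argv for trivy repo using the flags documented above. The token is never
    # put on the command line, so it does not show up in process listings.
    cmd = ['trivy', 'repo']
    for flag, value in (('--branch', branch), ('--commit', commit), ('--tag', tag)):
        if value:
            cmd += [flag, value]
    if scanners:
        cmd += ['--scanners', ','.join(scanners)]
    return cmd + [repo_url]


def run_scan(repo_url, **kwargs):
    # Returns trivy's exit code; requires the trivy binary on PATH.
    proc = subprocess.run(build_command(repo_url, **kwargs),
                          env=scan_env(repo_url), check=False)
    return proc.returncode


if __name__ == '__main__':
    import sys
    # Usage: python scan_private.py <repo URL> [branch]
    branch = sys.argv[2] if len(sys.argv) > 2 else None
    sys.exit(run_scan(sys.argv[1], branch=branch))
```

For a URL on a host that is not in TOKEN_VARS the child gets no token at all, which is the safe default for a public repository and fails loudly (authentication error from Trivy) for a private one rather than sending the wrong credential.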
"},{"location":"guide/target/rootfs/","title":"Rootfs","text":"Rootfs scanning is for special use cases such as
- Host machine
- Root filesystem
- Unpacked filesystem
$ trivy rootfs /path/to/rootfs\n
Note
Rootfs scanning works differently from the Filesystem scanning. You should use trivy fs to scan your local projects in CI/CD. See here for the differences.
Note
Scanning vulnerabilities for Red Hat has a limitation, see the Red Hat page for details.
"},{"location":"guide/target/rootfs/#performance-optimization","title":"Performance Optimization","text":"By default, Trivy traverses all files from the specified root directory to find target files for scanning. However, when you only need to scan specific files with absolute paths, you can avoid this traversal, which makes scanning faster. For example, when scanning only OS packages, no full traversal is performed:
$ trivy rootfs --pkg-types os --scanners vuln /\n
When scanning language-specific packages or secrets, traversal is necessary because the location of these files is unknown. If you want to exclude specific directories from scanning for better performance, you can use the --skip-dirs option.
"},{"location":"guide/target/sbom/","title":"SBOM scanning","text":"Trivy can take the following SBOM formats as an input and scan for vulnerabilities and licenses.
- CycloneDX
- SPDX
- SPDX JSON
- CycloneDX-type attestation
- KBOM in CycloneDX format
To scan an SBOM, use the sbom subcommand and pass the path to the SBOM file. The input format is detected automatically.
$ trivy sbom /path/to/sbom_file\n
By default, only the vulnerability scan is executed for an SBOM. Use --scanners vuln,license to run the license scan as well, or --scanners license to run the license scan alone.
Note
Passing SBOMs generated by tools other than Trivy may result in inaccurate detection, because Trivy relies on custom properties in the SBOM for accurate scanning.
"},{"location":"guide/target/sbom/#cyclonedx","title":"CycloneDX","text":"Trivy supports CycloneDX as an input.
Note
CycloneDX XML is not supported at the moment.
$ trivy sbom /path/to/cyclonedx.json\n
"},{"location":"guide/target/sbom/#spdx","title":"SPDX","text":"Trivy supports the SPDX SBOM as an input.
The following SPDX formats are supported:
- Tag-value (--format spdx)
- JSON (--format spdx-json)
$ trivy image --format spdx-json --output spdx.json alpine:3.16.0\n$ trivy sbom spdx.json\n
Result 2022-09-15T21:32:27.168+0300 INFO Vulnerability scanning is enabled\n2022-09-15T21:32:27.169+0300 INFO Detected SBOM format: spdx-json\n2022-09-15T21:32:27.210+0300 INFO Detected OS: alpine\n2022-09-15T21:32:27.210+0300 INFO Detecting Alpine vulnerabilities...\n2022-09-15T21:32:27.211+0300 INFO Number of language-specific files: 0\n\nspdx.json (alpine 3.16.0)\n=========================\nTotal: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 2, CRITICAL: 1)\n\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 Library \u2502 Vulnerability \u2502 Severity \u2502 Installed Version \u2502 Fixed Version \u2502 Title 
\u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 busybox \u2502 CVE-2022-30065 \u2502 HIGH \u2502 1.35.0-r13 \u2502 1.35.0-r15 \u2502 busybox: A use-after-free in Busybox's awk applet leads to \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 denial of service... 
\u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2022-30065 \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 libcrypto1.1 \u2502 CVE-2022-2097 \u2502 MEDIUM \u2502 1.1.1o-r0 \u2502 1.1.1q-r0 \u2502 openssl: AES OCB fails to encrypt some bytes \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2022-2097 \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u2502 \u2502 \u2502 \u2502\n\u2502 libssl1.1 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 
\u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 ssl_client \u2502 CVE-2022-30065 \u2502 HIGH \u2502 1.35.0-r13 \u2502 1.35.0-r15 \u2502 busybox: A use-after-free in Busybox's awk applet leads to \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 denial of service... 
\u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2022-30065 \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 zlib \u2502 CVE-2022-37434 \u2502 CRITICAL \u2502 1.2.12-r1 \u2502 1.2.12-r2 \u2502 zlib: a heap-based buffer over-read or buffer overflow in \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 inflate in inflate.c... 
\u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2022-37434 \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n
"},{"location":"guide/target/sbom/#sbom-attestation","title":"SBOM attestation","text":"You can also scan an SBOM attestation. In the following example, Cosign retrieves the attestation and Trivy scans it. You must create a CycloneDX-type attestation before trying the example. To learn more about how to create a CycloneDX-type attestation and attach it to an image, see the SBOM attestation page.
$ cosign verify-attestation --key /path/to/cosign.pub --type cyclonedx <IMAGE> > sbom.cdx.intoto.jsonl\n$ trivy sbom ./sbom.cdx.intoto.jsonl\n\nsbom.cdx.intoto.jsonl (alpine 3.7.3)\n=========================\nTotal: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)\n\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 Library \u2502 Vulnerability \u2502 Severity \u2502 Installed Version \u2502 Fixed Version \u2502 Title 
\u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 musl \u2502 CVE-2019-14697 \u2502 CRITICAL \u2502 1.1.18-r3 \u2502 1.1.18-r4 \u2502 musl libc through 1.1.23 has an x87 floating-point stack \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 adjustment im ...... 
\u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2019-14697 \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u2502 \u2502 \u2502 \u2502\n\u2502 musl-utils \u2502 \u2502 \u2502 \u2502 \u2502 \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n
"},{"location":"guide/target/sbom/#kbom","title":"KBOM","text":"To read more about KBOM, see the documentation for Kubernetes scanning.
The supported Kubernetes distributions for core components vulnerability scanning are:
- Kubernetes upstream
- Rancher rke2
$ trivy k8s --format cyclonedx cluster -o kbom.json\n$ trivy sbom kbom.json\n2023-09-28T22:52:25.707+0300 INFO Vulnerability scanning is enabled\n2023-09-28T22:52:25.717+0300 INFO Number of language-specific files: 3\n2023-09-28T22:52:25.717+0300 INFO Detecting kubernetes vulnerabilities...\n2023-09-28T22:52:25.718+0300 INFO Detecting gobinary vulnerabilities...\n\nKubernetes (kubernetes)\n\nTotal: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 1, CRITICAL: 0)\n\n\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 Library \u2502 Vulnerability \u2502 Severity \u2502 Status \u2502 Installed Version \u2502 Fixed Version \u2502 Title 
\u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 k8s.io/kubelet \u2502 CVE-2021-25749 \u2502 HIGH \u2502 fixed \u2502 1.24.0 \u2502 1.22.14, 1.23.11, 1.24.5 \u2502 runAsNonRoot logic bypass for Windows containers \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2021-25749 \u2502\n\u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 \u2502 CVE-2023-2431 \u2502 LOW \u2502 \u2502 
\u25021.24.14, 1.25.9, 1.26.4, 1.27.1 \u2502 Bypass of seccomp profile enforcement \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2023-2431 \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n
"},{"location":"guide/target/vm/","title":"Virtual Machine Image","text":"EXPERIMENTAL
This feature might change without preserving backwards compatibility.
To scan virtual machine (VM) images, you can use the vm subcommand.
"},{"location":"guide/target/vm/#targets","title":"Targets","text":"The following targets are currently supported:
- Local file
- AWS EC2
- Amazon Machine Image (AMI)
- Amazon Elastic Block Store (EBS) Snapshot
"},{"location":"guide/target/vm/#local-file","title":"Local file","text":"Pass the path to your local VM image file.
$ trivy vm --scanners vuln disk.vmdk\n
Result disk.vmdk (amazon 2 (Karoo))\n===========================================================================================\nTotal: 802 (UNKNOWN: 0, LOW: 17, MEDIUM: 554, HIGH: 221, CRITICAL: 10)\n\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 Library \u2502 Vulnerability \u2502 Severity \u2502 Installed Version \u2502 Fixed Version \u2502 Title 
\u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 amazon-ssm-agent \u2502 CVE-2022-24675 \u2502 HIGH \u2502 3.0.529.0-1.amzn2 \u2502 3.1.1575.0-1.amzn2 \u2502 golang: encoding/pem: fix stack overflow in Decode \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2022-24675 \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 
\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 bind-export-libs \u2502 CVE-2021-25215 \u2502 \u2502 32:9.11.4-26.P2.amzn2.4 \u2502 32:9.11.4-26.P2.amzn2.5 \u2502 bind: An assertion check can fail while answering queries \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 for DNAME records... 
\u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2021-25215 \u2502\n\u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 \u2502 CVE-2021-25214 \u2502 MEDIUM \u2502 \u2502 32:9.11.4-26.P2.amzn2.5.2 \u2502 bind: Broken inbound incremental zone update (IXFR) can \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 cause named to terminate... 
\u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2021-25214 \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 bind-libs \u2502 CVE-2021-25215 \u2502 HIGH \u2502 \u2502 32:9.11.4-26.P2.amzn2.5 \u2502 bind: An assertion check can fail while answering queries \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 for DNAME records... 
\u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2021-25215 \u2502\n\u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 \u2502 CVE-2021-25214 \u2502 MEDIUM \u2502 \u2502 32:9.11.4-26.P2.amzn2.5.2 \u2502 bind: Broken inbound incremental zone update (IXFR) can \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 cause named to terminate... 
\u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2021-25214 \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 bind-libs-lite \u2502 CVE-2021-25215 \u2502 HIGH \u2502 \u2502 32:9.11.4-26.P2.amzn2.5 \u2502 bind: An assertion check can fail while answering queries \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 for DNAME records... 
\u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2021-25215 \u2502\n\u2502 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 \u2502 CVE-2021-25214 \u2502 MEDIUM \u2502 \u2502 32:9.11.4-26.P2.amzn2.5.2 \u2502 bind: Broken inbound incremental zone update (IXFR) can \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 cause named to terminate... 
\u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502 https://avd.aquasec.com/nvd/cve-2021-25214 \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n...\n
"},{"location":"guide/target/vm/#amazon-machine-image-ami","title":"Amazon Machine Image (AMI)","text":"You can specify your AMI ID with the ami: prefix.
$ trivy vm ami:${your_ami_id}\n
Note
AMIs in the marketplace are not supported because the EBS direct APIs do not support them. See the AWS documentation for details.
"},{"location":"guide/target/vm/#example","title":"Example","text":"$ trivy vm --scanners vuln ami:ami-0123456789abcdefg\n
If you want to scan an AMI in a region other than your default one, you can specify the region with the --aws-region option.
$ trivy vm --aws-region ap-northeast-1 ami:ami-0123456789abcdefg\n
"},{"location":"guide/target/vm/#required-actions","title":"Required Actions","text":"Some actions on EBS are also necessary since Trivy scans an EBS snapshot tied to the specified AMI under the hood.
- ec2:DescribeImages
- ebs:ListSnapshotBlocks
- ebs:GetSnapshotBlock
"},{"location":"guide/target/vm/#amazon-elastic-block-store-ebs-snapshot","title":"Amazon Elastic Block Store (EBS) Snapshot","text":"You can specify your EBS snapshot ID with the ebs: prefix.
$ trivy vm ebs:${your_ebs_snapshot_id}\n
Note
Public snapshots are not supported because the EBS direct APIs do not support them. See the AWS documentation for details.
"},{"location":"guide/target/vm/#example_1","title":"Example","text":"$ trivy vm --scanners vuln ebs:snap-0123456789abcdefg\n
If you want to scan an EBS snapshot in a region other than your default one, you can specify the region with the --aws-region option.
$ trivy vm --aws-region ap-northeast-1 ebs:snap-0123456789abcdefg\n
The above command takes a while because it calls the EBS API and fetches the EBS blocks. If you want to scan the same snapshot several times, you can download the snapshot locally with coldsnap, a tool maintained by AWS, and then let Trivy scan the local VM image file.
$ coldsnap download snap-0123456789abcdefg disk.img\n$ trivy vm ./disk.img\n
"},{"location":"guide/target/vm/#required-actions_1","title":"Required Actions","text":"- ebs:ListSnapshotBlocks
- ebs:GetSnapshotBlock
"},{"location":"guide/target/vm/#scanners","title":"Scanners","text":"Trivy supports VM image scanning for
- Vulnerabilities
- Misconfigurations
- Secrets
- Licenses
"},{"location":"guide/target/vm/#vulnerabilities","title":"Vulnerabilities","text":"Vulnerability scanning is enabled by default: simply specify your VM image location and Trivy detects known vulnerabilities in the image. See here for details.
$ trivy vm [YOUR_VM_IMAGE]\n
Note
Scanning Red Hat has a limitation, see the Red Hat page for details.
"},{"location":"guide/target/vm/#misconfigurations","title":"Misconfigurations","text":"Misconfiguration scanning is supported, but it is not useful in most cases. As mentioned here, Trivy mainly supports Infrastructure as Code (IaC) files for misconfigurations. If your VM image includes IaC files such as Kubernetes YAML files or Terraform files, you should enable this feature with --scanners misconfig.
$ trivy vm --scanners misconfig [YOUR_VM_IMAGE]\n
"},{"location":"guide/target/vm/#secrets","title":"Secrets","text":"Secret scanning is enabled by default. See here for details.
$ trivy vm [YOUR_VM_IMAGE]\n
Tip
The scanning could be faster if you enable only vulnerability scanning (--scanners vuln) because Trivy tries to download only necessary blocks for vulnerability detection.
"},{"location":"guide/target/vm/#licenses","title":"Licenses","text":"License scanning is disabled by default. See here for details.
$ trivy vm --scanners license [YOUR_VM_IMAGE]\n
"},{"location":"guide/target/vm/#sbom-generation","title":"SBOM generation","text":"Trivy can generate an SBOM for VM images. See here for details.
"},{"location":"guide/target/vm/#scan-cache","title":"Scan Cache","text":"When scanning AMIs or EBS snapshots, Trivy stores the analysis results in the cache, keyed by the snapshot ID. Scanning the same snapshot again skips the analysis if a cache entry is already available.
When scanning local files, Trivy does not use the cache by default.
More details are available in the cache documentation.
"},{"location":"guide/target/vm/#supported-architectures","title":"Supported Architectures","text":""},{"location":"guide/target/vm/#virtual-machine-images","title":"Virtual machine images","text":"Image format / Support:
- VMDK: \u2714
- OVA: not supported
- VHD: not supported
- VHDX: not supported
- QCOW2: not supported
"},{"location":"guide/target/vm/#vmdk-disk-types","title":"VMDK disk types","text":"VMDK disk type / Support:
- streamOptimized: \u2714
- monolithicSparse: not supported
- vmfs: not supported
- vmfsSparse: not supported
- twoGbMaxExtentSparse: not supported
- monolithicFlat: not supported
- twoGbMaxExtentFlat: not supported
- vmfsRaw: not supported
- fullDevice: not supported
- partitionedDevice: not supported
- vmfsRawDeviceMap: not supported
- vmfsPassthroughRawDeviceMap: not supported
Reference: VMware Virtual Disk Format 1.1.pdf
"},{"location":"guide/target/vm/#disk-partitions","title":"Disk partitions","text":"Disk format / Support:
- Master boot record (MBR): \u2714
- Extended master boot record: not supported
- GUID partition table (GPT): \u2714
- Logical volume manager (LVM): not supported
"},{"location":"guide/target/vm/#filesystems","title":"Filesystems","text":"Filesystem format / Support:
- XFS: \u2714
- EXT4: \u2714
- EXT2/3: \u2714
- ZFS: not supported
"},{"location":"tutorials/overview/","title":"Tutorials","text":"In this section you can find step-by-step guides that help you accomplish specific tasks.
"},{"location":"tutorials/overview/#adding-tutorials","title":"Adding tutorials","text":"You are welcome to create tutorials and showcase them here. Tutorials can be either included in here as full articles, or included as external links under external community resources. Before sending a PR, please first create an issue (of kind \"Documentation\") and describe the suggestion, whether it's an external link or article, and what category it's under.
Guidelines:
- Focus on a specific use case. Start by clearly describing the use case and when/who it is relevant for.
- Provide an end-to-end set of instructions. Make sure anyone can easily follow.
- Describe the expected outcome after each step. Include examples as much as possible.
"},{"location":"tutorials/additional-resources/cks/","title":"CKS preparation resources","text":"The Certified Kubernetes Security Specialist (CKS) Exam is offered by The Linux Foundation. It provides assurance that a CKS has the skills, knowledge, and competence on a broad range of best practices for securing container-based applications and Kubernetes platforms during build, deployment and runtime. CKA certification is required to sit for this exam.
"},{"location":"tutorials/additional-resources/cks/#community-resources","title":"Community Resources","text":" - Trivy Video overview (short)
- Example questions from the exam
- More example questions
- CKS exam study guide
- Docker Image Vulnerabilities & Trivy Image Scanning Demo | K21Academy
"},{"location":"tutorials/additional-resources/cks/#aqua-security-blog-posts-to-learn-more","title":"Aqua Security Blog posts to learn more","text":" - Supply chain security best practices
- Supply chain attacks
If you know of interesting resources, please start a PR to add those to the list.
"},{"location":"tutorials/additional-resources/community/","title":"Community References","text":"Below is a list of additional resources from the community.
"},{"location":"tutorials/additional-resources/community/#vulnerability-scanning","title":"Vulnerability Scanning","text":" - Detecting Spring4Shell with Trivy and Grype
- Scan OS of your EC2 instances with Trivy
"},{"location":"tutorials/additional-resources/community/#cicd-pipelines","title":"CI/CD Pipelines","text":" - How to use Tekton to set up a CI pipeline with OpenShift Pipelines
- Continuous Container Vulnerability Testing with Trivy
- Getting Started With Trivy and Jenkins
"},{"location":"tutorials/additional-resources/community/#misconfiguration-scanning","title":"Misconfiguration Scanning","text":" - Identifying Misconfigurations in your Terraform
- How to write custom checks for Trivy
"},{"location":"tutorials/additional-resources/community/#sbom-attestation-related","title":"SBOM, Attestation & related","text":" - Attesting Image Scans With Kyverno
"},{"location":"tutorials/additional-resources/community/#trivy-kubernetes","title":"Trivy Kubernetes","text":" - Using Trivy Kubernetes in OVHCloud documentation.
"},{"location":"tutorials/additional-resources/community/#comparisons","title":"Comparisons","text":" - the vulnerability remediation lifecycle of Alpine containers
- Open Source CVE Scanner Round-Up: Clair vs Anchore vs Trivy
- Docker Image Security: Static Analysis Tool Comparison \u2013 Anchore Engine vs Clair vs Trivy
"},{"location":"tutorials/additional-resources/community/#evaluations","title":"Evaluations","text":" - Istio evaluating to use Trivy
- Research Spike: evaluate Trivy for scanning running containers
"},{"location":"tutorials/additional-resources/references/","title":"Additional Resources and Tutorials","text":"Below is a list of additional resources from Aqua Security.
"},{"location":"tutorials/additional-resources/references/#announcements","title":"Announcements","text":" - Trivy Vulnerability Scanner Joins the Aqua Open-source Family
- Trivy Image Vulnerability Scanner Now Under Apache 2.0 License
"},{"location":"tutorials/additional-resources/references/#vulnerability-scanning","title":"Vulnerability Scanning","text":" - Using Trivy to Discover Vulnerabilities in VS Code Projects
- How does a vulnerability scanner identify packages?
- Handling Container Vulnerabilities with Open Policy Agent - Teppei Fukuda, Aqua Security
"},{"location":"tutorials/additional-resources/references/#cicd-pipelines","title":"CI/CD Pipelines","text":" - DevSecOps with Trivy and GitHub Actions
- Find Image Vulnerabilities Using GitHub and Aqua Security Trivy Action
"},{"location":"tutorials/additional-resources/references/#misconfiguration-scanning","title":"Misconfiguration Scanning","text":" - Identifying Misconfigurations in your Terraform
"},{"location":"tutorials/additional-resources/references/#clientserver","title":"Client/Server","text":" - Using Trivy in client server mode
"},{"location":"tutorials/additional-resources/references/#workshops","title":"Workshops","text":" - Trivy Live Demo & Q&A
- First Steps to Full Lifecycle Security with Open Source Tools - Rory McCune & Anais Urlichs
"},{"location":"tutorials/additional-resources/references/#older-resources","title":"Older Resources","text":" - Webinar: Trivy Open Source Scanner for Container Images \u2013 Just Download and Run!
- Kubernetes Security through GitOps Best Practices: ArgoCD and Starboard
- Get started with Kubernetes Security and Starboard
"},{"location":"tutorials/integrations/","title":"Integrations","text":"Scan your image automatically as part of your CI workflow, failing the workflow if a vulnerability is found. When you don't want to fail the test, specify --exit-code 0.
"},{"location":"tutorials/integrations/aws-codepipeline/","title":"AWS CodePipeline","text":"See this blog post for an example of using Trivy within AWS CodePipeline.
"},{"location":"tutorials/integrations/aws-security-hub/","title":"AWS Security Hub","text":""},{"location":"tutorials/integrations/aws-security-hub/#upload-findings-to-security-hub","title":"Upload findings to Security Hub","text":"In the following example, an ASFF file is generated using the template asff.tpl.
$ AWS_REGION=us-west-1 AWS_ACCOUNT_ID=123456789012 trivy image --format template --template \"@contrib/asff.tpl\" -o report.asff golang:1.12-alpine\n
The ASFF template reads AWS_REGION and AWS_ACCOUNT_ID from environment variables.
The Product ARN field follows the pattern below to match what AWS requires for the product resource type.
\"ProductArn\": \"arn:aws:securityhub:{{ env \"AWS_REGION\" }}::product/aquasecurity/aquasecurity\",\n
In order to upload results you must first run enable-import-findings-for-product like:
aws securityhub enable-import-findings-for-product --product-arn arn:aws:securityhub:<AWS_REGION>::product/aquasecurity/aquasecurity\n
The findings are formatted for the API with a key of Findings and a value of the array of findings. In order to upload via the CLI, the outer wrapping must be removed, leaving only the array of findings. The easiest way of doing this is with jq, using the command
cat report.asff | jq '.Findings'\n
Then, you can upload it with AWS CLI.
$ aws securityhub batch-import-findings --findings file://report.asff\n
"},{"location":"tutorials/integrations/aws-security-hub/#note","title":"Note","text":"The batch-import-findings command limits the number of findings uploaded to 100 per request. The best known workaround to this problem is using jq to run the following command
jq '.[:100]' report.asff 1> short_report.asff\n
"},{"location":"tutorials/integrations/aws-security-hub/#customize","title":"Customize","text":"You can customize asff.tpl
$ export AWS_REGION=us-west-1\n$ export AWS_ACCOUNT_ID=123456789012\n$ trivy image --format template --template \"@your-asff.tpl\" -o report.asff golang:1.12-alpine\n
"},{"location":"tutorials/integrations/aws-security-hub/#reference","title":"Reference","text":"aws.amazon.com/blogs/security/how-to-build-ci-cd-pipeline-container-vulnerability-scanning-trivy-and-aws-security-hub/
"},{"location":"tutorials/integrations/azure-devops/","title":"Azure Devops","text":" - Here is the Azure DevOps Pipelines Task for Trivy
"},{"location":"tutorials/integrations/azure-devops/#use-imagecleaner-to-clean-up-stale-images-on-your-azure-kubernetes-service-cluster","title":"Use ImageCleaner to clean up stale images on your Azure Kubernetes Service cluster","text":"It's common to use pipelines to build and deploy images on Azure Kubernetes Service (AKS) clusters. While great for image creation, this process often doesn't account for the stale images left behind and can lead to image bloat on cluster nodes. These images can present security issues as they may contain vulnerabilities. By cleaning these unreferenced images, you can remove an area of risk in your clusters. When done manually, this process can be time intensive, which ImageCleaner can mitigate via automatic image identification and removal.
Vulnerability is determined based on a trivy scan, after which images with a LOW, MEDIUM, HIGH, or CRITICAL classification are flagged. An updated ImageList will be automatically generated by ImageCleaner based on a set time interval, and can also be supplied manually.
"},{"location":"tutorials/integrations/azure-devops/#microsoft-defender-for-container-registries-and-trivy","title":"Microsoft Defender for container registries and Trivy","text":"This blog explains how to scan your Azure Container Registry-based container images with the integrated vulnerability scanner when they're built as part of your GitHub workflows.
To set up the scanner, you'll need to enable Microsoft Defender for Containers and the CI/CD integration. When your CI/CD workflows push images to your registries, you can view registry scan results and a summary of CI/CD scan results.
The findings of the CI/CD scans are an enrichment to the existing registry scan findings by Qualys. Defender for Cloud's CI/CD scanning is powered by Aqua Trivy.
"},{"location":"tutorials/integrations/bitbucket/","title":"Bitbucket Pipelines","text":"See trivy-pipe for the details.
"},{"location":"tutorials/integrations/circleci/","title":"CircleCI","text":"$ cat .circleci/config.yml\njobs:\n build:\n docker:\n - image: docker:stable-git\n steps:\n - checkout\n - setup_remote_docker\n - run:\n name: Build image\n command: docker build -t trivy-ci-test:${CIRCLE_SHA1} .\n - run:\n name: Install trivy\n command: |\n apk add --update-cache --upgrade curl\n curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin\n - run:\n name: Scan the local image with trivy\n command: trivy image --exit-code 0 --no-progress trivy-ci-test:${CIRCLE_SHA1}\nworkflows:\n version: 2\n release:\n jobs:\n - build\n
Example Repository
"},{"location":"tutorials/integrations/github-actions/","title":"GitHub Actions","text":" - Here is the Trivy GitHub Action
- The Microsoft Azure team have written a container-scan action that uses Trivy and Dockle
- For full control over the options specified to Trivy, this blog post describes adding Trivy into your own GitHub action workflows
"},{"location":"tutorials/integrations/gitlab-ci/","title":"GitLab CI","text":"GitLab 15.0 includes free integration with Trivy.
To configure container scanning with Trivy in GitLab, simply include the CI template in your .gitlab-ci.yml file:
include:\n - template: Security/Container-Scanning.gitlab-ci.yml\n
If you're a GitLab 14.x Ultimate customer, you can use the same configuration above.
Alternatively, you can always use the example configurations below.
stages:\n - test\n\ntrivy:\n stage: test\n image: docker:stable\n services:\n - name: docker:dind\n entrypoint: [\"env\", \"-u\", \"DOCKER_HOST\"]\n command: [\"dockerd-entrypoint.sh\"]\n variables:\n DOCKER_HOST: tcp://docker:2375/\n DOCKER_DRIVER: overlay2\n # See https://github.com/docker-library/docker/pull/166\n DOCKER_TLS_CERTDIR: \"\"\n IMAGE: trivy-ci-test:$CI_COMMIT_SHA\n TRIVY_NO_PROGRESS: \"true\"\n TRIVY_CACHE_DIR: \".trivycache/\"\n before_script:\n - export TRIVY_VERSION=$(wget -qO - \"https://api.github.com/repos/aquasecurity/trivy/releases/latest\" | grep '\"tag_name\":' | sed -E 's/.*\"v([^\"]+)\".*/\\1/')\n - echo $TRIVY_VERSION\n - wget --no-verbose https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz -O - | tar -zxvf -\n allow_failure: true\n script:\n # Build image\n - docker build -t $IMAGE .\n # Build report\n - ./trivy image --exit-code 0 --format template --template \"@/contrib/gitlab.tpl\" -o gl-container-scanning-report.json $IMAGE\n # Print report\n - ./trivy image --exit-code 0 --severity HIGH $IMAGE\n # Fail on severe vulnerabilities\n - ./trivy image --exit-code 1 --severity CRITICAL $IMAGE\n cache:\n paths:\n - .trivycache/\n # Enables https://docs.gitlab.com/ee/user/application_security/container_scanning/ (Container Scanning report is available on GitLab Ultimate)\n artifacts:\n reports:\n container_scanning: gl-container-scanning-report.json\n
Example Repository
"},{"location":"tutorials/integrations/gitlab-ci/#gitlab-ci-using-trivy-container","title":"GitLab CI using Trivy container","text":"To scan a previously built image that has already been pushed into the GitLab container registry the following CI job manifest can be used. Note that entrypoint needs to be unset for the script section to work. In case of a non-public GitLab project Trivy additionally needs to authenticate to the registry to be able to pull your application image. Finally, it is not necessary to clone the project repo as we only work with the container image.
container_scanning:\n image:\n name: docker.io/aquasec/trivy:latest\n entrypoint: [\"\"]\n variables:\n # No need to clone the repo, we exclusively work on artifacts. See\n # https://docs.gitlab.com/ee/ci/runners/configure_runners.html#git-strategy\n GIT_STRATEGY: none\n TRIVY_USERNAME: \"$CI_REGISTRY_USER\"\n TRIVY_PASSWORD: \"$CI_REGISTRY_PASSWORD\"\n TRIVY_AUTH_URL: \"$CI_REGISTRY\"\n TRIVY_NO_PROGRESS: \"true\"\n TRIVY_CACHE_DIR: \".trivycache/\"\n FULL_IMAGE_NAME: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG\n script:\n - trivy --version\n # update vulnerabilities db\n - time trivy image --download-db-only\n # Builds report and puts it in the default workdir $CI_PROJECT_DIR, so `artifacts:` can take it from there\n - time trivy image --exit-code 0 --format template --template \"@/contrib/gitlab.tpl\"\n --output \"$CI_PROJECT_DIR/gl-container-scanning-report.json\" \"$FULL_IMAGE_NAME\"\n # Prints full report\n - time trivy image --exit-code 0 \"$FULL_IMAGE_NAME\"\n # Fail on critical vulnerabilities\n - time trivy image --exit-code 1 --severity CRITICAL \"$FULL_IMAGE_NAME\"\n cache:\n paths:\n - .trivycache/\n # Enables https://docs.gitlab.com/ee/user/application_security/container_scanning/ (Container Scanning report is available on GitLab EE Ultimate or GitLab.com Gold)\n artifacts:\n when: always\n reports:\n container_scanning: gl-container-scanning-report.json\n tags:\n - docker-runner\n
"},{"location":"tutorials/integrations/gitlab-ci/#gitlab-ci-alternative-template","title":"GitLab CI alternative template","text":"Depending on the edition of gitlab you have or your desired workflow, the container scanning template may not meet your needs. As an addition to the above container scanning template, a template for code climate has been included. The key things to update from the above examples are the template and report type. An updated example is below.
stages:\n - test\n\ntrivy:\n stage: test\n image: docker:stable\n services:\n - name: docker:dind\n entrypoint: [\"env\", \"-u\", \"DOCKER_HOST\"]\n command: [\"dockerd-entrypoint.sh\"]\n variables:\n DOCKER_HOST: tcp://docker:2375/\n DOCKER_DRIVER: overlay2\n # See https://github.com/docker-library/docker/pull/166\n DOCKER_TLS_CERTDIR: \"\"\n IMAGE: trivy-ci-test:$CI_COMMIT_SHA\n TRIVY_NO_PROGRESS: \"true\"\n TRIVY_CACHE_DIR: \".trivycache/\"\n before_script:\n - export TRIVY_VERSION=$(wget -qO - \"https://api.github.com/repos/aquasecurity/trivy/releases/latest\" | grep '\"tag_name\":' | sed -E 's/.*\"v([^\"]+)\".*/\\1/')\n - echo $TRIVY_VERSION\n - wget --no-verbose https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz -O - | tar -zxvf -\n allow_failure: true\n script:\n # Build image\n - docker build -t $IMAGE .\n # Image report\n - ./trivy image --exit-code 0 --format template --template \"@/contrib/gitlab-codequality.tpl\" -o gl-codeclimate-image.json $IMAGE\n # Filesystem report\n - ./trivy filesystem --scanners misconfig,vuln --exit-code 0 --format template --template \"@/contrib/gitlab-codequality.tpl\" -o gl-codeclimate-fs.json .\n # Combine report\n - apk update && apk add jq\n - jq -s 'add' gl-codeclimate-image.json gl-codeclimate-fs.json > gl-codeclimate.json\n cache:\n paths:\n - .trivycache/\n # Enables https://docs.gitlab.com/ee/user/application_security/container_scanning/ (Container Scanning report is available on GitLab EE Ultimate or GitLab.com Gold)\n artifacts:\n paths:\n - gl-codeclimate.json\n reports:\n codequality: gl-codeclimate.json\n
Currently gitlab only supports a single code quality report. There is an open feature request to support multiple reports. Until this has been implemented, if you already have a code quality report in your pipeline, you can use jq to combine reports. Depending on how you name your artifacts, it may be necessary to rename the artifact if you want to reuse the name. To then combine the previous artifact with the output of trivy, the following jq command can be used, jq -s 'add' prev-codeclimate.json trivy-codeclimate.json > gl-codeclimate.json.
"},{"location":"tutorials/integrations/gitlab-ci/#gitlab-ci-alternative-template-example-report","title":"GitLab CI alternative template example report","text":"You'll be able to see a full report in the GitLab pipeline code quality UI, where filesystem vulnerabilities and misconfigurations include links to the flagged files and image vulnerabilities report the image/os or runtime/library that the vulnerability originates from instead.
"},{"location":"tutorials/integrations/travis-ci/","title":"Travis CI","text":"$ cat .travis.yml\nservices:\n - docker\n\nenv:\n global:\n - COMMIT=${TRAVIS_COMMIT::8}\n\nbefore_install:\n - docker build -t trivy-ci-test:${COMMIT} .\n - export VERSION=$(curl --silent \"https://api.github.com/repos/aquasecurity/trivy/releases/latest\" | grep '\"tag_name\":' | sed -E 's/.*\"v([^\"]+)\".*/\\1/')\n - wget https://github.com/aquasecurity/trivy/releases/download/v${VERSION}/trivy_${VERSION}_Linux-64bit.tar.gz\n - tar zxvf trivy_${VERSION}_Linux-64bit.tar.gz\nscript:\n - ./trivy image --exit-code 0 --severity HIGH --no-progress trivy-ci-test:${COMMIT}\n - ./trivy image --exit-code 1 --severity CRITICAL --no-progress trivy-ci-test:${COMMIT}\ncache:\n directories:\n - $HOME/.cache/trivy\n
Example Repository
"},{"location":"tutorials/kubernetes/cluster-scanning/","title":"Kubernetes Scanning Tutorial","text":""},{"location":"tutorials/kubernetes/cluster-scanning/#prerequisites","title":"Prerequisites","text":"To test the following commands yourself, make sure that you\u2019re connected to a Kubernetes cluster. A simple kind, a Docker-Desktop or microk8s cluster will do. In our case, we\u2019ll use a one-node kind cluster. Pro tip: The output of the commands will be even more interesting if you have some workloads running in your cluster.
"},{"location":"tutorials/kubernetes/cluster-scanning/#cluster-scanning","title":"Cluster Scanning","text":"Trivy K8s is great to get an overview of all the vulnerabilities and misconfiguration issues or to scan specific workloads that are running in your cluster. You would want to use the Trivy K8s command either on your own local cluster or in your CI/CD pipeline post deployments.
The trivy k8s command is part of the Trivy CLI.
With the following command, we can scan our entire Kubernetes cluster for vulnerabilities and get a summary of the scan:
trivy k8s --report=summary\n
To get detailed information for all your resources, just replace \u2018summary\u2019 with \u2018all\u2019:
trivy k8s --report=all\n
However, we recommend displaying all information only in case you scan a specific namespace or resource since you can get overwhelmed with additional details.
Furthermore, we can specify the namespace that Trivy is supposed to scan to focus on specific resources in the scan result:
trivy k8s --include-namespaces kube-system --report summary\n
Again, if you\u2019d like to receive additional details, use the \u2018--report=all\u2019 flag:
trivy k8s --include-namespaces kube-system --report all\n
Like with scanning for vulnerabilities, we can also filter in-cluster security issues by severity of the vulnerabilities:
trivy k8s --severity=CRITICAL --report=summary\n
Note that you can use any of the Trivy flags on the Trivy K8s command.
"},{"location":"tutorials/kubernetes/cluster-scanning/#trivy-operator","title":"Trivy Operator","text":"The Trivy K8s command is an imperative model to scan resources. We wouldn\u2019t want to manually scan each resource across different environments. The larger the cluster and the more workloads are running in it, the more error-prone this process would become. With the Trivy Operator, we can automate the scanning process after the deployment.
The Trivy Operator follows the Kubernetes Operator Model. Operators automate human actions, and the result of the task is saved as custom resource definitions (CRDs) within your cluster.
This has several benefits:
- The Trivy Operator installs CRDs in our cluster. As a result, all our resources, including our security scanner and its scan results, are Kubernetes resources. This makes it much easier to integrate the Trivy Operator directly into our existing processes, such as connecting Trivy with Prometheus, a monitoring system.
- The Trivy Operator will automatically scan your resources every six hours. You can set up automatic alerting in case new critical security issues are discovered.
- The CRDs can be both machine- and human-readable depending on which applications consume them. This allows for more versatile applications of the Trivy Operator.
There are several ways that you can install the Trivy Operator in your cluster. In this guide, we\u2019re going to use the Helm installation.
Please follow the Trivy Operator documentation for further information on:
- Installation of the Trivy Operator
- Getting started guide
"},{"location":"tutorials/kubernetes/gitops/","title":"Installing the Trivy-Operator through GitOps","text":"This tutorial shows you how to install the Trivy Operator through GitOps platforms, namely ArgoCD and FluxCD.
"},{"location":"tutorials/kubernetes/gitops/#argocd","title":"ArgoCD","text":"Make sure to have ArgoCD installed and running in your Kubernetes cluster.
You can either deploy the Trivy Operator through the argocd CLI or by applying a Kubernetes manifest.
ArgoCD command:
> kubectl create ns trivy-system\n> argocd app create trivy-operator --repo https://github.com/aquasecurity/trivy-operator --path deploy/helm --dest-server https://kubernetes.default.svc --dest-namespace trivy-system\n
Note that this installation is directly tied to our official Helm Chart. If you want to change any of the values, we'd suggest you create a separate values.yaml file.
Kubernetes manifest trivy-operator.yaml:
apiVersion: argoproj.io/v1alpha1\nkind: Application\nmetadata:\n name: trivy-operator\n namespace: argocd\nspec:\n project: default\n source:\n chart: trivy-operator\n repoURL: https://aquasecurity.github.io/helm-charts/\n targetRevision: 0.0.3\n helm:\n values: |\n trivy:\n ignoreUnfixed: true\n destination:\n server: https://kubernetes.default.svc\n namespace: trivy-system\n syncPolicy:\n automated:\n prune: true\n selfHeal: true\n
To apply the Kubernetes manifest, if you have the manifest locally, you can use the following command through kubectl:
> kubectl apply -f trivy-operator.yaml\n\napplication.argoproj.io/trivy-operator created\n
If you have the manifest in a Git repository, you can apply it to your cluster through the following command:
> kubectl apply -n argocd -f https://raw.githubusercontent.com/AnaisUrlichs/argocd-starboard/main/starboard/argocd-starboard.yaml\n
The latter command would allow you to make changes to the YAML manifest that ArgoCD would register automatically. Once deployed, you want to tell ArgoCD to sync the application from the actual state to the desired state:
argocd app sync trivy-operator\n
Now you can see the deployment in the ArgoCD UI. Have a look at the ArgoCD documentation to know how to access the UI.
Note that ArgoCD is unable to show the Trivy CRDs as synced.
"},{"location":"tutorials/kubernetes/gitops/#fluxcd","title":"FluxCD","text":"Make sure to have FluxCD installed and running in your Kubernetes cluster.
You can either deploy the Trivy Operator through the Flux CLI or by applying a Kubernetes manifest.
Flux command:
> kubectl create ns trivy-system\n> flux create source helm trivy-operator --url https://aquasecurity.github.io/helm-charts --namespace trivy-system\n> flux create helmrelease trivy-operator --chart trivy-operator \\\n --source HelmRepository/trivy-operator \\\n --chart-version 0.0.3 \\\n --namespace trivy-system\n
Kubernetes manifest trivy-operator.yaml:
apiVersion: source.toolkit.fluxcd.io/v1beta2\nkind: HelmRepository\nmetadata:\n name: trivy-operator\n namespace: flux-system\nspec:\n interval: 60m\n url: https://aquasecurity.github.io/helm-charts/\n\n---\napiVersion: helm.toolkit.fluxcd.io/v2beta1\nkind: HelmRelease\nmetadata:\n name: trivy-operator\n namespace: trivy-system\nspec:\n chart:\n spec:\n chart: trivy-operator\n sourceRef:\n kind: HelmRepository\n name: trivy-operator\n namespace: flux-system\n version: 0.10.1\n interval: 60m\n values:\n trivy:\n ignoreUnfixed: true\n install:\n crds: CreateReplace\n createNamespace: true\n
You can then apply the file to your Kubernetes cluster:
kubectl apply -f trivy-operator.yaml\n
"},{"location":"tutorials/kubernetes/gitops/#after-the-installation","title":"After the installation","text":"After the install, you want to check that the Trivy operator is running in the trivy-system namespace:
kubectl get deployment -n trivy-system\n
"},{"location":"tutorials/kubernetes/kyverno/","title":"Attesting Image Scans With Kyverno","text":"This tutorial is based on the following blog post by Chip Zoller: Attesting Image Scans With Kyverno
This tutorial details
- Verify the container image has an attestation with Kyverno
"},{"location":"tutorials/kubernetes/kyverno/#prerequisites","title":"Prerequisites","text":" - A running Kubernetes cluster that kubectl is connected to
- A Container image signed with Cosign and an attestation generated for a Trivy Vulnerability scan. Follow this tutorial for more information.
"},{"location":"tutorials/kubernetes/kyverno/#kyverno-policy-to-check-attestation","title":"Kyverno Policy to check attestation","text":"The following policy ensures that the attestation is no older than 168h:
vuln-attestation.yaml
apiVersion: kyverno.io/v1\nkind: ClusterPolicy\nmetadata:\n name: check-vulnerabilities\nspec:\n validationFailureAction: Enforce\n background: false\n webhookTimeoutSeconds: 30\n failurePolicy: Fail\n rules:\n - name: checking-vulnerability-scan-not-older-than-one-hour\n match:\n any:\n - resources:\n kinds:\n - Pod\n verifyImages:\n - imageReferences:\n - \"*\"\n attestations:\n - type: https://cosign.sigstore.dev/attestation/vuln/v1\n conditions:\n - all:\n - key: \"{{ time_since('','{{ metadata.scanFinishedOn }}', '') }}\"\n operator: LessThanOrEquals\n value: \"1h\"\n attestors:\n - count: 1\n entries:\n - keys:\n publicKeys: |-\n -----BEGIN PUBLIC KEY-----\n abc\n xyz\n -----END PUBLIC KEY-----\n
"},{"location":"tutorials/kubernetes/kyverno/#apply-the-policy-to-your-kubernetes-cluster","title":"Apply the policy to your Kubernetes cluster","text":"Ensure that you have Kyverno already deployed and running on your cluster -- for instance through the Kyverno Helm Chart.
Next, apply the above policy:
kubectl apply -f vuln-attestation.yaml\n
To ensure that the policy worked, we can deploy an example Kubernetes Pod with our container image:
kubectl run app-signed --image=docker.io/anaisurlichs/signed-example@sha256:c5911ac313e0be82a740bd726dc290e655800a9588424ba4e0558c705d1287fd\n
Note that the image is based on the signing tutorial. Once we apply the deployment, it should pass since our attestation is available:
kubectl apply -f deployment.yaml -n app\ndeployment.apps/cns-website created\n
However, if we try to deploy any other container image, our deployment will fail. We can verify this by replacing the image referenced in the deployment with docker.io/anaisurlichs/cns-website:0.0.5 and applying the deployment:
kubectl run app-unsigned --image=docker.io/anaisurlichs/cns-website:0.1.1\n\nResource: \"apps/v1, Resource=deployments\", GroupVersionKind: \"apps/v1, Kind=Deployment\"\nName: \"cns-website\", Namespace: \"app\"\nfor: \"deployment-two.yaml\": admission webhook \"mutate.kyverno.svc-fail\" denied the request: \n\nresource Deployment/app/cns-website was blocked due to the following policies\n\ncheck-image:\n autogen-check-image: |\n failed to verify signature for docker.io/anaisurlichs/cns-website:0.0.5: .attestors[0].entries[0].keys: no matching signatures:\n
"},{"location":"tutorials/misconfiguration/custom-checks/","title":"Custom Checks with Rego","text":"Trivy can scan configuration files for common security issues (a.k.a. IaC misconfiguration scanning). In addition to a comprehensive built-in database of checks, you can add your own custom checks. Checks are written in the Rego language, and the full documentation for checks and customizing them is available here.
This tutorial will walk you through writing a custom check in Rego that checks for an issue in a Dockerfile.
When you are writing a check, it's important to understand the input to the check. This will be the IaC file that you are scanning; for example, a Kubernetes YAML resource definition, or an AWS JSON CloudFormation, or in our case a Dockerfile.
Since Rego is primarily tailored to query JSON objects, all incoming configuration files need to first be converted to structured objects, which are available to the Rego code as the input variable. This is nothing that users have to do manually in Trivy. Instead, Rego makes it possible to pass in custom Schemas that detail how files are converted. Once Rego has access to a custom Schema, it will know in which format to access configuration files such as a Dockerfile.
Here you can find the schemas that define how different configuration files are converted to JSON by Trivy. This tutorial will make use of the dockerfile.json schema. The schema will need to be parsed into your custom check.
Users can also use the Schema Explorer to view the structure of the data provided to Rego.
"},{"location":"tutorials/misconfiguration/custom-checks/#create-a-rego-file-and-specify-trivy-metadata","title":"Create a Rego file and Specify Trivy metadata","text":"First, create a new .rego file e.g. a docker-check.rego file:
touch docker-check.rego\n
Next, we need to specify metadata about the check. This is information that helps Trivy load and process the check.
# METADATA\n# title: Verify Image\n# description: Verify Image is allowed to be used and in the right format\n# schemas:\n# - input: schema[\"dockerfile\"]\n# custom:\n# id: ID001\n# severity: MEDIUM\n# input:\n# selector: \n# - type: dockerfile\n
Important: The METADATA has to be defined on top of the file.
More information on the different fields in the metadata can be found in the Trivy documentation.
"},{"location":"tutorials/misconfiguration/custom-checks/#package-and-imports","title":"Package and imports","text":"package custom.dockerfile.ID001\n\nimport future.keywords.in\n
Every Rego check has a package name. In our case, we will call it custom.dockerfile.ID001 to avoid confusion between custom checks and built-in checks. The group name dockerfile has no effect on the package name. Note that each package has to contain only one check. However, we can pass multiple checks into our Trivy scan. The first keyword of the package, in this case custom, will be reused in the trivy command as the --namespace.
"},{"location":"tutorials/misconfiguration/custom-checks/#allowed-data","title":"Allowed data","text":"The check that we are setting up compares the container images used in the Dockerfile with a list of white-listed container images. Thus, we need to add the images that are allowed to be used in the Dockerfile to our check. In our case, we will store them in an array of arrays:
allowed_images := {\n [\"node:21-alpine3.19\", \"as\", \"build-deps\"],\n [\"nginx:1.2\"]\n}\n
"},{"location":"tutorials/misconfiguration/custom-checks/#select-the-images-that-are-used-in-the-dockerfile","title":"Select the images that are used in the Dockerfile","text":"Next, we need to iterate over the different commands in our Dockerfile and identify the commands that provide the base container images:
deny[msg] {\n input.Stages[m].Commands[l].Cmd == \"from\"\n val := input.Stages[m].Commands[l].Value\n not val in allowed_images\n msg := sprintf(\"The container image '%s' used in the Dockerfile is not allowed\", val)\n}\n
Let's look at the check line by line:
- The rule should always be
deny in the Trivy Rego checks input.Stages[m].Commands[l].Cmd input allows us to access the different commands in the Dockerfile. We need to access the commands that use \"FROM\". Every command will be converted to lowercase. val := input.Stages[m].Commands[l].Value accesses the value of the FROM command and stores it in val not val in allowed_images checks whether val is not part of our allowed images list; this part of the check relies on the import statement - In case our check fails, the
msg will be printed with the image name used in val
Note that Rego
- uses
AND automatically to combine conditions in this check - automatically iterates through the array of commands in the Dockerfile and allowed images
"},{"location":"tutorials/misconfiguration/custom-checks/#run-the-check-in-a-trivy-misconfiguration-scan","title":"Run the check in a Trivy misconfiguration scan","text":"Ensure that you have Trivy installed and run the following command:
trivy fs --scanners misconf --config-check ./docker-check.rego --namespaces custom ./Dockerfile\n
Please replace:
./docker-check.rego with the file path to your check custom should be replaced with your package name if different ./Dockerfile is the path to the Dockerfile that should be scanned
Note: If you define custom packages, you have to specify the package prefix via --namespaces option. In our case, we called the custom package custom.
"},{"location":"tutorials/misconfiguration/custom-checks/#resources","title":"Resources","text":" - Rego provides a long list of courses that can be useful in writing more complex checks
- The Rego documentation provides detailed information on the different types, iterations etc.
- Have a look at the built-in checks for Trivy for inspiration on how to write custom checks.
"},{"location":"tutorials/misconfiguration/terraform/","title":"Scanning Terraform files with Trivy","text":"This tutorial is focused on ways Trivy can scan Terraform IaC configuration files.
A video tutorial on Terraform Misconfiguration scans can be found on the Aqua Open Source YouTube account.
A note to tfsec users We have been consolidating all of our scanning-related efforts in one place, and that is Trivy. You can read more on the decision in the tfsec discussions.
"},{"location":"tutorials/misconfiguration/terraform/#trivy-config-command","title":"Trivy Config Command","text":"Terraform configuration scanning is available as part of the trivy config command. This command scans all configuration files for misconfiguration issues. You can find the details within misconfiguration scans in the Trivy documentation.
Command structure:
trivy config <any flags you want to use> <file or directory that you would like to scan> \n
The trivy config command can scan Terraform configuration, CloudFormation, Dockerfile, Kubernetes manifests, and Helm Charts for misconfiguration. Trivy will compare the configuration found in the file with a set of best practices.
- If the configuration is following best practices, the check will pass,
- If the configuration does not define the resource of some configuration, Trivy will assume the default configuration for the resource creation is used. In this case, the check might fail.
- If the configuration that has been defined does not follow best practices, the check will fail.
"},{"location":"tutorials/misconfiguration/terraform/#prerequisites","title":"Prerequisites","text":"Install Trivy on your local machines. The documentation provides several different installation options. This tutorial will use this example Terraform tutorial for terraform misconfiguration scanning with Trivy.
Git clone the tutorial and cd into the directory:
git clone git@github.com:Cloud-Native-Security/trivy-demo.git\ncd bad_iac/terraform\n
In this case, the folder only contains Terraform configuration files. However, you could scan a directory that contains several different configurations e.g. Kubernetes YAML manifests, Dockerfile, and Terraform. Trivy will then detect the different configuration files and apply the right rules automatically. "},{"location":"tutorials/misconfiguration/terraform/#different-types-of-trivy-config-scans","title":"Different types of trivy config scans","text":"Below are several examples of how the trivy config scan can be used.
General Terraform scan with trivy:
trivy config <specify the directory> \n
So if we are already in the directory that we want to scan:
trivy config ./ \n
"},{"location":"tutorials/misconfiguration/terraform/#specify-the-scan-format","title":"Specify the scan format","text":"The --format flag changes the way that Trivy displays the scan result:
JSON:
trivy config -f json terraform-infra \n
Sarif:
trivy config -f sarif terraform-infra \n
"},{"location":"tutorials/misconfiguration/terraform/#specifying-the-output-location","title":"Specifying the output location","text":"The --output flag specifies the file location in which the scan result should be saved:
JSON:
trivy config -f json -o example.json terraform-infra \n
Sarif:
trivy config -f sarif -o example.sarif terraform-infra \n
"},{"location":"tutorials/misconfiguration/terraform/#filtering-by-severity","title":"Filtering by severity","text":"If you are presented with lots and lots of misconfiguration across different files, you might want to filter or the misconfiguration with the highest severity:
trivy config --severity CRITICAL, MEDIUM terraform-infra \n
"},{"location":"tutorials/misconfiguration/terraform/#passing-tftfvars-files-into-trivy-config-scans","title":"Passing tf.tfvars files into trivy config scans","text":"You can pass terraform values to Trivy to override default values found in the Terraform HCL code. More information are provided in the documentation.
trivy config --tf-vars terraform.tfvars ./\n
"},{"location":"tutorials/misconfiguration/terraform/#custom-checks","title":"Custom Checks","text":"We have lots of examples in the documentation on how you can write and pass custom Rego checks into terraform misconfiguration scans.
"},{"location":"tutorials/misconfiguration/terraform/#secret-and-vulnerability-scans","title":"Secret and vulnerability scans","text":"The trivy config command does not perform secret and vulnerability checks out of the box. However, you can specify as part of your trivy fs scan that you would like to scan you terraform files for exposed secrets and misconfiguraction through the following flags:
trivy fs --scanners secret,misconfig ./\n
The trivy config command is a sub-command of the trivy fs command. You can learn more about this command in the documentation.
"},{"location":"tutorials/misconfiguration/terraform/#scanning-terraform-plan-files","title":"Scanning Terraform Plan files","text":"Instead of scanning your different Terraform resources individually, you could also scan your Terraform Plan file before it is deployed for misconfiguration. This will give you insights into any misconfiguration of your resources as they would become deployed. Here is the link to the documentation.
Note that you need to be able to create a terraform init and plan without any errors.
"},{"location":"tutorials/misconfiguration/terraform/#using-trivy-in-your-cicd-pipeline","title":"Using Trivy in your CI/CD pipeline","text":"Similar to tfsec, Trivy can be used either on local developer machines or integrated into your CI/CD pipeline. There are several steps available for different pipelines, including GitHub Actions, Circle CI, GitLab, Travis and more in the tutorials section of the documentation: https://trivy.dev/docs/latest/tutorials/integrations/
"},{"location":"tutorials/shell/shell-completion/","title":"Enable shell completion","text":"Below is example steps to enable shell completion feature for trivy cli:
"},{"location":"tutorials/shell/shell-completion/#1-know-your-current-shell","title":"1. Know your current shell","text":"$ echo $SHELL\n/bin/zsh # For this example it is zsh, but will be vary depend on your $SHELL, maybe /bin/bash or /bin/fish\n
"},{"location":"tutorials/shell/shell-completion/#2-run-completion-command-to-get-sub-commands","title":"2. Run completion command to get sub-commands","text":"$ trivy completion zsh -h\nGenerate the autocompletion script for the zsh shell.\n\nIf shell completion is not already enabled in your environment you will need\nto enable it. You can execute the following once:\n\n echo \"autoload -U compinit; compinit\" >> ~/.zshrc\n\nTo load completions in your current shell session:\n\n source <(trivy completion zsh); compdef _trivy trivy\n\nTo load completions for every new session, execute once:\n\n#### Linux:\n\n trivy completion zsh > \"${fpath[1]}/_trivy\"\n\n#### macOS:\n\n trivy completion zsh > $(brew --prefix)/share/zsh/site-functions/_trivy\n\nYou will need to start a new shell for this setup to take effect.\n
"},{"location":"tutorials/shell/shell-completion/#3-run-the-sub-commands-following-the-instruction","title":"3. Run the sub-commands following the instruction","text":"echo \"autoload -U compinit; compinit\" >> ~/.zshrc\nsource <(trivy completion zsh); compdef _trivy trivy\ntrivy completion zsh > \"${fpath[1]}/_trivy\"\n
"},{"location":"tutorials/shell/shell-completion/#4-start-a-new-shell-and-you-can-see-the-shell-completion","title":"4. Start a new shell and you can see the shell completion","text":"$ trivy [tab]\ncompletion -- Generate the autocompletion script for the specified shell\nconfig -- Scan config files for misconfigurations\nfilesystem -- Scan local filesystem\nhelp -- Help about any command\nimage -- Scan a container image\nkubernetes -- scan kubernetes cluster\nmodule -- Manage modules\nplugin -- Manage plugins\nrepository -- Scan a repository\nrootfs -- Scan rootfs\nsbom -- Scan SBOM for vulnerabilities\nserver -- Server mode\nversion -- Print the version\n
"},{"location":"tutorials/signing/vuln-attestation/","title":"Vulnerability Scan Record Attestation","text":"This tutorial details how to
- Scan container images for vulnerabilities
- Generate an attestation, using Cosign, with and without generating a separate key pair
"},{"location":"tutorials/signing/vuln-attestation/#prerequisites","title":"Prerequisites","text":" - Trivy CLI installed
- Cosign CLI installed
- Ensure that you have access to a container image in a remote container registry that you own/within your account. In this tutorial, we will use DockerHub.
"},{"location":"tutorials/signing/vuln-attestation/#scan-container-image-for-vulnerabilities","title":"Scan Container Image for vulnerabilities","text":"Scan your container image for vulnerabilities and save the scan result to a scan.json file:
trivy image --ignore-unfixed --format cosign-vuln --output scan.json DockerHubID/imagename:imagetag\n
For example:
trivy image --ignore-unfixed --format cosign-vuln --output scan.json anaisurlichs/signed-example:0.1\n
--ignore-unfixed: Ensures only the vulnerabilities, which have a already a fix available, are displayed --output scan.json: The scan output is saved to a scan.json file instead of being displayed in the terminal.
Note: Replace the container image with the container image that you want to scan.
"},{"location":"tutorials/signing/vuln-attestation/#option-1-signing-and-generating-an-attestation-without-new-key-pair","title":"Option 1: Signing and Generating an attestation without new key pair","text":""},{"location":"tutorials/signing/vuln-attestation/#signing","title":"Signing","text":"Sign the container image:
cosign sign DockerHubID/imagename@imageSHA\n
The imageSHA can be obtained through the following docker command:
docker image ls --digests\n
The SHA will be displayed next to the image name and tag. Note that it is better practice to sign the image SHA rather than the tag as the SHA will remain the same for the particular image that we have signed.
For example:
cosign sign docker.io/anaisurlichs/signed-example@sha256:c5911ac313e0be82a740bd726dc290e655800a9588424ba4e0558c705d1287fd\n
"},{"location":"tutorials/signing/vuln-attestation/#attestation","title":"Attestation","text":"The following command generates an attestation for the vulnerability scan and uploads it to the container image used:
cosign attest --predicate scan.json --type vuln docker.io/DockerHubID/imagename:imageSHA\n
For example:
cosign attest --predicate scan.json --type vuln docker.io/anaisurlichs/signed-example@sha256:c5911ac313e0be82a740bd726dc290e655800a9588424ba4e0558c705d1287fd\n
Note: Replace the container image with the container image that you would like to scan.
Next, Sigstore will ask you to verify with an account -- Microsoft, GitHub, or Google.
Once done, the user will be provided with a certificate in the terminal where they ran the command. Example certificate:
-----BEGIN CERTIFICATE-----\nMIIC1TCCAlygAwIBAgIUfSXI7xTWSLq4nuygd8YPuhPZlEswCgYIKoZIzj0EAwMw\nNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRl\ncm1lZGlhdGUwHhcNMjQwMTExMTMzODUzWhcNMjQwMTExMTM0ODUzWjAAMFkwEwYH\nKoZIzj0CAQYIKoZIzj0DAQcDQgAETcUNnK76mfo9G3j1c7NN6Vcn6yQPDX5rd3QB\nunkHs1Uk59CWv3qm6sUyRNYaATs9zdHAZqLck8G4P/Pj7+GzCKOCAXswggF3MA4G\n........\n-----END CERTIFICATE-----\n
"},{"location":"tutorials/signing/vuln-attestation/#option-2-signing-and-generating-an-attestation-with-a-new-cosign-key-pair","title":"Option 2: Signing and Generating an attestation with a new Cosign key pair","text":"To generate an attestation for the container image with a separate key pair, we can use Cosign to generate a new key pair:
cosign generate-key-pair\u00a0\n
This will generate a cosign.key and a cosign.pub file. The cosign.key file is your private key that should be kept confidential as it is used to sign artefacts. However, the cosign.pub file contains the information of the corresponding public key. This key can be used by third parties to verify the attestation -- basically that this person who claims to have signed the attestation actually is the one who signed it.
"},{"location":"tutorials/signing/vuln-attestation/#signing_1","title":"Signing","text":"Sign the container image:
cosign sign --key cosign.key docker.io/anaisurlichs/signed-example@sha256:c5911ac313e0be82a740bd726dc290e655800a9588424ba4e0558c705d1287fd\n
"},{"location":"tutorials/signing/vuln-attestation/#attestation_1","title":"Attestation","text":"To generate the attestation with the specific key pairs, run the following command:
cosign attest --key cosign.key --type vuln --predicate scan.json docker.io/anaisurlichs/signed-example@sha256:c5911ac313e0be82a740bd726dc290e655800a9588424ba4e0558c705d1287fd\u00a0\n
"},{"location":"tutorials/signing/vuln-attestation/#verify-the-attestation","title":"Verify the attestation","text":""},{"location":"tutorials/signing/vuln-attestation/#option-1-no-separate-key-pair","title":"Option 1 -- No separate key pair","text":"If you have not generated a key pair but received a certificate after the container image was signed, use the following command to verify the attestation:
cosign verify-attestation --type vuln --certificate-identity Email-used-to-sign --certificate-oidc-issuer='the-issuer-used' docker.io/DockerHubID/imagename:imageSHA\n
For example, the command could be like this:
cosign verify-attestation --type vuln --certificate-identity urlichsanais@gmail.com --certificate-oidc-issuer='https://github.com/login/oauth' anaisurlichs/signed-example@sha256:c5911ac313e0be82a740bd726dc290e655800a9588424ba4e0558c705d1287fd\n
"},{"location":"tutorials/signing/vuln-attestation/#option-2-separate-key-pair","title":"Option 2 -- Separate key pair","text":"If you have used a new cosign key pair, the attestation can be verified through the following command:
cosign verify-attestation --key cosign.pub --type vuln anaisurlichs/signed-example@sha256:c5911ac313e0be82a740bd726dc290e655800a9588424ba4e0558c705d1287fd\u00a0\n
Output The output should look similar to the following: Verification for anaisurlichs/signed-example@sha256:c5911ac313e0be82a740bd726dc290e655800a9588424ba4e0558c705d1287fd --\nThe following checks were performed on each of these signatures:\n - The cosign claims were validated\n - Existence of the claims in the transparency log was verified offline\n - The signatures were verified against the specified public key\n{\"payloadType\":\"application/vnd.in-toto+json\",\"payload\":\n
"},{"location":"tutorials/signing/vuln-attestation/#more-information","title":"More information","text":"See here for more details.
"}]}
\ No newline at end of file
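Review bot: several command lines in this hunk end with an escaped non-breaking space (`\u00a0`), namely `kubectl run app-unsigned --image=docker.io/anaisurlichs/cns-website:0.1.1\u00a0`, `cosign generate-key-pair\u00a0`, and the two `cosign attest`/`cosign verify-attestation` commands that end in `...c5911ac313e0be82a740bd726dc290e655800a9588424ba4e0558c705d1287fd\u00a0`. Since the search index is generated from the page text, the same U+00A0 is almost certainly in the source markdown and the rendered code block, so a reader who copies the command gets a stray non-breaking space appended to the last argument (an image reference or digest), which the shell passes through as part of that argument; replace it with a plain space or delete it in the source markdown rather than in this generated file. Separately, the Kyverno example at the top of the hunk says the deployment is changed to `docker.io/anaisurlichs/cns-website:0.0.5` and the `mutate.kyverno.svc-fail` denial reports `cns-website:0.0.5`, but the command shown runs `cns-website:0.1.1`; align the tag in the source so the denied-image walkthrough is reproducible as written.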
diff --git a/v0.68/sitemap.xml b/v0.68/sitemap.xml
index c4a1124850..c517e2743f 100644
--- a/v0.68/sitemap.xml
+++ b/v0.68/sitemap.xml
@@ -2,758 +2,758 @@
https://trivy.dev/v0.68/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/commercial/compare/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/commercial/contact/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/community/principles/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/community/contribute/discussion/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/community/contribute/issue/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/community/contribute/pr/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/community/contribute/checks/overview/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/community/contribute/checks/service-support/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/community/contribute/vulnerability-database/add-vulnerability-source/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/community/contribute/vulnerability-database/overview/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/community/maintainer/backporting/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/community/maintainer/help-wanted/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/community/maintainer/pr-review/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/community/maintainer/release-flow/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/community/maintainer/triage/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/ecosystem/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/ecosystem/cicd/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/ecosystem/ide/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/ecosystem/prod/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/ecosystem/reporting/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/getting-started/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/getting-started/faq/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/getting-started/installation/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/getting-started/signature-verification/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/advanced/air-gap/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/advanced/modules/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/advanced/self-hosting/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/advanced/telemetry-flags/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/advanced/telemetry/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/advanced/container/embed-in-dockerfile/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/advanced/container/unpacked-filesystem/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/advanced/private-registries/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/advanced/private-registries/acr/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/advanced/private-registries/docker-hub/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/advanced/private-registries/ecr/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/advanced/private-registries/gcr/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/advanced/private-registries/self/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/compliance/compliance/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/compliance/contrib-compliance/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/configuration/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/configuration/cache/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/configuration/db/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/configuration/filtering/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/configuration/others/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/configuration/reporting/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/configuration/skipping/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/coverage/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/coverage/kubernetes/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/coverage/iac/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/coverage/iac/azure-arm/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/coverage/iac/cloudformation/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/coverage/iac/docker/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/coverage/iac/helm/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/coverage/iac/kubernetes/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/coverage/iac/terraform/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/coverage/language/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/coverage/language/c/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/coverage/language/dart/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/coverage/language/dotnet/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/coverage/language/elixir/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/coverage/language/golang/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/coverage/language/java/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/coverage/language/julia/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/coverage/language/nodejs/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/coverage/language/php/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/coverage/language/python/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/coverage/language/ruby/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/coverage/language/rust/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/coverage/language/swift/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/coverage/os/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/coverage/os/alma/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/coverage/os/alpine/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/coverage/os/amazon/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/coverage/os/azure/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/coverage/os/bottlerocket/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/coverage/os/centos/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/coverage/os/chainguard/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/coverage/os/coreos/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/coverage/os/debian/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/coverage/os/echo/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/coverage/os/google-distroless/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/coverage/os/minimos/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/coverage/os/oracle/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/coverage/os/photon/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/coverage/os/rhel/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/coverage/os/rocky/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/coverage/os/suse/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/coverage/os/ubuntu/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/coverage/os/wolfi/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/coverage/others/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/coverage/others/bitnami/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/coverage/others/conda/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/coverage/others/rootio/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/coverage/others/rpm/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/coverage/others/seal/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/plugin/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/plugin/developer-guide/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/plugin/user-guide/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/references/abbreviations/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/references/terminology/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/references/troubleshooting/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/references/configuration/config-file/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/references/configuration/cli/trivy/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/references/configuration/cli/trivy_clean/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/references/configuration/cli/trivy_config/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/references/configuration/cli/trivy_convert/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/references/configuration/cli/trivy_filesystem/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/references/configuration/cli/trivy_image/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/references/configuration/cli/trivy_kubernetes/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/references/configuration/cli/trivy_module/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/references/configuration/cli/trivy_module_install/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/references/configuration/cli/trivy_module_uninstall/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/references/configuration/cli/trivy_plugin/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/references/configuration/cli/trivy_plugin_info/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/references/configuration/cli/trivy_plugin_install/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/references/configuration/cli/trivy_plugin_list/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/references/configuration/cli/trivy_plugin_run/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/references/configuration/cli/trivy_plugin_search/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/references/configuration/cli/trivy_plugin_uninstall/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/references/configuration/cli/trivy_plugin_update/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/references/configuration/cli/trivy_plugin_upgrade/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/references/configuration/cli/trivy_registry/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/references/configuration/cli/trivy_registry_login/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/references/configuration/cli/trivy_registry_logout/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/references/configuration/cli/trivy_repository/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/references/configuration/cli/trivy_rootfs/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/references/configuration/cli/trivy_sbom/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/references/configuration/cli/trivy_server/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/references/configuration/cli/trivy_version/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/references/configuration/cli/trivy_vex/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/references/configuration/cli/trivy_vex_repo/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/references/configuration/cli/trivy_vex_repo_download/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/references/configuration/cli/trivy_vex_repo_init/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/references/configuration/cli/trivy_vex_repo_list/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/references/configuration/cli/trivy_vm/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/references/modes/client-server/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/references/modes/standalone/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/scanner/license/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/scanner/secret/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/scanner/vulnerability/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/scanner/misconfiguration/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/scanner/misconfiguration/check/builtin/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/scanner/misconfiguration/config/config/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/scanner/misconfiguration/custom/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/scanner/misconfiguration/custom/combine/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/scanner/misconfiguration/custom/contribute-checks/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/scanner/misconfiguration/custom/data/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/scanner/misconfiguration/custom/debug/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/scanner/misconfiguration/custom/schema/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/scanner/misconfiguration/custom/selectors/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/scanner/misconfiguration/custom/testing/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/supply-chain/sbom/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/supply-chain/attestation/rekor/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/supply-chain/attestation/sbom/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/supply-chain/attestation/vuln/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/supply-chain/vex/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/supply-chain/vex/file/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/supply-chain/vex/oci/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/supply-chain/vex/repo/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/supply-chain/vex/sbom-ref/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/target/container_image/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/target/filesystem/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/target/kubernetes/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/target/repository/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/target/rootfs/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/target/sbom/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/guide/target/vm/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/tutorials/overview/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/tutorials/additional-resources/cks/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/tutorials/additional-resources/community/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/tutorials/additional-resources/references/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/tutorials/integrations/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/tutorials/integrations/aws-codepipeline/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/tutorials/integrations/aws-security-hub/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/tutorials/integrations/azure-devops/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/tutorials/integrations/bitbucket/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/tutorials/integrations/circleci/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/tutorials/integrations/github-actions/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/tutorials/integrations/gitlab-ci/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/tutorials/integrations/travis-ci/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/tutorials/kubernetes/cluster-scanning/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/tutorials/kubernetes/gitops/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/tutorials/kubernetes/kyverno/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/tutorials/misconfiguration/custom-checks/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/tutorials/misconfiguration/terraform/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/tutorials/shell/shell-completion/
- 2025-12-02
+ 2025-12-03
https://trivy.dev/v0.68/tutorials/signing/vuln-attestation/
- 2025-12-02
+ 2025-12-03
\ No newline at end of file
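Review bot: the lastmod of every URL in this sitemap moves from 2025-12-02 to 2025-12-03 in lockstep, which indicates the value is the build timestamp rather than the date the page's content last changed; crawlers treat lastmod as a change signal, so stamping all pages identically on each rebuild makes it uninformative and can cause unnecessary recrawls. Consider deriving lastmod from the source page's last commit date so that only pages whose content actually changed are bumped. The "\ No newline at end of file" marker also shows the generated sitemap.xml lacks a trailing newline; emitting one keeps diffs of this file clean.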
diff --git a/v0.68/sitemap.xml.gz b/v0.68/sitemap.xml.gz
index 2f35a18ff3..23b7b9384d 100644
Binary files a/v0.68/sitemap.xml.gz and b/v0.68/sitemap.xml.gz differ
diff --git a/versions.json b/versions.json
index 6e8b09c727..13e3b3e603 100644
--- a/versions.json
+++ b/versions.json
@@ -204,10 +204,10 @@
"version": "v0.30.4",
"title": "v0.30",
"aliases": [
- "v0.30.0",
- "v0.30.1",
"v0.30.2",
- "v0.30.3"
+ "v0.30.3",
+ "v0.30.0",
+ "v0.30.1"
]
},
{
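Review bot: the set of aliases for v0.30 is unchanged here (v0.30.0 through v0.30.3 before and after); only their order differs, and the same pattern repeats in the v0.25, v0.24, v0.21, v0.19 and v0.18 entries below. This is churn from a generator that emits the alias list in nondeterministic (likely map-iteration) order, which makes every release commit touch versions.json for no reason and makes real alias additions hard to spot in review. Suggest sorting the aliases deterministically before serialising, e.g. by semantic version descending, so that a diff of this file reflects only genuine changes.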
@@ -241,19 +241,19 @@
"version": "v0.25.4",
"title": "v0.25",
"aliases": [
- "v0.25.2",
- "v0.25.3",
"v0.25.1",
- "v0.25.0"
+ "v0.25.2",
+ "v0.25.0",
+ "v0.25.3"
]
},
{
"version": "v0.24.4",
"title": "v0.24",
"aliases": [
- "v0.24.2",
"v0.24.1",
"v0.24.3",
+ "v0.24.2",
"v0.24.0"
]
},
@@ -271,9 +271,9 @@
"version": "v0.21.3",
"title": "v0.21",
"aliases": [
- "v0.21.0",
+ "v0.21.1",
"v0.21.2",
- "v0.21.1"
+ "v0.21.0"
]
},
{
@@ -288,17 +288,17 @@
"version": "v0.19.2",
"title": "v0.19",
"aliases": [
- "v0.19.1",
- "v0.19.0"
+ "v0.19.0",
+ "v0.19.1"
]
},
{
"version": "v0.18.3",
"title": "v0.18",
"aliases": [
- "v0.18.2",
+ "v0.18.1",
"v0.18.0",
- "v0.18.1"
+ "v0.18.2"
]
},
{