docs: combine trivy.dev into trivy docs (#7884)

Co-authored-by: simar7 <1254783+simar7@users.noreply.github.com>
Itay Shakury
2024-11-17 23:34:48 -07:00
committed by GitHub
parent 0d3d934f76
commit 94791f8343
22 changed files with 1357 additions and 331 deletions


@@ -0,0 +1,74 @@
# First steps with Trivy
## Get Trivy
Trivy is available in most common distribution channels. The complete list of installation options is available in the [Installation](./installation.md) page. Here are a few popular examples:
- macOS: `brew install trivy`
- Docker: `docker run aquasec/trivy`
- Download binary from [GitHub Release](https://github.com/aquasecurity/trivy/releases/latest/)
- See [Installation](./installation.md) for more
Trivy is integrated with many popular platforms and applications. The complete list of integrations is available in the [Ecosystem](../ecosystem/index.md) page. Here are a few popular options examples:
- [GitHub Actions](https://github.com/aquasecurity/trivy-action)
- [Kubernetes operator](https://github.com/aquasecurity/trivy-operator)
- [VS Code plugin](https://github.com/aquasecurity/trivy-vscode-extension)
- See [Ecosystem](../ecosystem/index.md) for more
## General usage
Trivy's Command Line Interface pattern follows its major concepts: targets (what you want to scan), and scanners (what you want to scan for):
```bash
trivy <target> [--scanners <scanner1,scanner2>] <subject>
```
### Examples
Scan a container image from registry, with the default scanner which is Vulnerabilities scanner:
```bash
trivy image python:3.4-alpine
```
<video width="1000" muted controls>
<source src="https://user-images.githubusercontent.com/1161307/171013513-95f18734-233d-45d3-aaf5-d6aec687db0e.mov" type="video/mp4" />
</video>
Scan a local code repository, for vulnerabilities, exposed secrets and misconfigurations:
```bash
trivy fs --scanners vuln,secret,misconfig /path/to/myproject
```
<video width="1000" muted controls>
<source src="https://user-images.githubusercontent.com/1161307/171013917-b1f37810-f434-465c-b01a-22de036bd9b3.mov" type="video/mp4" />
</video>
Scan a Kubernetes cluster, with all available scanners, and show a summary report:
```bash
trivy k8s --report summary cluster
```
<img src="../imgs/trivy-k8s.png" width="1000" alt="trivy-k8s"/>
For a more complete introduction, check out the basic Trivy Demo: <https://github.com/itaysk/trivy-demo>
## Learn more
Now that you up and ready, here are some resources to help you deepen your knowledge:
- Learn more about Trivy's capabilities by exploring the complete [documentation](../docs/index.md).
- Explore community questions and under [GitHub Discussions](https://github.com/aquasecurity/trivy/discussions).
- Stay up to date by watching for [New Releases & Announcements](https://github.com/aquasecurity/trivy/discussions/categories/announcements).
- Follow Trivy on Twitter/X: [@aquatrivy](https://x.com/aquatrivy)
- Explore and subscribe to our YouTube channel [@AquaSecOSS](http://youtube.com/@aquasecoss)
# Want more? Check out Aqua
If you liked Trivy, you will love Aqua which builds on top of Trivy to provide even more enhanced capabilities for a complete security management offering.
You can find a high level comparison table specific to Trivy users [here](https://github.com/aquasecurity/resources/blob/main/trivy-aqua.md).
In addition, check out the <https://aquasec.com> website for more information about our products and services.
If you'd like to contact Aqua or request a demo, please use this form: <https://www.aquasec.com/demo>
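Review bot: two grammar slips in the "Learn more" bullets will ship as written: "Now that you up and ready" should read "Now that you are up and running", and "Explore community questions and under [GitHub Discussions]" has a stray "and". In the integrations intro, "Here are a few popular options examples" should be "Here are a few popular examples". Style: "# Want more? Check out Aqua" is a second H1 on a page that already opens with "# First steps with Trivy"; make it "##" so it nests under the page title like "## Learn more".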


@@ -1,10 +1,47 @@
# Installing Trivy
In this section you will find an aggregation of the different ways to install Trivy. installations are listed as either "official" or "community". Official integrations are developed by the core Trivy team and supported by it. Community integrations are integrations developed by the community, and collected here for your convenience. For support or questions about community integrations, please contact the original developers.
In this section you will find an aggregation of the different ways to install Trivy. Installation options are labeled as either "Official" or "Community". Official installations are developed by the Trivy team and supported by it. Community installations could be developed by anyone from the Trivy community, and collected here for your convenience. For support or questions about community installations, please contact the original developers.
## Install using Package Manager
!!! note
If you are looking to integrate Trivy into another system, such as CI/CD, IDE, Kubernetes, etc, please see [Ecosystem section](../ecosystem/index.md) to explore integrations of Trivy with other tools.
### RHEL/CentOS (Official)
## Container image (Official)
Use one of the official Trivy images:
| Registry | Repository | Link |
| --- | --- | --- |
| Docker Hub | `docker.io/aquasec/trivy` | https://hub.docker.com/r/aquasec/trivy |
| GitHub Container Registry (GHCR) | `ghcr.io/aquasecurity/trivy` | https://github.com/orgs/aquasecurity/packages/container/package/trivy |
| AWS Elastic Container Registry (ECR) | `public.ecr.aws/aquasecurity/trivy` | https://gallery.ecr.aws/aquasecurity/trivy |
!!! Tip
It is advisable to mount a persistent [cache dir](../docs/configuration/cache.md) on the host into the Trivy container.
!!! Tip
For scanning container images with Trivy, mount the container engine socket from the host into the Trivy container.
Example:
``` bash
docker run -v /var/run/docker.sock:/var/run/docker.sock -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:{{ git.tag[1:] }} image python:3.4-alpine
```
## GitHub Release (Official)
1. Download the file for your operating system/architecture from [GitHub Release assets](https://github.com/aquasecurity/trivy/releases/tag/{{ git.tag }}).
2. Unpack the downloaded archive (`tar -xzf ./trivy.tar.gz`).
3. Make sure the binary has execution bit turned on (`chmod +x ./trivy`).
## Install Script (Official)
For convenience, you can use the install script to download and install Trivy from GitHub Release.
```bash
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin {{ git.tag }}
```
## RHEL/CentOS (Official)
=== "Repository"
Add repository setting to `/etc/yum.repos.d`.
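Review bot: the new "GitHub Release (Official)" list stops after `chmod +x ./trivy` and never tells the reader to put the binary on their PATH, whereas the section it replaces (deleted further down in this commit) had a fourth step, "Put the binary somewhere in your `$PATH` (e.g `sudo mv ./trivy /usr/local/bin/`)"; restore that step, otherwise the procedure is incomplete. The cache-mount example under the container image table uses `$HOME/Library/Caches`, a macOS-only path, even though the tip above it talks generically about mounting a persistent cache dir; either label the example as macOS or use a Linux-style path such as `$HOME/.cache`. Minor: the admonitions mix `!!! note` and `!!! Tip`; keep the type keyword lowercase for consistency.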
@@ -28,7 +65,7 @@ In this section you will find an aggregation of the different ways to install Tr
rpm -ivh https://github.com/aquasecurity/trivy/releases/download/{{ git.tag }}/trivy_{{ git.tag[1:] }}_Linux-64bit.rpm
```
### Debian/Ubuntu (Official)
## Debian/Ubuntu (Official)
=== "Repository"
Add repository setting to `/etc/apt/sources.list.d`.
@@ -48,22 +85,20 @@ In this section you will find an aggregation of the different ways to install Tr
sudo dpkg -i trivy_{{ git.tag[1:] }}_Linux-64bit.deb
```
### Homebrew (Official)
## Homebrew (Official)
Homebrew for MacOS and Linux.
Homebrew for macOS and Linux.
```bash
brew install trivy
```
### Windows (Official)
## Windows (Official)
1. Download trivy_x.xx.x_windows-64bit.zip file from [releases page](https://github.com/aquasecurity/trivy/releases/).
2. Unzip file and copy to any folder.
3. Ensure PATH environment variable is configured to folder trivy installed.
### Arch Linux (Community)
## Arch Linux (Community)
Arch Linux Package Repository.
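Review bot: in the Windows steps, step 3 "Ensure PATH environment variable is configured to folder trivy installed." is ungrammatical; suggest "Add the folder where you unzipped trivy to the PATH environment variable." Step 1 uses the literal placeholder `trivy_x.xx.x_windows-64bit.zip` while every other section on this page interpolates `{{ git.tag }}` / `{{ git.tag[1:] }}`; use the template variable here too so the filename tracks the release.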
@@ -76,9 +111,9 @@ References:
- <https://gitlab.archlinux.org/archlinux/packaging/packages/trivy/-/blob/main/PKGBUILD>
### MacPorts (Community)
## MacPorts (Community)
[MacPorts](https://www.macports.org) for MacOS.
[MacPorts](https://www.macports.org) for macOS.
```bash
sudo port install trivy
@@ -87,9 +122,9 @@ sudo port install trivy
References:
- <https://ports.macports.org/port/trivy/details/>
### Nix/NixOS (Community)
## Nix/NixOS (Community)
Nix package manager for Linux and MacOS.
Nix package manager for Linux and macOS.
=== "Command line"
`nix-env --install -A nixpkgs.trivy`
@@ -116,15 +151,15 @@ References:
- https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/admin/trivy/default.nix
### FreeBSD (Official)
## FreeBSD (Official)
[Pkg](https://freebsd.org) for FreeBSD.
Pkg package manager for FreeBSD.
```bash
pkg install trivy
```
### asdf/mise (Community)
## asdf/mise (Community)
[asdf](https://github.com/asdf-vm/asdf) and [mise](https://github.com/jdx/mise) are quite similar tools you can use to install trivy.
See their respective documentation for more information of how to install them and use them:
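Review bot: in the asdf/mise intro, "more information of how to install them and use them" should be "more information on how to install and use them".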
@@ -165,50 +200,3 @@ The plugin used by both tools is developped [here](https://github.com/zufardhiya
# Now trivy commands are available
trivy --version
```
## Install from GitHub Release (Official)
### Download Binary
1. Download the file for your operating system/architecture from [GitHub Release assets](https://github.com/aquasecurity/trivy/releases/tag/{{ git.tag }}).
2. Unpack the downloaded archive (`tar -xzf ./trivy.tar.gz`).
3. Make sure the binary has execution bit turned on (`chmod +x ./trivy`).
4. Put the binary somewhere in your `$PATH` (e.g `sudo mv ./trivy /usr/local/bin/`).
### Install Script
The process above can be automated by the following script:
```bash
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin {{ git.tag }}
```
### Install from source
```bash
git clone --depth 1 --branch {{ git.tag }} https://github.com/aquasecurity/trivy
cd trivy
go install ./cmd/trivy
```
## Use container image
1. Pull Trivy image (`docker pull aquasec/trivy:{{ git.tag[1:] }}`)
2. It is advisable to mount a consistent [cache dir](../docs/configuration/cache.md) on the host into the Trivy container.
3. For scanning container images with Trivy, mount `docker.sock` from the host into the Trivy container.
Example:
``` bash
docker run -v /var/run/docker.sock:/var/run/docker.sock -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:{{ git.tag[1:] }} image python:3.4-alpine
```
| Registry | Repository | Link | Supportability |
|--------------------------------------|-------------------------------------|-----------------------------------------------------------------------|----------------|
| Docker Hub | `docker.io/aquasec/trivy` | https://hub.docker.com/r/aquasec/trivy | Official |
| GitHub Container Registry (GHCR) | `ghcr.io/aquasecurity/trivy` | https://github.com/orgs/aquasecurity/packages/container/package/trivy | Official |
| AWS Elastic Container Registry (ECR) | `public.ecr.aws/aquasecurity/trivy` | https://gallery.ecr.aws/aquasecurity/trivy | Official |
## Other Tools to use and deploy Trivy
For additional tools and ways to install and use Trivy in different environments such as in IDE, Kubernetes or CI/CD, see [Ecosystem section](../ecosystem/index.md).
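Review bot: this deletion removes the "Install from source" section (`git clone --depth 1 --branch {{ git.tag }} https://github.com/aquasecurity/trivy` followed by `go install ./cmd/trivy`) and nothing in the rewritten page re-adds it, so building from source is no longer documented anywhere on the installation page; either restore it under its own heading in the new layout or state in the commit message that it was dropped deliberately. Likewise step 4 of the old "Download Binary" list (moving the binary onto `$PATH`) has no counterpart in the new "GitHub Release" section.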


@@ -1,60 +1,47 @@
# Signature Verification
## Verifying a Cosign signature
All binaries and container images are signed by [Cosign](https://github.com/sigstore/cosign).
You need the following tool:
## Verifying container image
- [Cosign](https://docs.sigstore.dev/cosign/installation/)
### Verifying signed container images
1. Use the following command for keyless [verification](https://docs.sigstore.dev/cosign/verify/):
```shell
cosign verify aquasec/trivy:<version> \
--certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+' \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com"
```
2. You should get the following output
```shell
Verification for index.docker.io/aquasec/trivy:latest --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- Existence of the claims in the transparency log was verified offline
- The code-signing certificate was verified using trusted certificate authority certificates
....
```
### Verifying signed binaries
1. Download the required tarball, associated signature and certificate files
2. Use the following command for keyless verification:
```shell
cosign verify-blob <path to binray> \
--certificate <path to cert> \
--signature <path to sig> \
--certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+' \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com"
```
3. You should get the following output
```
Verified OK
```
For example:
Use the following command for keyless [verification](https://docs.sigstore.dev/cosign/verify/):
```shell
$ wget "https://github.com/aquasecurity/trivy/releases/download/v0.45.0/trivy_0.45.0_Linux-32bit.tar.gz"
$ wget "https://github.com/aquasecurity/trivy/releases/download/v0.45.0/trivy_0.45.0_Linux-32bit.tar.gz.pem"
$ wget "https://github.com/aquasecurity/trivy/releases/download/v0.45.0/trivy_0.45.0_Linux-32bit.tar.gz.sig"
$ cosign verify-blob trivy_0.45.0_Linux-32bit.tar.gz \
--certificate trivy_0.45.0_Linux-32bit.tar.gz.pem \
--signature trivy_0.45.0_Linux-32bit.tar.gz.sig \
--certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+' \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com"
Vetified OK
cosign verify aquasec/trivy:<version> \
--certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+' \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com"
```
You should get the following output
```
Verification for index.docker.io/aquasec/trivy:latest --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- Existence of the claims in the transparency log was verified offline
- The code-signing certificate was verified using trusted certificate authority certificates
....
```
## Verifying binary
Download the required tarball, associated signature and certificate files from the [GitHub Release](https://github.com/aquasecurity/trivy/releases).
Use the following command for keyless verification:
```shell
cosign verify-blob <path to binray> \
--certificate <path to cert> \
--signature <path to sig> \
--certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+' \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com"
```
You should get the following output
```
Verified OK
```
## Verifying a GPG signature
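Review bot: the placeholder typo `<path to binray>` from the old text is carried over unchanged into the new "Verifying binary" command; fix it to `<path to binary>`. The sample output under "Verifying container image" still reads "Verification for index.docker.io/aquasec/trivy:latest --" while the command above it verifies `aquasec/trivy:<version>`; make the two agree. This rewrite also drops the concrete wget/verify-blob walkthrough for the release tarball (the one that misspelled "Vetified OK"); downloading the matching `.pem` and `.sig` alongside the tarball is the step people get wrong, so consider keeping one concrete example with the typo fixed.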
@@ -63,37 +50,33 @@ RPM and Deb packages are also signed by GPG.
### Verifying RPM
The public key downloaded [here](https://aquasecurity.github.io/trivy-repo/rpm/public.key).
The public key is available at <https://aquasecurity.github.io/trivy-repo/rpm/public.key>.
1. Download the public key
```shell
curl https://aquasecurity.github.io/trivy-repo/rpm/public.key \
--output pub.key
```
2. Import the key
```shell
rpm --import pub.key
```
3. Verify that the key has been imported
```shell
rpm -q --queryformat "%{SUMMARY}\n" $(rpm -q gpg-pubkey)
```
You should get the following output
```shell
gpg(trivy)
```
First, download and import the key:
```shell
curl https://aquasecurity.github.io/trivy-repo/rpm/public.key \
--output pub.key
rpm --import pub.key
rpm -q --queryformat "%{SUMMARY}\n" $(rpm -q gpg-pubkey)
```
You should get the following output:
```
gpg(trivy)
```
4. Download the required binary
```shell
curl -L https://github.com/aquasecurity/trivy/releases/download/<version>/<file name>.rpm \
--output trivy.rpm
```
5. Check the binary with the following command
```shell
rpm -K trivy.rpm
```
You should get the following output
```shell
trivy.rpm: digests signatures OK
```
Then you can verify the signature:
```shell
curl -L https://github.com/aquasecurity/trivy/releases/download/<version>/<file name>.rpm \
--output trivy.rpm
rpm -K trivy.rpm
```
You should get the following output
```
trivy.rpm: digests signatures OK
```