gitea-mirror/trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2025-12-23 07:29:00 -08:00
Code Issues Packages Projects Releases Wiki Activity

docs: add config file and update CLI references (#2489)

Browse Source
This commit is contained in:
Teppei Fukuda
2022-07-10 19:41:42 +03:00
committed by GitHub
parent 736e3f11f7
commit e98bde3396
18 changed files with 924 additions and 292 deletions
Download Patch File Download Diff File Expand all files Collapse all files

87
docs/docs/references/cli/client.md
View File

@@ -1,32 +1,69 @@
# Client # Client
```bash ```bash
NAME: Usage:
trivy client - DEPRECATED client mode, use `trivy image` with `--server` option for remote scans now. [DEPRECATED] trivy client [flags] IMAGE_NAME
USAGE: Aliases:
trivy image --server value client, c
trivy client [deprecated command options] image_name Scan Flags
--offline-scan do not issue API requests to identify dependencies
--security-checks string comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
--skip-dirs string specify the directories where the traversal is skipped
--skip-files string specify the file paths to skip traversal
DEPRECATED OPTIONS: Report Flags
--template value, -t value output template [$TRIVY_TEMPLATE] --dependency-tree show dependency origin tree (EXPERIMENTAL)
--format value, -f value format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT] --exit-code int specify exit code when any security issues are found
--input value, -i value input file path instead of image name [$TRIVY_INPUT] -f, --format string format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default "table")
--severity value, -s value severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY] --ignore-policy string specify the Rego file path to evaluate each vulnerability
--output value, -o value output file name [$TRIVY_OUTPUT] --ignorefile string specify .trivyignore file (default ".trivyignore")
--exit-code value Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE] --list-all-pkgs enabling the option will output all packages regardless of vulnerability
--ignore-unfixed display only fixed vulnerabilities (default: false) [$TRIVY_IGNORE_UNFIXED] -o, --output string output file name
--removed-pkgs detect vulnerabilities of removed packages (only for Alpine) (default: false) [$TRIVY_REMOVED_PKGS] --report string specify a report format for the output. (all,summary) (default "all")
--vuln-type value comma-separated list of vulnerability types (os,library) (default: "os,library") [$TRIVY_VULN_TYPE] -s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
--ignorefile value specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE] -t, --template string output template
--timeout value timeout (default: 5m0s) [$TRIVY_TIMEOUT]
--ignore-policy value specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY] Cache Flags
--list-all-pkgs enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS] --cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--offline-scan do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN] --cache-ttl duration cache TTL when using redis as cache backend
--token value for authentication [$TRIVY_TOKEN] --clear-cache clear image caches without scanning
--token-header value specify a header name for token (default: "Trivy-Token") [$TRIVY_TOKEN_HEADER] --redis-ca string redis ca file location, if using redis as cache backend
--remote value server address (default: "http://localhost:4954") [$TRIVY_REMOTE] --redis-cert string redis certificate file location, if using redis as cache backend
--custom-headers value custom headers [$TRIVY_CUSTOM_HEADERS] --redis-key string redis key file location, if using redis as cache backend
--help, -h show help (default: false)
DB Flags
--db-repository string OCI repository to retrieve trivy-db from" (default "ghcr.io/aquasecurity/trivy-db")
--download-db-only download/update vulnerability database but don't run a scan
--no-progress suppress progress bar
--reset remove all caches and database
--skip-db-update skip updating vulnerability database
Vulnerability Flags
--ignore-unfixed display only fixed vulnerabilities
--vuln-type string comma-separated list of vulnerability types (os,library) (default "os,library")
Misconfiguration Flags
--config-data strings specify paths from which data for the Rego policies will be recursively loaded
--config-policy strings specify paths to the Rego policy files directory, applying config files
--file-patterns strings specify config file patterns, available with '--security-checks config'
--include-non-failures include successes and exceptions, available with '--security-checks config'
--policy-namespaces strings Rego namespaces
--trace enable more verbose trace output for custom queries
Client/Server Flags
--custom-headers strings custom headers in client mode
--remote string server address (default "http://localhost:4954")
--token string for authentication in client/server mode
--token-header string specify a header name for token in client/server mode (default "Trivy-Token")
Global Flags:
--cache-dir string cache directory (default "/Users/teppei/Library/Caches/trivy")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--insecure allow insecure server connections when using TLS
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
``` ```

69
docs/docs/references/cli/config.md
View File

@@ -1,29 +1,52 @@
# Config # Config
``` bash ``` bash
NAME: Scan config files for misconfigurations
trivy config - scan config files
USAGE: Usage:
trivy config [command options] dir trivy config [flags] DIR
Aliases:
config, conf
Scan Flags
--skip-dirs string specify the directories where the traversal is skipped
--skip-files string specify the file paths to skip traversal
Report Flags
--dependency-tree show dependency origin tree (EXPERIMENTAL)
--exit-code int specify exit code when any security issues are found
-f, --format string format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default "table")
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignorefile string specify .trivyignore file (default ".trivyignore")
--list-all-pkgs enabling the option will output all packages regardless of vulnerability
-o, --output string output file name
-s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
-t, --template string output template
Cache Flags
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--clear-cache clear image caches without scanning
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
Misconfiguration Flags
--config-data strings specify paths from which data for the Rego policies will be recursively loaded
--config-policy strings specify paths to the Rego policy files directory, applying config files
--file-patterns strings specify config file patterns, available with '--security-checks config'
--include-non-failures include successes and exceptions, available with '--security-checks config'
--policy-namespaces strings Rego namespaces
--trace enable more verbose trace output for custom queries
Global Flags:
--cache-dir string cache directory (default "/Users/teppei/Library/Caches/trivy")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--insecure allow insecure server connections when using TLS
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
OPTIONS:
--template value, -t value output template [$TRIVY_TEMPLATE]
--format value, -f value format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
--severity value, -s value severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
--output value, -o value output file name [$TRIVY_OUTPUT]
--exit-code value Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
--skip-policy-update skip updating built-in policies (default: false) [$TRIVY_SKIP_POLICY_UPDATE]
--reset remove all caches and database (default: false) [$TRIVY_RESET]
--clear-cache, -c clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE]
--ignorefile value specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
--timeout value timeout (default: 5m0s) [$TRIVY_TIMEOUT]
--skip-files value specify the file paths to skip traversal [$TRIVY_SKIP_FILES]
--skip-dirs value specify the directories where the traversal is skipped [$TRIVY_SKIP_DIRS]
--policy value, --config-policy value specify paths to the Rego policy files directory, applying config files [$TRIVY_POLICY]
--data value, --config-data value specify paths from which data for the Rego policies will be recursively loaded [$TRIVY_DATA]
--policy-namespaces value, --namespaces value Rego namespaces (default: "users") [$TRIVY_POLICY_NAMESPACES]
--file-patterns value specify file patterns [$TRIVY_FILE_PATTERNS]
--include-successes include successes of misconfigurations (default: false) [$TRIVY_INCLUDE_SUCCESSES]
--help, -h show help (default: false)
``` ```

110
docs/docs/references/cli/fs.md
View File

@@ -1,42 +1,80 @@
# Filesystem # Filesystem
```bash ```bash
NAME: Scan local filesystem
trivy filesystem - scan local filesystem for language-specific dependencies and config files
USAGE: Usage:
trivy filesystem [command options] path trivy filesystem [flags] PATH
OPTIONS: Aliases:
--template value, -t value output template [$TRIVY_TEMPLATE] filesystem, fs
--format value, -f value format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
--severity value, -s value severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY] Examples:
--output value, -o value output file name [$TRIVY_OUTPUT] # Scan a local project including language-specific files
--exit-code value Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE] $ trivy fs /path/to/your_project
--skip-db-update, --skip-update skip updating vulnerability database (default: false) [$TRIVY_SKIP_UPDATE, $TRIVY_SKIP_DB_UPDATE]
--skip-policy-update skip updating built-in policies (default: false) [$TRIVY_SKIP_POLICY_UPDATE] # Scan a single file
--insecure allow insecure server connections when using SSL (default: false) [$TRIVY_INSECURE] $ trivy fs ./trivy-ci-test/Pipfile.lock
--clear-cache, -c clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE]
--ignore-unfixed display only fixed vulnerabilities (default: false) [$TRIVY_IGNORE_UNFIXED] Scan Flags
--vuln-type value comma-separated list of vulnerability types (os,library) (default: "os,library") [$TRIVY_VULN_TYPE] --offline-scan do not issue API requests to identify dependencies
--security-checks value comma-separated list of what security issues to detect (vuln,config) (default: "vuln") [$TRIVY_SECURITY_CHECKS] --security-checks string comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
--ignorefile value specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE] --skip-dirs string specify the directories where the traversal is skipped
--cache-backend value cache backend (e.g. redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND] --skip-files string specify the file paths to skip traversal
--cache-ttl value cache TTL when using redis as cache backend (default: 0s) [$TRIVY_CACHE_TTL]
--timeout value timeout (default: 5m0s) [$TRIVY_TIMEOUT] Report Flags
--no-progress suppress progress bar (default: false) [$TRIVY_NO_PROGRESS] --dependency-tree show dependency origin tree (EXPERIMENTAL)
--ignore-policy value specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY] --exit-code int specify exit code when any security issues are found
--list-all-pkgs enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS] -f, --format string format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default "table")
--offline-scan do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN] --ignore-policy string specify the Rego file path to evaluate each vulnerability
--db-repository value OCI repository to retrieve trivy-db from (default: "ghcr.io/aquasecurity/trivy-db") [$TRIVY_DB_REPOSITORY] --ignorefile string specify .trivyignore file (default ".trivyignore")
--skip-files value specify the file paths to skip traversal (accepts multiple inputs) [$TRIVY_SKIP_FILES] --list-all-pkgs enabling the option will output all packages regardless of vulnerability
--skip-dirs value specify the directories where the traversal is skipped (accepts multiple inputs) [$TRIVY_SKIP_DIRS] -o, --output string output file name
--config-policy value specify paths to the Rego policy files directory, applying config files (accepts multiple inputs) [$TRIVY_CONFIG_POLICY] -s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
--config-data value specify paths from which data for the Rego policies will be recursively loaded (accepts multiple inputs) [$TRIVY_CONFIG_DATA] -t, --template string output template
--policy-namespaces value, --namespaces value Rego namespaces (default: "users") (accepts multiple inputs) [$TRIVY_POLICY_NAMESPACES]
--server value server address [$TRIVY_SERVER] Cache Flags
--token value for authentication in client/server mode [$TRIVY_TOKEN] --cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--token-header value specify a header name for token in client/server mode (default: "Trivy-Token") [$TRIVY_TOKEN_HEADER] --cache-ttl duration cache TTL when using redis as cache backend
--custom-headers value custom headers in client/server mode (accepts multiple inputs) [$TRIVY_CUSTOM_HEADERS] --clear-cache clear image caches without scanning
--help, -h show help (default: false) --redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
DB Flags
--db-repository string OCI repository to retrieve trivy-db from" (default "ghcr.io/aquasecurity/trivy-db")
--download-db-only download/update vulnerability database but don't run a scan
--no-progress suppress progress bar
--reset remove all caches and database
--skip-db-update skip updating vulnerability database
Vulnerability Flags
--ignore-unfixed display only fixed vulnerabilities
--vuln-type string comma-separated list of vulnerability types (os,library) (default "os,library")
Misconfiguration Flags
--config-data strings specify paths from which data for the Rego policies will be recursively loaded
--config-policy strings specify paths to the Rego policy files directory, applying config files
--file-patterns strings specify config file patterns, available with '--security-checks config'
--include-non-failures include successes and exceptions, available with '--security-checks config'
--policy-namespaces strings Rego namespaces
--trace enable more verbose trace output for custom queries
Secret Flags
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
Client/Server Flags
--custom-headers strings custom headers in client mode
--server string server address in client mode
--token string for authentication in client/server mode
--token-header string specify a header name for token in client/server mode (default "Trivy-Token")
Global Flags:
--cache-dir string cache directory (default "/Users/teppei/Library/Caches/trivy")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--insecure allow insecure server connections when using TLS
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
``` ```

130
docs/docs/references/cli/image.md
View File

@@ -1,43 +1,99 @@
# Image # Image
```bash ```bash
NAME: Scan a container image
trivy image - scan an image
USAGE: Usage:
trivy image [command options] image_name trivy image [flags] IMAGE_NAME
OPTIONS: Aliases:
--template value, -t value output template [$TRIVY_TEMPLATE] image, i
--format value, -f value format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
--input value, -i value input file path instead of image name [$TRIVY_INPUT] Examples:
--severity value, -s value severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY] # Scan a container image
--output value, -o value output file name [$TRIVY_OUTPUT] $ trivy image python:3.4-alpine
--exit-code value Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
--skip-db-update, --skip-update skip updating vulnerability database (default: false) [$TRIVY_SKIP_UPDATE, $TRIVY_SKIP_DB_UPDATE] # Scan a container image from a tar archive
--download-db-only download/update vulnerability database but don't run a scan (default: false) [$TRIVY_DOWNLOAD_DB_ONLY] $ trivy image --input ruby-3.1.tar
--reset remove all caches and database (default: false) [$TRIVY_RESET]
--clear-cache, -c clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE] # Filter by severities
--no-progress suppress progress bar (default: false) [$TRIVY_NO_PROGRESS] $ trivy image --severity HIGH,CRITICAL alpine:3.15
--ignore-unfixed display only fixed vulnerabilities (default: false) [$TRIVY_IGNORE_UNFIXED]
--removed-pkgs detect vulnerabilities of removed packages (only for Alpine) (default: false) [$TRIVY_REMOVED_PKGS] # Ignore unfixed/unpatched vulnerabilities
--vuln-type value comma-separated list of vulnerability types (os,library) (default: "os,library") [$TRIVY_VULN_TYPE] $ trivy image --ignore-unfixed alpine:3.15
--security-checks value comma-separated list of what security issues to detect (vuln,config,secret) (default: "vuln,secret") [$TRIVY_SECURITY_CHECKS]
--ignorefile value specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE] # Scan a container image in client mode
--timeout value timeout (default: 5m0s) [$TRIVY_TIMEOUT] $ trivy image --server http://127.0.0.1:4954 alpine:latest
--light deprecated (default: false) [$TRIVY_LIGHT]
--ignore-policy value specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY] # Generate json result
--list-all-pkgs enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS] $ trivy image --format json --output result.json alpine:3.15
--cache-backend value cache backend (e.g. redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND]
--cache-ttl value cache TTL when using redis as cache backend (default: 0s) [$TRIVY_CACHE_TTL] # Generate a report in the CycloneDX format
--offline-scan do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN] $ trivy image --format cyclonedx --output result.cdx alpine:3.15
--insecure allow insecure server connections when using SSL (default: false) [$TRIVY_INSECURE]
--db-repository value OCI repository to retrieve trivy-db from (default: "ghcr.io/aquasecurity/trivy-db") [$TRIVY_DB_REPOSITORY] Scan Flags
--skip-files value specify the file paths to skip traversal (accepts multiple inputs) [$TRIVY_SKIP_FILES] --offline-scan do not issue API requests to identify dependencies
--skip-dirs value specify the directories where the traversal is skipped (accepts multiple inputs) [$TRIVY_SKIP_DIRS] --security-checks string comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
--server value server address [$TRIVY_SERVER] --skip-dirs string specify the directories where the traversal is skipped
--token value for authentication in client/server mode [$TRIVY_TOKEN] --skip-files string specify the file paths to skip traversal
--token-header value specify a header name for token in client/server mode (default: "Trivy-Token") [$TRIVY_TOKEN_HEADER]
--custom-headers value custom headers in client/server mode (accepts multiple inputs) [$TRIVY_CUSTOM_HEADERS] Report Flags
--help, -h show help (default: false) --dependency-tree show dependency origin tree (EXPERIMENTAL)
--exit-code int specify exit code when any security issues are found
-f, --format string format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default "table")
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignorefile string specify .trivyignore file (default ".trivyignore")
--list-all-pkgs enabling the option will output all packages regardless of vulnerability
-o, --output string output file name
-s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
-t, --template string output template
Cache Flags
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--clear-cache clear image caches without scanning
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
DB Flags
--db-repository string OCI repository to retrieve trivy-db from" (default "ghcr.io/aquasecurity/trivy-db")
--download-db-only download/update vulnerability database but don't run a scan
--no-progress suppress progress bar
--reset remove all caches and database
--skip-db-update skip updating vulnerability database
Image Flags
--input string input file path instead of image name
--removed-pkgs detect vulnerabilities of removed packages (only for Alpine)
Vulnerability Flags
--ignore-unfixed display only fixed vulnerabilities
--vuln-type string comma-separated list of vulnerability types (os,library) (default "os,library")
Misconfiguration Flags
--config-data strings specify paths from which data for the Rego policies will be recursively loaded
--config-policy strings specify paths to the Rego policy files directory, applying config files
--file-patterns strings specify config file patterns, available with '--security-checks config'
--include-non-failures include successes and exceptions, available with '--security-checks config'
--policy-namespaces strings Rego namespaces
--trace enable more verbose trace output for custom queries
Secret Flags
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
Client/Server Flags
--custom-headers strings custom headers in client mode
--server string server address in client mode
--token string for authentication in client/server mode
--token-header string specify a header name for token in client/server mode (default "Trivy-Token")
Global Flags:
--cache-dir string cache directory (default "/Users/teppei/Library/Caches/trivy")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--insecure allow insecure server connections when using TLS
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
``` ```

65
docs/docs/references/cli/index.md
View File

@@ -1,32 +1,49 @@
Trivy has several sub commands, image, fs, repo, client and server. Trivy has several sub commands, image, fs, repo, client and server.
``` bash ``` bash
NAME: Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues and hard-coded secrets
trivy - Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues and hard-coded secrets
USAGE: Usage:
trivy [global options] command [command options] target trivy [command]
VERSION: Examples:
dev # Scan a container image
$ trivy image python:3.4-alpine
COMMANDS: # Scan a container image from a tar archive
image, i scan an image $ trivy image --input ruby-3.1.tar
filesystem, fs scan local filesystem for language-specific dependencies and config files
rootfs scan rootfs
repository, repo scan remote repository
server, s server mode
config, conf scan config files
plugin, p manage plugins
kubernetes, k8s scan kubernetes vulnerabilities and misconfigurations
sbom generate SBOM for an artifact
version print the version
help, h Shows a list of commands or help for one command
GLOBAL OPTIONS: # Scan local filesystem
--quiet, -q suppress progress bar and log output (default: false) [$TRIVY_QUIET] $ trivy fs .
--debug, -d debug mode (default: false) [$TRIVY_DEBUG]
--cache-dir value cache directory (default: "/Users/teppei/Library/Caches/trivy") [$TRIVY_CACHE_DIR] # Run in server mode
--help, -h show help (default: false) $ trivy server
--version, -v print the version (default: false)
Available Commands:
config Scan config files for misconfigurations
filesystem Scan local filesystem
help Help about any command
image Scan a container image
kubectl scan kubectl resources
kubernetes scan kubernetes cluster
module Manage modules
plugin Manage plugins
repository Scan a remote repository
rootfs Scan rootfs
sbom Scan SBOM for vulnerabilities
server Server mode
version Print the version
Flags:
--cache-dir string cache directory (default "/Users/teppei/Library/Caches/trivy")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
-f, --format string version format (json)
-h, --help help for trivy
--insecure allow insecure server connections when using TLS
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
Use "trivy [command] --help" for more information about a command.
``` ```

30
docs/docs/references/cli/module.md
View File

@@ -1,17 +1,27 @@
# Module # Module
```bash ```bash
NAME: Manage modules
trivy module - manage modules
USAGE: Usage:
trivy module command [command options] [arguments...] trivy module [command]
COMMANDS: Aliases:
install, i install a module module, m
uninstall, u uninstall a module
help, h Shows a list of commands or help for one command
OPTIONS: Available Commands:
--help, -h show help (default: false) install Install a module
uninstall Uninstall a module
Flags:
-h, --help help for module
Global Flags:
--cache-dir string cache directory (default "/Users/teppei/Library/Caches/trivy")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--insecure allow insecure server connections when using TLS
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
``` ```

38
docs/docs/references/cli/plugin.md
View File

@@ -1,21 +1,31 @@
# Plugin # Plugin
```bash ```bash
NAME: Manage plugins
trivy plugin - manage plugins
USAGE: Usage:
trivy plugin command [command options] plugin_uri trivy plugin [command]
COMMANDS: Aliases:
install, i install a plugin plugin, p
uninstall, u uninstall a plugin
list, l list installed plugin
info information about a plugin
run, r run a plugin on the fly
update update an existing plugin
help, h Shows a list of commands or help for one command
OPTIONS: Available Commands:
--help, -h show help (default: false) Uninstall uninstall a plugin
info Show information about the specified plugin
install Install a plugin
list List installed plugin
run Run a plugin on the fly
update Update an existing plugin
Flags:
-h, --help help for plugin
Global Flags:
--cache-dir string cache directory (default "/Users/teppei/Library/Caches/trivy")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--insecure allow insecure server connections when using TLS
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
``` ```

103
docs/docs/references/cli/repo.md
View File

@@ -1,38 +1,77 @@
# Repository # Repository
```bash ```bash
NAME: Scan a remote repository
trivy repository - scan remote repository
USAGE: Usage:
trivy repository [command options] repo_url trivy repository [flags] REPO_URL
OPTIONS: Aliases:
--template value, -t value output template [$TRIVY_TEMPLATE] repository, repo
--format value, -f value format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
--input value, -i value input file path instead of image name [$TRIVY_INPUT] Examples:
--severity value, -s value severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY] # Scan your remote git repository
--output value, -o value output file name [$TRIVY_OUTPUT] $ trivy repo https://github.com/knqyf263/trivy-ci-test
--exit-code value Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
--skip-db-update, --skip-update skip updating vulnerability database (default: false) [$TRIVY_SKIP_UPDATE, $TRIVY_SKIP_DB_UPDATE] Scan Flags
--skip-policy-update skip updating built-in policies (default: false) [$TRIVY_SKIP_POLICY_UPDATE] --offline-scan do not issue API requests to identify dependencies
--clear-cache, -c clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE] --security-checks string comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
--ignore-unfixed display only fixed vulnerabilities (default: false) [$TRIVY_IGNORE_UNFIXED] --skip-dirs string specify the directories where the traversal is skipped
--removed-pkgs detect vulnerabilities of removed packages (only for Alpine) (default: false) [$TRIVY_REMOVED_PKGS] --skip-files string specify the file paths to skip traversal
--vuln-type value comma-separated list of vulnerability types (os,library) (default: "os,library") [$TRIVY_VULN_TYPE]
--security-checks value comma-separated list of what security issues to detect (vuln,config) (default: "vuln") [$TRIVY_SECURITY_CHECKS] Report Flags
--ignorefile value specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE] --dependency-tree show dependency origin tree (EXPERIMENTAL)
--cache-backend value cache backend (e.g. redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND] --exit-code int specify exit code when any security issues are found
--cache-ttl value cache TTL when using redis as cache backend (default: 0s) [$TRIVY_CACHE_TTL] -f, --format string format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default "table")
--timeout value timeout (default: 5m0s) [$TRIVY_TIMEOUT] --ignore-policy string specify the Rego file path to evaluate each vulnerability
--no-progress suppress progress bar (default: false) [$TRIVY_NO_PROGRESS] --ignorefile string specify .trivyignore file (default ".trivyignore")
--quiet, -q suppress progress bar and log output (default: false) [$TRIVY_QUIET] --list-all-pkgs enabling the option will output all packages regardless of vulnerability
--ignore-policy value specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY] -o, --output string output file name
--list-all-pkgs enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS] -s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
--offline-scan do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN] -t, --template string output template
--insecure allow insecure server connections when using SSL (default: false) [$TRIVY_INSECURE]
--db-repository value OCI repository to retrieve trivy-db from (default: "ghcr.io/aquasecurity/trivy-db") [$TRIVY_DB_REPOSITORY] Cache Flags
--skip-files value specify the file paths to skip traversal (accepts multiple inputs) [$TRIVY_SKIP_FILES] --cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--skip-dirs value specify the directories where the traversal is skipped (accepts multiple inputs) [$TRIVY_SKIP_DIRS] --cache-ttl duration cache TTL when using redis as cache backend
--help, -h show help (default: false) --clear-cache clear image caches without scanning
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
DB Flags
--db-repository string OCI repository to retrieve trivy-db from" (default "ghcr.io/aquasecurity/trivy-db")
--download-db-only download/update vulnerability database but don't run a scan
--no-progress suppress progress bar
--reset remove all caches and database
--skip-db-update skip updating vulnerability database
Vulnerability Flags
--ignore-unfixed display only fixed vulnerabilities
--vuln-type string comma-separated list of vulnerability types (os,library) (default "os,library")
Misconfiguration Flags
--config-data strings specify paths from which data for the Rego policies will be recursively loaded
--config-policy strings specify paths to the Rego policy files directory, applying config files
--file-patterns strings specify config file patterns, available with '--security-checks config'
--include-non-failures include successes and exceptions, available with '--security-checks config'
--policy-namespaces strings Rego namespaces
--trace enable more verbose trace output for custom queries
Secret Flags
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
Client/Server Flags
--custom-headers strings custom headers in client mode
--server string server address in client mode
--token string for authentication in client/server mode
--token-header string specify a header name for token in client/server mode (default "Trivy-Token")
Global Flags:
--cache-dir string cache directory (default "/Users/teppei/Library/Caches/trivy")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--insecure allow insecure server connections when using TLS
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
``` ```

98
docs/docs/references/cli/rootfs.md
View File

@@ -1,36 +1,74 @@
# Rootfs # Rootfs
```bash ```bash
NAME: Scan rootfs
trivy rootfs - scan rootfs
USAGE: Usage:
trivy rootfs [command options] dir trivy rootfs [flags] ROOTDIR
OPTIONS: Examples:
--template value, -t value output template [$TRIVY_TEMPLATE] # Scan unpacked filesystem
--format value, -f value format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT] $ docker export $(docker create alpine:3.10.2) | tar -C /tmp/rootfs -xvf -
--severity value, -s value severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY] $ trivy rootfs /tmp/rootfs
--output value, -o value output file name [$TRIVY_OUTPUT]
--exit-code value Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE] # Scan from inside a container
--skip-db-update, --skip-update skip updating vulnerability database (default: false) [$TRIVY_SKIP_UPDATE, $TRIVY_SKIP_DB_UPDATE] $ docker run --rm -it alpine:3.11
--insecure allow insecure server connections when using SSL (default: false) [$TRIVY_INSECURE] / # curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
--skip-policy-update skip updating built-in policies (default: false) [$TRIVY_SKIP_POLICY_UPDATE] / # trivy rootfs /
--clear-cache, -c clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE]
--ignore-unfixed display only fixed vulnerabilities (default: false) [$TRIVY_IGNORE_UNFIXED] Scan Flags
--vuln-type value comma-separated list of vulnerability types (os,library) (default: "os,library") [$TRIVY_VULN_TYPE] --offline-scan do not issue API requests to identify dependencies
--security-checks value comma-separated list of what security issues to detect (vuln,config) (default: "vuln") [$TRIVY_SECURITY_CHECKS] --security-checks string comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
--ignorefile value specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE] --skip-dirs string specify the directories where the traversal is skipped
--cache-backend value cache backend (e.g. redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND] --skip-files string specify the file paths to skip traversal
--timeout value timeout (default: 5m0s) [$TRIVY_TIMEOUT]
--no-progress suppress progress bar (default: false) [$TRIVY_NO_PROGRESS] Report Flags
--ignore-policy value specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY] --dependency-tree show dependency origin tree (EXPERIMENTAL)
--list-all-pkgs enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS] --exit-code int specify exit code when any security issues are found
--offline-scan do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN] -f, --format string format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default "table")
--skip-files value specify the file paths to skip traversal [$TRIVY_SKIP_FILES] --ignore-policy string specify the Rego file path to evaluate each vulnerability
--skip-dirs value specify the directories where the traversal is skipped [$TRIVY_SKIP_DIRS] --ignorefile string specify .trivyignore file (default ".trivyignore")
--config-policy value specify paths to the Rego policy files directory, applying config files [$TRIVY_CONFIG_POLICY] --list-all-pkgs enabling the option will output all packages regardless of vulnerability
--config-data value specify paths from which data for the Rego policies will be recursively loaded [$TRIVY_CONFIG_DATA] -o, --output string output file name
--policy-namespaces value, --namespaces value Rego namespaces (default: "users") [$TRIVY_POLICY_NAMESPACES] -s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
--help, -h show help (default: false) -t, --template string output template
Cache Flags
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--clear-cache clear image caches without scanning
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
DB Flags
--db-repository string OCI repository to retrieve trivy-db from" (default "ghcr.io/aquasecurity/trivy-db")
--download-db-only download/update vulnerability database but don't run a scan
--no-progress suppress progress bar
--reset remove all caches and database
--skip-db-update skip updating vulnerability database
Vulnerability Flags
--ignore-unfixed display only fixed vulnerabilities
--vuln-type string comma-separated list of vulnerability types (os,library) (default "os,library")
Misconfiguration Flags
--config-data strings specify paths from which data for the Rego policies will be recursively loaded
--config-policy strings specify paths to the Rego policy files directory, applying config files
--file-patterns strings specify config file patterns, available with '--security-checks config'
--include-non-failures include successes and exceptions, available with '--security-checks config'
--policy-namespaces strings Rego namespaces
--trace enable more verbose trace output for custom queries
Secret Flags
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
Global Flags:
--cache-dir string cache directory (default "/Users/teppei/Library/Caches/trivy")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--insecure allow insecure server connections when using TLS
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
``` ```

97
docs/docs/references/cli/sbom.md
View File

@@ -1,46 +1,67 @@
# SBOM # SBOM
```bash ```bash
NAME: Scan SBOM for vulnerabilities
trivy sbom - scan SBOM for vulnerabilities
USAGE: Usage:
trivy sbom [command options] SBOM trivy sbom [flags] SBOM_PATH
OPTIONS: Examples:
--cache-backend value cache backend (e.g. redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND] # Scan CycloneDX and show the result in tables
--cache-ttl value cache TTL when using redis as cache backend (default: 0s) [$TRIVY_CACHE_TTL] $ trivy sbom /path/to/report.cdx
--clear-cache, -c clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE]
--custom-headers value custom headers in client/server mode (accepts multiple inputs) [$TRIVY_CUSTOM_HEADERS]
--db-repository value OCI repository to retrieve trivy-db from (default: "ghcr.io/aquasecurity/trivy-db") [$TRIVY_DB_REPOSITORY]
--download-db-only download/update vulnerability database but don't run a scan (default: false) [$TRIVY_DOWNLOAD_DB_ONLY]
--exit-code value Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
--format value, -f value format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default: "table") [$TRIVY_FORMAT]
--ignore-policy value specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
--ignore-unfixed display only fixed vulnerabilities (default: false) [$TRIVY_IGNORE_UNFIXED]
--ignorefile value specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
--input value, -i value input file path instead of image name [$TRIVY_INPUT]
--insecure allow insecure server connections when using SSL (default: false) [$TRIVY_INSECURE]
--list-all-pkgs enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
--no-progress suppress progress bar (default: false) [$TRIVY_NO_PROGRESS]
--offline-scan do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
--output value, -o value output file name [$TRIVY_OUTPUT]
--reset remove all caches and database (default: false) [$TRIVY_RESET]
--security-checks value comma-separated list of what security issues to detect (vuln,config,secret) (default: "vuln") [$TRIVY_SECURITY_CHECKS]
--server value server address [$TRIVY_SERVER]
--severity value, -s value severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
--skip-db-update, --skip-update skip updating vulnerability database (default: false) [$TRIVY_SKIP_UPDATE, $TRIVY_SKIP_DB_UPDATE]
--skip-dirs value specify the directories where the traversal is skipped (accepts multiple inputs) [$TRIVY_SKIP_DIRS]
--skip-files value specify the file paths to skip traversal (accepts multiple inputs) [$TRIVY_SKIP_FILES]
--template value, -t value output template [$TRIVY_TEMPLATE]
--timeout value timeout (default: 5m0s) [$TRIVY_TIMEOUT]
--token value for authentication in client/server mode [$TRIVY_TOKEN]
--token-header value specify a header name for token in client/server mode (default: "Trivy-Token") [$TRIVY_TOKEN_HEADER]
EXAMPLES: # Scan CycloneDX and generate a CycloneDX report
- Scan CycloneDX and show the result in tables: $ trivy sbom --format cyclonedx /path/to/report.cdx
$ trivy sbom /path/to/report.cdx
- Scan CycloneDX and generate a CycloneDX report:
$ trivy sbom --format cyclonedx /path/to/report.cdx Scan Flags
--offline-scan do not issue API requests to identify dependencies
--security-checks string comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
--skip-dirs string specify the directories where the traversal is skipped
--skip-files string specify the file paths to skip traversal
Report Flags
--dependency-tree show dependency origin tree (EXPERIMENTAL)
--exit-code int specify exit code when any security issues are found
-f, --format string format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default "table")
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignorefile string specify .trivyignore file (default ".trivyignore")
--list-all-pkgs enabling the option will output all packages regardless of vulnerability
-o, --output string output file name
-s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
-t, --template string output template
Cache Flags
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--clear-cache clear image caches without scanning
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
DB Flags
--db-repository string OCI repository to retrieve trivy-db from" (default "ghcr.io/aquasecurity/trivy-db")
--download-db-only download/update vulnerability database but don't run a scan
--no-progress suppress progress bar
--reset remove all caches and database
--skip-db-update skip updating vulnerability database
Vulnerability Flags
--ignore-unfixed display only fixed vulnerabilities
--vuln-type string comma-separated list of vulnerability types (os,library) (default "os,library")
Client/Server Flags
--custom-headers strings custom headers in client mode
--server string server address in client mode
--token string for authentication in client/server mode
--token-header string specify a header name for token in client/server mode (default "Trivy-Token")
Global Flags:
--cache-dir string cache directory (default "/Users/teppei/Library/Caches/trivy")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--insecure allow insecure server connections when using TLS
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
``` ```

58
docs/docs/references/cli/server.md
View File

@@ -1,22 +1,48 @@
# Server # Server
```bash ```bash
NAME: Server mode
trivy server - server mode
USAGE: Usage:
trivy server [command options] [arguments...] trivy server [flags]
OPTIONS: Aliases:
--skip-db-update, --skip-update skip updating vulnerability database (default: false) [$TRIVY_SKIP_UPDATE, $TRIVY_SKIP_DB_UPDATE] server, s
--download-db-only download/update vulnerability database but don't run a scan (default: false) [$TRIVY_DOWNLOAD_DB_ONLY]
--insecure allow insecure server connections when using SSL (default: false) [$TRIVY_INSECURE] Examples:
--reset remove all caches and database (default: false) [$TRIVY_RESET] # Run a server
--cache-backend value cache backend (e.g. redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND] $ trivy server
--cache-ttl value cache TTL when using redis as cache backend (default: 0s) [$TRIVY_CACHE_TTL]
--db-repository value OCI repository to retrieve trivy-db from (default: "ghcr.io/aquasecurity/trivy-db") [$TRIVY_DB_REPOSITORY] # Listen on 0.0.0.0:10000
--token value for authentication in client/server mode [$TRIVY_TOKEN] $ trivy server --listen 0.0.0.0:10000
--token-header value specify a header name for token in client/server mode (default: "Trivy-Token") [$TRIVY_TOKEN_HEADER]
--listen value listen address (default: "localhost:4954") [$TRIVY_LISTEN]
--help, -h show help (default: false) Cache Flags
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--clear-cache clear image caches without scanning
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
DB Flags
--db-repository string OCI repository to retrieve trivy-db from" (default "ghcr.io/aquasecurity/trivy-db")
--download-db-only download/update vulnerability database but don't run a scan
--no-progress suppress progress bar
--reset remove all caches and database
--skip-db-update skip updating vulnerability database
Client/Server Flags
--listen string listen address in server mode (default "localhost:4954")
--token string for authentication in client/server mode
--token-header string specify a header name for token in client/server mode (default "Trivy-Token")
Global Flags:
--cache-dir string cache directory (default "/Users/teppei/Library/Caches/trivy")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--insecure allow insecure server connections when using TLS
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
``` ```

271
docs/docs/references/customization/config-file.md Normal file
View File

@@ -0,0 +1,271 @@
# Config file
Trivy can be customized by tweaking a `trivy.yaml` file. The config path can be overridden by the `--config` flag.
An example is [here][example].
## Global Options
```
# Same as '--quiet'
# Default is false
quiet: false
# Same as '--debug'
# Default is false
debug: false
# Same as '--insecure'
# Default is false
insecure: false
# Same as '--timeout'
# Default is '5m'
timeout: 10m
# Same as '--cache-dir'
# Default is your system cache dir
cache-dir: $HOME/.cache/trivy
```
## Report Options
```
# Same as '--format'
# Default is 'table'
format: table
# Same as '--report' (available with 'trivy k8s')
# Default is all
report: all
# Same as '--template'
# Default is empty
template:
# Same as '--dependency-tree'
# Default is false
dependency-tree: false
# Same as '--list-all-pkgs'
# Default is false
list-all-pkgs: false
# Same as '--ignorefile'
# Default is '.trivyignore'
ignorefile: .trivyignore
# Same as '--ignore-policy'
# Default is empty
ignore-policy:
# Same as '--exit-code'
# Default is 0
exit-code: 0
# Same as '--output'
# Default is empty (stdout)
output:
# Same as '--severity'
# Default is all severities
severity:
- UNKNOWN
- LOW
- MEDIUM
- HIGH
- CRITICAL
```
## Scan Options
Available in client/server mode
```
scan:
# Same as '--skip-dirs'
# Default is empty
skip-dirs:
- usr/local/
- etc/
# Same as '--skip-files'
# Default is empty
skip-files:
- package-dev.json
# Same as '--offline-scan'
# Default is false
offline-scan: false
# Same as '--security-checks'
# Default depends on subcommand
security-checks:
- vuln
- config
- secret
```
## Cache Options
```
cache:
# Same as '--cache-backend'
# Default is 'fs'
backend: 'fs'
# Same as '--cache-ttl'
# Default is 0 (no ttl)
ttl: 0
# Redis options
redis:
# Same as '--redis-ca'
# Default is empty
ca:
# Same as '--redis-cert'
# Default is empty
cert:
# Same as '--redis-key'
# Default is empty
key:
```
## DB Options
```
db:
# Same as '--skip-db-update'
# Default is false
skip-update: false
# Same as '--no-progress'
# Default is false
no-progress: false
# Same as '--db-repository'
# Default is 'github.com/aquasecurity-trivy-repo'
repository: github.com/aquasecurity-trivy-repo
```
## Image Options
Available with container image scanning
```
image:
# Same as '--input' (available with 'trivy image')
# Default is empty
input:
# Same as '--removed-pkgs'
# Default is false
removed-pkgs: false
```
## Vulnerability Options
Available with vulnerability scanning
```
vulnerability:
# Same as '--vuln-type'
# Default is 'os,library'
type:
- os
- library
# Same as '--ignore-unfixed'
# Default is false
ignore-unfixed: false
```
## Secret Options
Available with secret scanning
```
secret:
# Same as '--secret-config'
# Default is 'trivy-secret.yaml'
config: config/trivy/secret.yaml
```
## Misconfiguration Options
Available with misconfiguration scanning
```
misconfiguration:
# Same as '--file-patterns'
# Default is empty
file-patterns:
-
# Same as '--include-non-failures'
# Default is false
include-non-failures: false
# Same as '--trace'
# Default is false
trace: false
# Same as '--config-policy'
# Default is empty
policy:
- policy/repository
- policy/custom
# Same as '--config-data'
# Default is empty
data:
- data/
# Same as '--policy-namespaces'
# Default is empty
namespaces:
- opa.examples
- users
```
## Kubernetes Options
Available with Kubernetes scanning
```
kubernetes:
# Same as '--context'
# Default is empty
context:
# Same as '--namespace'
# Default is empty
namespace:
```
## Client/Server Options
Available in client/server mode
```
server:
# Same as '--server' (available in client mode)
# Default is empty
addr: http://localhost:4954
# Same as '--token'
# Default is empty
token: "something-secret"
# Same as '--token-header'
# Default is 'Trivy-Token'
token-header: 'My-Token-Header'
# Same as '--custom-headers'
# Default is empty
custom-headers:
- scanner: trivy
- x-api-token: xxx
# Same as '--listen' (available in server mode)
# Default is 'localhost:4954'
listen: 0.0.0.0:10000
```
[example]: https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/examples/trivy-conf/trivy.yaml

17
docs/docs/references/customization/envs.md Normal file
View File

@@ -0,0 +1,17 @@
# Environment variables
Trivy can be customized by environment variables.
The environment variable key is the flag name converted by the following procedure.
- Add `TRIVY_` prefix
- Make it all uppercase
- Replace `-` with `_`
For example,
- `--debug` => `TRIVY_DEBUG`
- `--cache-dir` => `TRIVY_CACHE_DIR`
```
$ TRIVY_DEBUG=true TRIVY_SEVERITY=CRITICAL trivy image alpine:3.15
```

24
examples/trivy-conf/trivy.yaml Normal file
View File

@@ -0,0 +1,24 @@
timeout: 10m
format: json
dependency-tree: true
list-all-pkgs: true
exit-code: 1
output: result.json
severity:
- HIGH
- CRITICAL
scan:
skip-dirs:
- /lib64
- /lib
- /usr/lib
- /usr/include
security-checks:
- vuln
- secret
vulnerability:
type:
- os
- library
ignore-unfixed: true

3
mkdocs.yml
View File

@@ -97,6 +97,9 @@ nav:
- ACR (Azure Container Registry): docs/advanced/private-registries/acr.md - ACR (Azure Container Registry): docs/advanced/private-registries/acr.md
- Self-Hosted: docs/advanced/private-registries/self.md - Self-Hosted: docs/advanced/private-registries/self.md
- References: - References:
- Customization:
- Environment variables: docs/references/customization/envs.md
- Config file: docs/references/customization/config-file.md
- CLI: - CLI:
- Overview: docs/references/cli/index.md - Overview: docs/references/cli/index.md
- Image: docs/references/cli/image.md - Image: docs/references/cli/image.md

5
pkg/commands/app.go
View File

@@ -528,7 +528,10 @@ func NewServerCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
func NewConfigCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command { func NewConfigCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
reportFlagGroup := flag.NewReportFlagGroup() reportFlagGroup := flag.NewReportFlagGroup()
reportFlagGroup.ReportFormat = nil // TODO: support --format summary reportFlagGroup.DependencyTree = nil // disable '--dependency-tree'
reportFlagGroup.IgnorePolicy = nil // disable '--ignore-policy'
reportFlagGroup.ListAllPkgs = nil // disable '--list-all-pkgs'
reportFlagGroup.ReportFormat = nil // TODO: support --format summary
scanFlags := &flag.ScanFlagGroup{ scanFlags := &flag.ScanFlagGroup{
// Enable only '--skip-dirs' and '--skip-files' and disable other flags // Enable only '--skip-dirs' and '--skip-files' and disable other flags

3
pkg/flag/global_flags.go
View File

@@ -4,7 +4,6 @@ import (
"time" "time"
"github.com/spf13/cobra" "github.com/spf13/cobra"
"github.com/spf13/viper"
"github.com/aquasecurity/trivy/pkg/utils" "github.com/aquasecurity/trivy/pkg/utils"
) )
@@ -125,7 +124,7 @@ func (f *GlobalFlagGroup) ToOptions() GlobalOptions {
Quiet: getBool(f.Quiet), Quiet: getBool(f.Quiet),
Debug: getBool(f.Debug), Debug: getBool(f.Debug),
Insecure: getBool(f.Insecure), Insecure: getBool(f.Insecure),
Timeout: viper.GetDuration(f.Timeout.ConfigName), Timeout: getDuration(f.Timeout),
CacheDir: getString(f.CacheDir), CacheDir: getString(f.CacheDir),
} }
} }

6
pkg/flag/misconf_flags.go
View File

@@ -37,19 +37,19 @@ var (
} }
ConfigPolicyFlag = Flag{ ConfigPolicyFlag = Flag{
Name: "config-policy", Name: "config-policy",
ConfigName: "misconfiguration.config-policy", ConfigName: "misconfiguration.policy",
Value: []string{}, Value: []string{},
Usage: "specify paths to the Rego policy files directory, applying config files", Usage: "specify paths to the Rego policy files directory, applying config files",
} }
ConfigDataFlag = Flag{ ConfigDataFlag = Flag{
Name: "config-data", Name: "config-data",
ConfigName: "misconfiguration.config-data", ConfigName: "misconfiguration.data",
Value: []string{}, Value: []string{},
Usage: "specify paths from which data for the Rego policies will be recursively loaded", Usage: "specify paths from which data for the Rego policies will be recursively loaded",
} }
PolicyNamespaceFlag = Flag{ PolicyNamespaceFlag = Flag{
Name: "policy-namespaces", Name: "policy-namespaces",
ConfigName: "misconfiguration.policy-namespaces", ConfigName: "misconfiguration.namespaces",
Value: []string{}, Value: []string{},
Usage: "Rego namespaces", Usage: "Rego namespaces",
} }