gitea-mirror/trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2025-12-22 23:26:39 -08:00
Code Issues Packages Projects Releases Wiki Activity
Files
9da33b5aed1269f5fdcfc5b34ba3df59ca86e51b
trivy/docs/guide/coverage/others/rpm.md
Owen Rumney 9da33b5aed docs: restructure docs for new hosting (#9799)
2025-11-18 15:45:49 +00:00

43 lines
1.3 KiB
Markdown
Raw Blame History

# RPM Archives
!!! warning "EXPERIMENTAL"
This feature might change without preserving backwards compatibility.
Trivy supports the following scanners for RPM archives.
| Scanner | Supported |
|:-------------:|:---------:|
| SBOM | ✓ |
| Vulnerability | ✓[^1] |
| License | ✓ |
The table below outlines the features offered by Trivy.
## SBOM
Trivy analyzes RPM archives matching `*.rpm`.
This feature is currently disabled by default but can be enabled with an environment variable, `TRIVY_EXPERIMENTAL_RPM_ARCHIVE`.
```shell
TRIVY_EXPERIMENTAL_RPM_ARCHIVE=true trivy fs ./rpms --format cyclonedx --output rpms.cdx.json
```
!!! note
Currently, it works with `--format cyclonedx`, `--format spdx` or `--format spdx-json`.
## Vulnerability
Since RPM files don't have OS information, you need to generate SBOM, fill in the OS information manually and then scan the SBOM for vulnerabilities.
For example:
```shell
$ TRIVY_EXPERIMENTAL_RPM_ARCHIVE=true trivy fs ./rpms -f cyclonedx -o rpms.cdx.json
$ jq '(.components[] | select(.type == "operating-system")) |= (.name = "redhat" | .version = "7.9")' rpms.cdx.json > rpms-res.cdx.json
$ trivy sbom ./rpms-res.cdx.json
```
## License
If licenses are included in the RPM archive, Trivy extracts it.
[^1]: Need to generate SBOM first and add OS information to that SBOM
Reference in New Issue View Git Blame Copy Permalink