Trivy : Simple & Comprehensive Vulnerability Scanner

Trivy is a simple and comprehensive vulnerability scanner for containers, suitable for CI. A software vulnerability is a glitch, flaw, or weakness present in the software or in an operating system.

It detects vulnerabilities of OS packages (Alpine, RHEL, CentOS, etc.) and application dependencies (Bundler, Composer, npm, yarn etc.).

It is easy to use. Just install the binary and you’re ready to scan. All you need to do for scanning is to specify an image name of the container.

Features

  • Detect comprehensive vulnerabilities
    • OS packages (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, Debian, Ubuntu, Amazon Linux and Distroless)
    • Application dependencies (Bundler, Composer, Pipenv, Poetry, npm, yarn and Cargo)
  • Simple
  • Easy installation
    • apt-get install, yum install and brew install are possible (See Installation)
    • No pre-requisites such as installation of DB, libraries, etc. (The exception is that you need rpm installed to scan images based on RHEL/CentOS. This is automatically included if you use our installers or the tool container image. See Vulnerability Detection for background information.)
  • High accuracy
    • Especially Alpine Linux and RHEL/CentOS
    • Accuracy for other OSes is also high
  • DevSecOps
    • Suitable for CI such as Travis CI, CircleCI, Jenkins, etc.
    • See CI Example


Installation

RHEL/CentOS

Add repository setting to /etc/yum.repos.d.

$ sudo vim /etc/yum.repos.d/trivy.repo
[trivy]
name=Trivy repository
baseurl=https://aquasecurity.github.io/trivy-repo/rpm/releases/$releasever/$basearch/
gpgcheck=0
enabled=1
$ sudo yum -y update
$ sudo yum -y install trivy

or

$ rpm -ivh https://github.com/aquasecurity/trivy/releases/download/v0.1.6/trivy_0.1.6_Linux-64bit.rpm

Debian/Ubuntu

Add repository to /etc/apt/sources.list.d.

$ sudo apt-get install wget apt-transport-https gnupg lsb-release
$ wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
$ echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
$ sudo apt-get update
$ sudo apt-get install trivy

Or

$ sudo apt-get install rpm
$ wget https://github.com/aquasecurity/trivy/releases/download/v0.1.6/trivy_0.1.6_Linux-64bit.deb
$ sudo dpkg -i trivy_0.1.6_Linux-64bit.deb

Arch Linux

Package trivy-bin can be installed from the Arch User Repository. Examples:

pikaur -Sy trivy-bin

or

yay -Sy trivy-bin

Homebrew

You can use homebrew on macOS.

$ brew install aquasecurity/trivy/trivy

Binary (Including Windows)

Get the latest version from this page, and download the archive file for your operating system/architecture. Unpack the archive, and put the binary somewhere in your $PATH (on UNIX-y systems, /usr/local/bin or the like). Make sure it has execution bits turned on.

You also need to install the rpm command to scan images based on RHEL/CentOS.

From source

$ mkdir -p $GOPATH/src/github.com/aquasecurity
$ cd $GOPATH/src/github.com/aquasecurity
$ git clone https://github.com/aquasecurity/trivy
$ cd trivy/cmd/trivy/
$ export GO111MODULE=on
$ go install

You also need to install the rpm command to scan images based on RHEL/CentOS.

Quick Start

Simply specify an image name (and a tag). The latest tag should be avoided as problems occur with the image cache. See Clear image caches.

Basic

$ trivy [YOUR_IMAGE_NAME]

For example:

$ trivy python:3.4-alpine


Docker

Replace [YOUR_CACHE_DIR] with the cache directory on your machine.

$ docker run --rm -v [YOUR_CACHE_DIR]:/root/.cache/ aquasec/trivy [YOUR_IMAGE_NAME]

Example for macOS:

$ docker run --rm -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy python:3.4-alpine

If you would like to scan the image on your host machine, you need to mount docker.sock.

$ docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
-v $HOME/Library/Caches:/root/.cache/ aquasec/trivy python:3.4-alpine

Please re-pull the latest aquasec/trivy image if an error occurs.

Examples

Scan an image

Simply specify an image name (and a tag).

$ trivy knqyf263/vuln-image:1.2.3

Scan an image file

$ docker save ruby:2.3.0-alpine3.9 -o ruby-2.3.0.tar
$ trivy --input ruby-2.3.0.tar

Save the results as JSON

$ trivy -f json -o results.json golang:1.12-alpine

Filter the vulnerabilities by severities

$ trivy --severity HIGH,CRITICAL ruby:2.3.0

Filter the vulnerabilities by type

$ trivy --vuln-type os ruby:2.3.0

Available values:

  • library
  • os

Skip update of vulnerability DB

It always updates its vulnerability database when it starts. This is usually fast, because only the differences since the last update are downloaded. If you want to skip even that, use the --skip-update option.

$ trivy --skip-update python:3.4-alpine3.9

Update only specified distributions

By default, it updates its vulnerability database for all distributions. Use the --only-update option if you want to update only the distributions you name.

$ trivy --only-update alpine,debian python:3.4-alpine3.9
$ trivy --only-update alpine python:3.4-alpine3.9

Only download vulnerability database

You can also ask it to simply retrieve the vulnerability database. This is useful to initialize workers in Continuous Integration systems. In the first run, the --only-update option is silently ignored.

$ trivy --download-db-only
$ trivy --download-db-only --only-update alpine

Ignore unfixed vulnerabilities

By default, it also detects unpatched/unfixed vulnerabilities. This means you can’t fix these vulnerabilities even if you update all packages. If you would like to ignore them, use the --ignore-unfixed option.

$ trivy --ignore-unfixed ruby:2.3.0

Specify exit code

By default, it exits with code 0 even when vulnerabilities are detected. Use the --exit-code option if you want to exit with a non-zero exit code.

$ trivy --exit-code 1 python:3.4-alpine3.9

This option is useful for CI/CD. In the following example, the test will fail only when a critical vulnerability is found.

$ trivy --exit-code 0 --severity MEDIUM,HIGH ruby:2.3.0
$ trivy --exit-code 1 --severity CRITICAL ruby:2.3.0

Ignore the specified vulnerabilities

Use .trivyignore.

$ cat .trivyignore
# Accept the risk
CVE-2018-14618

# No impact in our settings
CVE-2019-1543

$ trivy python:3.4-alpine3.9
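The CI gating described under "Specify exit code" and the .trivyignore list above can also be applied after the fact to a report saved with -f json. The following is an added example, not Trivy's own code: it assumes the JSON report is a list of targets, each with a "Target" string and a "Vulnerabilities" list whose entries carry "VulnerabilityID", "PkgName", "FixedVersion" and "Severity" (assumed field names), and it runs on a constructed sample report and a constructed .trivyignore.

```python
import json

# Severity ordering used to mimic a --severity threshold.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report (assumed JSON shape; not real scanner output).
SAMPLE_REPORT = json.dumps([{
    "Target": "ruby:2.3.0 (debian 8.11)",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2018-14618", "PkgName": "curl",
         "FixedVersion": "7.38.0-4+deb8u13", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-2019-1543", "PkgName": "libssl1.0.0",
         "FixedVersion": "", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0000", "PkgName": "placeholder-pkg",
         "FixedVersion": "", "Severity": "MEDIUM"},  # placeholder ID, constructed
    ],
}])

# Constructed .trivyignore in the format shown on the page (IDs plus # comments).
SAMPLE_TRIVYIGNORE = "# Accept the risk\nCVE-2018-14618\n\n# No impact in our settings\nCVE-2019-1543\n"

def parse_trivyignore(text):
    """Return the set of IDs listed in a .trivyignore; blank lines and # comments are skipped."""
    lines = (ln.strip() for ln in text.splitlines())
    return {ln for ln in lines if ln and not ln.startswith("#")}

def select_findings(report_json, min_severity="MEDIUM", ignored=frozenset(), ignore_unfixed=False):
    """Apply --severity, --ignore-unfixed and .trivyignore semantics to a JSON report."""
    threshold = SEVERITY_RANK[min_severity]
    selected = []
    for target in json.loads(report_json):
        for v in target.get("Vulnerabilities") or []:
            if v["VulnerabilityID"] in ignored:
                continue  # accepted risk, listed in .trivyignore
            if ignore_unfixed and not v.get("FixedVersion"):
                continue  # no fixed version available yet
            if SEVERITY_RANK.get(v["Severity"], 0) < threshold:
                continue  # below the requested severity floor
            selected.append((target["Target"], v["VulnerabilityID"], v["PkgName"], v["Severity"]))
    return selected

def gate_exit_code(report_json, min_severity, ignore_text, ignore_unfixed=False):
    """Exit code for the CI step: 1 if any finding survives the filters, else 0 (like --exit-code 1)."""
    findings = select_findings(report_json, min_severity, parse_trivyignore(ignore_text), ignore_unfixed)
    return 1 if findings else 0
```

With the sample data, gating on CRITICAL returns 0 because the only critical finding is accepted in .trivyignore, while gating on MEDIUM returns 1 because the unlisted medium finding remains.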

Specify cache directory

$ trivy --cache-dir /tmp/trivy/ python:3.4-alpine3.9

Clear image caches

The --clear-cache option removes image caches. This option is useful when an image with the same tag has been updated (such as when using the latest tag), because the stale cached layers would otherwise be scanned.

$ trivy --clear-cache python:3.7

Reset

The --reset option removes all caches and the vulnerability database. The next run takes a long time, as the vulnerability database needs to be rebuilt locally.

$ trivy --reset

Screenshot

R K
