Author: Jase Batchelor
Trivy is a modern vulnerability and security scanner.
As per the project documentation, Trivy can scan the following:
Targets (what Trivy can scan):
- Container Image
- Filesystem
- Git Repository (remote)
- Virtual Machine Image
- Kubernetes
- AWS
Scanners (what Trivy can find there):
- OS packages and software dependencies in use (SBOM)
- Known vulnerabilities (CVEs)
- IaC issues and misconfigurations
- Sensitive information and secrets
- Software licenses
See: https://github.com/aquasecurity/trivy
Installation
As per the previous SDK Install article, we install Trivy as part of our developer environment. Trivy is also used within our GitLab CI pipelines.
MacOS installation using homebrew
brew info trivy
brew install trivy
# Setup auto completion
# https://aquasecurity.github.io/trivy/v0.43/tutorials/shell/shell-completion/
trivy completion zsh > $(brew --prefix)/share/zsh/site-functions/_trivy
. ~/.zshrc
Debian installation using apt
sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy
Configuration
Specifically with regard to the Trivy CLI, we won't configure anything. We will set up Rust to integrate with Trivy using the cargo-auditable crate in a later article.
See 🦀 Scan Rust binaries 🦀 in this article for details: https://github.com/aquasecurity/trivy/discussions/2716
Basic usage
To see scanning options, check the trivy --help command, or use tab completion to view a list of available scan options.
Configuration scan
Run trivy config path/to/Dockerfile
Local filesystem (Rust project)
Run trivy fs path/to/rust/project
Local filesystem (Spring project)
Run trivy fs path/to/spring/project
Docker image (Red Hat UBI)
Run trivy image image:tag
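The commands above print findings to the terminal, which is fine interactively but not what a GitLab CI job needs: there you want the scan to fail the pipeline on findings at or above a chosen severity and to leave a machine-readable report behind. The script below is an added example, not code from Trivy or from this article's author. It builds the CI-style invocation (the --severity, --exit-code, --format and --output flags are real Trivy flags), and separately applies a severity gate to a Trivy JSON report. It assumes Trivy's JSON output shape (a top-level "Results" list whose entries carry optional "Vulnerabilities", "Misconfigurations" and "Secrets" lists, each finding with a "Severity" field); the embedded report is constructed by hand and every ID in it is a placeholder.

```python
"""Severity gate over a Trivy JSON report (added example; not Trivy's own code)."""
import json
import shutil
import subprocess
from collections import Counter

# Trivy's severity levels, lowest to highest.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def build_scan_cmd(target_kind, target, severities=("HIGH", "CRITICAL"),
                   report_path="trivy-report.json"):
    """Build the CI invocation for one of the page's scan subcommands.

    --exit-code 1 makes trivy itself fail the job on any finding at the listed
    severities; --format json --output writes the report that gate() reads.
    """
    if target_kind not in ("fs", "image", "config"):
        raise ValueError(f"unsupported target kind: {target_kind}")
    return ["trivy", target_kind,
            "--severity", ",".join(severities),
            "--exit-code", "1",
            "--format", "json", "--output", report_path,
            target]


def _findings(report):
    """Yield (target, section, finding) for every finding in the report."""
    for result in report.get("Results", []):
        for section in ("Vulnerabilities", "Misconfigurations", "Secrets"):
            for finding in result.get(section) or []:
                yield result.get("Target"), section, finding


def _rank(severity):
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else 0


def summarize(report):
    """Count findings per severity across vulnerabilities, misconfigs and secrets."""
    return Counter(f.get("Severity", "UNKNOWN") for _, _, f in _findings(report))


def gate(report, fail_on="HIGH", ignore_unfixed=False):
    """Return (passed, blocking) where blocking lists findings at or above fail_on.

    ignore_unfixed mirrors trivy's --ignore-unfixed: vulnerabilities with no
    FixedVersion are skipped. Misconfigurations and secrets are never skipped,
    since "no fix available" has no meaning for them.
    """
    threshold = _rank(fail_on)
    blocking = []
    for target, section, finding in _findings(report):
        severity = finding.get("Severity", "UNKNOWN")
        if _rank(severity) < threshold:
            continue
        if ignore_unfixed and section == "Vulnerabilities" and not finding.get("FixedVersion"):
            continue
        # Vulnerabilities, misconfigurations and secrets use different ID keys.
        ident = finding.get("VulnerabilityID") or finding.get("ID") or finding.get("RuleID")
        blocking.append((target, section, ident, severity))
    return (not blocking, blocking)


def run_scan(target_kind, target, report_path="trivy-report.json"):
    """Run trivy if it is installed and load its report; None when trivy is absent."""
    if shutil.which("trivy") is None:
        return None
    # Exit code 1 means findings, not a crash, so do not raise on it.
    subprocess.run(build_scan_cmd(target_kind, target, report_path=report_path), check=False)
    with open(report_path) as fh:
        return json.load(fh)


# Constructed sample report; IDs, package names and versions are placeholders.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "path/to/rust/project",
    "Results": [
        {"Target": "Cargo.lock", "Class": "lang-pkgs", "Type": "cargo",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "example-crate",
              "InstalledVersion": "0.1.0", "FixedVersion": "0.1.1", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "other-crate",
              "InstalledVersion": "2.0.0", "FixedVersion": "", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "third-crate",
              "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "LOW"}]},
        {"Target": "Dockerfile", "Class": "config", "Type": "dockerfile",
         "Misconfigurations": [
             {"ID": "DS-PLACEHOLDER", "Title": "placeholder check", "Severity": "MEDIUM"}]},
        {"Target": "src/config.rs", "Class": "secret",
         "Secrets": [
             {"RuleID": "placeholder-rule", "Title": "placeholder secret", "Severity": "CRITICAL"}]},
    ],
}

if __name__ == "__main__":
    report = run_scan("fs", ".") or SAMPLE_REPORT
    print("findings by severity:", dict(summarize(report)))
    passed, blocking = gate(report, fail_on="HIGH")
    for target, section, ident, severity in blocking:
        print(f"BLOCKING {severity:8} {section:17} {target}: {ident}")
    raise SystemExit(0 if passed else 1)
```

In a pipeline the two halves complement each other: trivy's own --exit-code 1 fails the job, and the gate re-reads the saved report so the summary (and any ignore-unfixed policy) is applied consistently across the Rust, Spring and image scans shown above. Note that the secret finding in the sample still blocks under ignore_unfixed=True, which is the intended behaviour.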
Advanced usage
todo ;)