Trivy Usage Guide
Trivy is a comprehensive and versatile security scanner: it has scanners that look for particular classes of security issues, and targets in which it can find those issues. This guide walks through installing, configuring, and using Trivy to scan folders and Docker images.
Introduction
Trivy is a powerful vulnerability scanner for containers and filesystems. It supports most popular programming languages, operating systems, and platforms. For a complete list, see the Scanning Coverage page.
Installation
Ubuntu
- Install prerequisites:
```shell
sudo apt-get install wget gnupg
```
- Add the Trivy repository (the signing key is stored in a dedicated keyring and referenced with signed-by):
```shell
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
```
- Install Trivy:
```shell
sudo apt-get update
sudo apt-get install trivy
```
Docker
- Run the Trivy Docker image (here scanning python:3.4-alpine):
```shell
docker run aquasec/trivy image python:3.4-alpine
```
Trivy has scanners that look for security issues, and targets where it can find those issues.
Trivy Scanners
Trivy can find the following security issues:
- OS packages and software dependencies in use (SBOM)
- Known vulnerabilities (CVEs)
- IaC issues and misconfigurations
- Sensitive information and secrets
- Software licenses
Trivy Targets
Trivy can scan the following targets:
- Container Image
- Filesystem
- Git Repository (remote)
- Virtual Machine Image
- Kubernetes
Usage
Folder Scan
Usage (from `trivy fs --help`):
```
Usage:
  trivy filesystem [flags] PATH

Aliases:
  filesystem, fs
```
Scan a directory:
```shell
trivy fs path/to/scan
```
To save the scan result as HTML, use the --format and -o options. Trivy has no built-in html format (see the format list under Important Flags); HTML is produced through the template format with the html.tpl template shipped with Trivy, so adjust the template path to where your installation keeps it:
```shell
trivy fs --format template --template "@contrib/html.tpl" -o result.html /path/to/scan
```
You can also choose which security checks to perform with the --security-checks option (renamed --scanners in newer Trivy releases):
```shell
trivy fs --format template --template "@contrib/html.tpl" -o result.html --security-checks vuln,config path_to_scan
```
Docker Image Scan
Usage (from `trivy image --help`):
```
Usage:
  trivy image [flags] IMAGE_NAME

Aliases:
  image, i

Examples:
  # Scan a container image
  $ trivy image python:3.4-alpine

  # Scan a container image from a tar archive
  $ trivy image --input ruby-3.1.tar

  # Filter by severities
  $ trivy image --severity HIGH,CRITICAL alpine:3.15

  # Ignore unfixed/unpatched vulnerabilities
  $ trivy image --ignore-unfixed alpine:3.15

  # Scan a container image in client mode
  $ trivy image --server http://127.0.0.1:4954 alpine:latest

  # Generate json result
  $ trivy image --format json --output result.json alpine:3.15

  # Generate a report in the CycloneDX format
  $ trivy image --format cyclonedx --output result.cdx alpine:3.15
```
To scan a Docker image for vulnerabilities:
```shell
trivy image my_image:latest
```
To save the scan result as HTML, use the -f (--format) and -o options. There is no built-in html format; HTML is produced through the template format with the html.tpl template shipped with Trivy, so adjust the template path to where your installation keeps it:
```shell
trivy image -f template --template "@contrib/html.tpl" -o results.html my_image:latest
```
To limit the report to particular severity levels, add the --severity option:
```shell
trivy image -f template --template "@contrib/html.tpl" -o results.html --severity HIGH,CRITICAL my_image:latest
```
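The --severity and --ignore-unfixed options above filter at scan time. The following added example (not part of this guide or of Trivy itself) re-applies the same two filters to a saved JSON report, the file that `trivy image --format json --output result.json` writes, so one full report can gate a CI job the way `--exit-code 1 --severity HIGH,CRITICAL` would. The report embedded below is constructed in the shape of Trivy's JSON output with placeholder CVE ids; the field names used (Results, Target, Vulnerabilities, VulnerabilityID, Severity, FixedVersion) are the ones Trivy emits.

```python
"""Gate on a saved Trivy JSON report (written by `trivy image --format json -o result.json IMAGE`),
re-applying the filters that --severity and --ignore-unfixed perform at scan time,
so CI can decide from one full report without re-scanning."""
import json
from collections import Counter

SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")

# Constructed sample in the shape of Trivy's JSON output; not a real scan,
# and the CVE ids are placeholders.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "my_image:latest",
    "Results": [
        {"Target": "my_image:latest (alpine 3.15.0)", "Class": "os-pkgs", "Type": "alpine",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl", "InstalledVersion": "1.0",
              "FixedVersion": "1.1", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "zlib", "InstalledVersion": "1.2",
              "FixedVersion": "", "Severity": "HIGH"},          # no fix available yet
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "busybox", "InstalledVersion": "1.3",
              "Severity": "LOW"},                               # FixedVersion key absent
         ]},
        {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Type": "pip",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0004", "PkgName": "flask", "InstalledVersion": "0.12",
              "FixedVersion": "1.0", "Severity": "HIGH"},
         ]},
    ],
})

def select_findings(report_json, severities=SEVERITIES, ignore_unfixed=False):
    """Return the vulnerability entries that pass the severity / fixed-version filters."""
    wanted = {s.upper() for s in severities}
    selected = []
    for result in json.loads(report_json).get("Results", []):  # one entry per target
        for vuln in result.get("Vulnerabilities") or []:     # key is absent when clean
            if vuln.get("Severity", "UNKNOWN") not in wanted:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            selected.append({**vuln, "Target": result.get("Target")})
    return selected

def gate(report_json, fail_on=("HIGH", "CRITICAL"), ignore_unfixed=False):
    """Mirror `--exit-code 1 --severity HIGH,CRITICAL`: (exit code, count per severity)."""
    found = select_findings(report_json, fail_on, ignore_unfixed)
    return (1 if found else 0), dict(Counter(v["Severity"] for v in found))
```

With ignore_unfixed=True the unfixable HIGH finding drops out of the count but the fixable ones still fail the gate, which is the trade-off --ignore-unfixed makes.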
Remote Git Repository Scan
Usage (from `trivy repo --help`):
```
Usage:
  trivy repository [flags] (REPO_PATH | REPO_URL)

Aliases:
  repository, repo
```
Scan a remote repository by URL:
```shell
trivy repo https://github.com/ibtisam-iq/3TierFullStackApp-Flask-Postgres.git
```
Kubernetes Cluster Scan
To scan a Kubernetes cluster for vulnerabilities, use the `k8s` subcommand; `--namespace` restricts the scan to one namespace and `--report summary` keeps the output readable:
```shell
trivy k8s --namespace default --report summary all
```
The trailing `all` target is required by older Trivy releases; newer releases scan the cluster without it.
Configuration File
You can point Trivy at a configuration file with the -c (--config) option; by default it reads trivy.yaml from the current directory. Options are written as top-level YAML keys named after the flags:
```yaml
# trivy.yaml
security-checks:
  - vuln
  - config
```
Newer Trivy releases group the same setting under `scan.scanners` (with `misconfig` in place of `config`).
Important Flags
```
-f, --format string             format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
-o, --output string             output file name
    --security-checks strings   security checks to perform (vuln,config,license,secret,osv) (default "vuln")
-s, --severity strings          severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
-c, --config string             config path (default "trivy.yaml")
-d, --debug                     debug mode
```
References
This guide provides an overview of Trivy, its installation, and its use for scanning folders and Docker images. For more detailed instructions, refer to the official Trivy documentation.