trivy
October 9, 2022

Trivy is an open-source security and misconfiguration scanner. It works at every level: it can check the code in a Git repository, examine container images, advise regarding configuration files, look into Kubernetes deployments, and verify Infrastructure as Code (IaC).

installation

brew install trivy

The first time Trivy runs, it downloads the vulnerability database and creates a cache folder for results. You can clean it up with

trivy --reset

scan

Dependency scan. Trivy detects the Gemfile in our project and searches for vulnerabilities.

trivy fs .

Run a vulnerability scan and a misconfiguration scan in one pass by adding --security-checks vuln,config. The scan then also covers any Dockerfiles, Kubernetes manifests, and Terraform files in the repo.

trivy fs --security-checks vuln,config .

Scan a repository without cloning it

trivy repo https://github.com/...

Vulnerability testing for base/container images

trivy image my-test-image:version
trivy image --severity HIGH,CRITICAL my-test-image:version
trivy image --severity HIGH,CRITICAL docker_username/my-test-images:version
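A common follow-up to the image scan above is to keep the JSON report (trivy image -f json ...) and let a small script decide whether a build may proceed. The following is an added example, not code from the original page or from the Trivy project: it applies a severity threshold and an ignore-unfixed rule to a constructed report, mirroring what Trivy's own --severity, --ignore-unfixed and --exit-code flags do natively. The report shape follows Trivy's JSON schema version 2; the image name, package names and identifiers are placeholders.

```python
import json
from collections import Counter

# Constructed sample of a `trivy image -f json` report (SchemaVersion 2).
# Image, package and CVE/check identifiers are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "my-test-image:version",
    "Results": [
        {"Target": "my-test-image:version (alpine)", "Class": "os-pkgs", "Type": "alpine",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
              "InstalledVersion": "1.0", "FixedVersion": "1.1", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample",
              "InstalledVersion": "1.0", "FixedVersion": "", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libother",
              "InstalledVersion": "2.0", "FixedVersion": "2.1", "Severity": "LOW"}]},
        {"Target": "Gemfile.lock", "Class": "lang-pkgs", "Type": "bundler",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0004", "PkgName": "somegem",
              "InstalledVersion": "3.0", "FixedVersion": "3.1", "Severity": "MEDIUM"}]},
        {"Target": "Dockerfile", "Class": "config", "Type": "dockerfile",
         "Misconfigurations": [
             {"ID": "DS-PLACEHOLDER", "Title": "placeholder check", "Severity": "HIGH"}]},
    ],
})

# Order used to compare a finding's severity against the gate threshold.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def findings(report):
    """Yield (target, kind, id, severity, fixable) for every vulnerability and misconfiguration."""
    for result in report.get("Results", []):
        target = result.get("Target", "")
        for v in result.get("Vulnerabilities") or []:
            yield target, "vuln", v["VulnerabilityID"], v["Severity"], bool(v.get("FixedVersion"))
        for m in result.get("Misconfigurations") or []:
            yield target, "config", m["ID"], m["Severity"], True  # config issues are always fixable


def gate(report_json, threshold="HIGH", ignore_unfixed=False):
    """Return (blocking findings, per-severity counts); a non-empty list means fail the build."""
    counts = Counter()
    blocking = []
    for target, kind, fid, sev, fixable in findings(json.loads(report_json)):
        counts[sev] += 1
        if SEVERITY_RANK.get(sev, 0) < SEVERITY_RANK[threshold]:
            continue  # below the threshold, reported but not blocking
        if ignore_unfixed and kind == "vuln" and not fixable:
            continue  # no fixed version yet, same idea as trivy --ignore-unfixed
        blocking.append((target, kind, fid, sev))
    return blocking, counts
```

In a pipeline, `gate(open("report.json").read())` returning a non-empty list is the signal to fail the job; the counts are useful for a summary line regardless of the threshold.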

plugins

kubectl plugin

It scans images running in a Kubernetes pod or deployment:

# install the plugin
trivy plugin install github.com/aquasecurity/trivy-plugin-kubectl
# scan a pod
trivy kubectl pod mypod
# scan a deployment
trivy kubectl deployment mydeployment