Jan 21st, 2023
Trivy is an open-source security and misconfiguration scanner. It works at every level: it can check the code in a Git repository, examine container images, advise regarding configuration files, look into Kubernetes deployments, and verify Infrastructure as Code (IaC).
brew install trivy
The first time Trivy runs, it downloads the vulnerability database and creates a cache folder for results. You can clean it up with
trivy --reset
Dependency scan. Trivy detects the Gemfile in our project and searches for vulnerabilities.
trivy fs .
Simultaneously run a scan for vulnerabilities and misconfigurations by adding --security-checks vuln,config. The scan will include any Dockerfiles, Kubernetes, and Terraform files in the repo.
trivy fs --security-checks vuln,config .
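To act on a scan in CI rather than read the table by eye, the same command can emit JSON with --format json and a small script can post-process it. The script below is an added example, not code from the original post: it parses a constructed sample in the shape Trivy's JSON report takes, lists vulnerabilities and misconfigurations with severity and whether a fixed version exists, and applies the same cut as --severity HIGH,CRITICAL; the CVE and check IDs in the sample are placeholders.

```python
"""Summarise a Trivy JSON report and gate on severity (added example)."""
import json
from collections import Counter

# Constructed sample in the shape Trivy emits with `--format json`;
# the CVE and check IDs are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({"SchemaVersion": 2, "ArtifactName": ".", "Results": [
    {"Target": "Gemfile.lock", "Class": "lang-pkgs", "Type": "bundler",
     "Vulnerabilities": [
         {"VulnerabilityID": "CVE-0000-0001", "PkgName": "rack", "Severity": "HIGH",
          "InstalledVersion": "2.2.3", "FixedVersion": "2.2.6.2"},
         {"VulnerabilityID": "CVE-0000-0002", "PkgName": "nokogiri", "Severity": "MEDIUM",
          "InstalledVersion": "1.13.1", "FixedVersion": ""}]},
    {"Target": "Dockerfile", "Class": "config", "Type": "dockerfile",
     "Misconfigurations": [
         {"ID": "DS-0000", "Title": "Image runs as root", "Severity": "HIGH", "Status": "FAIL"}]}]})

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def findings(report_json):
    """Yield (kind, target, id, severity, fixable) for every vuln and misconfig.
    `Results` is absent when a scan finds nothing, hence the `or []` guards."""
    report = json.loads(report_json)
    for result in report.get("Results") or []:
        target = result.get("Target", "?")
        for v in result.get("Vulnerabilities") or []:
            yield ("vuln", target, v["VulnerabilityID"],
                   v.get("Severity", "UNKNOWN"), bool(v.get("FixedVersion")))
        for m in result.get("Misconfigurations") or []:
            # A failed config check is always actionable, so treat it as fixable
            yield ("config", target, m["ID"], m.get("Severity", "UNKNOWN"), True)


def summarize(report_json):
    """Count findings per severity, vulnerabilities and misconfigurations combined."""
    return Counter(f[3] for f in findings(report_json))


def gate(report_json, threshold="HIGH"):
    """True when nothing is at or above `threshold` (same cut as --severity HIGH,CRITICAL)."""
    floor = SEVERITY_ORDER.index(threshold)
    return not any(SEVERITY_ORDER.index(f[3]) >= floor for f in findings(report_json))


if __name__ == "__main__":
    for kind, target, fid, sev, fixable in findings(SAMPLE_REPORT):
        print(f"{sev:8} {kind:6} {target:13} {fid}{'  (fix available)' if fixable else ''}")
    print(dict(summarize(SAMPLE_REPORT)), "pass:", gate(SAMPLE_REPORT))
```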
Scan a repository without cloning it
trivy repo https://github.com/...
Vulnerability testing for base/container images
trivy image my-test-image:version
trivy image --severity HIGH,CRITICAL my-test-image:version
trivy image --severity HIGH,CRITICAL docker_username/my-test-images:version
With the kubectl plugin, Trivy scans the images running in a Kubernetes pod or deployment:
# install the plugin
trivy plugin install github.com/aquasecurity/trivy-plugin-kubectl
# scan a pod
trivy kubectl pod mypod
# scan a deployment
trivy kubectl deployment mydeployment