trivy

Jan 21st, 2023

Trivy is an open-source vulnerability and misconfiguration scanner. It works at every level: it can check the code and dependencies in a Git repository, examine container images, flag misconfigurations in configuration files, look into Kubernetes deployments, and verify Infrastructure as Code (IaC).

installation

brew install trivy

The first time Trivy runs, it downloads the vulnerability database and creates a cache folder for results. You can clean it up with

trivy --reset

scan

Dependency scan: Trivy detects the Gemfile in our project and searches its dependencies for known vulnerabilities.

trivy fs .

Scan for vulnerabilities and misconfigurations in a single run by adding --security-checks vuln,config. The misconfiguration checks cover any Dockerfile, Kubernetes manifest and Terraform file in the repo.

trivy fs --security-checks vuln,config .

Scan a repository without cloning it

trivy repo https://github.com/...

Vulnerability scan of base and container images (the second and third forms restrict the output to HIGH and CRITICAL findings):

trivy image my-test-image:version
trivy image --severity HIGH,CRITICAL my-test-image:version
trivy image --severity HIGH,CRITICAL docker_username/my-test-images:version
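
Added example, not code from the original post: a small Python gate over the JSON report that `trivy fs --security-checks vuln,config --format json -o report.json .` (or `trivy image --format json ...`) writes, so a CI job can fail on findings at or above a chosen severity. The report keys follow Trivy's JSON output; the sample report, its IDs and the HIGH default threshold are constructed assumptions.

```python
import json
from collections import Counter

# Constructed sample report in the shape Trivy writes with
#   trivy fs --security-checks vuln,config --format json -o report.json .
# Every ID, package name and version below is made up for this example.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2, "ArtifactName": ".",
    "Results": [
        {"Target": "Gemfile.lock", "Class": "lang-pkgs", "Type": "bundler",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "examplegem",
              "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "othergem",
              "InstalledVersion": "2.3.0", "FixedVersion": "", "Severity": "LOW"}]},
        {"Target": "Dockerfile", "Class": "config", "Type": "dockerfile",
         "Misconfigurations": [
             {"ID": "DS-EXAMPLE-1", "Title": "failing check", "Severity": "CRITICAL", "Status": "FAIL"},
             {"ID": "DS-EXAMPLE-2", "Title": "passing check", "Severity": "HIGH", "Status": "PASS"}]}]})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def iter_findings(report_json):
    """Yield (kind, target, id, severity, fixable) for each vulnerability and failed misconfiguration."""
    for result in json.loads(report_json).get("Results", []):
        target = result.get("Target", "")
        for v in result.get("Vulnerabilities") or []:
            yield ("vuln", target, v["VulnerabilityID"], v.get("Severity", "UNKNOWN"), bool(v.get("FixedVersion")))
        for m in result.get("Misconfigurations") or []:
            if m.get("Status", "FAIL") == "FAIL":  # PASS entries only appear with --include-non-failures
                yield ("config", target, m["ID"], m.get("Severity", "UNKNOWN"), True)

def count_by_severity(report_json):
    return Counter(sev for _, _, _, sev, _ in iter_findings(report_json))

def blocking_findings(report_json, min_severity="HIGH", ignore_unfixed=False, kinds=("vuln", "config")):
    """Post-scan gate mirroring --severity, --ignore-unfixed and --security-checks."""
    threshold = SEVERITY_RANK[min_severity]
    return [f for f in iter_findings(report_json)
            if f[0] in kinds and SEVERITY_RANK.get(f[3], 0) >= threshold
            and not (ignore_unfixed and not f[4])]

def should_fail(report_json, **gate):
    # True when at least one finding blocks the build; map it to a non-zero exit code in CI
    return len(blocking_findings(report_json, **gate)) > 0

if __name__ == "__main__":
    for kind, target, ident, sev, _ in blocking_findings(SAMPLE_REPORT):
        print(f"{sev:<8} {kind:<6} {target}: {ident}")
    raise SystemExit(1 if should_fail(SAMPLE_REPORT) else 0)
```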

plugins

kubectl plugin

The kubectl plugin scans the images of the containers in a running Kubernetes pod or deployment:

# install the plugin
trivy plugin install github.com/aquasecurity/trivy-plugin-kubectl
# scan a pod
trivy kubectl pod mypod
# scan a deployment
trivy kubectl deployment mydeployment