Jan 21st, 2023
Trivy is an open-source security and misconfiguration scanner. It works at every level: it can check the code in a Git repository, examine container images, advise regarding configuration files, look into Kubernetes deployments, and verify Infrastructure as Code (IaC).
brew install trivy
The first time Trivy runs, it downloads the vulnerability database and creates a cache folder for results. You can clean it up with
Dependency scan. Trivy detects the Gemfile in our project and searches for vulnerabilities.
trivy fs .
Simultaneously run a scan for vulnerabilities and misconfigurations by adding --security-checks vuln,config. The scan will include any Dockerfiles, Kubernetes, and Terraform files in the repo.
trivy fs --security-checks vuln,config .
Scan a repository without cloning it
trivy repo https://github.com/...
Vulnerability testing for base/container images
trivy image my-test-image:version
trivy image --severity HIGH,CRITICAL my-test-image:version
trivy image --severity HIGH,CRITICAL docker_username/my-test-images:version
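Both the filesystem scan with --security-checks vuln,config and the image scan with --severity HIGH,CRITICAL produce findings you usually want to turn into a pass/fail decision in CI. The script below is an added example, not part of the original post or of Trivy itself: it reads a report in the shape Trivy emits with --format json (a flag Trivy does provide), flattens vulnerabilities and failed misconfiguration checks, counts them by severity, and applies a severity threshold. The embedded report, its CVE IDs, check IDs and package names are all constructed placeholders; the function names load_findings, count_by_severity and gate are this example's own.

```python
import json
from collections import Counter

# Trivy's severity labels, lowest to highest (UNKNOWN treated as lowest).
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample in the shape of
#   trivy fs --security-checks vuln,config --format json .
# IDs, package names and versions are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": ".",
    "ArtifactType": "filesystem",
    "Results": [
        {
            "Target": "Gemfile.lock",
            "Class": "lang-pkgs",
            "Type": "bundler",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-XXXX-0001", "PkgName": "examplegem",
                 "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-XXXX-0002", "PkgName": "othergem",
                 "InstalledVersion": "2.3.0", "FixedVersion": "",
                 "Severity": "LOW"},
            ],
        },
        {
            "Target": "Dockerfile",
            "Class": "config",
            "Type": "dockerfile",
            "Misconfigurations": [
                {"ID": "DS-PLACEHOLDER-1", "Title": "container runs as root",
                 "Severity": "MEDIUM", "Status": "FAIL"},
                {"ID": "DS-PLACEHOLDER-2", "Title": "healthcheck present",
                 "Severity": "LOW", "Status": "PASS"},
            ],
        },
    ],
})


def _rank(severity):
    """Numeric rank of a severity label; unrecognised labels rank lowest."""
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else 0


def load_findings(report_text):
    """Flatten a Trivy JSON report into (kind, target, id, severity, fixable) tuples.

    Trivy omits the Vulnerabilities/Misconfigurations keys (or sets them to null)
    when a target has none, so every list access is guarded.
    """
    report = json.loads(report_text)
    findings = []
    for result in report.get("Results") or []:
        target = result.get("Target", "")
        for v in result.get("Vulnerabilities") or []:
            findings.append(("vuln", target, v["VulnerabilityID"],
                             v.get("Severity", "UNKNOWN"),
                             bool(v.get("FixedVersion"))))
        for m in result.get("Misconfigurations") or []:
            # Passed checks are reported too; only failures are findings.
            if m.get("Status") == "FAIL":
                findings.append(("config", target, m["ID"],
                                 m.get("Severity", "UNKNOWN"), True))
    return findings


def count_by_severity(findings):
    """Counter of findings keyed by severity label."""
    return Counter(f[3] for f in findings)


def gate(findings, threshold="HIGH"):
    """Return (ok, blocking): ok is True when nothing is at or above threshold.

    Mirrors the intent of --severity HIGH,CRITICAL: everything below the
    threshold is reported but does not fail the build.
    """
    min_rank = _rank(threshold)
    blocking = [f for f in findings if _rank(f[3]) >= min_rank]
    return len(blocking) == 0, blocking


if __name__ == "__main__":
    found = load_findings(SAMPLE_REPORT)
    print("by severity:", dict(count_by_severity(found)))
    ok, blocking = gate(found, "HIGH")
    for kind, target, ident, sev, fixable in blocking:
        print(f"BLOCKING {sev:8} {kind:6} {target}: {ident} (fix available: {fixable})")
    raise SystemExit(0 if ok else 1)
```

In a pipeline you would feed it a real report written with --format json --output report.json from trivy fs or trivy image and read the exit status. Keeping the "fixable" flag per finding is useful when triaging: a HIGH with no FixedVersion needs a different response (pin, mitigate, or accept with an expiry) than one a version bump removes.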
The kubectl plugin scans the images running in a Kubernetes pod or deployment:
# install the plugin
trivy plugin install github.com/aquasecurity/trivy-plugin-kubectl
# scan a pod
trivy kubectl pod mypod
# scan a deployment
trivy kubectl deployment mydeployment