Trivy (tri pronounced like trigger, vy pronounced like envy) is a simple and comprehensive vulnerability scanner for containers and other artifacts. A software vulnerability is a glitch, flaw, or weakness present in the software or in an Operating System. Trivy detects vulnerabilities of OS packages (Alpine, RHEL, CentOS, etc.) and application dependencies (Bundler, Composer, npm, yarn, etc.). Just install the binary and you're ready to scan. All you need to do for scanning is to specify a target such as an image name of the container.

Before pushing to a container registry or deploying your application, you can scan your local container image and other artifacts easily.

Features

Detect comprehensive vulnerabilities:
- OS packages (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless).
- Application dependencies (Bundler, Composer, Pipenv, Poetry, npm, yarn, Cargo, NuGet, and Maven).

Simple:
- Specify only an image name or artifact name.

Fast:
- The first scan will finish within 10 seconds (depending on your network). Consequent scans will finish in single seconds.
- Unlike other scanners that take long to fetch vulnerability information (~10 minutes) on the first run, and encourage you to maintain a durable vulnerability database, Trivy is stateless and requires no maintenance or preparation.

Easy installation:
- apt-get install, yum install and brew install are possible (see Installation).
- No pre-requisites such as installation of DB, libraries, etc.

High accuracy:
- Especially Alpine Linux and RHEL/CentOS.

DevSecOps:
- Suitable for CI such as Travis CI, CircleCI, Jenkins, GitLab CI, etc.

Supported container image formats:
- A local image in Docker Engine which is running as a daemon.
- A local image in Podman (>=2.0) which is exposing a socket.
- A remote image in Docker Registry such as Docker Hub, ECR, GCR and ACR.
- A tar archive stored in the docker save / podman save formatted file.
- An image directory compliant with OCI Image Format.

Please see LICENSE for Trivy licensing information. Note that Trivy uses vulnerability information from a variety of sources, some of which are licensed for non-commercial use only.

Installation

Package trivy-bin can be installed from the Arch User Repository.

You can use nix on Linux or macOS and on others unofficially. Note that trivy is currently only in the unstable channels. Or install it through your configuration on NixOS or with home-manager as usual.

Install Script

This script downloads the Trivy binary based on your OS and architecture.

Get the latest version from this page, and download the archive file for your operating system/architecture. Unpack the archive, and put the binary somewhere in your $PATH (on UNIX-y systems, /usr/local/bin or the like). Make sure it has execution bits turned on.

Basic

Simply specify an image name (and a tag).

$ trivy image <IMAGE_NAME>

For example:

$ trivy image python:3.4-alpine

Result

T01:20:43.180+0900 INFO Updating vulnerability database.
T01:20:53.029+0900 INFO Detecting Alpine vulnerabilities.

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |

To run Trivy from its container image, replace <CACHE_DIR> with the cache directory on your machine:

$ docker run --rm -v <CACHE_DIR>:/root/.cache/ aquasec/trivy <IMAGE_NAME>

Example for macOS:

$ docker run --rm -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy python:3.4-alpine

If you would like to scan the image on your host machine, you need to mount docker.sock.
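Using Trivy in CI (the DevSecOps item above) usually means consuming its JSON output and failing the build above a severity threshold. The following is an added example, not Trivy's own code: it parses a constructed report in the shape of `trivy image --format json` output, rebuilds the "Total:" summary line shown in the result above, and returns a pass/fail verdict; the result layout and field names are assumed from Trivy's JSON format, and the sample findings are constructed.

```python
import json
from collections import Counter

SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")

# Constructed sample report in the shape of `trivy image --format json` output
# (a "Results" list; older releases emit the bare list). Field names follow
# Trivy's JSON output as understood by the author of this example.
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
             "InstalledVersion": "1.0.0-r0", "FixedVersion": "1.0.1-r0",
             "Severity": "MEDIUM", "Title": "constructed placeholder finding"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
             "InstalledVersion": "2.0.0-r0", "FixedVersion": "",
             "Severity": "HIGH", "Title": "constructed finding with no fix yet"},
        ],
    }]
})

def iter_vulns(report):
    """Yield every finding, accepting both the bare list and {"Results": [...]}."""
    results = (report.get("Results") or []) if isinstance(report, dict) else report
    for result in results:
        for vuln in result.get("Vulnerabilities") or []:
            sev = vuln.get("Severity", "UNKNOWN")
            # Anything Trivy did not classify is counted as UNKNOWN.
            yield {**vuln, "Severity": sev if sev in SEVERITIES else "UNKNOWN"}

def severity_counts(report_json):
    """Return a Counter keyed by severity, mirroring Trivy's 'Total:' line."""
    counts = Counter({s: 0 for s in SEVERITIES})
    counts.update(v["Severity"] for v in iter_vulns(json.loads(report_json)))
    return counts

def summary_line(counts):
    total = sum(counts.values())
    return f"Total: {total} (" + ", ".join(f"{s}: {counts[s]}" for s in SEVERITIES) + ")"

def should_fail(counts, threshold="HIGH"):
    """CI gate: True when any finding is at or above the threshold severity."""
    return any(counts[s] > 0 for s in SEVERITIES[SEVERITIES.index(threshold):])

if __name__ == "__main__":
    counts = severity_counts(SAMPLE_REPORT)
    print(summary_line(counts))
    raise SystemExit(1 if should_fail(counts) else 0)
```

In a pipeline, pipe the real report in place of SAMPLE_REPORT and let the non-zero exit status fail the job.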