<img src="docs/imgs/logo.png" width="150">

[![GitHub Release][release-img]][release]
[![Go Report Card](https://goreportcard.com/badge/github.com/aquasecurity/trivy)](https://goreportcard.com/report/github.com/aquasecurity/trivy)
[![License: Apache-2.0](https://img.shields.io/badge/License-Apache%202.0-blue.svg)][license]
[![GitHub All Releases][github-all-releases-img]][release]
![Docker Pulls][docker-pulls]

[release]: https://github.com/aquasecurity/trivy/releases
[release-img]: https://img.shields.io/github/release/aquasecurity/trivy.svg?logo=github
[github-all-releases-img]: https://img.shields.io/github/downloads/aquasecurity/trivy/total?logo=github
[docker-pulls]: https://img.shields.io/docker/pulls/aquasec/trivy?logo=docker&label=docker%20pulls%20%2F%20trivy
[license]: https://github.com/aquasecurity/trivy/blob/main/LICENSE

A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifacts, Suitable for CI.

# Abstract

`Trivy` (`tri` pronounced like **tri**gger, `vy` pronounced like en**vy**) is a simple and comprehensive vulnerability scanner for containers and other artifacts.
A software vulnerability is a glitch, flaw, or weakness present in the software or in an Operating System.
`Trivy` detects vulnerabilities of OS packages (Alpine, RHEL, CentOS, etc.) and application dependencies (Bundler, Composer, npm, yarn, etc.).
`Trivy` is easy to use. Just install the binary and you're ready to scan. All you need to do for scanning is to specify a target such as a container image name.

<img src="docs/imgs/overview.png" width="700">

Trivy can be run in two different modes:

- [Standalone](https://aquasecurity.github.io/trivy/latest/modes/standalone/)
- [Client/Server](https://aquasecurity.github.io/trivy/latest/modes/client-server/)

Trivy can scan three different artifacts:

- [Container Images](https://aquasecurity.github.io/trivy/latest/scanning/image/)
- [Filesystem](https://aquasecurity.github.io/trivy/latest/scanning/filesystem/)
- [Git Repositories](https://aquasecurity.github.io/trivy/latest/scanning/git-repository/)

<img src="docs/imgs/usage.gif" width="700">
<img src="docs/imgs/usage1.png" width="600">
<img src="docs/imgs/usage2.png" width="600">

It is designed to be used in CI. Before pushing to a container registry or deploying your application, you can scan your local container image and other artifacts easily.
See [here](https://aquasecurity.github.io/trivy/latest/integrations/) for details.

# Features

- Detect comprehensive vulnerabilities
  - OS packages (Alpine, **Red Hat Universal Base Image**, Red Hat Enterprise Linux, CentOS, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
  - **Application dependencies** (Bundler, Composer, Pipenv, Poetry, npm, yarn, Cargo, NuGet, Maven, and Go)
- Simple
  - Specify only an image name or artifact name
  - See [Quick Start](#quick-start) and [Examples](#examples)
- Fast
  - The first scan will finish within 10 seconds (depending on your network). Subsequent scans will finish in single seconds.
  - Unlike other scanners that take a long time to fetch vulnerability information (~10 minutes) on the first run, and encourage you to maintain a durable vulnerability database, Trivy is stateless and requires no maintenance or preparation.
- Easy installation
  - `apt-get install`, `yum install` and `brew install` are possible (See [Installation](#installation))
  - **No pre-requisites** such as installation of DB, libraries, etc.
- High accuracy
  - **Especially Alpine Linux and RHEL/CentOS**
  - Accuracy for other OSes is also high
- DevSecOps
  - **Suitable for CI** such as Travis CI, CircleCI, Jenkins, GitLab CI, etc.
  - See [CI Example](#continuous-integration-ci)
- Support multiple formats
  - container image
    - A local image in Docker Engine which is running as a daemon
    - A local image in Podman (>=2.0) which is exposing a socket
    - A remote image in Docker Registry such as Docker Hub, ECR, GCR and ACR
    - A tar archive stored in the `docker save` / `podman save` formatted file
    - An image directory compliant with [OCI Image Format](https://github.com/opencontainers/image-spec)
  - local filesystem
  - remote git repository

Please see [LICENSE][license] for Trivy licensing information. Note that Trivy uses vulnerability information from a variety of sources, some of which are licensed for non-commercial use only.

# Documentation

The official documentation, which provides detailed installation, configuration, and quick start guides, is available at https://aquasecurity.github.io/trivy/.

# Installation

See [here](https://aquasecurity.github.io/trivy/latest/installation/)

# Quick Start

Simply specify an image name (and a tag).

```
$ trivy image [YOUR_IMAGE_NAME]
```

For example:

```
$ trivy image python:3.4-alpine
```

<details>
<summary>Result</summary>

```
2019-05-16T01:20:43.180+0900 INFO Updating vulnerability database...
2019-05-16T01:20:53.029+0900 INFO Detecting Alpine vulnerabilities...
python:3.4-alpine3.9 (alpine 3.9.2)
===================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| openssl | CVE-2019-1543 | MEDIUM | 1.1.1a-r1 | 1.1.1b-r1 | openssl: ChaCha20-Poly1305 |
| | | | | | with long nonces |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
```
</details>
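The CI use described above (scan before pushing or deploying) needs a step that turns a scan result into a pass/fail decision. The following script is an added example, not Trivy's own code: it reads a Trivy JSON report, rebuilds the `Total:` summary line shown in the result above, and fails the build when any finding reaches a chosen severity. It assumes the JSON layout Trivy produced at the time of this README (a list of targets, each with a `Vulnerabilities` list); the embedded report is constructed.

```python
"""Added example, not Trivy's own code: gate a CI build on a Trivy JSON report.
Assumes the report layout Trivy used at the time of this README: a list of targets,
each with a "Vulnerabilities" list of entries carrying "VulnerabilityID",
"Severity" and, when a fix exists, "FixedVersion".
Produce one with: trivy image --format json --output report.json IMAGE"""
import json
import sys

SEVERITIES = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample report shaped like the Quick Start result above, plus one
# made-up HIGH finding (placeholder ID) that has no fixed version yet.
SAMPLE_REPORT = json.dumps([{
    "Target": "python:3.4-alpine3.9 (alpine 3.9.2)",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2019-1543", "PkgName": "openssl",
         "InstalledVersion": "1.1.1a-r1", "FixedVersion": "1.1.1b-r1",
         "Severity": "MEDIUM"},
        {"VulnerabilityID": "CVE-0000-0000", "PkgName": "example-pkg",
         "InstalledVersion": "1.0", "Severity": "HIGH"},
    ],
}])

def summarize(report, ignore_unfixed=False):
    """Count findings per severity across all targets (Trivy's Total line)."""
    counts = {s: 0 for s in SEVERITIES}
    for target in report:
        for vuln in target.get("Vulnerabilities") or []:  # null when clean
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue  # nothing to upgrade to yet; skip like --ignore-unfixed
            sev = vuln.get("Severity", "UNKNOWN")
            counts[sev if sev in counts else "UNKNOWN"] += 1
    return counts

def should_fail(counts, threshold="HIGH"):
    """True when any finding is at or above the threshold severity."""
    blocking = SEVERITIES[SEVERITIES.index(threshold):]
    return any(counts[s] > 0 for s in blocking)

def gate(report_json, threshold="HIGH", ignore_unfixed=False):
    """Return (exit_code, summary_line) for a CI step to print and exit with."""
    counts = summarize(json.loads(report_json), ignore_unfixed)
    summary = ", ".join("%s: %d" % (s, counts[s]) for s in SEVERITIES)
    line = "Total: %d (%s)" % (sum(counts.values()), summary)
    return (1 if should_fail(counts, threshold) else 0), line

if __name__ == "__main__":
    code, line = gate(SAMPLE_REPORT, ignore_unfixed="--ignore-unfixed" in sys.argv)
    print(line)
    sys.exit(code)
```

With `ignore_unfixed=True` the constructed report reduces to exactly the `Total: 1 (... MEDIUM: 1 ...)` line above and the gate passes; with the default settings the unfixed HIGH finding fails it.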

# Examples

See [here](https://aquasecurity.github.io/trivy/latest/examples/filter/)

# Continuous Integration (CI)

See [here](https://aquasecurity.github.io/trivy/latest/integrations/)

# Vulnerability Detection

See [here](https://aquasecurity.github.io/trivy/latest/vuln-detection/)

# Usage

See [here](https://aquasecurity.github.io/trivy/latest/usage/)

# Author

[Teppei Fukuda](https://github.com/knqyf263) (knqyf263)