aquasecurity-trivy/dev/docs/target/container_image/index.html


<!doctype html>
<html lang="en" class="no-js">
<head>
<!-- Document metadata for the "Container Image" page of the Trivy documentation. -->
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta name="description" content="A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifacts, Suitable for CI">
<link rel="canonical" href="https://aquasecurity.github.io/trivy/dev/docs/target/container_image/">
<link rel="icon" href="../../../assets/images/favicon.png">
<!-- Records the exact MkDocs and Material theme versions that built this page. -->
<meta name="generator" content="mkdocs-1.3.0, mkdocs-material-8.3.9">
<title>Container Image - Trivy</title>
<!-- Theme stylesheets are same-site and content-hashed in their file names. -->
<link rel="stylesheet" href="../../../assets/stylesheets/main.1d29e8d0.min.css">
<link rel="stylesheet" href="../../../assets/stylesheets/palette.cbb835fc.min.css">
<!-- Third-party origins: the font stylesheet is fetched from fonts.googleapis.com and the preconnect
     targets fonts.gstatic.com (presumably where the font files are served). The stylesheet link has no
     integrity attribute, so a Content-Security-Policy for this site has to allow both origins. -->
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,700,700i%7CRoboto+Mono:400,400i,700,700i&display=fallback">
<!-- The style and script elements below are inline: a strict CSP needs a hash or nonce for each of
     them, otherwise it has to fall back to 'unsafe-inline'. -->
<style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style>
<!-- Defines three globals used by later inline scripts:
     __md_scope: URL three directory levels above this page, resolved against the page location.
     __md_get(key, storage, scope): JSON-parses the storage entry named scope.pathname + "." + key;
       storage defaults to localStorage.
     __md_set(key, value, storage, scope): JSON-stringifies and stores the value under the same key
       scheme; any exception from setItem is silently ignored.
     Keys are prefixed with the scope pathname, which keeps entries of sites or versions that share
     one origin apart. Stored values are readable by any script on that origin. -->
<script>__md_scope=new URL("../../..",location),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script>
</head>
<body dir="ltr" data-md-color-scheme="" data-md-color-primary="none" data-md-color-accent="none">
<input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" for="__drawer"></label>
<div data-md-component="skip">
<a href="#container-image" class="md-skip">
Skip to content
</a>
</div>
<div data-md-component="announce">
</div>
<!-- "Outdated version" banner. It is rendered with the hidden attribute and is revealed only by the
     inline script inside it. -->
<div data-md-component="outdated" hidden>
<aside class="md-banner md-banner--warning">
<div class="md-banner__inner md-grid md-typeset">
You're not viewing the latest version.
<a href="../../../..">
<strong>Click here to go to latest.</strong>
</a>
</div>
<!-- Reads the "__outdated" entry from sessionStorage through __md_get (defined by the inline script
     in the document head) and unhides the banner only when the stored value is exactly true.
     What writes that entry is not visible in this file; presumably the theme's version check does.
     This is an inline script, so a strict CSP needs a hash or nonce for it. -->
<script>var el=document.querySelector("[data-md-component=outdated]"),outdated=__md_get("__outdated",sessionStorage);!0===outdated&&el&&(el.hidden=!1)</script>
</aside>
</div>
<header class="md-header md-header--lifted" data-md-component="header">
<nav class="md-header__inner md-grid" aria-label="Header">
<a href="../../.." title="Trivy" class="md-header__button md-logo" aria-label="Trivy" data-md-component="logo">
<img src="../../../imgs/logo-white.svg" alt="logo">
</a>
<label class="md-header__button md-icon" for="__drawer">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2Z"/></svg>
</label>
<div class="md-header__title" data-md-component="header-title">
<div class="md-header__ellipsis">
<div class="md-header__topic">
<span class="md-ellipsis">
Trivy
</span>
</div>
<div class="md-header__topic" data-md-component="header-topic">
<span class="md-ellipsis">
Container Image
</span>
</div>
</div>
</div>
<label class="md-header__button md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg>
</label>
<!-- Site search widget. The markup only provides the input and an empty result list; the code that
     runs the search and fills the list is not part of this file.
     NOTE(review): the element carries role="dialog" but no aria-label or aria-labelledby, so the
     dialog has no accessible name. -->
<div class="md-search" data-md-component="search" role="dialog">
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<!-- The form declares neither action nor method. If no script intercepts it, a native submit is a
     GET to the current URL with the typed text in the "query" parameter. -->
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required>
<label class="md-search__icon md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12Z"/></svg>
</label>
<nav class="md-search__options" aria-label="Search">
<!-- Reset button clears the form; tabindex="-1" keeps it out of the keyboard tab order. -->
<button type="reset" class="md-search__icon md-icon" aria-label="Clear" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41Z"/></svg>
</button>
</nav>
</form>
<div class="md-search__output">
<div class="md-search__scrollwrap" data-md-scrollfix>
<!-- Result container: a status line plus an empty ordered list.
     NOTE(review): presumably theme script writes results derived from the typed query into this
     list; confirm against that script that query text and result snippets are inserted as escaped
     text rather than raw HTML. -->
<div class="md-search-result" data-md-component="search-result">
<div class="md-search-result__meta">
Initializing search
</div>
<ol class="md-search-result__list"></ol>
</div>
</div>
</div>
</div>
</div>
<div class="md-header__source">
<a href="https://github.com/aquasecurity/trivy" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 6.1.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2022 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
</nav>
<nav class="md-tabs" aria-label="Tabs" data-md-component="tabs">
<div class="md-tabs__inner md-grid">
<ul class="md-tabs__list">
<li class="md-tabs__item">
<a href="../../.." class="md-tabs__link">
Getting Started
</a>
</li>
<li class="md-tabs__item">
<a href="../../../tutorials/overview/" class="md-tabs__link">
Tutorials
</a>
</li>
<li class="md-tabs__item">
<a href="../../" class="md-tabs__link md-tabs__link--active">
Docs
</a>
</li>
<li class="md-tabs__item">
<a href="../../../ecosystem/" class="md-tabs__link">
Ecosystem
</a>
</li>
<li class="md-tabs__item">
<a href="../../../community/principles/" class="md-tabs__link">
Contributing
</a>
</li>
</ul>
</div>
</nav>
</header>
<div class="md-container" data-md-component="container">
<main class="md-main" data-md-component="main">
<div class="md-main__inner md-grid">
<div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--primary md-nav--lifted" aria-label="Navigation" data-md-level="0">
<label class="md-nav__title" for="__drawer">
<a href="../../.." title="Trivy" class="md-nav__button md-logo" aria-label="Trivy" data-md-component="logo">
<img src="../../../imgs/logo-white.svg" alt="logo">
</a>
Trivy
</label>
<div class="md-nav__source">
<a href="https://github.com/aquasecurity/trivy" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 6.1.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2022 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_1" type="checkbox" id="__nav_1" >
<label class="md-nav__link" for="__nav_1">
Getting Started
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Getting Started" data-md-level="1">
<label class="md-nav__title" for="__nav_1">
<span class="md-nav__icon md-icon"></span>
Getting Started
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../.." class="md-nav__link">
Overview
</a>
</li>
<li class="md-nav__item">
<a href="../../../getting-started/installation/" class="md-nav__link">
Installation
</a>
</li>
<li class="md-nav__item">
<a href="../../../getting-started/signature-verification/" class="md-nav__link">
Signature Verification
</a>
</li>
<li class="md-nav__item">
<a href="../../../getting-started/faq/" class="md-nav__link">
FAQ
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_2" type="checkbox" id="__nav_2" >
<label class="md-nav__link" for="__nav_2">
Tutorials
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Tutorials" data-md-level="1">
<label class="md-nav__title" for="__nav_2">
<span class="md-nav__icon md-icon"></span>
Tutorials
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../tutorials/overview/" class="md-nav__link">
Overview
</a>
</li>
<li class="md-nav__item md-nav__item--section md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_2_2" type="checkbox" id="__nav_2_2" >
<label class="md-nav__link" for="__nav_2_2">
CI/CD
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="CI/CD" data-md-level="2">
<label class="md-nav__title" for="__nav_2_2">
<span class="md-nav__icon md-icon"></span>
CI/CD
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../tutorials/integrations/" class="md-nav__link">
Overview
</a>
</li>
<li class="md-nav__item">
<a href="../../../tutorials/integrations/github-actions/" class="md-nav__link">
GitHub Actions
</a>
</li>
<li class="md-nav__item">
<a href="../../../tutorials/integrations/circleci/" class="md-nav__link">
CircleCI
</a>
</li>
<li class="md-nav__item">
<a href="../../../tutorials/integrations/travis-ci/" class="md-nav__link">
Travis CI
</a>
</li>
<li class="md-nav__item">
<a href="../../../tutorials/integrations/gitlab-ci/" class="md-nav__link">
GitLab CI
</a>
</li>
<li class="md-nav__item">
<a href="../../../tutorials/integrations/bitbucket/" class="md-nav__link">
Bitbucket Pipelines
</a>
</li>
<li class="md-nav__item">
<a href="../../../tutorials/integrations/aws-codepipeline/" class="md-nav__link">
AWS CodePipeline
</a>
</li>
<li class="md-nav__item">
<a href="../../../tutorials/integrations/aws-security-hub/" class="md-nav__link">
AWS Security Hub
</a>
</li>
<li class="md-nav__item">
<a href="../../../tutorials/integrations/azure-devops/" class="md-nav__link">
Azure
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--section md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_2_3" type="checkbox" id="__nav_2_3" >
<label class="md-nav__link" for="__nav_2_3">
Kubernetes
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Kubernetes" data-md-level="2">
<label class="md-nav__title" for="__nav_2_3">
<span class="md-nav__icon md-icon"></span>
Kubernetes
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../tutorials/kubernetes/cluster-scanning/" class="md-nav__link">
Cluster Scanning
</a>
</li>
<li class="md-nav__item">
<a href="../../../tutorials/kubernetes/kyverno/" class="md-nav__link">
Kyverno
</a>
</li>
<li class="md-nav__item">
<a href="../../../tutorials/kubernetes/gitops/" class="md-nav__link">
GitOps
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--section md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_2_4" type="checkbox" id="__nav_2_4" >
<label class="md-nav__link" for="__nav_2_4">
Misconfiguration
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Misconfiguration" data-md-level="2">
<label class="md-nav__title" for="__nav_2_4">
<span class="md-nav__icon md-icon"></span>
Misconfiguration
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../tutorials/misconfiguration/terraform/" class="md-nav__link">
Terraform scanning
</a>
</li>
<li class="md-nav__item">
<a href="../../../tutorials/misconfiguration/custom-checks/" class="md-nav__link">
Custom Checks with Rego
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--section md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_2_5" type="checkbox" id="__nav_2_5" >
<label class="md-nav__link" for="__nav_2_5">
Signing
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Signing" data-md-level="2">
<label class="md-nav__title" for="__nav_2_5">
<span class="md-nav__icon md-icon"></span>
Signing
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../tutorials/signing/vuln-attestation/" class="md-nav__link">
Vulnerability Scan Record Attestation
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--section md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_2_6" type="checkbox" id="__nav_2_6" >
<label class="md-nav__link" for="__nav_2_6">
Shell
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Shell" data-md-level="2">
<label class="md-nav__title" for="__nav_2_6">
<span class="md-nav__icon md-icon"></span>
Shell
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../tutorials/shell/shell-completion/" class="md-nav__link">
Completion
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--section md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_2_7" type="checkbox" id="__nav_2_7" >
<label class="md-nav__link" for="__nav_2_7">
Additional Resources
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Additional Resources" data-md-level="2">
<label class="md-nav__title" for="__nav_2_7">
<span class="md-nav__icon md-icon"></span>
Additional Resources
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../tutorials/additional-resources/references/" class="md-nav__link">
Additional Resources
</a>
</li>
<li class="md-nav__item">
<a href="../../../tutorials/additional-resources/community/" class="md-nav__link">
Community References
</a>
</li>
<li class="md-nav__item">
<a href="../../../tutorials/additional-resources/cks/" class="md-nav__link">
CKS Reference
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--active md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3" type="checkbox" id="__nav_3" checked>
<label class="md-nav__link" for="__nav_3">
Docs
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Docs" data-md-level="1">
<label class="md-nav__title" for="__nav_3">
<span class="md-nav__icon md-icon"></span>
Docs
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../" class="md-nav__link">
Overview
</a>
</li>
<li class="md-nav__item md-nav__item--active md-nav__item--section md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_2" type="checkbox" id="__nav_3_2" checked>
<label class="md-nav__link" for="__nav_3_2">
Target
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Target" data-md-level="2">
<label class="md-nav__title" for="__nav_3_2">
<span class="md-nav__icon md-icon"></span>
Target
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item md-nav__item--active">
<input class="md-nav__toggle md-toggle" data-md-toggle="toc" type="checkbox" id="__toc">
<label class="md-nav__link md-nav__link--active" for="__toc">
Container Image
<span class="md-nav__icon md-icon"></span>
</label>
<a href="./" class="md-nav__link md-nav__link--active">
Container Image
</a>
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#files-inside-container-images" class="md-nav__link">
Files inside container images
</a>
<nav class="md-nav" aria-label="Files inside container images">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#vulnerabilities" class="md-nav__link">
Vulnerabilities
</a>
</li>
<li class="md-nav__item">
<a href="#misconfigurations" class="md-nav__link">
Misconfigurations
</a>
</li>
<li class="md-nav__item">
<a href="#secrets" class="md-nav__link">
Secrets
</a>
</li>
<li class="md-nav__item">
<a href="#licenses" class="md-nav__link">
Licenses
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#container-image-metadata" class="md-nav__link">
Container image metadata
</a>
<nav class="md-nav" aria-label="Container image metadata">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#misconfigurations_1" class="md-nav__link">
Misconfigurations
</a>
</li>
<li class="md-nav__item">
<a href="#secrets_1" class="md-nav__link">
Secrets
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#supported" class="md-nav__link">
Supported
</a>
<nav class="md-nav" aria-label="Supported">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#docker-engine" class="md-nav__link">
Docker Engine
</a>
</li>
<li class="md-nav__item">
<a href="#containerd" class="md-nav__link">
containerd
</a>
</li>
<li class="md-nav__item">
<a href="#podman" class="md-nav__link">
Podman
</a>
</li>
<li class="md-nav__item">
<a href="#container-registry" class="md-nav__link">
Container Registry
</a>
</li>
<li class="md-nav__item">
<a href="#tar-files" class="md-nav__link">
Tar Files
</a>
</li>
<li class="md-nav__item">
<a href="#oci-layout" class="md-nav__link">
OCI Layout
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#sbom" class="md-nav__link">
SBOM
</a>
<nav class="md-nav" aria-label="SBOM">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#generation" class="md-nav__link">
Generation
</a>
</li>
<li class="md-nav__item">
<a href="#discovery" class="md-nav__link">
Discovery
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#compliance" class="md-nav__link">
Compliance
</a>
<nav class="md-nav" aria-label="Compliance">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#built-in-reports" class="md-nav__link">
Built in reports
</a>
</li>
<li class="md-nav__item">
<a href="#examples" class="md-nav__link">
Examples
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#authentication" class="md-nav__link">
Authentication
</a>
</li>
<li class="md-nav__item">
<a href="#options" class="md-nav__link">
Options
</a>
<nav class="md-nav" aria-label="Options">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#scan-image-on-a-specific-architecture-and-os" class="md-nav__link">
Scan Image on a specific Architecture and OS
</a>
</li>
<li class="md-nav__item">
<a href="#configure-docker-daemon-socket-to-connect-to" class="md-nav__link">
Configure Docker daemon socket to connect to.
</a>
</li>
<li class="md-nav__item">
<a href="#configure-podman-daemon-socket-to-connect-to" class="md-nav__link">
Configure Podman daemon socket to connect to.
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../filesystem/" class="md-nav__link">
Filesystem
</a>
</li>
<li class="md-nav__item">
<a href="../rootfs/" class="md-nav__link">
Rootfs
</a>
</li>
<li class="md-nav__item">
<a href="../repository/" class="md-nav__link">
Code Repository
</a>
</li>
<li class="md-nav__item">
<a href="../vm/" class="md-nav__link">
Virtual Machine Image
</a>
</li>
<li class="md-nav__item">
<a href="../kubernetes/" class="md-nav__link">
Kubernetes
</a>
</li>
<li class="md-nav__item">
<a href="../aws/" class="md-nav__link">
AWS
</a>
</li>
<li class="md-nav__item">
<a href="../sbom/" class="md-nav__link">
SBOM
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--section md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_3" type="checkbox" id="__nav_3_3" >
<label class="md-nav__link" for="__nav_3_3">
Scanner
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Scanner" data-md-level="2">
<label class="md-nav__title" for="__nav_3_3">
<span class="md-nav__icon md-icon"></span>
Scanner
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../scanner/vulnerability/" class="md-nav__link">
Vulnerability
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_3_2" type="checkbox" id="__nav_3_3_2" >
<label class="md-nav__link" for="__nav_3_3_2">
Misconfiguration
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Misconfiguration" data-md-level="3">
<label class="md-nav__title" for="__nav_3_3_2">
<span class="md-nav__icon md-icon"></span>
Misconfiguration
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../scanner/misconfiguration/" class="md-nav__link">
Overview
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_3_2_2" type="checkbox" id="__nav_3_3_2_2" >
<label class="md-nav__link" for="__nav_3_3_2_2">
Policy
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Policy" data-md-level="4">
<label class="md-nav__title" for="__nav_3_3_2_2">
<span class="md-nav__icon md-icon"></span>
Policy
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../scanner/misconfiguration/check/builtin/" class="md-nav__link">
Built-in Checks
</a>
</li>
<li class="md-nav__item">
<a href="../../scanner/misconfiguration/check/exceptions/" class="md-nav__link">
Exceptions
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_3_2_3" type="checkbox" id="__nav_3_3_2_3" >
<label class="md-nav__link" for="__nav_3_3_2_3">
Custom Checks
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Custom Checks" data-md-level="4">
<label class="md-nav__title" for="__nav_3_3_2_3">
<span class="md-nav__icon md-icon"></span>
Custom Checks
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../scanner/misconfiguration/custom/" class="md-nav__link">
Overview
</a>
</li>
<li class="md-nav__item">
<a href="../../scanner/misconfiguration/custom/data/" class="md-nav__link">
Data
</a>
</li>
<li class="md-nav__item">
<a href="../../scanner/misconfiguration/custom/combine/" class="md-nav__link">
Combine
</a>
</li>
<li class="md-nav__item">
<a href="../../scanner/misconfiguration/custom/selectors/" class="md-nav__link">
Selectors
</a>
</li>
<li class="md-nav__item">
<a href="../../scanner/misconfiguration/custom/schema/" class="md-nav__link">
Schemas
</a>
</li>
<li class="md-nav__item">
<a href="../../scanner/misconfiguration/custom/testing/" class="md-nav__link">
Testing
</a>
</li>
<li class="md-nav__item">
<a href="../../scanner/misconfiguration/custom/debug/" class="md-nav__link">
Debugging Policies
</a>
</li>
<li class="md-nav__item">
<a href="../../scanner/misconfiguration/custom/contribute-checks/" class="md-nav__link">
Contribute Checks
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../../scanner/secret/" class="md-nav__link">
Secret
</a>
</li>
<li class="md-nav__item">
<a href="../../scanner/license/" class="md-nav__link">
License
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--section md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_4" type="checkbox" id="__nav_3_4" >
<label class="md-nav__link" for="__nav_3_4">
Coverage
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Coverage" data-md-level="2">
<label class="md-nav__title" for="__nav_3_4">
<span class="md-nav__icon md-icon"></span>
Coverage
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../coverage/" class="md-nav__link">
Overview
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_4_2" type="checkbox" id="__nav_3_4_2" >
<label class="md-nav__link" for="__nav_3_4_2">
OS
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="OS" data-md-level="3">
<label class="md-nav__title" for="__nav_3_4_2">
<span class="md-nav__icon md-icon"></span>
OS
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../coverage/os/" class="md-nav__link">
Overview
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/os/alma/" class="md-nav__link">
AlmaLinux
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/os/alpine/" class="md-nav__link">
Alpine Linux
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/os/amazon/" class="md-nav__link">
Amazon Linux
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/os/cbl-mariner/" class="md-nav__link">
CBL-Mariner
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/os/centos/" class="md-nav__link">
CentOS
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/os/chainguard/" class="md-nav__link">
Chainguard
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/os/conda/" class="md-nav__link">
Conda
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/os/debian/" class="md-nav__link">
Debian
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/os/oracle/" class="md-nav__link">
Oracle Linux
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/os/photon/" class="md-nav__link">
Photon OS
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/os/rhel/" class="md-nav__link">
Red Hat
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/os/rocky/" class="md-nav__link">
Rocky Linux
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/os/suse/" class="md-nav__link">
SUSE
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/os/ubuntu/" class="md-nav__link">
Ubuntu
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/os/wolfi/" class="md-nav__link">
Wolfi
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/os/google-distroless/" class="md-nav__link">
Google Distroless (Images)
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/os/bitnami/" class="md-nav__link">
Bitnami (Images)
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_4_3" type="checkbox" id="__nav_3_4_3" >
<label class="md-nav__link" for="__nav_3_4_3">
Language
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Language" data-md-level="3">
<label class="md-nav__title" for="__nav_3_4_3">
<span class="md-nav__icon md-icon"></span>
Language
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../coverage/language/" class="md-nav__link">
Overview
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/language/c/" class="md-nav__link">
C/C++
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/language/dart/" class="md-nav__link">
Dart
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/language/dotnet/" class="md-nav__link">
.NET
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/language/elixir/" class="md-nav__link">
Elixir
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/language/golang/" class="md-nav__link">
Go
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/language/java/" class="md-nav__link">
Java
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/language/nodejs/" class="md-nav__link">
Node.js
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/language/php/" class="md-nav__link">
PHP
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/language/python/" class="md-nav__link">
Python
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/language/ruby/" class="md-nav__link">
Ruby
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/language/rust/" class="md-nav__link">
Rust
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/language/swift/" class="md-nav__link">
Swift
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/language/julia/" class="md-nav__link">
Julia
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_4_4" type="checkbox" id="__nav_3_4_4" >
<label class="md-nav__link" for="__nav_3_4_4">
IaC
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="IaC" data-md-level="3">
<div class="md-content" data-md-component="content">
<article class="md-content__inner md-typeset">
<h1 id="container-image">Container Image</h1>
<p>Trivy supports two targets for container images.</p>
<ul>
<li>Files inside container images</li>
<li>Container image metadata</li>
</ul>
<h2 id="files-inside-container-images">Files inside container images</h2>
<p>Container images consist of files.
For instance, new files will be installed if you install a package.</p>
<p>Trivy scans the files inside container images for</p>
<ul>
<li>Vulnerabilities</li>
<li>Misconfigurations</li>
<li>Secrets</li>
<li>Licenses</li>
</ul>
<p>By default, vulnerability and secret scanning are enabled, and you can configure that with <code>--scanners</code>.</p>
<h3 id="vulnerabilities">Vulnerabilities</h3>
<p>Vulnerability scanning is enabled by default.
You can simply specify your image name (and a tag).
It detects known vulnerabilities in your container image.
See <a href="../../scanner/vulnerability/">the vulnerability scanner documentation</a> for details.</p>
<div class="highlight"><pre><span></span><code>$ trivy image [YOUR_IMAGE_NAME]
</code></pre></div>
<p>For example:</p>
<div class="highlight"><pre><span></span><code>$ trivy image python:3.4-alpine
</code></pre></div>
<details>
<summary>Result</summary>
<div class="highlight"><pre><span></span><code>2019-05-16T01:20:43.180+0900 INFO Updating vulnerability database...
2019-05-16T01:20:53.029+0900 INFO Detecting Alpine vulnerabilities...
python:3.4-alpine3.9 (alpine 3.9.2)
===================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| openssl | CVE-2019-1543 | MEDIUM | 1.1.1a-r1 | 1.1.1b-r1 | openssl: ChaCha20-Poly1305 |
| | | | | | with long nonces |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
</code></pre></div>
</details>
<p>To enable only vulnerability scanning, you can specify <code>--scanners vuln</code>.</p>
<div class="highlight"><pre><span></span><code>$ trivy image --scanners vuln <span class="o">[</span>YOUR_IMAGE_NAME<span class="o">]</span>
</code></pre></div>
<h3 id="misconfigurations">Misconfigurations</h3>
<p>It is supported, but it is not useful in most cases.
As mentioned <a href="../../scanner/misconfiguration/">here</a>, Trivy mainly supports Infrastructure as Code (IaC) files for misconfigurations.
If your container image includes IaC files such as Kubernetes YAML files or Terraform files, you should enable this feature with <code>--scanners misconfig</code>.</p>
<div class="highlight"><pre><span></span><code>$ trivy image --scanners misconfig [YOUR_IMAGE_NAME]
</code></pre></div>
<h3 id="secrets">Secrets</h3>
<p>It is enabled by default.
See <a href="../../scanner/secret/">here</a> for the detail.</p>
<div class="highlight"><pre><span></span><code>$ trivy image <span class="o">[</span>YOUR_IMAGE_NAME<span class="o">]</span>
</code></pre></div>
<h3 id="licenses">Licenses</h3>
<p>It is disabled by default.
See <a href="../../scanner/license/">here</a> for the detail.</p>
<div class="highlight"><pre><span></span><code>$ trivy image --scanners license <span class="o">[</span>YOUR_IMAGE_NAME<span class="o">]</span>
</code></pre></div>
<h2 id="container-image-metadata">Container image metadata</h2>
<p>Container images have <a href="https://github.com/opencontainers/image-spec/blob/2fb996805b3734779bf9a3a84dc9a9691ad7efdd/config.md">configuration</a>.
<code>docker inspect</code> and <code>docker history</code> show the information according to the configuration.</p>
<p>Trivy scans the configuration of container images for</p>
<ul>
<li>Misconfigurations</li>
<li>Secrets</li>
</ul>
<p>They are disabled by default.
You can enable them with <code>--image-config-scanners</code>.</p>
<div class="admonition tips">
<p class="admonition-title">Tips</p>
<p>The configuration can be exported as a JSON file with <code>docker save</code>.</p>
</div>
<h3 id="misconfigurations_1">Misconfigurations</h3>
<p>Trivy detects misconfigurations in the configuration of container images.
The image config is converted into a Dockerfile, and Trivy handles it as a Dockerfile.
See <a href="../../scanner/misconfiguration/">here</a> for the details of Dockerfile scanning.</p>
<p>It is disabled by default.
You can enable it with <code>--image-config-scanners misconfig</code>.</p>
<div class="highlight"><pre><span></span><code>$ trivy image --image-config-scanners misconfig [YOUR_IMAGE_NAME]
</code></pre></div>
<details>
<summary>Result</summary>
<div class="highlight"><pre><span></span><code>alpine:3.17 (dockerfile)
========================
Tests: 24 (SUCCESSES: 21, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (UNKNOWN: 0, LOW: 2, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Running containers with &#39;root&#39; user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a &#39;USER&#39; statement to the Dockerfile.
See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
LOW: Consider using &#39;COPY file:e4d600fc4c9c293efe360be7b30ee96579925d1b4634c94332e2ec73f7d8eca1 in /&#39; command instead of &#39;ADD file:e4d600fc4c9c293efe360be7b30ee96579925d1b4634c94332e2ec73f7d8eca1 in /&#39;
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
You should use COPY instead of ADD unless you want to extract a tar file. Note that an ADD command will extract a tar file, which adds the risk of Zip-based vulnerabilities. Accordingly, it is advised to use a COPY command, which does not extract tar files.
See https://avd.aquasec.com/misconfig/ds005
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
alpine:3.17:1
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 [ ADD file:e4d600fc4c9c293efe360be7b30ee96579925d1b4634c94332e2ec73f7d8eca1 in /
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
LOW: Add HEALTHCHECK instruction in your Dockerfile
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
You shoud add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.
See https://avd.aquasec.com/misconfig/ds026
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
</code></pre></div>
</details>
<div class="admonition tip">
<p class="admonition-title">Tip</p>
<p>You can see how each layer is created with <code>docker history</code>.</p>
</div>
<h3 id="secrets_1">Secrets</h3>
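<p>Trivy detects secrets in the configuration of container images.
The image config is converted into JSON and Trivy scans the file for secrets.
It is especially useful for environment variables that may contain credentials by accident:
a value set with <code>ENV</code> is recorded in the image config, as the <code>created_by</code> and <code>Env</code> entries in the result below show, so it travels with the image to everyone who can pull it.
See <a href="../../scanner/secret/">here</a> for the details.</p>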
<div class="highlight"><pre><span></span><code>$ trivy image --image-config-scanners secret <span class="o">[</span>YOUR_IMAGE_NAME<span class="o">]</span>
</code></pre></div>
<details>
<summary>Result</summary>
<div class="highlight"><pre><span></span><code>vuln-image (alpine 3.17.1)
==========================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
vuln-image (secrets)
====================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)
CRITICAL: GitHub (github-pat)
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
GitHub Personal Access Token
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
test:16
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
14 {
15 &quot;created&quot;: &quot;2023-01-09T17:05:20Z&quot;,
16 [ &quot;created_by&quot;: &quot;ENV secret=****************************************&quot;,
17 &quot;comment&quot;: &quot;buildkit.dockerfile.v0&quot;,
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
CRITICAL: GitHub (github-pat)
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
GitHub Personal Access Token
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
test:34
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
32 &quot;Env&quot;: [
33 &quot;PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin&quot;,
34 [ &quot;secret=****************************************&quot;
35 ]
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
</code></pre></div>
</details>
<div class="admonition tip">
<p class="admonition-title">Tip</p>
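<p>You can see environment variables with <code>docker inspect</code>. As the result above shows, a value set with <code>ENV</code> is recorded in both the image history and the image configuration, so anyone who can pull the image can read it.</p>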
</div>
<h2 id="supported">Supported</h2>
<p>Trivy will look for the specified image in a series of locations. By default, it
will first look in the local Docker Engine, then containerd, then Podman, and
finally the container registry.</p>
<p>This behavior can be modified with the <code>--image-src</code> flag. For example, the
command</p>
<div class="highlight"><pre><span></span><code>trivy image --image-src podman,containerd alpine:3.7.3
</code></pre></div>
<p>will first search in Podman. If the image is found there, it will be scanned
and the results returned. If the image is not found in Podman, then Trivy will
search in containerd. If the image is not found there either, the scan will
fail and no more image sources will be searched.</p>
<h3 id="docker-engine">Docker Engine</h3>
<p>Trivy tries to look for the specified image in your local Docker Engine.
This source is skipped if Docker Engine is not running locally.</p>
<p>If your docker socket is not the default path, you can override it via <code>DOCKER_HOST</code>.</p>
<h3 id="containerd">containerd</h3>
<div class="admonition warning">
<p class="admonition-title">EXPERIMENTAL</p>
<p>This feature might change without preserving backwards compatibility.</p>
</div>
<p>Trivy tries to look for the specified image in your local <a href="https://containerd.io/">containerd</a>.
This source is skipped if containerd is not running locally.</p>
<p>Specify your image name in containerd running locally.</p>
<div class="highlight"><pre><span></span><code>$ nerdctl images
REPOSITORY TAG IMAGE ID CREATED PLATFORM SIZE BLOB SIZE
aquasec/nginx latest 2bcabc23b454 <span class="m">3</span> hours ago linux/amd64 <span class="m">149</span>.1 MiB <span class="m">54</span>.1 MiB
$ trivy image aquasec/nginx
</code></pre></div>
<p>If your containerd socket is not at the default path (<code>/run/containerd/containerd.sock</code>), you can override it via <code>CONTAINERD_ADDRESS</code>.</p>
<div class="highlight"><pre><span></span><code>$ <span class="nb">export</span> <span class="nv">CONTAINERD_ADDRESS</span><span class="o">=</span>/run/k3s/containerd/containerd.sock
$ trivy image aquasec/nginx
</code></pre></div>
<p>If your scan targets are images in a namespace other than containerd's default namespace (<code>default</code>), you can override it via <code>CONTAINERD_NAMESPACE</code>.</p>
<div class="highlight"><pre><span></span><code>$ <span class="nb">export</span> <span class="nv">CONTAINERD_NAMESPACE</span><span class="o">=</span>k8s.io
$ trivy image aquasec/nginx
</code></pre></div>
<h3 id="podman">Podman</h3>
<div class="admonition warning">
<p class="admonition-title">EXPERIMENTAL</p>
<p>This feature might change without preserving backwards compatibility.</p>
</div>
<p>Scan your image in Podman (&gt;=2.0) running locally. Remote Podman is not supported.
Before running Trivy commands, you must enable the podman.sock systemd service on your machine.
For more details, see the <a href="https://github.com/containers/podman/blob/master/docs/tutorials/remote_client.md#enable-the-podman-service-on-the-server-machine">Podman remote client tutorial</a>.</p>
<div class="highlight"><pre><span></span><code>$ systemctl --user <span class="nb">enable</span> --now podman.socket
</code></pre></div>
<p>Then, you can scan your image in Podman.</p>
<div class="highlight"><pre><span></span><code>$ cat Dockerfile
FROM alpine:3.12
RUN apk add --no-cache bash
$ podman build -t <span class="nb">test</span> .
$ podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
localhost/test latest efc372d4e0de About a minute ago <span class="m">7</span>.94 MB
$ trivy image <span class="nb">test</span>
</code></pre></div>
<h3 id="container-registry">Container Registry</h3>
<p>Trivy supports registries that comply with the following specifications.</p>
<ul>
<li><a href="https://docs.docker.com/registry/spec/api/">Docker Registry HTTP API V2</a></li>
<li><a href="https://github.com/opencontainers/distribution-spec">OCI Distribution Specification</a></li>
</ul>
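<p>You can configure credentials with <code>docker login</code>.
Unless a credential store or helper is configured, <code>docker login</code> keeps the credentials only base64-encoded in the Docker client configuration file, so restrict access to that file.
See the <a href="../../advanced/private-registries/">private registries page</a> for details.</p>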
<h3 id="tar-files">Tar Files</h3>
<p>Trivy supports image tar files generated by the following tools.</p>
<ul>
<li><a href="https://github.com/moby/moby/tree/master/image/spec">Docker Image Specification</a><ul>
<li><a href="https://github.com/moby/moby/">Moby Project</a></li>
<li><a href="https://github.com/containers/buildah">Buildah</a></li>
<li><a href="https://github.com/containers/podman">Podman</a></li>
<li><a href="https://github.com/genuinetools/img">img</a></li>
</ul>
</li>
<li><a href="https://github.com/GoogleContainerTools/kaniko">Kaniko</a></li>
</ul>
<div class="highlight"><pre><span></span><code>$ docker pull ruby:3.1-alpine3.15
$ docker save ruby:3.1-alpine3.15 -o ruby-3.1.tar
$ trivy image --input ruby-3.1.tar
</code></pre></div>
<details>
<summary>Result</summary>
<div class="highlight"><pre><span></span><code>2022-02-03T10:08:19.127Z INFO Detected OS: alpine
2022-02-03T10:08:19.127Z WARN This OS version is not on the EOL list: alpine 3.15
2022-02-03T10:08:19.127Z INFO Detecting Alpine vulnerabilities...
2022-02-03T10:08:19.127Z INFO Number of language-specific files: 2
2022-02-03T10:08:19.127Z INFO Detecting gemspec vulnerabilities...
2022-02-03T10:08:19.128Z INFO Detecting node-pkg vulnerabilities...
2022-02-03T10:08:19.128Z WARN This OS version is no longer supported by the distribution: alpine 3.15.0
2022-02-03T10:08:19.128Z WARN The vulnerability detection may be insufficient because security updates are not provided
ruby-3.1.tar (alpine 3.15.0)
============================
Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 3, CRITICAL: 0)
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| gmp | CVE-2021-43618 | HIGH | 6.2.1-r0 | 6.2.1-r1 | gmp: Integer overflow and resultant |
| | | | | | buffer overflow via crafted input |
| | | | | | --&gt;avd.aquasec.com/nvd/cve-2021-43618 |
+----------+ + + + + +
| gmp-dev | | | | | |
| | | | | | |
| | | | | | |
+----------+ + + + + +
| libgmpxx | | | | | |
| | | | | | |
| | | | | | |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
Node.js (node-pkg)
==================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
Ruby (gemspec)
==============
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
</code></pre></div>
</details>
<h3 id="oci-layout">OCI Layout</h3>
<p>Trivy supports image directories compliant with <a href="https://github.com/opencontainers/image-spec/blob/master/spec.md">Open Container Image Layout Specification</a>.</p>
<p>Buildah:</p>
<div class="highlight"><pre><span></span><code>$ buildah push docker.io/library/alpine:3.11 oci:/path/to/alpine
$ trivy image --input /path/to/alpine
</code></pre></div>
<p>Skopeo:</p>
<div class="highlight"><pre><span></span><code>$ skopeo copy docker-daemon:alpine:3.11 oci:/path/to/alpine
$ trivy image --input /path/to/alpine
</code></pre></div>
<p>Referencing specific images can be done by their tag or by their manifest digest. A digest identifies one exact manifest, whereas a tag can later be pointed at different content:</p>
<div class="highlight"><pre><span></span><code># Referenced by tag
$ trivy image --input /path/to/alpine:3.15
# Referenced by digest
$ trivy image --input /path/to/alpine@sha256:82389ea44e50c696aba18393b168a833929506f5b29b9d75eb817acceb6d54ba
</code></pre></div>
<h2 id="sbom">SBOM</h2>
<p>Trivy supports the generation of Software Bill of Materials (SBOM) for container images and the search for SBOMs during vulnerability scanning.</p>
<h3 id="generation">Generation</h3>
<p>Trivy can generate an SBOM for container images.
See the <a href="../../supply-chain/sbom/">SBOM documentation</a> for details.</p>
<h3 id="discovery">Discovery</h3>
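<p>Trivy can search for Software Bill of Materials (SBOMs) that reference container images.
If an SBOM is found, the vulnerability scan is performed using the SBOM instead of the container image.
By using the SBOM, you can perform a vulnerability scan more quickly, as it allows you to skip pulling the container image and analyzing its layers.
Because the results then reflect what the SBOM declares rather than what the image layers actually contain, enable this only for SBOM sources you trust to be accurate and untampered.</p>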
<p>To enable this functionality, you need to specify the <code>--sbom-sources</code> flag.
The following two sources are supported:</p>
<ul>
<li>OCI Registry (<code>oci</code>)</li>
<li>Rekor (<code>rekor</code>)</li>
</ul>
<p>Example:</p>
<div class="highlight"><pre><span></span><code>$ trivy image --sbom-sources oci ghcr.io/knqyf263/oci-referrers
<span class="m">2023</span>-03-05T17:36:55.278+0200 INFO Vulnerability scanning is enabled
<span class="m">2023</span>-03-05T17:36:58.103+0200 INFO Detected SBOM format: cyclonedx-json
<span class="m">2023</span>-03-05T17:36:58.129+0200 INFO Found SBOM <span class="o">(</span>cyclonedx<span class="o">)</span> <span class="k">in</span> the OCI referrers
...
ghcr.io/knqyf263/oci-referrers <span class="o">(</span>alpine <span class="m">3</span>.16.2<span class="o">)</span>
<span class="o">==============================================</span>
Total: <span class="m">17</span> <span class="o">(</span>UNKNOWN: <span class="m">0</span>, LOW: <span class="m">0</span>, MEDIUM: <span class="m">5</span>, HIGH: <span class="m">9</span>, CRITICAL: <span class="m">3</span><span class="o">)</span>
</code></pre></div>
<p>The OCI Registry utilizes the <a href="https://github.com/opencontainers/distribution-spec/blob/main/spec.md#listing-referrers">Referrers API</a>.
For more information about Rekor, please refer to <a href="../../supply-chain/attestation/rekor/">its documentation</a>.</p>
<h2 id="compliance">Compliance</h2>
<div class="admonition warning">
<p class="admonition-title">EXPERIMENTAL</p>
<p>This feature might change without preserving backwards compatibility.</p>
</div>
<p>This section describes container image specific compliance reports.
For an overview of Trivy's Compliance feature, including working with custom compliance, check out the <a href="../../compliance/compliance/">Compliance documentation</a>.</p>
<h3 id="built-in-reports">Built in reports</h3>
<p>The following reports are available out of the box:</p>
<table>
<thead>
<tr>
<th>Compliance</th>
<th>Version</th>
<th>Name for command</th>
<th>More info</th>
</tr>
</thead>
<tbody>
<tr>
<td>CIS Docker Community Edition Benchmark</td>
<td>1.1.0</td>
<td><code>docker-cis</code></td>
<td><a href="https://www.aquasec.com/cloud-native-academy/docker-container/docker-cis-benchmark/">Link</a></td>
</tr>
</tbody>
</table>
<h3 id="examples">Examples</h3>
<p>Scan a container image configuration and generate a compliance summary report:</p>
<div class="highlight"><pre><span></span><code>$ trivy image --compliance docker-cis [YOUR_IMAGE_NAME]
</code></pre></div>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>The <code>Issues</code> column represents the total number of failed checks for this control.</p>
</div>
<h2 id="authentication">Authentication</h2>
<p>Please reference <a href="../../advanced/private-registries/">this page</a>.</p>
<h2 id="options">Options</h2>
<h3 id="scan-image-on-a-specific-architecture-and-os">Scan Image on a specific Architecture and OS</h3>
<p>By default, Trivy loads an image on a "linux/amd64" machine.
To customise this, pass a <code>--platform</code> argument in the format OS/Architecture for the image:</p>
<div class="highlight"><pre><span></span><code>$ trivy image --platform=os/architecture [YOUR_IMAGE_NAME]
</code></pre></div>
<p>For example:</p>
<div class="highlight"><pre><span></span><code>$ trivy image --platform=linux/arm alpine:3.16.1
</code></pre></div>
<details>
<summary>Result</summary>
<div class="highlight"><pre><span></span><code>2022-10-25T21:00:50.972+0300 INFO Vulnerability scanning is enabled
2022-10-25T21:00:50.972+0300 INFO Secret scanning is enabled
2022-10-25T21:00:50.972+0300 INFO If your scanning is slow, please try &#39;--scanners vuln&#39; to disable secret scanning
2022-10-25T21:00:50.972+0300 INFO Please see also https://aquasecurity.github.io/trivy/dev/docs/secret/scanning/#recommendation for faster secret detection
2022-10-25T21:00:56.190+0300 INFO Detected OS: alpine
2022-10-25T21:00:56.190+0300 INFO Detecting Alpine vulnerabilities...
2022-10-25T21:00:56.191+0300 INFO Number of language-specific files: 0
alpine:3.16.1 (alpine 3.16.1)
=============================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)
┌─────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├─────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ zlib │ CVE-2022-37434 │ CRITICAL │ 1.2.12-r1 │ 1.2.12-r2 │ zlib: heap-based buffer over-read and overflow in inflate() │
│ │ │ │ │ │ in inflate.c via a... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-37434 │
└─────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
</code></pre></div>
</details>
<h3 id="configure-docker-daemon-socket-to-connect-to">Configure Docker daemon socket to connect to.</h3>
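<p>You can configure the Docker daemon socket with <code>DOCKER_HOST</code> or <code>--docker-host</code>. Access to the Docker daemon API is equivalent to root access on the host, and a plain <code>tcp://</code> endpoint without TLS, such as the one below, is neither encrypted nor authenticated, so keep it bound to the loopback interface or protect it with TLS.</p>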
<div class="highlight"><pre><span></span><code>$ trivy image --docker-host tcp://127.0.0.1:2375 YOUR_IMAGE
</code></pre></div>
<h3 id="configure-podman-daemon-socket-to-connect-to">Configure Podman daemon socket to connect to.</h3>
<p>You can configure Podman daemon socket with <code>--podman-host</code>.</p>
<div class="highlight"><pre><span></span><code>$ trivy image --podman-host /run/user/1000/podman/podman.sock YOUR_IMAGE
</code></pre></div>
</article>
<script>var tabs=__md_get("__tabs");if(Array.isArray(tabs))e:for(var set of document.querySelectorAll(".tabbed-set")){var tab,labels=set.querySelector(".tabbed-labels");for(tab of tabs)for(var label of labels.getElementsByTagName("label"))if(label.innerText.trim()===tab){var input=document.getElementById(label.htmlFor);input.checked=!0;continue e}}</script>
</div>
</div>
</main>
</div>
<div class="md-dialog" data-md-component="dialog">
<div class="md-dialog__inner md-typeset"></div>
</div>
<script id="__config" type="application/json">{"base": "../../..", "features": ["navigation.tabs", "navigation.tabs.sticky", "navigation.sections", "navigation.footer", "content.action.edit", "content.tabs.link", "content.code.annotate", "content.code.copy"], "search": "../../../assets/javascripts/workers/search.b97dbffb.min.js", "translations": {"clipboard.copied": "Copied to clipboard", "clipboard.copy": "Copy to clipboard", "search.config.lang": "en", "search.config.pipeline": "trimmer, stopWordFilter", "search.config.separator": "[\\s\\-]+", "search.placeholder": "Search", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.placeholder": "Type to start searching", "search.result.term.missing": "Missing", "select.version.title": "Select version"}, "version": {"default": "latest", "method": "mike", "provider": "mike"}}</script>
<script src="../../../assets/javascripts/bundle.6c7ad80a.min.js"></script>
</body>
</html>