Installation

RHEL/CentOS

Add repository setting to /etc/yum.repos.d.

  1. $ sudo vim /etc/yum.repos.d/trivy.repo
  2. [trivy]
  3. name=Trivy repository
  4. baseurl=https://aquasecurity.github.io/trivy-repo/rpm/releases/$releasever/$basearch/
  5. gpgcheck=0
  6. enabled=1
  7. $ sudo yum -y update
  8. $ sudo yum -y install trivy

or

  1. rpm -ivh https://github.com/aquasecurity/trivy/releases/download/v0.16.0/trivy_0.16.0_Linux-64bit.rpm

Debian/Ubuntu

Add repository to /etc/apt/sources.list.d.

  1. $ sudo apt-get install wget apt-transport-https gnupg lsb-release
  2. $ wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
  3. $ echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
  4. $ sudo apt-get update
  5. $ sudo apt-get install trivy

or

  1. wget https://github.com/aquasecurity/trivy/releases/download/v0.16.0/trivy_0.16.0_Linux-64bit.deb
  2. sudo dpkg -i trivy_0.16.0_Linux-64bit.deb

Arch Linux

Package trivy-bin can be installed from the Arch User Repository. Examples:

  1. pikaur -Sy trivy-bin

or

  1. yay -Sy trivy-bin

Homebrew

You can use homebrew on macOS and Linux.

  1. $ brew install aquasecurity/trivy/trivy

Nix/NixOS

You can use nix on Linux or macOS and on others unofficially.

Note that trivy is currently only in the unstable channels.

  1. $ nix-env --install trivy

Or through your configuration on NixOS or with home-manager as usual

Install Script

This script downloads Trivy binary based on your OS and architecture.

  1. curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.16.0

Binary

Download the archive file for your operating system/architecture from here. Unpack the archive, and put the binary somewhere in your $PATH (on UNIX-y systems, /usr/local/bin or the like). Make sure it has execution bits turned on.

From source

  1. $ mkdir -p $GOPATH/src/github.com/aquasecurity
  2. $ cd $GOPATH/src/github.com/aquasecurity
  3. $ git clone --depth 1 --branch v0.16.0 https://github.com/aquasecurity/trivy
  4. $ cd trivy/cmd/trivy/
  5. $ export GO111MODULE=on
  6. $ go install

Docker

Docker Hub

Replace [YOUR_CACHE_DIR] with the cache directory on your machine.

  1. docker pull aquasec/trivy:0.16.0

Example for Linux:

  1. docker run --rm -v [YOUR_CACHE_DIR]:/root/.cache/ aquasec/trivy:0.16.0 [YOUR_IMAGE_NAME]

Example for macOS:

  1. docker run --rm -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:0.16.0 python:3.4-alpine

If you would like to scan the image on your host machine, you need to mount docker.sock.

  1. docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
  2.     -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:0.16.0 python:3.4-alpine

Please re-pull latest aquasec/trivy if an error occurred.

Result

  1. 2019-05-16T01:20:43.180+0900    INFO    Updating vulnerability database...
  2. 2019-05-16T01:20:53.029+0900    INFO    Detecting Alpine vulnerabilities...
  4. python:3.4-alpine3.9 (alpine 3.9.2)
  5. ===================================
  6. Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
  8. +---------+------------------+----------+-------------------+---------------+--------------------------------+
  9. | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
  10. +---------+------------------+----------+-------------------+---------------+--------------------------------+
  11. | openssl | CVE-2019-1543    | MEDIUM   | 1.1.1a-r1         | 1.1.1b-r1     | openssl: ChaCha20-Poly1305     |
  12. |         |                  |          |                   |               | with long nonces               |
  13. +---------+------------------+----------+-------------------+---------------+--------------------------------+

GitHub Container Registry

The same image is hosted on GitHub Container Registry as well.

  1. docker pull ghcr.io/aquasecurity/trivy:0.16.0