Report Formats

Table (Default)

  1. $ trivy image -f table golang:1.12-alpine

JSON

  1. $ trivy image -f json -o results.json golang:1.12-alpine

Result

  1. 2019-05-16T01:46:31.777+0900 INFO Updating vulnerability database...
  2. 2019-05-16T01:47:03.007+0900 INFO Detecting Alpine vulnerabilities...

JSON

  1. [
  2. {
  3. "Target": "php-app/composer.lock",
  4. "Vulnerabilities": null
  5. },
  6. {
  7. "Target": "node-app/package-lock.json",
  8. "Vulnerabilities": [
  9. {
  10. "VulnerabilityID": "CVE-2018-16487",
  11. "PkgName": "lodash",
  12. "InstalledVersion": "4.17.4",
  13. "FixedVersion": "\u003e=4.17.11",
  14. "Title": "lodash: Prototype pollution in utilities function",
  15. "Description": "A prototype pollution vulnerability was found in lodash \u003c4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.",
  16. "Severity": "HIGH",
  17. "References": [
  18. "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16487",
  19. ]
  20. }
  21. ]
  22. },
  23. {
  24. "Target": "trivy-ci-test (alpine 3.7.1)",
  25. "Vulnerabilities": [
  26. {
  27. "VulnerabilityID": "CVE-2018-16840",
  28. "PkgName": "curl",
  29. "InstalledVersion": "7.61.0-r0",
  30. "FixedVersion": "7.61.1-r1",
  31. "Title": "curl: Use-after-free when closing \"easy\" handle in Curl_close()",
  32. "Description": "A heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. ",
  33. "Severity": "HIGH",
  34. "References": [
  35. "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16840",
  36. ]
  37. },
  38. {
  39. "VulnerabilityID": "CVE-2019-3822",
  40. "PkgName": "curl",
  41. "InstalledVersion": "7.61.0-r0",
  42. "FixedVersion": "7.61.1-r2",
  43. "Title": "curl: NTLMv2 type-3 header stack buffer overflow",
  44. "Description": "libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. ",
  45. "Severity": "HIGH",
  46. "References": [
  47. "https://curl.haxx.se/docs/CVE-2019-3822.html",
  48. "https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f@%3Cdevnull.infra.apache.org%3E"
  49. ]
  50. },
  51. {
  52. "VulnerabilityID": "CVE-2018-16839",
  53. "PkgName": "curl",
  54. "InstalledVersion": "7.61.0-r0",
  55. "FixedVersion": "7.61.1-r1",
  56. "Title": "curl: Integer overflow leading to heap-based buffer overflow in Curl_sasl_create_plain_message()",
  57. "Description": "Curl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service.",
  58. "Severity": "HIGH",
  59. "References": [
  60. "https://github.com/curl/curl/commit/f3a24d7916b9173c69a3e0ee790102993833d6c5",
  61. ]
  62. },
  63. {
  64. "VulnerabilityID": "CVE-2018-19486",
  65. "PkgName": "git",
  66. "InstalledVersion": "2.15.2-r0",
  67. "FixedVersion": "2.15.3-r0",
  68. "Title": "git: Improper handling of PATH allows for commands to be executed from the current directory",
  69. "Description": "Git before 2.19.2 on Linux and UNIX executes commands from the current working directory (as if '.' were at the end of $PATH) in certain cases involving the run_command() API and run-command.c, because there was a dangerous change from execvp to execv during 2017.",
  70. "Severity": "HIGH",
  71. "References": [
  72. "https://usn.ubuntu.com/3829-1/",
  73. ]
  74. },
  75. {
  76. "VulnerabilityID": "CVE-2018-17456",
  77. "PkgName": "git",
  78. "InstalledVersion": "2.15.2-r0",
  79. "FixedVersion": "2.15.3-r0",
  80. "Title": "git: arbitrary code execution via .gitmodules",
  81. "Description": "Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive \"git clone\" of a superproject if a .gitmodules file has a URL field beginning with a '-' character.",
  82. "Severity": "HIGH",
  83. "References": [
  84. "http://www.securitytracker.com/id/1041811",
  85. ]
  86. }
  87. ]
  88. },
  89. {
  90. "Target": "python-app/Pipfile.lock",
  91. "Vulnerabilities": null
  92. },
  93. {
  94. "Target": "ruby-app/Gemfile.lock",
  95. "Vulnerabilities": null
  96. },
  97. {
  98. "Target": "rust-app/Cargo.lock",
  99. "Vulnerabilities": null
  100. }
  101. ]

VulnerabilityID, PkgName, InstalledVersion, and Severity in Vulnerabilities are always filled with values, but other fields might be empty.

Template

Custom Template

  1. $ trivy image --format template --template "{{ range . }} {{ .Target }} {{ end }}" golang:1.12-alpine

Result

  1. 2020-01-02T18:02:32.856+0100 INFO Detecting Alpine vulnerabilities...
  2. golang:1.12-alpine (alpine 3.10.2)

You can compute different figures within the template using sprig functions. As an example you can summarize the different classes of issues:

  1. $ trivy image --format template --template '{{- $critical := 0 }}{{- $high := 0 }}{{- range . }}{{- range .Vulnerabilities }}{{- if eq .Severity "CRITICAL" }}{{- $critical = add $critical 1 }}{{- end }}{{- if eq .Severity "HIGH" }}{{- $high = add $high 1 }}{{- end }}{{- end }}{{- end }}Critical: {{ $critical }}, High: {{ $high }}' golang:1.12-alpine

Result

  1. Critical: 0, High: 2

For other features of sprig, see the official sprig documentation.

Load templates from a file

You can load templates from a file prefixing the template path with an @.

  1. $ trivy image --format template --template "@/path/to/template" golang:1.12-alpine

Default Templates

XML

In the following example using the template junit.tpl XML can be generated.

  1. $ trivy image --format template --template "@contrib/junit.tpl" -o junit-report.xml golang:1.12-alpine

SARIF

In the following example using the template sarif.tpl Sarif can be generated.

  1. $ trivy image --format template --template "@contrib/sarif.tpl" -o report.sarif golang:1.12-alpine

This SARIF format can be uploaded to GitHub code scanning results, and there is a Trivy GitHub Action for automating this process.

Trivy also supports an ASFF template for reporting findings to AWS Security Hub

HTML

  1. $ trivy image --format template --template "@contrib/html.tpl" -o report.html golang:1.12-alpine