我的书签
添加书签
移除书签Git Repository
Scan your remote git repository
$ trivy repo https://github.com/knqyf263/trivy-ci-test
Result
2021-03-09T15:04:19.003+0200 INFO Detecting cargo vulnerabilities...2021-03-09T15:04:19.005+0200 INFO Detecting pipenv vulnerabilities...Cargo.lock==========Total: 7 (UNKNOWN: 7, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)+----------+-------------------+----------+-------------------+------------------------------+---------------------------------------------+| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |+----------+-------------------+----------+-------------------+------------------------------+---------------------------------------------+| ammonia | RUSTSEC-2019-0001 | UNKNOWN | 1.9.0 | >= 2.1.0 | Uncontrolled recursion leads || | | | | | to abort in HTML serialization || | | | | | -->rustsec.org/advisories/RUSTSEC-2019-0001 |+----------+-------------------+ +-------------------+------------------------------+---------------------------------------------+| openssl | RUSTSEC-2016-0001 | | 0.8.3 | >= 0.9.0 | SSL/TLS MitM vulnerability || | | | | | due to insecure defaults || | | | | | -->rustsec.org/advisories/RUSTSEC-2016-0001 |+----------+-------------------+ +-------------------+------------------------------+---------------------------------------------+| smallvec | RUSTSEC-2018-0018 | | 0.6.9 | >= 0.6.13 | smallvec creates uninitialized || | | | | | value of any type || | | | | | -->rustsec.org/advisories/RUSTSEC-2018-0018 |+ +-------------------+ + +------------------------------+---------------------------------------------+| | RUSTSEC-2019-0009 | | | >= 0.6.10 | Double-free and use-after-free || | | | | | in SmallVec::grow() || | | | | | -->rustsec.org/advisories/RUSTSEC-2019-0009 |+ +-------------------+ + + +---------------------------------------------+| | RUSTSEC-2019-0012 | | | | Memory corruption in SmallVec::grow() || | | | | | -->rustsec.org/advisories/RUSTSEC-2019-0012 |+ +-------------------+ + +------------------------------+---------------------------------------------+| | RUSTSEC-2021-0003 | | | >= 0.6.14, < 1.0.0, >= 1.6.1 | Buffer overflow in SmallVec::insert_many || | | | | | -->rustsec.org/advisories/RUSTSEC-2021-0003 |+----------+-------------------+ +-------------------+------------------------------+---------------------------------------------+| tempdir | RUSTSEC-2018-0017 | | 0.3.7 | | `tempdir` crate has been || | | | | | deprecated; use `tempfile` instead || | | | | | -->rustsec.org/advisories/RUSTSEC-2018-0017 |+----------+-------------------+----------+-------------------+------------------------------+---------------------------------------------+Pipfile.lock============Total: 20 (UNKNOWN: 3, LOW: 0, MEDIUM: 7, HIGH: 5, CRITICAL: 5)+---------------------+------------------+----------+-------------------+------------------------+---------------------------------------+| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |+---------------------+------------------+----------+-------------------+------------------------+---------------------------------------+| django | CVE-2019-19844 | CRITICAL | 2.0.9 | 3.0.1, 2.2.9, 1.11.27 | Django: crafted email address || | | | | | allows account takeover || | | | | | -->avd.aquasec.com/nvd/cve-2019-19844 |+ +------------------+ + +------------------------+---------------------------------------+| | CVE-2020-7471 | | | 3.0.3, 2.2.10, 1.11.28 | django: potential SQL injection || | | | | | via StringAgg(delimiter) || | | | | | -->avd.aquasec.com/nvd/cve-2020-7471 |+ +------------------+----------+ +------------------------+---------------------------------------+| | CVE-2019-6975 | HIGH | | 2.1.6, 2.0.11, 1.11.19 | python-django: memory exhaustion in || | | | | | django.utils.numberformat.format() || | | | | | -->avd.aquasec.com/nvd/cve-2019-6975 |+ +------------------+ + +------------------------+---------------------------------------+| | CVE-2020-9402 | | | 3.0.4, 2.2.11, 1.11.29 | django: potential SQL injection || | | | | | via "tolerance" parameter in || | | | | | GIS functions and aggregates... || | | | | | -->avd.aquasec.com/nvd/cve-2020-9402 |+ +------------------+----------+ +------------------------+---------------------------------------+| | CVE-2019-3498 | MEDIUM | | 2.1.5, 2.0.10, 1.11.18 | python-django: Content spoofing || | | | | | via URL path in default 404 page || | | | | | -->avd.aquasec.com/nvd/cve-2019-3498 |+ +------------------+ + +------------------------+---------------------------------------+| | CVE-2020-13254 | | | 3.0.7, 2.2.13 | django: potential data leakage || | | | | | via malformed memcached keys || | | | | | -->avd.aquasec.com/nvd/cve-2020-13254 |+ +------------------+ + + +---------------------------------------+| | CVE-2020-13596 | | | | django: possible XSS via || | | | | | admin ForeignKeyRawIdWidget || | | | | | -->avd.aquasec.com/nvd/cve-2020-13596 |+---------------------+------------------+----------+-------------------+------------------------+---------------------------------------+| django-cors-headers | pyup.io-37132 | UNKNOWN | 2.5.2 | 3.0.0 | In django-cors-headers || | | | | | version 3.0.0, || | | | | | ``CORS_ORIGIN_WHITELIST`` || | | | | | requires URI schemes, and || | | | | | optionally ports. This... |+---------------------+------------------+----------+-------------------+------------------------+---------------------------------------+| djangorestframework | CVE-2020-25626 | MEDIUM | 3.9.2 | 3.11.2 | django-rest-framework: XSS || | | | | | Vulnerability in API viewer || | | | | | -->avd.aquasec.com/nvd/cve-2020-25626 |+---------------------+------------------+----------+-------------------+------------------------+---------------------------------------+| httplib2 | CVE-2021-21240 | HIGH | 0.12.1 | 0.19.0 | python-httplib2: Regular || | | | | | expression denial of || | | | | | service via malicious header || | | | | | -->avd.aquasec.com/nvd/cve-2021-21240 |+ +------------------+----------+ +------------------------+---------------------------------------+| | CVE-2020-11078 | MEDIUM | | 0.18.0 | python-httplib2: CRLF injection || | | | | | via an attacker controlled || | | | | | unescaped part of uri for... || | | | | | -->avd.aquasec.com/nvd/cve-2020-11078 |+ +------------------+----------+ + +---------------------------------------+| | pyup.io-38303 | UNKNOWN | | | Httplib2 0.18.0 is an || | | | | | important security update to || | | | | | patch a CWE-93 CRLF... |+---------------------+------------------+ +-------------------+------------------------+---------------------------------------+| jinja2 | pyup.io-39525 | | 2.10.1 | 2.11.3 | This affects the package || | | | | | jinja2 from 0.0.0 and before || | | | | | 2.11.3. The ReDOS... |+---------------------+------------------+----------+-------------------+------------------------+---------------------------------------+| py | CVE-2020-29651 | HIGH | 1.8.0 | | python-py: ReDoS in the py.path.svnwc || | | | | | component via mailicious input || | | | | | to blame functionality... || | | | | | -->avd.aquasec.com/nvd/cve-2020-29651 |+---------------------+------------------+----------+-------------------+------------------------+---------------------------------------+| pyyaml | CVE-2019-20477 | CRITICAL | 5.1 | | PyYAML: command execution || | | | | | through python/object/apply || | | | | | constructor in FullLoader || | | | | | -->avd.aquasec.com/nvd/cve-2019-20477 |+ +------------------+ + +------------------------+---------------------------------------+| | CVE-2020-14343 | | | 5.4 | PyYAML: incomplete || | | | | | fix for CVE-2020-1747 || | | | | | -->avd.aquasec.com/nvd/cve-2020-14343 |+ +------------------+ + +------------------------+---------------------------------------+| | CVE-2020-1747 | | | 5.3.1 | PyYAML: arbitrary command || | | | | | execution through python/object/new || | | | | | when FullLoader is used || | | | | | -->avd.aquasec.com/nvd/cve-2020-1747 |+---------------------+------------------+----------+-------------------+------------------------+---------------------------------------+| urllib3 | CVE-2019-11324 | HIGH | 1.24.1 | 1.24.2 | python-urllib3: Certification || | | | | | mishandle when error should be thrown || | | | | | -->avd.aquasec.com/nvd/cve-2019-11324 |+ +------------------+----------+ +------------------------+---------------------------------------+| | CVE-2019-11236 | MEDIUM | | | python-urllib3: CRLF injection || | | | | | due to not encoding the || | | | | | '\r\n' sequence leading to... || | | | | | -->avd.aquasec.com/nvd/cve-2019-11236 |+ +------------------+ + +------------------------+---------------------------------------+| | CVE-2020-26137 | | | 1.25.9 | python-urllib3: CRLF injection || | | | | | via HTTP request method || | | | | | -->avd.aquasec.com/nvd/cve-2020-26137 |+---------------------+------------------+----------+-------------------+------------------------+---------------------------------------+
Scanning Private Repositories
In order to scan private GitHub or GitLab repositories, the environment variable GITHUB_TOKEN or GITLAB_TOKEN must be set, respectively, with a valid token that has access to the private repository being scanned.
The GITHUB_TOKEN environment variable will take precedence over GITLAB_TOKEN, so if a private GitLab repository will be scanned, then GITHUB_TOKEN must be unset.
For example:
$ export GITHUB_TOKEN="your_private_github_token"$ trivy repo <your private GitHub repo URL>$$ # or$ export GITLAB_TOKEN="your_private_gitlab_token"$ trivy repo <your private GitLab repo URL>
