Quick Start

Scan image for vulnerabilities

Simply specify an image name (and a tag).

  1. $ trivy image [YOUR_IMAGE_NAME]

For example:

  1. $ trivy image python:3.4-alpine

Result

  1. 2019-05-16T01:20:43.180+0900    INFO    Updating vulnerability database...
  2. 2019-05-16T01:20:53.029+0900    INFO    Detecting Alpine vulnerabilities...
  4. python:3.4-alpine3.9 (alpine 3.9.2)
  5. ===================================
  6. Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
  8. +---------+------------------+----------+-------------------+---------------+--------------------------------+
  9. | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
  10. +---------+------------------+----------+-------------------+---------------+--------------------------------+
  11. | openssl | CVE-2019-1543    | MEDIUM   | 1.1.1a-r1         | 1.1.1b-r1     | openssl: ChaCha20-Poly1305     |
  12. |         |                  |          |                   |               | with long nonces               |
  13. +---------+------------------+----------+-------------------+---------------+--------------------------------+

For more details, see here.

Scan directory for misconfigurations

Simply specify a directory containing IaC files such as Terraform and Dockerfile.

  1. $ trivy config [YOUR_IAC_DIR]

For example:

  1. $ ls build/
  2. Dockerfile
  3. $ trivy config ./build

Result

  1. 2021-07-09T10:06:29.188+0300    INFO    Need to update the built-in policies
  2. 2021-07-09T10:06:29.188+0300    INFO    Downloading the built-in policies...
  3. 2021-07-09T10:06:30.520+0300    INFO    Detected config files: 1
  5. Dockerfile (dockerfile)
  6. =======================
  7. Tests: 23 (SUCCESSES: 22, FAILURES: 1, EXCEPTIONS: 0)
  8. Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
  10. +---------------------------+------------+----------------------+----------+------------------------------------------+
  11. |           TYPE            | MISCONF ID |        CHECK         | SEVERITY |                 MESSAGE                  |
  12. +---------------------------+------------+----------------------+----------+------------------------------------------+
  13. | Dockerfile Security Check |   DS002    | Image user is 'root' |   HIGH   | Last USER command in                     |
  14. |                           |            |                      |          | Dockerfile should not be 'root'          |
  15. |                           |            |                      |          | -->avd.aquasec.com/appshield/ds002       |
  16. +---------------------------+------------+----------------------+----------+------------------------------------------+

For more details, see here.