Others

Skip Files

Trivy traverses directories and looks for all lock files by default. If your image contains lock files that you do not maintain (for example, those shipped inside installed gems), you can skip them with --skip-files. Paths are absolute paths inside the image's filesystem and the option can be repeated. Note that a skipped file is not scanned at all, so only skip files whose contents you have assessed.

  $ trivy image --skip-files "/Gemfile.lock" --skip-files "/var/lib/gems/2.5.0/gems/http_parser.rb-0.6.0/Gemfile.lock" quay.io/fluentd_elasticsearch/fluentd:v2.9.0

Skip Directories

Trivy traverses directories and looks for all lock files by default. If your image contains lock files that you do not maintain, you can skip traversal of the directory that contains them with --skip-dirs. The option can be repeated. Everything under a skipped directory is excluded from the scan, so any vulnerabilities there go unreported.

  $ trivy image --skip-dirs /var/lib/gems/2.5.0/gems/fluent-plugin-detect-exceptions-0.0.13 --skip-dirs "/var/lib/gems/2.5.0/gems/http_parser.rb-0.6.0" quay.io/fluentd_elasticsearch/fluentd:v2.9.0

Exit Code

By default, Trivy exits with code 0 even when vulnerabilities are detected. Use the --exit-code option to make it exit with the given non-zero code when vulnerabilities are found.

  $ trivy image --exit-code 1 python:3.4-alpine3.9

Result

  2019-05-16T12:51:43.500+0900 INFO Updating vulnerability database...
  2019-05-16T12:52:00.387+0900 INFO Detecting Alpine vulnerabilities...

  python:3.4-alpine3.9 (alpine 3.9.2)
  ===================================
  Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

  +---------+------------------+----------+-------------------+---------------+--------------------------------+
  | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
  +---------+------------------+----------+-------------------+---------------+--------------------------------+
  | openssl | CVE-2019-1543    | MEDIUM   | 1.1.1a-r1         | 1.1.1b-r1     | openssl: ChaCha20-Poly1305     |
  |         |                  |          |                   |               | with long nonces               |
  +---------+------------------+----------+-------------------+---------------+--------------------------------+

This option is useful for CI/CD. Combined with --severity, which limits the severities that are reported, the following example prints MEDIUM and HIGH findings without failing the build and then fails (exit code 1) only when a CRITICAL vulnerability is found.

  $ trivy image --exit-code 0 --severity MEDIUM,HIGH ruby:2.4.0
  $ trivy image --exit-code 1 --severity CRITICAL ruby:2.4.0
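The two-step pattern above scans the image twice. An alternative is to run one scan with --exit-code 0 so the full report is kept, and then decide the build result from the per-severity counts in the "Total:" summary line. The POSIX shell below is an added example and not part of the Trivy project; the report text it parses is constructed from the output format shown above, and the function names (severity_count, gate) are the example's own.

```shell
#!/bin/sh
# Added example, not part of the Trivy project: gate a CI job on the severity
# counts in the "Total:" summary line of a saved Trivy report. This lets one
# scan (run with --exit-code 0 so nothing is hidden) be checked against any
# combination of severities afterwards.

# Constructed sample report, copied from the output format shown above.
# In a pipeline it would come from:  trivy image --exit-code 0 IMAGE > report.txt
SAMPLE_REPORT='2019-05-16T12:51:43.500+0900 INFO Detecting Alpine vulnerabilities...
python:3.4-alpine3.9 (alpine 3.9.2)
===================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)'

# severity_count REPORT SEVERITY
# Prints the count for SEVERITY taken from the first "Total:" line of REPORT,
# or 0 if that severity does not appear there.
severity_count() {
  n=$(printf '%s\n' "$1" |
      sed -n "s/^Total: .*[(, ]$2: \([0-9][0-9]*\).*/\1/p" |
      head -n 1)
  printf '%s\n' "${n:-0}"
}

# gate REPORT SEVERITY...
# Returns 1 (fails the job) if any of the listed severities has a non-zero
# count, printing which ones to stderr; returns 0 otherwise.
gate() {
  report=$1
  shift
  status=0
  for sev in "$@"; do
    n=$(severity_count "$report" "$sev")
    if [ "$n" -gt 0 ]; then
      echo "FAIL: $n $sev vulnerability(s) found" >&2
      status=1
    fi
  done
  return $status
}

# Fail the build on HIGH or CRITICAL only; the MEDIUM finding is reported
# in the saved report but tolerated.
gate "$SAMPLE_REPORT" HIGH CRITICAL && echo "gate passed: no HIGH/CRITICAL findings"
```

In a pipeline, replace SAMPLE_REPORT with the contents of the saved report (for example `gate "$(cat report.txt)" HIGH CRITICAL`). Because the scan itself runs with --exit-code 0, the lower-severity findings stay visible in the job log while the gate decides pass or fail.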

Reset

The --reset option removes all caches and the vulnerability database. The next scan will take considerably longer, because the vulnerability database has to be rebuilt locally.

  $ trivy image --reset

Result

  2019-05-16T13:05:31.935+0900 INFO Resetting...