https://github.com/aquasecurity/trivy
Security scanning CLI tool for vulnerabilities, leaked secrets and misconfigurations.
Scans:
- Files for secrets and configuration errors
- Docker images for CVE package vulnerabilities
On Mac, using Homebrew:
brew install trivy
On Debian / Ubuntu:
apt install trivy
Or download the latest binary from GitHub, or any specific version, using the DevOps-Bash-tools script:
install_trivy.sh # "$version"
which installs to /usr/local/bin/trivy, or to $HOME/bin/trivy if you don't have write permission to /usr/local/bin.
Add the --no-progress switch in CI/CD to minimize noise in the CI/CD logs.
Filesystem scan that exits with code 1 for any HIGH or CRITICAL level issues:
trivy fs "$dir" --exit-code 1 --severity HIGH,CRITICAL
Scan container images:
trivy image "$docker_image"
Scan the docker image for a given running container:
trivy image "$(docker inspect --format='{{.Image}}' "$container_id_or_name")"
Jenkins CI/CD functions for running Trivy are available here:
HariSekhon/Jenkins - vars/trivy.groovy
HariSekhon/Jenkins - vars/trivyFS.groovy
HariSekhon/Jenkins - vars/trivyImages.groovy
You can only put the rule ID in .trivyignore, but this ignores all instances of it:
.trivyignore:
gcp-service-account
Inline ignores in source files don't work:
# false positive - trivy:ignore:gcp-service-account doesn't work
# trivy:ignore:gcp-service-account
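The CI gating above (fail the build on HIGH or CRITICAL) and the .trivyignore behaviour (an ID is ignored in every target) can be reproduced over Trivy's JSON report, e.g. from trivy fs or trivy image with --format json, when a pipeline needs a summary rather than just the exit code. This is an added example, not Trivy's or DevOps-Bash-tools' code; the report embedded below is constructed and its CVE and check IDs are placeholders.

```python
"""Gate a CI job on a Trivy JSON report (trivy fs|image --format json).

Added example, not Trivy's own code. Counts HIGH/CRITICAL findings across
vulnerabilities, misconfigurations and secrets, skipping IDs the way
.trivyignore does (by ID, everywhere). The sample report is constructed.
"""
import json

FAIL_ON = {"HIGH", "CRITICAL"}

# Constructed sample in the shape of Trivy's JSON report; IDs are placeholders.
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "app (debian 12)", "Class": "os-pkgs", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample", "Severity": "LOW"}]},
    {"Target": "Dockerfile", "Class": "config", "Misconfigurations": [
        {"ID": "EXAMPLE-DS-001", "Title": "runs as root", "Severity": "HIGH"}]},
    {"Target": "config/creds.json", "Class": "secret", "Secrets": [
        {"RuleID": "gcp-service-account", "Severity": "CRITICAL", "StartLine": 3}]},
]})


def blocking_findings(report_json, ignore_ids=frozenset(), fail_on=FAIL_ON):
    """Return (id, target, severity) tuples that should fail the build."""
    hits = []
    for result in json.loads(report_json).get("Results", []):
        target = result.get("Target", "?")
        # Each finding class keys its identifier differently in the report.
        findings = (
            [(v["VulnerabilityID"], v["Severity"]) for v in result.get("Vulnerabilities", [])]
            + [(m["ID"], m["Severity"]) for m in result.get("Misconfigurations", [])]
            + [(s["RuleID"], s["Severity"]) for s in result.get("Secrets", [])]
        )
        for fid, sev in findings:
            # An ignored ID is skipped in every target, mirroring .trivyignore.
            if fid in ignore_ids or sev.upper() not in fail_on:
                continue
            hits.append((fid, target, sev.upper()))
    return hits


def exit_code(report_json, ignore_ids=frozenset()):
    """1 when anything blocking remains (same contract as --exit-code 1), else 0."""
    return 1 if blocking_findings(report_json, ignore_ids) else 0


if __name__ == "__main__":
    for fid, target, sev in blocking_findings(SAMPLE_REPORT):
        print(f"{sev:9} {fid:22} {target}")
    raise SystemExit(exit_code(SAMPLE_REPORT))
```

Feed it a real report with `trivy fs "$dir" --no-progress --format json > report.json` and pass the file contents to exit_code; the ignore set is the lines of your .trivyignore.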