trivy

Abstract

Scan containers

Features

Installation

RHEL/CentOS

Add repository setting to /etc/yum.repos.d.

$ sudo vim /etc/yum.repos.d/trivy.repo
[trivy]
name=Trivy repository
baseurl=https://knqyf263.github.io/trivy-repo/rpm/releases/$releasever/$basearch/
gpgcheck=0
enabled=1
$ sudo yum -y update
$ sudo yum -y install trivy

Debian/Ubuntu

Replace [CODE_NAME] with your code name

CODE_NAME: wheezy, jessie, stretch, buster, trusty, xenial, bionic

$ sudo apt-get install apt-transport-https gnupg
$ wget -qO - https://knqyf263.github.io/trivy-repo/deb/public.key | sudo apt-key add -
$ echo deb https://knqyf263.github.io/trivy-repo/deb [CODE_NAME] main | sudo tee -a /etc/apt/sources.list
$ sudo apt-get update
$ sudo apt-get install trivy

Mac OS X / Homebrew

You can use homebrew on OS X.

$ brew tap knqyf263/trivy
$ brew install knqyf263/trivy/trivy

Binary (Including Windows)

Go to the releases page, find the version you want, and download the zip file. Unpack the zip file, and put the binary to somewhere you want (on UNIX-y systems, /usr/local/bin or the like). Make sure it has execution bits turned on.

From source

$ go get -u github.com/knqyf263/trivy

Examples

Usage

$ trivy -h
NAME:
  trivy - A simple and comprehensive vulnerability scanner for containers
USAGE:
  main [options] image_name
VERSION:
  0.0.1
OPTIONS:
  --format value, -f value    format (table, json) (default: "table")
  --input value, -i value     input file path instead of image name
  --severity value, -s value  severities of vulnerabilities to be displayed (comma separated) (default: "CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN")
  --output value, -o value    output file name
  --skip-update               skip db update
  --clean, -c                 clean all cache
  --debug, -d                 debug mode
  --help, -h                  show help
  --version, -v               print the version

Q&A

Homebrew

Error: Your macOS keychain GitHub credentials do not have sufficient scope!

$ brew tap knqyf263/trivy
Error: Your macOS keychain GitHub credentials do not have sufficient scope!
Scopes they need: none
Scopes they have:
Create a personal access token:
  https://github.com/settings/tokens/new?scopes=gist,public_repo&description=Homebrew
echo 'export HOMEBREW_GITHUB_API_TOKEN=your_token_here' >> ~/.zshrc

Try:

$ printf "protocol=https\nhost=github.com\n" | git credential-osxkeychain erase 

Error: knqyf263/trivy/trivy 64 already installed

$ brew upgrade
...
Error: knqyf263/trivy/trivy 64 already installed

Try:

$ brew unlink trivy && brew uninstall trivy
($ rm -rf /usr/local/Cellar/trivy/64)
$ brew install knqyf263/trivy/trivy

Contribute

1. fork a repository: github.com/knqyf263/trivy to github.com/you/repo
2. get original code: go get github.com/knqyf263/trivy
3. work on original code
4. add remote to your repo: git remote add myfork https://github.com/you/repo.git
5. push your changes: git push myfork
6. create a new Pull Request

• see GitHub and Go: forking, pull requests, and go-getting

---

License

MIT

Author

Teppei Fukuda (knqyf263)