Examples of tinkering with Trivy vulnerability scanner
Always consult the latest Trivy documentation. These notes are meant to be a general guide, but may be out of date with the latest Trivy. At the time of writing, 0.22.0 was the latest.
Trivy can be used to scan Docker images (your own or public ones) on your local system. It can be run either as a Docker image or installed natively on an O/S.
Trivy can be integrated into your Continuous Integration (CI) process. This is advantageous because vulnerabilities can be determined prior to pushing a release package to an artifact repository.
- Install Docker for your O/S.
- Pull the latest Trivy Docker image:
  ```shell
  docker pull aquasec/trivy:latest
  ```
- Install Trivy for your O/S. Recommend using the install script.
Note: these examples are run from Windows, with the Trivy cache mounted at C:\temp-trivy. Change this to whatever directory you want to use to cache the Trivy database.
To scan Docker images locally via the Docker container, you must mount docker.sock, e.g. -v //var/run/docker.sock:/var/run/docker.sock. Without this, it will scan remote images only and will not scan any locally built images you have.
These examples show running Trivy both as a Docker container (option 1) and natively (option 2).
Various command line interface options exist, such as specifying the exit code to use if there are findings.
The Docker commands below are multi-line escaped with back-ticks (PowerShell). Replace the back-ticks with \ for Linux.
Option 1 (Docker container):
```powershell
docker run --rm `
  -v //var/run/docker.sock:/var/run/docker.sock `
  -v C:\temp-trivy:/root/.cache/ aquasec/trivy:latest `
  image hello-world
```
Option 2 (native):
```shell
trivy image hello-world
```
Option 1 (Docker container):
```powershell
docker run --rm `
  -v //var/run/docker.sock:/var/run/docker.sock `
  -v C:\temp-trivy:/root/.cache/ aquasec/trivy:latest `
  image node:14-alpine
```
Option 2 (native; `trivy image` takes a single image reference):
```shell
trivy image node:14-alpine
```
With the Docker image, the folder to scan must be mounted as a path inside the container. This example uses the ./configs/ directory in this repository.
Option 1 (Docker container):
```powershell
docker run --rm `
  -v //var/run/docker.sock:/var/run/docker.sock `
  -v $PWD/configs:/root/configs/ `
  -v C:\temp-trivy:/root/.cache/ `
  aquasec/trivy:latest `
  fs --security-checks vuln,config /root/configs
```
Option 2 (native):
```shell
trivy fs --security-checks vuln,config ./configs
```
See Advanced configuration for all examples.
Sometimes there is no reasonable fix for a vulnerability. A vulnerability can be assessed and suppressed if deemed acceptable by the community.
The CLI allows specifying a .trivyignore file (the default location is .trivyignore in the current working directory).
Option 1 (Docker container):
```powershell
docker run --rm -v $PWD/.trivyignore:/.trivyignore -v $PWD/configs:/root/configs/ -v C:\temp-trivy:/root/.cache/ aquasec/trivy:latest fs --security-checks vuln,config /root/configs
```
For non-Docker usage, the .trivyignore file is already in the correct location if running Trivy from the root directory. Try editing the file to filter / unfilter things.
Option 2 (native):
```shell
trivy fs --security-checks vuln,config ./configs
```
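The two ideas above (failing a CI build on findings, and suppressing accepted ones through .trivyignore) can also be applied to Trivy's JSON report after the scan. The following is an added example, not Trivy's own code or part of this repository: it reads a report produced with `trivy image --format json --output report.json <image>` (`--format` and `--output` are real Trivy flags; the image name is whatever you scan), applies a .trivyignore-style list, and returns the exit code a pipeline should use. The report and ignore file embedded below are constructed samples with made-up CVE IDs, packages and versions; the functions `gate` and `exit_code` are names chosen for this example.

```python
"""Added example: a CI gate over a Trivy JSON report plus a .trivyignore list.

Real usage:  python gate.py report.json .trivyignore
With no arguments the constructed sample data below is used instead.
"""
import json
import sys
from typing import Dict, List, Set

# Severity labels as they appear in Trivy reports, in increasing order.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed .trivyignore content: one vulnerability ID per line, '#' comments.
SAMPLE_TRIVYIGNORE = """\
# Accepted: only reachable in a code path this image never executes
CVE-2021-0001
"""

# Constructed report shaped like `trivy image --format json` output
# (Results -> Vulnerabilities). IDs, packages and versions are made up.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "example/app:1.0",
    "Results": [
        {
            "Target": "example/app:1.0 (alpine 3.14.2)",
            "Class": "os-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2021-0001", "PkgName": "libfoo",
                 "InstalledVersion": "1.0-r0", "FixedVersion": "1.0-r1",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-2021-0002", "PkgName": "libbar",
                 "InstalledVersion": "2.3", "FixedVersion": "",
                 "Severity": "LOW"},
            ],
        },
        {
            "Target": "app/package-lock.json",
            "Class": "lang-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2021-0003", "PkgName": "lodash",
                 "InstalledVersion": "4.17.20", "FixedVersion": "4.17.21",
                 "Severity": "CRITICAL"},
            ],
        },
    ],
}


def parse_trivyignore(text: str) -> Set[str]:
    """Return the vulnerability IDs listed in a .trivyignore file (blank and '#' lines skipped)."""
    ids: Set[str] = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            ids.add(line)
    return ids


def findings(report: dict) -> List[dict]:
    """Flatten every vulnerability in the report, tagging each with the Target it came from."""
    out: List[dict] = []
    for result in report.get("Results", []):
        # Trivy emits null (None) for Vulnerabilities when a target is clean.
        for vuln in result.get("Vulnerabilities") or []:
            item = dict(vuln)
            item["Target"] = result.get("Target", "")
            out.append(item)
    return out


def gate(report: dict, ignore_text: str, min_severity: str = "HIGH") -> Dict[str, List[str]]:
    """Bucket findings into 'blocking', 'ignored' and 'below_threshold'."""
    ignored_ids = parse_trivyignore(ignore_text)
    threshold = SEVERITY_RANK[min_severity]
    buckets: Dict[str, List[str]] = {"blocking": [], "ignored": [], "below_threshold": []}
    for f in findings(report):
        vid = f["VulnerabilityID"]
        if vid in ignored_ids:
            buckets["ignored"].append(vid)
        elif SEVERITY_RANK.get(f.get("Severity", "UNKNOWN"), 0) >= threshold:
            buckets["blocking"].append(vid)
        else:
            buckets["below_threshold"].append(vid)
    return buckets


def exit_code(report: dict, ignore_text: str, min_severity: str = "HIGH") -> int:
    """Mirror Trivy's own --exit-code behaviour: 1 while any blocking finding remains."""
    return 1 if gate(report, ignore_text, min_severity)["blocking"] else 0


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fh:
            report = json.load(fh)
        with open(sys.argv[2]) as fh:
            ignore = fh.read()
    else:
        report, ignore = SAMPLE_REPORT, SAMPLE_TRIVYIGNORE
    for bucket, ids in gate(report, ignore).items():
        print(f"{bucket}: {', '.join(ids) or '-'}")
    sys.exit(exit_code(report, ignore))
```

Trivy's own `--exit-code 1 --severity HIGH,CRITICAL --ignorefile .trivyignore` achieves the same gate in one step; the script is useful when a pipeline also wants to record which findings were suppressed and why.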
If scanning your built Docker image, you may come across vulnerabilities that do not seem to be caused by your Dockerfile or software. Trivy tries to separate vulnerabilities in the base image from those in the contents added by your image. However, depending on the base image, that distinction may be hard to make. For example, alpine-node contains vulnerable node packages, but these show up in the node packages section of the vulnerability report, not in the base image report.
So, consider scanning the base image of your custom containers, in addition to the final image.
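One way to act on that advice is to scan both images with `--format json` and diff the two reports, so that findings inherited from the base image are separated from those your Dockerfile or application packages introduced. The following is an added example, not Trivy's own code or part of this repository; it expects two reports produced with `trivy image --format json --output base.json <base-image>` and `trivy image --format json --output final.json <your-image>`. The embedded reports are constructed samples with made-up CVE IDs, packages and versions; the base sample deliberately carries a finding under a language-package target (the npm bundled with node) to show that such a finding is still inherited even though Trivy lists it outside the OS-package target. `finding_keys` and `classify` are names chosen for this example.

```python
"""Added example: separate inherited from introduced findings across two Trivy reports.

Real usage:  python diff.py base.json final.json
With no arguments the constructed sample reports below are used instead.
"""
import json
import sys
from typing import Dict, List, Tuple

# A finding is identified by (vulnerability ID, package, installed version):
# the same CVE against a different package version is a different finding.
Key = Tuple[str, str, str]

# Constructed reports shaped like `trivy image --format json` output.
BASE_REPORT = {
    "Results": [
        {"Target": "node:14-alpine (alpine 3.14.2)", "Class": "os-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2021-1001", "PkgName": "busybox",
              "InstalledVersion": "1.33.1-r3", "Severity": "MEDIUM"}]},
        # Language packages shipped by the base image itself (npm bundled with node).
        {"Target": "usr/local/lib/node_modules/npm/package.json", "Class": "lang-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2021-1002", "PkgName": "tar",
              "InstalledVersion": "6.1.0", "Severity": "HIGH"}]},
    ]
}
FINAL_REPORT = {
    "Results": [
        {"Target": "example/app:1.0 (alpine 3.14.2)", "Class": "os-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2021-1001", "PkgName": "busybox",
              "InstalledVersion": "1.33.1-r3", "Severity": "MEDIUM"},
             # Added by an `apk add curl` in the Dockerfile (constructed).
             {"VulnerabilityID": "CVE-2021-1003", "PkgName": "curl",
              "InstalledVersion": "7.78.0-r0", "Severity": "HIGH"}]},
        {"Target": "usr/local/lib/node_modules/npm/package.json", "Class": "lang-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2021-1002", "PkgName": "tar",
              "InstalledVersion": "6.1.0", "Severity": "HIGH"}]},
        # The application's own dependencies.
        {"Target": "app/package-lock.json", "Class": "lang-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2021-1004", "PkgName": "minimist",
              "InstalledVersion": "1.2.5", "Severity": "MEDIUM"}]},
    ]
}


def finding_keys(report: dict) -> Dict[Key, str]:
    """Map each finding in a report to the Target it was reported under."""
    keys: Dict[Key, str] = {}
    for result in report.get("Results", []):
        # Trivy emits null (None) for Vulnerabilities when a target is clean.
        for v in result.get("Vulnerabilities") or []:
            key = (v["VulnerabilityID"], v["PkgName"], v["InstalledVersion"])
            keys[key] = result.get("Target", "")
    return keys


def classify(base: dict, final: dict) -> Dict[str, List[Key]]:
    """Split the final image's findings into those inherited from the base and those
    introduced on top of it, and list base findings no longer present in the final
    image (for example after an `apk upgrade` in the Dockerfile)."""
    base_keys, final_keys = finding_keys(base), finding_keys(final)
    return {
        "inherited": sorted(k for k in final_keys if k in base_keys),
        "introduced": sorted(k for k in final_keys if k not in base_keys),
        "removed": sorted(k for k in base_keys if k not in final_keys),
    }


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fh:
            base = json.load(fh)
        with open(sys.argv[2]) as fh:
            final = json.load(fh)
    else:
        base, final = BASE_REPORT, FINAL_REPORT
    targets = finding_keys(final)
    for bucket, keys in classify(base, final).items():
        print(f"{bucket}:")
        for key in keys:
            print(f"  {key[0]} {key[1]} {key[2]}  ({targets.get(key, 'base only')})")
```

Findings in the "inherited" bucket are the ones to chase in the base image (newer tag, or a different base), while "introduced" findings are the ones your Dockerfile or lock file can fix directly.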