Client/Server

Trivy has client/server mode. Trivy server has vulnerability database and Trivy client doesn’t have to download vulnerability database. It is useful if you want to scan images at multiple locations and do not want to download the database at every location.

Server

At first, you need to launch Trivy server. It downloads vulnerability database automatically and continue to fetch the latest DB in the background.

  1. $ trivy server --listen localhost:8080
  2. 2019-12-12T15:17:06.551+0200    INFO    Need to update DB
  3. 2019-12-12T15:17:56.706+0200    INFO    Reopening DB...
  4. 2019-12-12T15:17:56.707+0200    INFO    Listening localhost:8080...

If you want to accept a connection from outside, you have to specify 0.0.0.0 or your ip address, not localhost.

  1. $ trivy server --listen 0.0.0.0:8080

Client

Then, specify the remote address.

  1. $ trivy client --remote http://localhost:8080 alpine:3.10

Result

  1. alpine:3.10 (alpine 3.10.2)
  2. ===========================
  3. Total: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 2, HIGH: 0, CRITICAL: 0)
  5. +---------+------------------+----------+-------------------+---------------+
  6. | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |
  7. +---------+------------------+----------+-------------------+---------------+
  8. | openssl | CVE-2019-1549    | MEDIUM   | 1.1.1c-r0         | 1.1.1d-r0     |
  9. +         +------------------+          +                   +               +
  10. |         | CVE-2019-1563    |          |                   |               |
  11. +         +------------------+----------+                   +               +
  12. |         | CVE-2019-1547    | LOW      |                   |               |
  13. +---------+------------------+----------+-------------------+---------------+

Authentication

  1. $ trivy server --listen localhost:8080 --token dummy
  1. $ trivy client --remote http://localhost:8080 --token dummy alpine:3.10

Architecture

architecture