Filesystem

Scan a filesystem (such as a host machine, a virtual machine image, or an unpacked container image filesystem).

  1. $ trivy fs /path/to/project

Local Project

Trivy will look for vulnerabilities based on lock files such as Gemfile.lock and package-lock.json.

  1. $ trivy fs ~/src/github.com/aquasecurity/trivy-ci-test

Result

  1. 2020-06-01T17:06:58.652+0300    WARN    OS is not detected and vulnerabilities in OS packages are not detected.
  2. 2020-06-01T17:06:58.652+0300    INFO    Detecting pipenv vulnerabilities...
  3. 2020-06-01T17:06:58.691+0300    INFO    Detecting cargo vulnerabilities...
  5. Pipfile.lock
  6. ============
  7. Total: 10 (UNKNOWN: 2, LOW: 0, MEDIUM: 6, HIGH: 2, CRITICAL: 0)
  9. +---------------------+------------------+----------+-------------------+------------------------+------------------------------------+
  10. |       LIBRARY       | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |     FIXED VERSION      |               TITLE                |
  11. +---------------------+------------------+----------+-------------------+------------------------+------------------------------------+
  12. | django              | CVE-2020-7471    | HIGH     | 2.0.9             | 3.0.3, 2.2.10, 1.11.28 | django: potential                  |
  13. |                     |                  |          |                   |                        | SQL injection via                  |
  14. |                     |                  |          |                   |                        | StringAgg(delimiter)               |
  15. +                     +------------------+----------+                   +------------------------+------------------------------------+
  16. |                     | CVE-2019-19844   | MEDIUM   |                   | 3.0.1, 2.2.9, 1.11.27  | Django: crafted email address      |
  17. |                     |                  |          |                   |                        | allows account takeover            |
  18. +                     +------------------+          +                   +------------------------+------------------------------------+
  19. |                     | CVE-2019-3498    |          |                   | 2.1.5, 2.0.10, 1.11.18 | python-django: Content             |
  20. |                     |                  |          |                   |                        | spoofing via URL path in           |
  21. |                     |                  |          |                   |                        | default 404 page                   |
  22. +                     +------------------+          +                   +------------------------+------------------------------------+
  23. |                     | CVE-2019-6975    |          |                   | 2.1.6, 2.0.11, 1.11.19 | python-django:                     |
  24. |                     |                  |          |                   |                        | memory exhaustion in               |
  25. |                     |                  |          |                   |                        | django.utils.numberformat.format() |
  26. +---------------------+------------------+----------+-------------------+------------------------+------------------------------------+
  27. ...

From Inside Containers

Scan your container from inside the container.

  1. $ docker run --rm -it alpine:3.11
  2. / # curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
  3. / # trivy fs /

Result

  1. 2021-03-08T05:22:26.378Z        INFO    Need to update DB
  2. 2021-03-08T05:22:26.380Z        INFO    Downloading DB...
  3. 20.37 MiB / 20.37 MiB [-------------------------------------------------------------------------------------------------------------------------------------] 100.00% 8.24 MiB p/s 2s
  4. 2021-03-08T05:22:30.134Z        INFO    Detecting Alpine vulnerabilities...
  5. 2021-03-08T05:22:30.138Z        INFO    Trivy skips scanning programming language libraries because no supported file was detected
  7. 313430f09696 (alpine 3.11.7)
  8. ============================
  9. Total: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 6, CRITICAL: 0)
  11. +--------------+------------------+----------+-------------------+---------------+---------------------------------------+
  12. |   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
  13. +--------------+------------------+----------+-------------------+---------------+---------------------------------------+
  14. | libcrypto1.1 | CVE-2021-23839   | HIGH     | 1.1.1i-r0         | 1.1.1j-r0     | openssl: incorrect SSLv2              |
  15. |              |                  |          |                   |               | rollback protection                   |
  16. |              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23839 |
  17. +              +------------------+          +                   +               +---------------------------------------+
  18. |              | CVE-2021-23840   |          |                   |               | openssl: integer                      |
  19. |              |                  |          |                   |               | overflow in CipherUpdate              |
  20. |              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23840 |
  21. +              +------------------+          +                   +               +---------------------------------------+
  22. |              | CVE-2021-23841   |          |                   |               | openssl: NULL pointer dereference     |
  23. |              |                  |          |                   |               | in X509_issuer_and_serial_hash()      |
  24. |              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23841 |
  25. +--------------+------------------+          +                   +               +---------------------------------------+
  26. | libssl1.1    | CVE-2021-23839   |          |                   |               | openssl: incorrect SSLv2              |
  27. |              |                  |          |                   |               | rollback protection                   |
  28. |              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23839 |
  29. +              +------------------+          +                   +               +---------------------------------------+
  30. |              | CVE-2021-23840   |          |                   |               | openssl: integer                      |
  31. |              |                  |          |                   |               | overflow in CipherUpdate              |
  32. |              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23840 |
  33. +              +------------------+          +                   +               +---------------------------------------+
  34. |              | CVE-2021-23841   |          |                   |               | openssl: NULL pointer dereference     |
  35. |              |                  |          |                   |               | in X509_issuer_and_serial_hash()      |
  36. |              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23841 |
  37. +--------------+------------------+----------+-------------------+---------------+---------------------------------------+