Git Repository

Scan your remote git repository

  $ trivy repo https://github.com/knqyf263/trivy-ci-test

Result

  2021-03-09T15:04:19.003+0200 INFO Detecting cargo vulnerabilities...
  2021-03-09T15:04:19.005+0200 INFO Detecting pipenv vulnerabilities...

  Cargo.lock
  ==========
  Total: 7 (UNKNOWN: 7, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

  | LIBRARY  | VULNERABILITY ID  | SEVERITY | INSTALLED VERSION | FIXED VERSION                | TITLE                                                                                                  |
  |----------|-------------------|----------|-------------------|------------------------------|--------------------------------------------------------------------------------------------------------|
  | ammonia  | RUSTSEC-2019-0001 | UNKNOWN  | 1.9.0             | >= 2.1.0                     | Uncontrolled recursion leads to abort in HTML serialization (rustsec.org/advisories/RUSTSEC-2019-0001) |
  | openssl  | RUSTSEC-2016-0001 | UNKNOWN  | 0.8.3             | >= 0.9.0                     | SSL/TLS MitM vulnerability due to insecure defaults (rustsec.org/advisories/RUSTSEC-2016-0001)         |
  | smallvec | RUSTSEC-2018-0018 | UNKNOWN  | 0.6.9             | >= 0.6.13                    | smallvec creates uninitialized value of any type (rustsec.org/advisories/RUSTSEC-2018-0018)            |
  | smallvec | RUSTSEC-2019-0009 | UNKNOWN  | 0.6.9             | >= 0.6.10                    | Double-free and use-after-free in SmallVec::grow() (rustsec.org/advisories/RUSTSEC-2019-0009)          |
  | smallvec | RUSTSEC-2019-0012 | UNKNOWN  | 0.6.9             | >= 0.6.10                    | Memory corruption in SmallVec::grow() (rustsec.org/advisories/RUSTSEC-2019-0012)                       |
  | smallvec | RUSTSEC-2021-0003 | UNKNOWN  | 0.6.9             | >= 0.6.14, < 1.0.0, >= 1.6.1 | Buffer overflow in SmallVec::insert_many (rustsec.org/advisories/RUSTSEC-2021-0003)                    |
  | tempdir  | RUSTSEC-2018-0017 | UNKNOWN  | 0.3.7             |                              | `tempdir` crate has been deprecated; use `tempfile` instead (rustsec.org/advisories/RUSTSEC-2018-0017) |

  Pipfile.lock
  ============
  Total: 20 (UNKNOWN: 3, LOW: 0, MEDIUM: 7, HIGH: 5, CRITICAL: 5)

  | LIBRARY             | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION          | TITLE                                                                                                                                        |
  |---------------------|------------------|----------|-------------------|------------------------|----------------------------------------------------------------------------------------------------------------------------------------------|
  | django              | CVE-2019-19844   | CRITICAL | 2.0.9             | 3.0.1, 2.2.9, 1.11.27  | Django: crafted email address allows account takeover (avd.aquasec.com/nvd/cve-2019-19844)                                                   |
  | django              | CVE-2020-7471    | CRITICAL | 2.0.9             | 3.0.3, 2.2.10, 1.11.28 | django: potential SQL injection via StringAgg(delimiter) (avd.aquasec.com/nvd/cve-2020-7471)                                                 |
  | django              | CVE-2019-6975    | HIGH     | 2.0.9             | 2.1.6, 2.0.11, 1.11.19 | python-django: memory exhaustion in django.utils.numberformat.format() (avd.aquasec.com/nvd/cve-2019-6975)                                   |
  | django              | CVE-2020-9402    | HIGH     | 2.0.9             | 3.0.4, 2.2.11, 1.11.29 | django: potential SQL injection via "tolerance" parameter in GIS functions and aggregates... (avd.aquasec.com/nvd/cve-2020-9402)             |
  | django              | CVE-2019-3498    | MEDIUM   | 2.0.9             | 2.1.5, 2.0.10, 1.11.18 | python-django: Content spoofing via URL path in default 404 page (avd.aquasec.com/nvd/cve-2019-3498)                                         |
  | django              | CVE-2020-13254   | MEDIUM   | 2.0.9             | 3.0.7, 2.2.13          | django: potential data leakage via malformed memcached keys (avd.aquasec.com/nvd/cve-2020-13254)                                             |
  | django              | CVE-2020-13596   | MEDIUM   | 2.0.9             | 3.0.7, 2.2.13          | django: possible XSS via admin ForeignKeyRawIdWidget (avd.aquasec.com/nvd/cve-2020-13596)                                                    |
  | django-cors-headers | pyup.io-37132    | UNKNOWN  | 2.5.2             | 3.0.0                  | In django-cors-headers version 3.0.0, ``CORS_ORIGIN_WHITELIST`` requires URI schemes, and optionally ports. This...                          |
  | djangorestframework | CVE-2020-25626   | MEDIUM   | 3.9.2             | 3.11.2                 | django-rest-framework: XSS Vulnerability in API viewer (avd.aquasec.com/nvd/cve-2020-25626)                                                  |
  | httplib2            | CVE-2021-21240   | HIGH     | 0.12.1            | 0.19.0                 | python-httplib2: Regular expression denial of service via malicious header (avd.aquasec.com/nvd/cve-2021-21240)                              |
  | httplib2            | CVE-2020-11078   | MEDIUM   | 0.12.1            | 0.18.0                 | python-httplib2: CRLF injection via an attacker controlled unescaped part of uri for... (avd.aquasec.com/nvd/cve-2020-11078)                 |
  | httplib2            | pyup.io-38303    | UNKNOWN  | 0.12.1            | 0.18.0                 | Httplib2 0.18.0 is an important security update to patch a CWE-93 CRLF...                                                                    |
  | jinja2              | pyup.io-39525    | UNKNOWN  | 2.10.1            | 2.11.3                 | This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDOS...                                                                   |
  | py                  | CVE-2020-29651   | HIGH     | 1.8.0             |                        | python-py: ReDoS in the py.path.svnwc component via mailicious input to blame functionality... (avd.aquasec.com/nvd/cve-2020-29651)          |
  | pyyaml              | CVE-2019-20477   | CRITICAL | 5.1               |                        | PyYAML: command execution through python/object/apply constructor in FullLoader (avd.aquasec.com/nvd/cve-2019-20477)                         |
  | pyyaml              | CVE-2020-14343   | CRITICAL | 5.1               | 5.4                    | PyYAML: incomplete fix for CVE-2020-1747 (avd.aquasec.com/nvd/cve-2020-14343)                                                                |
  | pyyaml              | CVE-2020-1747    | CRITICAL | 5.1               | 5.3.1                  | PyYAML: arbitrary command execution through python/object/new when FullLoader is used (avd.aquasec.com/nvd/cve-2020-1747)                    |
  | urllib3             | CVE-2019-11324   | HIGH     | 1.24.1            | 1.24.2                 | python-urllib3: Certification mishandle when error should be thrown (avd.aquasec.com/nvd/cve-2019-11324)                                     |
  | urllib3             | CVE-2019-11236   | MEDIUM   | 1.24.1            |                        | python-urllib3: CRLF injection due to not encoding the '\r\n' sequence leading to... (avd.aquasec.com/nvd/cve-2019-11236)                    |
  | urllib3             | CVE-2020-26137   | MEDIUM   | 1.24.1            | 1.25.9                 | python-urllib3: CRLF injection via HTTP request method (avd.aquasec.com/nvd/cve-2020-26137)                                                  |

Note that every RustSec finding in Cargo.lock is reported with severity UNKNOWN: the advisory source carries no CVSS-derived rating, not because the issues are minor (two of them are memory-safety bugs in smallvec). A severity filter that lists only HIGH and CRITICAL would drop all seven.

Scanning Private Repositories

To scan a private GitHub or GitLab repository, set the environment variable GITHUB_TOKEN or GITLAB_TOKEN, respectively, to a token that has read access to the repository being scanned. The token is read from the environment only; it is never passed on the command line.

GITHUB_TOKEN takes precedence over GITLAB_TOKEN. If both are set and a private GitLab repository is scanned, Trivy will try the GitHub token, so GITHUB_TOKEN must be unset before scanning GitLab.

For example:

  $ export GITHUB_TOKEN="your_private_github_token"
  $ trivy repo <your private GitHub repo URL>
  $
  $ # or
  $ export GITLAB_TOKEN="your_private_gitlab_token"
  $ trivy repo <your private GitLab repo URL>
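The token precedence above is easy to get wrong in CI, where both tokens are often injected as pipeline secrets. The wrapper below is an added example, not part of the Trivy documentation or the Trivy project: it picks the token variable that matches the repository host, unsets the other one inside a subshell so the caller's environment is untouched, and runs `trivy repo` as a build gate. It assumes `trivy` is on PATH and that the repository lives on github.com or gitlab.com (self-hosted instances are not covered by this page, so the helper refuses them). The `--exit-code` and `--severity` flags are Trivy's own; UNKNOWN is listed explicitly because the RustSec findings in the scan above would otherwise never fail the build.

```shell
#!/bin/sh
# Added example (not from the Trivy docs): select the right token variable for
# the repository host, unset the other so GITHUB_TOKEN cannot shadow
# GITLAB_TOKEN, and run `trivy repo` as a CI gate.

# Print the name of the environment variable Trivy reads for this URL.
# Prints nothing for hosts this page does not cover (assumption: only the
# public github.com and gitlab.com hosts are handled here).
token_var_for_url() {
    case "$1" in
        https://github.com/*) echo GITHUB_TOKEN ;;
        https://gitlab.com/*) echo GITLAB_TOKEN ;;
        *) echo "" ;;
    esac
}

# Scan a private repository with exactly one token variable exported.
# Returns 2 on a configuration problem (unsupported host, token not set);
# otherwise returns Trivy's exit status, which is 1 when findings at the
# listed severities exist because of --exit-code 1.
scan_private_repo() {
    url=$1
    var=$(token_var_for_url "$url")
    if [ -z "$var" ]; then
        echo "scan_private_repo: no token-based auth for host in $url" >&2
        return 2
    fi
    # Read the token value by variable name; it stays in the environment and
    # never appears in the argument list (no leak via `ps` or CI logs).
    eval "token=\${$var:-}"
    if [ -z "$token" ]; then
        echo "scan_private_repo: $var is not set" >&2
        return 2
    fi
    # Subshell: the unset and export below must not leak into the caller.
    (
        case "$var" in
            GITHUB_TOKEN) unset GITLAB_TOKEN ;;
            GITLAB_TOKEN) unset GITHUB_TOKEN ;;
        esac
        export "$var"
        # UNKNOWN is listed on purpose: a filter of only HIGH,CRITICAL would
        # silently drop findings with no severity rating (e.g. RUSTSEC advisories).
        trivy repo --exit-code 1 --severity UNKNOWN,HIGH,CRITICAL "$url"
    )
}
```

Usage in a pipeline step: `scan_private_repo "https://gitlab.com/<group>/<project>" || exit $?` with GITLAB_TOKEN (and, harmlessly, GITHUB_TOKEN) present in the job environment; the GitLab branch of the wrapper unsets GITHUB_TOKEN before Trivy runs, which is the step the precedence rule above requires.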