Quick Start

Scan image for vulnerabilities

Simply specify an image name (and a tag).

    $ trivy image [YOUR_IMAGE_NAME]

For example:

    $ trivy image python:3.4-alpine

Result

    2019-05-16T01:20:43.180+0900    INFO    Updating vulnerability database...
    2019-05-16T01:20:53.029+0900    INFO    Detecting Alpine vulnerabilities...

    python:3.4-alpine3.9 (alpine 3.9.2)
    ===================================
    Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

    +---------+------------------+----------+-------------------+---------------+--------------------------------+
    | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
    +---------+------------------+----------+-------------------+---------------+--------------------------------+
    | openssl | CVE-2019-1543    | MEDIUM   | 1.1.1a-r1         | 1.1.1b-r1     | openssl: ChaCha20-Poly1305     |
    |         |                  |          |                   |               | with long nonces               |
    +---------+------------------+----------+-------------------+---------------+--------------------------------+

For more details, see here.
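Trivy can also emit the same findings as JSON (`trivy image --format json --output report.json IMAGE`), which is the form you want when a pipeline has to make a decision rather than a human reading a table. The following is an added example, not part of the Trivy project or its documentation: it rebuilds the `Total: ...` summary line shown above from a constructed JSON report carrying the one openssl finding, and turns it into a pass/fail gate for a chosen severity threshold. Trivy's own `--exit-code` and `--severity` flags cover the common case; this shows the logic for when you need custom policy, such as ignoring findings that have no fixed version. The report shape (top-level `Results`, each with a `Vulnerabilities` list) is modelled on Trivy's JSON output; the sample data is constructed.

```python
import json
from collections import Counter

# Severity names in the order Trivy prints them in its summary line.
SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")

# Constructed sample report, shaped like `trivy image --format json python:3.4-alpine`
# and carrying the single finding from the table above.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "python:3.4-alpine",
    "Results": [
        {
            "Target": "python:3.4-alpine3.9 (alpine 3.9.2)",
            "Class": "os-pkgs",
            "Type": "alpine",
            "Vulnerabilities": [
                {
                    "VulnerabilityID": "CVE-2019-1543",
                    "PkgName": "openssl",
                    "InstalledVersion": "1.1.1a-r1",
                    "FixedVersion": "1.1.1b-r1",
                    "Severity": "MEDIUM",
                    "Title": "openssl: ChaCha20-Poly1305 with long nonces",
                },
            ],
        }
    ],
})


def iter_results(report):
    """Accept both the newer object form ({"Results": [...]}) and the older
    bare-list form of the report; a report with no results yields nothing."""
    if isinstance(report, list):
        return report
    return report.get("Results") or []


def count_by_severity(report_json, ignore_unfixed=False):
    """Count findings per severity. With ignore_unfixed=True, findings that have
    no FixedVersion (nothing to upgrade to yet) are left out of the count."""
    counts = Counter({s: 0 for s in SEVERITIES})
    for result in iter_results(json.loads(report_json)):
        # "Vulnerabilities" is absent or null when a target is clean.
        for vuln in result.get("Vulnerabilities") or []:
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            sev = str(vuln.get("Severity", "UNKNOWN")).upper()
            counts[sev if sev in SEVERITIES else "UNKNOWN"] += 1
    return dict(counts)


def summary_line(counts):
    """Render the counts in the same format as Trivy's table header line."""
    total = sum(counts.values())
    parts = ", ".join(f"{s}: {counts[s]}" for s in SEVERITIES)
    return f"Total: {total} ({parts})"


def should_fail(counts, threshold="HIGH"):
    """Gate decision: fail when any finding is at or above the threshold."""
    idx = SEVERITIES.index(threshold)
    return any(counts[s] > 0 for s in SEVERITIES[idx:])


if __name__ == "__main__":
    c = count_by_severity(SAMPLE_REPORT)
    print(summary_line(c))
    print("fail at HIGH:", should_fail(c, "HIGH"), "| fail at MEDIUM:", should_fail(c, "MEDIUM"))
```

Run against a real report with `count_by_severity(open("report.json").read())`; the `ignore_unfixed` switch mirrors what Trivy's `--ignore-unfixed` flag does at scan time, but applied after the fact so the full report is still kept for the record.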

Scan directory for misconfigurations

Simply specify a directory containing IaC files such as Terraform and Dockerfile.

    $ trivy config [YOUR_IAC_DIR]

For example:

    $ ls build/
    Dockerfile
    $ trivy config ./build

Result

    2021-07-09T10:06:29.188+0300    INFO    Need to update the built-in policies
    2021-07-09T10:06:29.188+0300    INFO    Downloading the built-in policies...
    2021-07-09T10:06:30.520+0300    INFO    Detected config files: 1

    Dockerfile (dockerfile)
    =======================
    Tests: 23 (SUCCESSES: 22, FAILURES: 1, EXCEPTIONS: 0)
    Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

    +---------------------------+------------+----------------------+----------+------------------------------------------+
    |           TYPE            | MISCONF ID |        CHECK         | SEVERITY |                 MESSAGE                  |
    +---------------------------+------------+----------------------+----------+------------------------------------------+
    | Dockerfile Security Check | DS002      | Image user is 'root' | HIGH     | Last USER command in                     |
    |                           |            |                      |          | Dockerfile should not be 'root'          |
    |                           |            |                      |          | -->avd.aquasec.com/appshield/ds002       |
    +---------------------------+------------+----------------------+----------+------------------------------------------+

For more details, see here.