# Trivy — All-in-One Security Scanner for Containers & Code

> Trivy is an open-source, comprehensive security scanner that finds vulnerabilities, misconfigurations and secrets in container images, Kubernetes clusters, code repositories and cloud configuration, and generates and scans SBOMs.

## Quick Use

```bash
# Install
brew install trivy            # macOS
sudo apt-get install trivy    # Debian/Ubuntu, after adding Aqua's apt repository (see Installation)

# Scan a Docker image
trivy image nginx:latest

# Scan a Git repository
trivy repo https://github.com/your/repo

# Scan a Kubernetes cluster (the `cluster` target is required on Trivy < 0.50 and was removed in 0.50+)
trivy k8s --report=summary cluster

# Scan a local filesystem
trivy fs /path/to/project
```

## Intro

**Trivy** is a comprehensive, easy-to-use, open-source security scanner by Aqua Security. It finds vulnerabilities (OS packages, language dependencies), misconfigurations (Terraform, Dockerfile, Kubernetes), secrets (API keys, passwords) and license issues, and generates SBOMs, all from a single binary with zero configuration. With 34.5K+ GitHub stars and an Apache-2.0 license, Trivy has become a de facto standard for container security scanning, integrated into CI/CD pipelines at thousands of organizations worldwide.

## What Trivy Scans

### Vulnerabilities

- **OS Packages**: Alpine, Debian, Ubuntu, RHEL, CentOS, Oracle Linux, Amazon Linux, etc.
- **Language Dependencies**: npm, pip, gem, cargo, composer, nuget, go.mod, maven, gradle
- **Container Images**: Docker, Podman, containerd
- **Kubernetes**: Running clusters, YAML manifests

### Misconfigurations (IaC)

- **Infrastructure**: Terraform, CloudFormation, ARM templates
- **Containers**: Dockerfile, Containerfile
- **Kubernetes**: YAML manifests, Helm charts, Kustomize
- **Cloud**: AWS, Azure, GCP configurations

### Secrets

- **API Keys**: AWS, GCP, Azure, GitHub, GitLab, Slack, Stripe, etc.
- **Private Keys**: RSA, SSH, JWT secrets
- **Credentials**: Passwords, tokens, connection strings

### Other

- **License Compliance**: OSS license detection
- **SBOM**: Generate SBOMs (CycloneDX, SPDX) and scan existing ones for vulnerabilities

## Installation

### Binary

```bash
# macOS
brew install trivy

# Debian/Ubuntu (apt-key is deprecated: keep the key in a keyring and bind it to the repo with signed-by)
sudo apt-get install wget gnupg
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy

# Or use the project's install script (release archives are versioned, so there is no
# stable "latest" tarball URL). Append a version tag as the last argument to pin a release,
# and review the script before piping it into sh.
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
```

### Docker

```bash
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy image nginx:latest
```

The socket mount is only needed for images that exist locally rather than in a registry. Mount a cache directory as well (`-v "$HOME/.cache/trivy:/root/.cache/"`) so the vulnerability database is not re-downloaded on every run.

### Kubernetes (Trivy Operator)

```bash
helm repo add aqua https://aquasecurity.github.io/helm-charts/
helm install trivy-operator aqua/trivy-operator --namespace trivy-system --create-namespace
```

## Usage Examples

### Scan Container Image

```bash
# Basic scan
trivy image nginx:latest

# Only HIGH and CRITICAL vulnerabilities
trivy image --severity HIGH,CRITICAL nginx:latest

# Fail CI if matching vulnerabilities are found (non-zero exit status)
trivy image --exit-code 1 --severity HIGH,CRITICAL nginx:latest

# Output in JSON
trivy image --format json --output results.json nginx:latest

# Ignore vulnerabilities that have no fixed version yet
trivy image --ignore-unfixed nginx:latest

# Skip OS packages, scan only language dependencies
# (Trivy 0.50+ renames this flag to --pkg-types; --vuln-type is kept as an alias)
trivy image --vuln-type library nginx:latest
```

### Scan Git Repository

```bash
# Scan all aspects of a repository
trivy repo https://github.com/your/repo

# Scan only for secrets
trivy repo --scanners secret https://github.com/your/repo

# Scan only for IaC misconfigurations
trivy repo --scanners misconfig https://github.com/your/repo
```

### Scan Filesystem

```bash
# Scan a local directory
trivy fs /path/to/project

# Enable all three scanners (vuln and secret are on by default; misconfig is not)
trivy fs --scanners vuln,misconfig,secret \
  /path/to/project

# Skip directories you do not want scanned (e.g. vendored dependencies)
trivy fs --skip-dirs node_modules /path/to/project
```

### Scan Kubernetes

```bash
# Scan the entire cluster
# (Trivy < 0.50 needs the `cluster` target; on 0.50+ drop it: `trivy k8s --report summary`)
trivy k8s cluster

# Scan a single namespace (`all` = every resource in that namespace; omit it on 0.50+)
trivy k8s --namespace production all

# Summary report instead of the full per-resource table
trivy k8s --report=summary cluster

# Scan a single manifest file (static analysis; no cluster access needed)
trivy config kubernetes/deployment.yaml
```

### Scan Terraform

```bash
trivy config terraform/

# Only show HIGH and CRITICAL issues
trivy config --severity HIGH,CRITICAL terraform/
```

## CI/CD Integration

### GitHub Actions

```yaml
name: Trivy scan
on: [push, pull_request]

permissions:
  contents: read
  security-events: write   # needed by upload-sarif

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner
        # Pin to a release tag or commit SHA in production rather than @master
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
          exit-code: '1'

      - name: Upload results to GitHub
        # exit-code 1 fails the previous step; without always() the findings never reach the Security tab
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'
```

### GitLab CI

```yaml
trivy-scan:
  image:
    name: aquasec/trivy:latest
    entrypoint: [""]   # the image's entrypoint is `trivy`; clear it so `script` runs in a shell
  variables:
    TRIVY_USERNAME: $CI_REGISTRY_USER       # registry credentials for `trivy image`
    TRIVY_PASSWORD: $CI_REGISTRY_PASSWORD
  script:
    - trivy fs --exit-code 1 --severity HIGH,CRITICAL .
    - trivy image --exit-code 1 --severity HIGH,CRITICAL $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
```

The `trivy image` line assumes an earlier job already pushed `$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA`.

### Docker Scanning in Build Pipeline

```bash
# Build image
docker build -t myapp:latest .
# Scan before pushing; a non-zero exit status aborts the pipeline here
trivy image --exit-code 1 --severity HIGH,CRITICAL myapp:latest

# Push only if the scan passed
docker push myapp:latest
```

## Report Output

```
nginx:latest (debian 12.1)
==========================
Total: 45 (HIGH: 30, CRITICAL: 15)

┌──────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┐
│ Library  │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │
├──────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┤
│ libc-bin │ CVE-2023-XXXX │ HIGH     │ fixed  │ 2.36-9            │ 2.36-9+deb12u1│
│ libssl3  │ CVE-2023-YYYY │ CRITICAL │ fixed  │ 3.0.9-1           │ 3.0.11-1~deb12│
└──────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┘
```

(CVE identifiers are shown as placeholders.) `Status: fixed` means the distribution ships a patched package version; rows with any other status are the ones `--ignore-unfixed` drops.

## SBOM Generation

```bash
# Generate a CycloneDX SBOM
trivy image --format cyclonedx --output sbom.json nginx:latest

# Generate an SPDX SBOM
trivy image --format spdx-json --output sbom.spdx.json nginx:latest

# Scan an existing SBOM for vulnerabilities
trivy sbom sbom.json
```

## Trivy vs Alternatives

| Feature | Trivy | Snyk | Grype | Clair |
|---------|-------|------|-------|-------|
| Open source | Yes (Apache-2.0) | No (free tier) | Yes (Apache-2.0) | Yes (Apache-2.0) |
| Container scanning | Yes | Yes | Yes | Yes |
| IaC scanning | Yes | Yes | No | No |
| Secret scanning | Yes | Yes | No | No |
| K8s scanning | Yes | Yes | No | Limited |
| License scanning | Yes | Yes | No | No |
| SBOM generation | Yes | Yes | Via Syft (companion tool) | No |
| CI/CD integration | Easy | Easy | Easy | Complex |
| Offline mode | Yes | Limited | Yes | Yes |

## FAQ

**Q: How fast is a scan?**
A: Fast. A typical Docker image scan finishes in 10-30 seconds. The first run downloads the vulnerability database (a few hundred MB on disk); later scans use the local cache.

**Q: How often is the database updated?**
A: Trivy's vulnerability database is rebuilt every 6 hours from official sources such as NVD, Alpine secdb and the Debian Security Tracker. Run `trivy image --download-db-only` to refresh it manually.

**Q: Can it be used offline?**
A: Yes. Download the database on a connected machine (`trivy image --download-db-only`, optionally with `--cache-dir`), copy the cache directory to the isolated host, and run scans there with `--skip-db-update`. Add `--offline-scan` to suppress the remaining network lookups (for example, Maven dependency resolution). This suits scanning in restricted environments.

## Sources & Credits

- GitHub: [aquasecurity/trivy](https://github.com/aquasecurity/trivy) — 34.5K+ ⭐ | Apache-2.0
- Website: [trivy.dev](https://trivy.dev)

---
Source: https://tokrepo.com/en/workflows/302fe2bb-3535-11f1-9bc6-00163e2b0d79
Author: Script Depot
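The CI gates in the CI/CD Integration section rely on Trivy's built-in filters (`--severity`, `--ignore-unfixed`, `--exit-code`, `.trivyignore`). When a pipeline needs a decision those flags cannot express, the usual pattern is to save the report with `--format json` and decide in a small script. The following is an added example, not code from the Trivy project or from the original page. It reads the JSON that `trivy image --format json` writes (`Results[].Vulnerabilities`, `.Misconfigurations`, `.Secrets`), re-implements the severity threshold, the unfixed filter and the `.trivyignore` `exp:` expiry date, and adds a pull-request mode that fails only on findings absent from a scan of the base image. The embedded reports, CVE placeholders, package names and the `trivy_gate.py` file name are all constructed for the example.

```python
import json
import sys
from datetime import date

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample shaped like `trivy image --format json` output; CVE ids are placeholders.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "Results": [
        {"Target": "myapp:latest (debian 12.1)", "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2023-XXXX", "PkgName": "libc-bin", "Severity": "HIGH",
              "InstalledVersion": "2.36-9", "FixedVersion": "2.36-9+deb12u1", "Status": "fixed"},
             {"VulnerabilityID": "CVE-2023-YYYY", "PkgName": "libssl3", "Severity": "CRITICAL",
              "InstalledVersion": "3.0.9-1", "FixedVersion": "3.0.11-1~deb12u1", "Status": "fixed"},
             {"VulnerabilityID": "CVE-2023-ZZZZ", "PkgName": "perl-base", "Severity": "HIGH",
              "InstalledVersion": "5.36.0-7", "Status": "affected"},  # no FixedVersion yet
         ]},
        {"Target": "Dockerfile", "Class": "config", "Type": "dockerfile",
         "Misconfigurations": [
             {"ID": "DS002", "Severity": "HIGH", "Status": "FAIL", "Title": "Image user should not be 'root'"},
             {"ID": "DS026", "Severity": "LOW", "Status": "PASS", "Title": "No HEALTHCHECK defined"},
         ]},
        {"Target": "app/config.env", "Class": "secret",
         "Secrets": [{"RuleID": "aws-access-key-id", "Severity": "CRITICAL", "Title": "AWS Access Key ID"}]},
    ],
}
# Constructed scan of the base image: only the libc-bin and libssl3 findings exist there.
SAMPLE_BASELINE = {
    "Results": [{"Target": "myapp:base (debian 12.1)", "Class": "os-pkgs", "Type": "debian",
                 "Vulnerabilities": SAMPLE_REPORT["Results"][0]["Vulnerabilities"][:2]}],
}

def parse_trivyignore(text, today=None):
    """Parse .trivyignore text: one finding ID per line, '#' comments, and an optional
    'exp:YYYY-MM-DD' token after the ID (the entry stops applying on that date)."""
    today = date.fromisoformat(today) if isinstance(today, str) else (today or date.today())
    ignored = set()
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        exp = next((p[4:] for p in parts[1:] if p.startswith("exp:")), None)
        if exp is None or today < date.fromisoformat(exp):
            ignored.add(parts[0])
    return ignored

def collect_findings(report):
    """Flatten Results[].Vulnerabilities / .Misconfigurations / .Secrets into one list."""
    out = []
    for res in report.get("Results", []):
        target = res.get("Target", "")
        for v in res.get("Vulnerabilities") or []:
            out.append({"kind": "vuln", "id": v["VulnerabilityID"], "target": target,
                        "pkg": v.get("PkgName", ""), "severity": v.get("Severity", "UNKNOWN"),
                        "fixed": bool(v.get("FixedVersion"))})
        for m in res.get("Misconfigurations") or []:
            if m.get("Status") == "PASS":  # passing checks are listed with --include-non-failures
                continue
            out.append({"kind": "misconfig", "id": m["ID"], "target": target, "pkg": "",
                        "severity": m.get("Severity", "UNKNOWN"), "fixed": True})
        for s in res.get("Secrets") or []:
            out.append({"kind": "secret", "id": s["RuleID"], "target": target, "pkg": "",
                        "severity": s.get("Severity", "UNKNOWN"), "fixed": True})
    return out

def finding_key(f):
    # Vulns match by package: the Target string embeds the image name and differs between base and head.
    return (f["kind"], f["id"], f["pkg"] if f["kind"] == "vuln" else f["target"])

def evaluate(report, min_severity="HIGH", ignore_unfixed=False, ignore_text="",
             today=None, baseline=None):
    """Findings that should fail the build: min_severity ~ --severity, ignore_unfixed ~
    --ignore-unfixed, ignore_text = .trivyignore contents, baseline = base-image report
    whose findings are pre-existing rather than regressions and are therefore skipped."""
    ignored = parse_trivyignore(ignore_text, today)
    known = {finding_key(f) for f in collect_findings(baseline)} if baseline else set()
    threshold = SEVERITY_RANK[min_severity]
    failing = []
    for f in collect_findings(report):
        if SEVERITY_RANK.get(f["severity"], 0) < threshold:
            continue
        if ignore_unfixed and f["kind"] == "vuln" and not f["fixed"]:
            continue
        if f["id"] in ignored or finding_key(f) in known:
            continue
        failing.append(f)
    return failing

def gate(report, **policy):
    """Exit status in the style of `trivy --exit-code 1`: 1 if anything fails, else 0."""
    return 1 if evaluate(report, **policy) else 0

if __name__ == "__main__":  # usage: python trivy_gate.py report.json
    rpt = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(rpt, ignore_unfixed=True))
```

Run it after `trivy image --format json --output report.json myapp:latest` as `python trivy_gate.py report.json`; with no argument it evaluates the embedded sample and exits 1 because of the fixed HIGH/CRITICAL findings, the root-user Dockerfile check and the AWS key. The `baseline` option is the piece Trivy's flags do not give you: scan the base image once, pass that report, and a pull-request build fails only on what the application layers introduced, while the base image's own backlog is tracked separately.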