What Trivy Scans
Vulnerabilities
- OS Packages: Alpine, Debian, Ubuntu, RHEL, CentOS, Oracle Linux, Amazon Linux, etc.
- Language Dependencies: npm, pip, gem, cargo, composer, nuget, go.mod, maven, gradle
- Container Images: Docker, Podman, containerd
- Kubernetes: Running clusters, YAML manifests
Misconfigurations (IaC)
- Infrastructure: Terraform, CloudFormation, ARM templates
- Containers: Dockerfile, Containerfile
- Kubernetes: YAML manifests, Helm charts, Kustomize
- Cloud: AWS, Azure, GCP configurations
Secrets
- API Keys: AWS, GCP, Azure, GitHub, GitLab, Slack, Stripe, etc.
- Private Keys: RSA, SSH, JWT secrets
- Credentials: Passwords, tokens, connection strings
Other
- License Compliance: OSS license detection
- SBOM: Generate/validate SBOMs (CycloneDX, SPDX)
- Malware: Via ClamAV integration
Installation
Binary
```bash
# macOS
brew install trivy

# Debian/Ubuntu
sudo apt-get install wget gnupg
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy

# Or download binary directly
curl -L https://github.com/aquasecurity/trivy/releases/latest/download/trivy_Linux-64bit.tar.gz | tar xz
```
Docker
```bash
docker run aquasec/trivy image nginx:latest
```
Kubernetes (Trivy Operator)
```bash
helm repo add aqua https://aquasecurity.github.io/helm-charts/
helm install trivy-operator aqua/trivy-operator --namespace trivy-system --create-namespace
```
Usage Examples
Scan Container Image
```bash
# Basic scan
trivy image nginx:latest
# Only HIGH and CRITICAL vulnerabilities
trivy image --severity HIGH,CRITICAL nginx:latest
# Fail CI if vulnerabilities found
trivy image --exit-code 1 --severity HIGH,CRITICAL nginx:latest
# Output in JSON
trivy image --format json --output results.json nginx:latest
# Ignore unfixed vulnerabilities
trivy image --ignore-unfixed nginx:latest
# Skip OS packages, scan only language dependencies
trivy image --vuln-type library nginx:latest
```
Scan Git Repository
```bash
# Scan all aspects of a repository
trivy repo https://github.com/your/repo
# Scan only secrets
trivy repo --scanners secret https://github.com/your/repo
# Scan only IaC misconfigurations
trivy repo --scanners misconfig https://github.com/your/repo
```
Scan Filesystem
```bash
# Scan local directory
trivy fs /path/to/project
# Scan with all scanners enabled
trivy fs --scanners vuln,misconfig,secret /path/to/project
# Skip directories that should not be scanned (e.g. vendored dependencies)
trivy fs --skip-dirs node_modules /path/to/project
```
Scan Kubernetes
```bash
# Scan entire cluster
trivy k8s cluster
# Scan specific namespace
trivy k8s --namespace production
# Scan all pods and show report
trivy k8s --report=summary cluster
# Scan a single manifest file
trivy config kubernetes/deployment.yaml
```
Scan Terraform
```bash
trivy config terraform/
# Only show HIGH and CRITICAL issues
trivy config --severity HIGH,CRITICAL terraform/
```
CI/CD Integration
GitHub Actions
```yaml
name: Trivy scan
on: [push, pull_request]
permissions:
  contents: read
  security-events: write   # required by upload-sarif to write to the Security tab
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
          exit-code: '1'
      - name: Upload results to GitHub
        # exit-code 1 fails the scan step whenever there are findings; without
        # this the SARIF would be skipped in exactly the runs that matter
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'
```
GitLab CI
```yaml
trivy-scan:
  image:
    name: aquasec/trivy:latest
    entrypoint: [""]   # the image's entrypoint is trivy itself; clear it so `script` runs in a shell
  variables:   # registry credentials Trivy uses to pull the just-built image
    TRIVY_USERNAME: $CI_REGISTRY_USER
    TRIVY_PASSWORD: $CI_REGISTRY_PASSWORD
  script:
    - trivy fs --exit-code 1 --severity HIGH,CRITICAL .
    - trivy image --exit-code 1 --severity HIGH,CRITICAL $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
```
Docker Scanning in Build Pipeline
```bash
set -e   # abort on the first failing command, so the push never runs after a failed scan
# Build image
docker build -t myapp:latest .
# Scan before pushing
trivy image --exit-code 1 --severity HIGH,CRITICAL myapp:latest
# Push if scan passed
docker push myapp:latest
```
Report Output
```text
nginx:latest (debian 12.1)
============================
Total: 45 (HIGH: 30, CRITICAL: 15)
┌─────────────┬─────────────────┬──────────┬────────┬───────────────────┬────────────────┐
│   Library   │  Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │
├─────────────┼─────────────────┼──────────┼────────┼───────────────────┼────────────────┤
│ libc-bin    │ CVE-2023-XXXX   │ HIGH     │ fixed  │ 2.36-9            │ 2.36-9+deb12u1 │
│ libssl3     │ CVE-2023-YYYY   │ CRITICAL │ fixed  │ 3.0.9-1           │ 3.0.11-1~deb12 │
└─────────────┴─────────────────┴──────────┴────────┴───────────────────┴────────────────┘
```
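The table above is the human-readable form of the report; `--format json` carries the same fields (plus `Status` and the result `Class`). As an added example that is not part of this cheat sheet or the Trivy project, a small Python policy gate over that JSON that reproduces the `--severity`, `--ignore-unfixed` and `--exit-code` behaviour in a form you can extend; the sample report and its CVE ids are constructed.

```python
import json
from collections import Counter

# Constructed sample of a `trivy image --format json` report (schema v2) mirroring the
# table in the text, plus one secret finding; the CVE ids are placeholders, not real.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2, "ArtifactName": "nginx:latest", "ArtifactType": "container_image",
    "Results": [
        {"Target": "nginx:latest (debian 12.1)", "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2023-XXXX", "PkgName": "libc-bin", "Severity": "HIGH",
              "InstalledVersion": "2.36-9", "FixedVersion": "2.36-9+deb12u1", "Status": "fixed"},
             {"VulnerabilityID": "CVE-2023-YYYY", "PkgName": "libssl3", "Severity": "CRITICAL",
              "InstalledVersion": "3.0.9-1", "FixedVersion": "3.0.11-1~deb12", "Status": "fixed"},
             {"VulnerabilityID": "CVE-2023-ZZZZ", "PkgName": "libexample", "Severity": "CRITICAL",
              "InstalledVersion": "1.0-1", "FixedVersion": "", "Status": "affected"}]},
        {"Target": "app/config.py", "Class": "secret",
         "Secrets": [{"RuleID": "aws-access-key-id", "Severity": "CRITICAL",
                      "Title": "AWS Access Key ID", "StartLine": 12}]},
    ],
})


def gate(report_json, severities=("HIGH", "CRITICAL"), ignore_unfixed=True):
    """Return (blocking, counts): `blocking` lists findings that should fail the build,
    `counts` tallies every finding by severity.  Vulnerabilities with no FixedVersion
    are skipped when ignore_unfixed is set (same idea as --ignore-unfixed); secrets
    have no fix version, so they always block at their severity."""
    report = json.loads(report_json)
    blocking, counts = [], Counter()
    for result in report.get("Results", []):
        target = result.get("Target", "?")
        for v in result.get("Vulnerabilities") or []:   # key is absent when there are none
            counts[v["Severity"]] += 1
            if v["Severity"] not in severities:
                continue
            if ignore_unfixed and not v.get("FixedVersion"):
                continue  # nothing actionable yet; it resurfaces once a fix ships
            blocking.append(f"{target}: {v['VulnerabilityID']} {v['PkgName']} "
                            f"{v['InstalledVersion']} -> {v.get('FixedVersion') or 'unfixed'}")
        for s in result.get("Secrets") or []:
            counts[s["Severity"]] += 1
            if s["Severity"] in severities:
                blocking.append(f"{target}:{s.get('StartLine', '?')}: {s['RuleID']} ({s['Title']})")
    return blocking, counts


def exit_code(report_json, **policy):
    """1 when the policy finds anything blocking (what --exit-code 1 does), else 0."""
    return 1 if gate(report_json, **policy)[0] else 0
```

Run it against the file written by `trivy image --format json --output results.json ...` to apply a gate that differs from Trivy's built-in flags, for example blocking on secrets regardless of severity.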
SBOM Generation
```bash
# Generate CycloneDX SBOM
trivy image --format cyclonedx --output sbom.json nginx:latest
# Generate SPDX SBOM
trivy image --format spdx-json --output sbom.spdx.json nginx:latest
# Scan an existing SBOM for vulnerabilities
trivy sbom sbom.json
```
Trivy vs Alternatives
| Feature | Trivy | Snyk | Grype | Clair |
|---|---|---|---|---|
| Open Source | Yes (Apache-2.0) | No (free tier) | Yes (Apache-2.0) | Yes (Apache-2.0) |
| Container scanning | Yes | Yes | Yes | Yes |
| IaC scanning | Yes | Yes | No | No |
| Secret scanning | Yes | Yes | No | No |
| K8s scanning | Yes | Yes | No | Limited |
| License scanning | Yes | Yes | No | No |
| SBOM generation | Yes | Yes | Yes | No |
| CI/CD integration | Easy | Easy | Easy | Complex |
| Offline mode | Yes | Limited | Yes | Yes |
FAQ
Q: How fast is scanning?
A: Very fast. A typical Docker image scan completes in 10-30 seconds. The first run downloads the vulnerability database (~300MB); subsequent scans use the cache.
Q: How often is the database updated?
A: Trivy's vulnerability database is updated every 6 hours from official sources such as NVD, Alpine secdb and the Debian Security Tracker. Run trivy image --download-db-only to update it manually.
Q: Can it be used offline?
A: Yes. Use --offline mode: download the database to a chosen location in advance, then use it in the isolated environment. Suitable for security scanning in restricted environments.
Sources and Acknowledgements
- GitHub: aquasecurity/trivy — 34.5K+ ⭐ | Apache-2.0
- Website: trivy.dev