Trivy 容器扫描工具

trivy是一款漏洞的扫描器，支持对容器镜像、文件系统和Git存储库进行扫描，可以发现配置问题和硬编码的密码。

介绍

扫描目标：

• Container Image
• Filesystem
• Git repository (remote)
• Kubernetes cluster or resource

Scanners:

• OS packages and software dependencies in use (SBOM)
• Known vulnerabilities (CVEs)
• IaC misconfigurations
• Sensitive information and secrets

安装

参考

• ubuntu

sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy

// or
wget https://github.com/aquasecurity/trivy/releases/download/v0.31.2/trivy_0.31.2_Linux-64bit.deb
sudo dpkg -i trivy_0.31.2_Linux-64bit.deb

• others

yum install trivy
brew install aquasecurity/trivy/trivy
sudo port install trivy
docker run aquasec/trivy

使用

trivy <target> [--security-checks <scanner1,scanner2>] TARGET_NAME

说明：

• 运行时，会从 https://ghcr.io/v2/ 下载 ghcr.io/aquasecurity/trivy-db 数据库

• 镜像扫描

trivy image python:3.4-alpine

• 文件系统扫描

trivy fs --security-checks vuln,secret,config myproject/

• k8s 系统扫描

trivy k8s --report summary cluster