trivy
Trivy is a vulnerability scanner that can scan container images, filesystems and Git repositories; it also detects misconfigurations and hard-coded secrets.
Introduction
Scan targets:
- Container Image
- Filesystem
- Git repository (remote)
- Kubernetes cluster or resource
Scanners:
- OS packages and software dependencies in use (SBOM)
- Known vulnerabilities (CVEs)
- IaC misconfigurations
- Sensitive information and secrets
Installation
Reference
sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy
# Or install a release .deb package directly:
wget https://github.com/aquasecurity/trivy/releases/download/v0.31.2/trivy_0.31.2_Linux-64bit.deb
sudo dpkg -i trivy_0.31.2_Linux-64bit.deb
# RHEL/CentOS (requires the Trivy yum repository):
yum install trivy
# macOS with Homebrew:
brew install aquasecurity/trivy/trivy
# macOS with MacPorts:
sudo port install trivy
# Run from the official container image:
docker run aquasec/trivy
Usage
trivy <target> [--security-checks <scanner1,scanner2>] TARGET_NAME
Examples:
trivy image python:3.4-alpine
trivy fs --security-checks vuln,secret,config myproject/
trivy k8s --report summary cluster
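The commands above print a human-readable table. In a pipeline you usually want the report as data, e.g. `trivy fs --security-checks vuln,secret,config --format json -o report.json myproject/`, and a gate that fails the build when findings at or above a chosen severity remain. The following script is an added example, not code from the original page or from the Trivy project: it reads a Trivy JSON report (schema version 2), walks the three finding lists that correspond to the `vuln`, `secret` and `config` scanners, summarises them by severity and exits non-zero above a threshold. The embedded report is constructed for illustration; its package names, the `CVE-0000-…` ids and the misconfiguration id are placeholders, not real findings, while the field names (`Results`, `Vulnerabilities`, `Secrets`, `Misconfigurations`, `Severity`, …) follow Trivy's JSON output.

```python
import json
import sys
from collections import Counter

# Severity ordering as used by Trivy (UNKNOWN is lowest).
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the shape of a Trivy schema-version-2 JSON report
# (`trivy fs --format json`). Field names follow Trivy's schema; the targets,
# package names, CVE ids and the misconfiguration id are placeholders.
SAMPLE_REPORT = """
{
  "SchemaVersion": 2,
  "ArtifactName": "myproject/",
  "ArtifactType": "filesystem",
  "Results": [
    {
      "Target": "requirements.txt",
      "Class": "lang-pkgs",
      "Type": "pip",
      "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-00001", "PkgName": "examplelib",
         "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-00002", "PkgName": "otherlib",
         "InstalledVersion": "2.3.0", "FixedVersion": "", "Severity": "LOW"}
      ]
    },
    {
      "Target": "config/settings.py",
      "Class": "secret",
      "Secrets": [
        {"RuleID": "generic-api-key", "Category": "General", "Severity": "CRITICAL",
         "Title": "Generic API Key", "StartLine": 12, "EndLine": 12}
      ]
    },
    {
      "Target": "Dockerfile",
      "Class": "config",
      "Type": "dockerfile",
      "Misconfigurations": [
        {"ID": "DS-EXAMPLE", "Title": "Example misconfiguration",
         "Severity": "MEDIUM", "Status": "FAIL"}
      ]
    }
  ]
}
"""


def iter_findings(report):
    """Yield (scanner, target, identifier, severity) for every finding in the report.

    The three per-result lists map to the three --security-checks scanners:
    Vulnerabilities -> vuln, Secrets -> secret, Misconfigurations -> config.
    """
    for result in report.get("Results") or []:
        target = result.get("Target", "")
        for v in result.get("Vulnerabilities") or []:
            yield ("vuln", target, v["VulnerabilityID"], v.get("Severity", "UNKNOWN"))
        for s in result.get("Secrets") or []:
            yield ("secret", target, s["RuleID"], s.get("Severity", "UNKNOWN"))
        for m in result.get("Misconfigurations") or []:
            # Trivy can also list passed checks; only a FAIL status is a finding.
            if m.get("Status", "FAIL") == "FAIL":
                yield ("config", target, m["ID"], m.get("Severity", "UNKNOWN"))


def summarize(report_json):
    """Return a Counter of findings keyed by severity."""
    report = json.loads(report_json)
    return Counter(sev for _, _, _, sev in iter_findings(report))


def gate(report_json, threshold="HIGH"):
    """Return (passed, blocking_findings); a finding blocks when severity >= threshold."""
    report = json.loads(report_json)
    floor = SEVERITY_RANK[threshold]
    blocking = [f for f in iter_findings(report) if SEVERITY_RANK.get(f[3], 0) >= floor]
    return (len(blocking) == 0, blocking)


if __name__ == "__main__":
    # Usage: python trivy_gate.py report.json [THRESHOLD]; with no path the sample is used.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    threshold = sys.argv[2] if len(sys.argv) > 2 else "HIGH"
    print("findings by severity:", dict(summarize(data)))
    passed, blocking = gate(data, threshold)
    for scanner, target, ident, sev in blocking:
        print(f"[{sev}] {scanner}: {ident} in {target}")
    sys.exit(0 if passed else 1)
```

Filtering on the parsed report rather than passing `--severity` to Trivy keeps the full report available for the SBOM and audit trail while the gate decision stays explicit in the pipeline; the LOW and MEDIUM findings above are still recorded, only the HIGH vulnerability and the CRITICAL secret fail the build at the default threshold.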