trivy v0.7 releases: A Simple and Comprehensive Vulnerability Scanner for Containers, Suitable for CI
trivy
A Simple and Comprehensive Vulnerability Scanner for Containers, Suitable for CI
Trivy (tri pronounced like trigger, vy pronounced like envy) is a simple and comprehensive vulnerability scanner for containers. Trivy detects vulnerabilities of OS packages (Alpine, RHEL, CentOS, etc.) and application dependencies (Bundler, Composer, npm, yarn, etc.). Trivy is easy to use. Just install the binary and you’re ready to scan. All you need to do for scanning is to specify an image name of the container.
It is considered to be used in CI. Before pushing to a container registry, you can scan your local container image easily.
Features
- Detect comprehensive vulnerabilities
- OS packages (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, Debian, and Ubuntu)
- Application dependencies (Bundler, Composer, Pipenv, npm, yarn, and Cargo)
- Simple
- Specify only an image name
- See Quick Start and Examples
- Easy installation
- No need for pre-requirements such as the installation of DB, libraries, etc.
apt-get install,yum installandbrew installis possible (See Installation)
- High accuracy
- Especially Alpine Linux and RHEL/CentOS (See Comparison with other scanners)
- Other OSes are also high
- DevSecOps
- Suitable for CI such as Travis CI, CircleCI, Jenkins, etc.
- See CI Example
Vulnerability Detection
OS Packages
The unfixed/unfixable vulnerabilities mean that the patch has not yet been provided on their distribution.
| OS | Supported Versions | Target Packages | Detection of unfixed vulnerabilities |
|---|---|---|---|
| Alpine Linux | 2.2 – 2.7, 3.0 – 3.10 | Installed by apk | NO |
| Red Hat Universal Base Image | 7, 8 | Installed by yum/rpm | YES |
| Red Hat Enterprise Linux | 6, 7, 8 | Installed by yum/rpm | YES |
| CentOS | 6, 7 | Installed by yum/rpm | YES |
| Debian GNU/Linux | wheezy, jessie, stretch, buster | Installed by apt/apt-get/dpkg | YES |
| Ubuntu | 12.04, 14.04, 16.04, 18.04, 18.10, 19.04 | Installed by apt/apt-get/dpkg | YES |
Changelog v0.7
New Feature
Support OCI Image Format
An image directory compliant with “Open Container Image Layout Specification”.
Buildah:
$ buildah push docker.io/library/alpine:3.11 oci:/path/to/alpine
$ trivy --input /path/to/alpine
Skopeo:
$ skopeo copy docker-daemon:alpine:3.11 oci:/path/to/alpine
$ trivy --input /path/to/alpine
Override severity with vendor score if exists
Trivy displayed a severity from NVD, which is generic, but it’s more accurate to use the severity from vendor such as Red Hat and Debian. Currently, the vendor’s severity is preferred than NVD’s severity.
Bugs
rpc: fix output to use templates when in client/server mode. (#469)
A template didn’t work in client/server mode.
Changelog
09442d6 chore(ci): move integration tests to GitHub Actions (#485)
415b99d feat: support OCI Image Format (#475)
35b038e chore(github): fix issue templates (#483)
34a95c1 contrib/gitlab.tpl: Add new id field (#468)
b282142 chore(docs): add triage.md (#473)
216a33b fix: handle a scratch/busybox/DockerSlim image gracefully (#476)
ad0bb7c rpc: Fix output to use templates when in client server mode. (#469)
17b84f6 Override with Vendor score if exists (#433)
7629f7f docs: Update installation docs for pointing to Trivy Releases. (#463)
Install && Use
Copyright (C) 2019 Teppei Fukuda (knqyf263)
