trivy v0.36 releases: A Simple and Comprehensive Vulnerability Scanner for Containers, Suitable for CI

trivy

A Simple and Comprehensive Vulnerability Scanner for Containers, Suitable for CI

Trivy (tri pronounced like trigger, vy pronounced like envy) is a comprehensive security scanner. It is reliable, fast, extremely easy to use, and it works wherever you need it.

Trivy has different scanners that look for different security issues, and different targets where it can find those issues.

Targets:

• Container Image
• Filesystem
• Git repository (remote)
• Kubernetes cluster or resource

Scanners:

• OS packages and software dependencies in use (SBOM)
• Known vulnerabilities (CVEs)
• IaC misconfigurations
• Sensitive information and secrets

Highlights

• Comprehensive vulnerability detection
  • OS packages (Alpine Linux, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, CBL-Mariner, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
  • Language-specific packages (Bundler, Composer, Pipenv, Poetry, npm, yarn, Cargo, NuGet, Maven, and Go)
  • High accuracy, especially Alpine Linux and RHEL/CentOS
• Supply chain security (SBOM support)
  • Support CycloneDX
  • Support SPDX
• Misconfiguration detection (IaC scanning)
  • Wide variety of security checks are provided out of the box
  • Kubernetes, Docker, Terraform, and more
  • User-defined policies using OPA Rego
• Secret detection
  • A wide variety of built-in rules are provided out of the box
  • User-defined patterns
  • Efficient scanning of container images
• Simple
  • Available in apt, yum, brew, dockerhub
  • No pre-requisites such as a database, system libraries, or eny environmental requirements. The binary runs anywhere.
  • The first scan will finish within 10 seconds (depending on your network). Consequent scans will finish instantaneously.
• Fits your workflow
  • Great for CI such as GitHub Actions, Jenkins, GitLab CI, etc.
  • Available as extension for IDEs such as vscode, jetbrains, vim
  • Available as extension for Docker Desktop, Rancher Desktop
  • See integrations section in the documentation.

Changelog v0.36

• 4813cf5 docs: improve compliance docs (#3340)
• 025e509 feat(deps): add yarn lock dependency tree (#3348)
• 4d59a1e fix: compliance change id and title naming (#3349)
• eaa5bcf feat: add support for mix.lock files for elixir language (#3328)
• a888440 feat: add k8s cis bench (#3315)
• 62b369e test: disable SearchLocalStoreByNameOrDigest test for non-amd64 arch (#3322)
• c110c4e revert: cache merged layers (#3334)
• bc759ef feat(cyclonedx): add recommendation (#3336)
• fe3831e feat(ubuntu): added support ubuntu ESM versions (#1893)
• b0cebec fix: change logic to build relative paths for skip-dirs and skip-files (#3331)
• a66d3fe chore(deps): bump github.com/hashicorp/golang-lru from 0.5.4 to 2.0.1 (#3265)
• 5190f95 feat: Adding support for Windows testing (#3037)
• b00f3c6 feat: add support for Alpine 3.17 (#3319)
• a70f885 docs: change PodFile.lock to Podfile.lock (#3318)
• 1ec1fe6 fix(sbom): support for the detection of old CycloneDX predicate type (#3316)
• 68eda79 feat(secret): Use .trivyignore for filtering secret scanning result (#3312)
• b95d435 chore(go): remove experimental FS API usage in Wasm (#3299)
• ac6b7c3 ci: add workflow to add issues to roadmap project (#3292)
• cfabdf9 fix(vuln): include duplicate vulnerabilities with different package paths in the final report (#3275)
• 56e3d8d chore(deps): bump github.com/spf13/viper from 1.13.0 to 1.14.0 (#3250)
• bbccb44 feat(sbom): better support for third-party SBOMs (#3262)
• e879b06 docs: add information about languages with support for dependency locations (#3306)
• e92266f feat(vm): add region option to vm scan to be able to scan any region’s ami and ebs snapshots (#3284)
• 01c7fb1 chore(deps): bump github.com/Azure/azure-sdk-for-go from 66.0.0+incompatible to 67.1.0+incompatible (#3251)
• 23d0613 fix(vuln): change severity vendor priority for ghsa-ids and vulns from govuln (#3255)
• 407c240 docs: remove comparisons (#3289)
• 93c5d2d feat: add support for Wolfi Linux (#3215)
• 2809794 ci: add go.mod to canary workflow (#3288)
• 08b55c3 feat(python): skip dev dependencies (#3282)
• 52300e6 chore: update ubuntu version for Github action runnners (#3257)
• a7ac6ac fix(go): skip dep without Path for go-binaries (#3254)
• 4436a20 feat(rust): add ID for cargo pgks (#3256)
• 34d505a chore(deps): bump github.com/samber/lo from 1.33.0 to 1.36.0 (#3263)
• ea95602 chore(deps): bump github.com/Masterminds/sprig/v3 from 3.2.2 to 3.2.3 (#3253)
• aea298b feat: add support for swift cocoapods lock files (#2956)
• c67fe17 fix(sbom): use proper constants (#3286)
• f907255 chore(deps): bump golang.org/x/term from 0.1.0 to 0.3.0 (#3278)
• 8f95743 test(vm): import relevant analyzers (#3285)
• 8744534 feat: support scan remote repository (#3131)
• c278d86 docs: fix typo in fluxcd (#3268)
• fa2281f docs: fix broken “ecosystem” link in readme (#3280)
• a3eece4 feat(misconf): Add compliance check support (#3130)
• 7a6cf5a docs: Adding Concourse resource for trivy (#3224)
• dd26bd2 chore(deps): change golang from 1.19.2 to 1.19 (#3249)
• cbba6d1 fix(sbom): duplicate dependson (#3261)
• fa2e3ac chore(deps): bump alpine from 3.16.2 to 3.17.0 (#3247)
• 5c43475 chore(go): updates wazero to 1.0.0-pre.4 (#3242)
• d29b0ed feat(report): add dependency locations to sarif format (#3210)
• 967e32f fix(rpm): add rocky to osVendors (#3241)
• 9477416 docs: fix a typo (#3236)
• 97ce61e feat(dotnet): add dependency parsing for nuget lock files (#3222)
• 17e13c4 docs: add pre-commit hook to community tools (#3203)
• b1a2c4e feat(helm): pass arbitrary env vars to trivy (#3208)

Install && Use

Copyright (C) 2019 Teppei Fukuda (knqyf263)