### Example: Using the 'count' Plugin with Output Mode Source: https://github.com/aquasecurity/trivy/blob/main/docs/guide/plugin/user-guide.md This example demonstrates installing the 'count' plugin and then using it with Trivy image scanning to filter results published after a specific date. Ensure the plugin is installed before invocation. ```bash # Install the plugin first $ trivy plugin install count # Call the plugin supporting the output mode in image scanning $ trivy image --format json --output plugin=count --output-plugin-arg "--published-after 2023-10-01" debian:12 ``` -------------------------------- ### Server Setup Source: https://github.com/aquasecurity/trivy/blob/main/docs/guide/references/modes/client-server.md Command to start the Trivy server with specified listen address and authentication token. ```APIDOC ## Server Setup Start the Trivy server with specified listen address and authentication token. ### Command ```bash trivy server --listen localhost:8080 --token dummy ``` ``` -------------------------------- ### Install Trivy using Install Script Source: https://github.com/aquasecurity/trivy/blob/main/docs/getting-started/installation.md This script downloads and installs Trivy from GitHub Releases to a specified binary path. It's a convenient way to get the latest version. ```bash curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin {{ git.tag }} ``` -------------------------------- ### Use an Installed Trivy Plugin Source: https://github.com/aquasecurity/trivy/blob/main/docs/guide/plugin/index.md Execute commands provided by an installed Trivy plugin. This example shows how to access help for the 'referrer' plugin. ```bash trivy referrer --help ``` -------------------------------- ### Scan Root Filesystem from Inside a Container Source: https://github.com/aquasecurity/trivy/blob/main/docs/guide/references/configuration/cli/trivy_rootfs.md This example demonstrates scanning the root filesystem from within a running container. It first installs Trivy inside the container and then executes the scan on the container's root directory. ```bash docker run --rm -it alpine:3.11 / # curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin / # trivy rootfs / ``` -------------------------------- ### Trivy Plugin Install Help Option Source: https://github.com/aquasecurity/trivy/blob/main/docs/guide/references/configuration/cli/trivy_plugin_install.md Displays help information for the `trivy plugin install` command. ```bash -h, --help help for install ``` -------------------------------- ### Install Trivy with Nix (Command Line) Source: https://github.com/aquasecurity/trivy/blob/main/docs/getting-started/installation.md Installs Trivy using the Nix package manager command line. This is a quick way to install for individual users. ```bash nix-env --install -A nixpkgs.trivy ``` -------------------------------- ### Example Serverless Framework Configuration and Rego Policy Source: https://github.com/aquasecurity/trivy/blob/main/docs/guide/scanner/misconfiguration/config/config.md This example shows a Serverless Framework service definition in YAML and a corresponding Rego policy to ensure service names start with 'aws-'. ```yaml service: serverless-rest-api-with-pynamodb frameworkVersion: ">=2.24.0" plugins: - serverless-python-requirements ... ``` ```rego # METADATA # title: Serverless Framework service name not starting with "aws-" # description: Ensure that Serverless Framework service names start with "aws-" # schemas: # - input: schema["serverless-schema"] # custom: # avd_id: AVD-SF-0001 ``` -------------------------------- ### Install Trivy Locally Source: https://github.com/aquasecurity/trivy/blob/main/helm/trivy/README.md Installs the Trivy chart from a local directory. Ensure you are in the chart's directory. ```bash helm install trivy . --namespace trivy --create-namespace ``` -------------------------------- ### Install Trivy Plugin from URL Source: https://github.com/aquasecurity/trivy/blob/main/docs/guide/references/configuration/cli/trivy_plugin_install.md Installs a plugin directly from a provided URL, such as a GitHub repository. ```bash # Install a plugin from a URL $ trivy plugin install github.com/aquasecurity/trivy-plugin-referrer ``` -------------------------------- ### Install Trivy Plugin from Local File Source: https://github.com/aquasecurity/trivy/blob/main/docs/guide/plugin/user-guide.md Install a plugin from a local archive file (e.g., a tar.gz file). ```bash $ trivy plugin install ./myplugin.tar.gz ``` -------------------------------- ### Install Plugin from GitHub Repository Source: https://github.com/aquasecurity/trivy/blob/main/docs/guide/plugin/developer-guide.md Users can install a plugin directly from a GitHub repository by providing the repository path. ```bash trivy plugin install github.com/org/repo ``` -------------------------------- ### Trivy Plugin Install Command Syntax Source: https://github.com/aquasecurity/trivy/blob/main/docs/guide/references/configuration/cli/trivy_plugin_install.md Basic syntax for installing a Trivy plugin. Specify the plugin name, URL, or file path. ```bash trivy plugin install NAME | URL | FILE_PATH ``` -------------------------------- ### Deploy Example Pod with Signed Image Source: https://github.com/aquasecurity/trivy/blob/main/docs/tutorials/kubernetes/kyverno.md Command to deploy an example Kubernetes Pod using a container image that is expected to have a valid signature and attestation. ```bash kubectl run app-signed --image= docker.io/anaisurlichs/signed-example@sha256:c5911ac313e0be82a740bd726dc290e655800a9588424ba4e0558c705d1287fd ``` -------------------------------- ### Install Trivy Plugin by Name Source: https://github.com/aquasecurity/trivy/blob/main/docs/guide/plugin/user-guide.md Install a plugin by its registered name. This downloads and installs the plugin into the Trivy plugin cache. ```bash $ trivy plugin install referrer ``` -------------------------------- ### Install Trivy Plugin from Git Repository Source: https://github.com/aquasecurity/trivy/blob/main/docs/guide/plugin/user-guide.md Install a plugin directly from its Git repository URL. ```bash $ trivy plugin install github.com/aquasecurity/trivy-plugin-kubectl ``` -------------------------------- ### Install Trivy Plugin from Index Source: https://github.com/aquasecurity/trivy/blob/main/docs/guide/references/configuration/cli/trivy_plugin_install.md Installs a plugin by its name from the default plugin index. ```bash # Install a plugin from the plugin index $ trivy plugin install referrer ``` -------------------------------- ### Run Trivy with a Loaded Module Source: https://github.com/aquasecurity/trivy/blob/main/docs/guide/advanced/modules.md After installation, modules are automatically loaded. This example shows Trivy scanning an image and logging module activity, including custom detection and severity changes. ```shell $ trivy image ghcr.io/aquasecurity/trivy-test-images:spring4shell-jre8 2022-06-12T12:57:13.210+0300 INFO Loading ghcr.io/aquasecurity/trivy-module-spring4shell/spring4shell.wasm... 2022-06-12T12:57:13.596+0300 INFO Registering WASM module: spring4shell@v1 ... 2022-06-12T12:57:14.865+0300 INFO Module spring4shell: Java Version: 8, Tomcat Version: 8.5.77 2022-06-12T12:57:14.865+0300 INFO Module spring4shell: change CVE-2022-22965 severity from CRITICAL to LOW Java (jar) Total: 9 (UNKNOWN: 1, LOW: 3, MEDIUM: 2, HIGH: 3, CRITICAL: 0) ┌──────────────────────────────────────────────────────────────┬─────────────────────┬──────────┬───────────────────┬────────────────────────┬────────────────────────────────────────────────────────────┐ │ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │ ├──────────────────────────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────┼────────────────────────────────────────────────────────────┤ │ org.springframework.boot:spring-boot (helloworld.war) │ CVE-2022-22965 │ LOW │ 2.6.3 │ 2.5.12, 2.6.6 │ spring-framework: RCE via Data Binding on JDK 9+ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-22965 │ ├──────────────────────────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────┼────────────────────────────────────────────────────────────┤ ...(snip)... ``` -------------------------------- ### Dependency Tree Table Output Example Source: https://github.com/aquasecurity/trivy/blob/main/docs/guide/configuration/reporting.md This is an example of the table output generated by Trivy when using the `--dependency-tree` flag. It shows vulnerable libraries, their severities, installed and fixed versions, and titles. It also includes the reversed dependency origin tree. ```text package-lock.json (npm) ======================= Total: 2 (HIGH: 1, CRITICAL: 1) ┌──────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐ │ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │ ├──────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤ │ follow-redirects │ CVE-2022-0155 │ HIGH │ 1.14.6 │ 1.14.7 │ follow-redirects: Exposure of Private Personal Information │ │ │ │ │ │ │ to an Unauthorized Actor │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-0155 │ ├──────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤ │ glob-parent │ CVE-2020-28469 │ CRITICAL │ 3.1.0 │ 5.1.2 │ nodejs-glob-parent: Regular expression denial of service │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-28469 │ └──────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘ Dependency Origin Tree (Reversed) ================================= package-lock.json ├── follow-redirects@1.14.6, (HIGH: 1, CRITICAL: 0) │ └── axios@0.21.4 └── glob-parent@3.1.0, (HIGH: 0, CRITICAL: 1) └── chokidar@2.1.8 └── watchpack-chokidar2@2.0.1 └── watchpack@1.7.5 └── webpack@4.46.0 └── cra-append-sw@2.7.0 ``` -------------------------------- ### Install a Trivy Module Source: https://github.com/aquasecurity/trivy/blob/main/docs/guide/references/configuration/cli/trivy_module_install.md Use this command to install a module from a specified repository. The REPOSITORY argument is mandatory. ```bash trivy module install [flags] REPOSITORY ``` -------------------------------- ### Deploy Example Pod with Unsigned Image Source: https://github.com/aquasecurity/trivy/blob/main/docs/tutorials/kubernetes/kyverno.md Command to deploy an example Kubernetes Pod using a container image that is expected to fail policy checks due to missing or invalid attestation. ```bash kubectl run app-unsigned --image=docker.io/anaisurlichs/cns-website:0.1.1 ``` -------------------------------- ### Install Trivy on FreeBSD using pkg Source: https://github.com/aquasecurity/trivy/blob/main/docs/getting-started/installation.md Use the pkg package manager to install Trivy on FreeBSD systems. ```bash pkg install trivy ``` -------------------------------- ### Plugin Manifest Example (plugin.yaml) Source: https://github.com/aquasecurity/trivy/blob/main/docs/guide/plugin/developer-guide.md Example of a `plugin.yaml` file for a Trivy plugin, detailing name, version, repository, platforms, and usage information. ```yaml name: "kubectl" version: "0.1.0" repository: github.com/aquasecurity/trivy-plugin-kubectl maintainer: aquasecurity output: false summary: Scan kubectl resources description: |- A Trivy plugin that scans the images of a kubernetes resource. Usage: trivy kubectl TYPE[.VERSION][.GROUP] NAME platforms: - selector: # optional os: darwin arch: amd64 uri: ./trivy-kubectl # where the execution file is (local file, http, git, etc.) bin: ./trivy-kubectl # path to the execution file - selector: # optional os: linux arch: amd64 uri: https://github.com/aquasecurity/trivy-plugin-kubectl/releases/download/v0.1.0/trivy-kubectl.tar.gz bin: ./trivy-kubectl ``` -------------------------------- ### Install Trivy Chart with a Release Name Source: https://github.com/aquasecurity/trivy/blob/main/helm/trivy/README.md Installs the Trivy chart with a specified release name, deploying Trivy in the default configuration. ```bash helm install my-release . ``` -------------------------------- ### Run Trivy Plugin on the Fly Source: https://github.com/aquasecurity/trivy/blob/main/docs/guide/plugin/user-guide.md Install and run a plugin immediately without permanently adding it to the cache if it's not already installed. This is useful for one-off tasks. ```bash trivy plugin run kubectl pod your-pod -- --exit-code 1 ``` -------------------------------- ### Example .trivyignore.yaml Configuration Source: https://github.com/aquasecurity/trivy/blob/main/docs/guide/configuration/filtering.md This example demonstrates how to configure ignore rules for vulnerabilities, misconfigurations, secrets, and licenses in a .trivyignore.yaml file. It shows how to specify IDs, paths, PURLs, and expiration dates for filtering. ```yaml vulnerabilities: - id: CVE-2022-40897 paths: - "usr/local/lib/python3.9/site-packages/setuptools-58.1.0.dist-info/METADATA" statement: Accept the risk - id: CVE-2023-2650 - id: CVE-2023-3446 - id: CVE-2023-3817 purls: - "pkg:deb/debian/libssl1.1" - id: CVE-2023-29491 expired_at: 2023-09-01 misconfigurations: - id: AVD-DS-0001 - id: AVD-DS-0002 paths: - "docs/Dockerfile" statement: The image needs root privileges secrets: - id: aws-access-key-id - id: aws-secret-access-key paths: - "foo/bar/aws.secret" licenses: - id: GPL-3.0 # License name is used as ID paths: - "usr/share/gcc/python/libstdcxx/v6/__init__.py" - id: MIT AND GPL-2.0-or-later # Compound license expressions are supported - id: Apache-2.0 WITH LLVM-exception # License expressions with exceptions are supported - id: LLVM-exception # Individual license components or exceptions can be ignored ``` -------------------------------- ### Install a Trivy Module Source: https://github.com/aquasecurity/trivy/blob/main/docs/guide/advanced/modules.md Use this command to download and install a WebAssembly module from an OCI registry into the Trivy module cache. ```bash $ trivy module install ghcr.io/aquasecurity/trivy-module-spring4shell ``` -------------------------------- ### Use Default HTML Template (RPM Install) Source: https://github.com/aquasecurity/trivy/blob/main/docs/guide/configuration/reporting.md If Trivy is installed via RPM, default templates like `html.tpl` can be found in `/usr/local/share/trivy/templates/`. ```bash $ trivy image --format template --template "/usr/local/share/trivy/templates/html.tpl" -o report.html golang:1.12-alpine ``` -------------------------------- ### Install Trivy on Debian/Ubuntu via Repository Source: https://github.com/aquasecurity/trivy/blob/main/docs/getting-started/installation.md Configures the APT repository for Trivy and installs the package. This involves downloading the GPG key and adding the repository to your sources. ```bash sudo apt-get install wget gnupg wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee -a /etc/apt/sources.list.d/trivy.list sudo apt-get update sudo apt-get install trivy ``` -------------------------------- ### Install a Trivy Plugin Source: https://github.com/aquasecurity/trivy/blob/main/docs/guide/plugin/index.md Install a specific Trivy plugin by its name. This makes the plugin's functionality available through the Trivy CLI. ```bash trivy plugin install referrer ``` -------------------------------- ### Install Trivy Plugin from ZIP Archive URL Source: https://github.com/aquasecurity/trivy/blob/main/docs/guide/plugin/user-guide.md Install a plugin by providing a direct URL to a ZIP archive of the plugin. ```bash $ trivy plugin install https://github.com/aquasecurity/trivy-plugin-kubectl/archive/refs/heads/main.zip ``` -------------------------------- ### Example Release Notes Formatting in GitHub Discussions Source: https://github.com/aquasecurity/trivy/blob/main/docs/community/maintainer/release-flow.md This example demonstrates how to format release notes in GitHub Discussions, including links to release highlights and the changelog. Adjust URLs as needed for specific releases. ```markdown ## ⚡Release highlights and summary⚡ 👉 https://github.com/aquasecurity/trivy/discussions/6838 ## Changelog https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0520-2024-06-03 ``` -------------------------------- ### Install Trivy on OpenSUSE Source: https://github.com/aquasecurity/trivy/blob/main/docs/getting-started/installation.md Installs Trivy on OpenSUSE using the zypper package manager. This command uses the OpenSUSE package repository. ```bash sudo zypper install trivy ``` -------------------------------- ### Example Verification of Trivy Release Asset Source: https://github.com/aquasecurity/trivy/blob/main/docs/getting-started/signature-verification.md An example demonstrating how to verify the signature of a specific Trivy release asset (`trivy_0.71.0_Linux-64bit.tar.gz`) using Cosign, including the bundle file and identity parameters. ```shell cosign verify-blob trivy_0.71.0_Linux-64bit.tar.gz \ --bundle trivy_0.71.0_Linux-64bit.tar.gz.sigstore.json \ --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ --certificate-identity 'https://github.com/aquasecurity/trivy/.github/workflows/reusable-release.yaml@refs/tags/v0.71.0' ``` -------------------------------- ### Install Trivy Plugin by Version Source: https://github.com/aquasecurity/trivy/blob/main/docs/guide/plugin/user-guide.md Install a specific version of a plugin if its Git repository is properly tagged. The leading 'v' is required, and the version must follow Semantic Versioning. ```bash $ trivy plugin install referrer@v0.3.0 ``` -------------------------------- ### Registry Mirror Check Procedure Example Source: https://github.com/aquasecurity/trivy/blob/main/docs/guide/configuration/others.md Trivy checks mirrors in the specified order before falling back to the source registry. This example shows a mirror with bad authentication and another without the image. ```yaml registry: mirrors: index.docker.io: - mirror.with.bad.auth - mirror.without.image ``` -------------------------------- ### Node-collector Output Example Source: https://github.com/aquasecurity/trivy/blob/main/docs/guide/compliance/compliance.md Example JSON output from the node collector, showing the NodeInfo resource with collected information like file permissions. ```json { "apiVersion": "v1", "kind": "NodeInfo", "metadata": { "creationTimestamp": "2023-01-04T11:37:11+02:00" }, "type": "master", "info": { "adminConfFileOwnership": { "values": [ "root:root" ] }, "adminConfFilePermissions": { "values": [ 600 ] } ... } } ``` -------------------------------- ### Install Trivy Helm Chart with Custom Parameters Source: https://github.com/aquasecurity/trivy/blob/main/helm/trivy/README.md Use this command to install the Trivy Helm chart, specifying custom values for service port and vulnerability types. Ensure the namespace is correctly set. ```bash $ helm install my-release . \ --namespace my-namespace \ --set "service.port=9090" \ --set "trivy.vulnType=os\,library" ``` -------------------------------- ### Rego Policy Example Source: https://github.com/aquasecurity/trivy/blob/main/docs/guide/scanner/misconfiguration/custom/index.md Define a custom Rego policy for Kubernetes deployments. This example includes metadata, package declaration, and a deny rule to prevent deployments. ```rego # METADATA # title: Deployment not allowed # description: Deployments are not allowed because of some reasons. # schemas: # - input: schema["kubernetes"] # custom: # id: ID001 # severity: LOW # input: # selector: # - type: kubernetes package user.kubernetes.ID001 deny[res] { input.kind == "Deployment" msg := sprintf("Found deployment '%s' but deployments are not allowed", [input.metadata.name]) res := result.new(msg, input.kind) } ``` -------------------------------- ### Install Trivy on RHEL/CentOS via Repository Source: https://github.com/aquasecurity/trivy/blob/main/docs/getting-started/installation.md Adds the Trivy repository configuration and installs Trivy using yum. Ensure the repository settings are correctly placed in /etc/yum.repos.d. ```bash cat << EOF | sudo tee -a /etc/yum.repos.d/trivy.repo [trivy] name=Trivy repository baseurl=https://aquasecurity.github.io/trivy-repo/rpm/releases/\$basearch/ gpgcheck=1 enabled=1 gpgkey=https://aquasecurity.github.io/trivy-repo/rpm/public.key EOF sudo yum -y update sudo yum -y install trivy ``` -------------------------------- ### Trivy VEX Repo Init Options Source: https://github.com/aquasecurity/trivy/blob/main/docs/guide/references/configuration/cli/trivy_vex_repo_init.md Lists available options for the `trivy vex repo init` command, including help and configuration-related flags. ```bash -h, --help help for init ``` -------------------------------- ### Trivy VEX Repo Init Help Flag Source: https://github.com/aquasecurity/trivy/blob/main/docs/guide/references/configuration/cli/trivy_vex_repo_init.md Displays help information for the `trivy vex repo init` command. ```bash trivy vex repo init -h ``` -------------------------------- ### YAML Configuration for Kubelet Paths Source: https://github.com/aquasecurity/trivy/blob/main/docs/guide/compliance/compliance.md Configuration file example to help obtain paths to kubelet binaries and configuration files across different platforms. ```yaml kubelet: bins: - kubelet - hyperkube kubelet confs: - /etc/kubernetes/kubelet-config.yaml - /var/lib/kubelet/config.yaml ``` -------------------------------- ### Build and Install Spring4Shell WASM Module Source: https://github.com/aquasecurity/trivy/blob/main/examples/module/spring4shell/README.md Build the Spring4Shell WASM module and copy it to the Trivy modules directory. This is required for local setup. ```bash $ GOOS=wasip1 GOARCH=wasm go build -o spring4shell.wasm -buildmode=c-shared spring4shell.go $ mkdir -p ~/.trivy/modules $ cp spring4shell.wasm ~/.trivy/modules ``` -------------------------------- ### Start Trivy Server Source: https://github.com/aquasecurity/trivy/blob/main/docs/guide/references/modes/client-server.md Run Trivy as a server listening on a specified address and port, with token-based authentication. ```bash $ trivy server --listen localhost:8080 --token dummy ``` -------------------------------- ### Inspect Python Package Metadata Source: https://github.com/aquasecurity/trivy/blob/main/docs/guide/scanner/vulnerability.md This example shows how to inspect the metadata of a Python package installed via an OS package manager to verify its version and origin. ```bash [root@987ee49dc93d /]# head -n 3 /usr/lib/python3.6/site-packages/requests-2.20.0-py3.6.egg-info/PKG-INFO Metadata-Version: 2.1 Name: requests Version: 2.20.0 ``` ```bash [root@987ee49dc93d /]# rpm -ql python3-requests | grep PKG-INFO /usr/lib/python3.6/site-packages/requests-2.20.0-py3.6.egg-info/PKG-INFO ``` -------------------------------- ### Install Trivy using Homebrew Source: https://github.com/aquasecurity/trivy/blob/main/docs/getting-started/installation.md Installs Trivy on macOS and Linux using the Homebrew package manager. This is a straightforward command for users who have Homebrew installed. ```bash brew install trivy ``` -------------------------------- ### Install Spring4Shell Module via Trivy CLI Source: https://github.com/aquasecurity/trivy/blob/main/examples/module/spring4shell/README.md Install the Spring4Shell module directly using the Trivy CLI command. This is a convenient way to manage module installations. ```bash $ trivy module install ghcr.io/aquasecurity/trivy-module-spring4shell 2022-06-13T15:32:21.972+0300 INFO Installing the module from ghcr.io/aquasecurity/trivy-module-spring4shell... ``` -------------------------------- ### Serve Documentation Locally Source: https://github.com/aquasecurity/trivy/blob/main/docs/community/contribute/pr.md Build and serve the documentation locally. View the documentation at http://localhost:8000. ```shell $ mage docs:serve ``` -------------------------------- ### Install Trivy on Debian/Ubuntu via DEB package Source: https://github.com/aquasecurity/trivy/blob/main/docs/getting-started/installation.md Installs Trivy using a DEB package downloaded from GitHub Releases. This is useful for direct installation without configuring a repository. ```bash wget https://github.com/aquasecurity/trivy/releases/download/{{ git.tag }}/trivy_{{ git.tag[1:] }}_Linux-64bit.deb sudo dpkg -i trivy_{{ git.tag[1:] }}_Linux-64bit.deb ``` -------------------------------- ### Install Trivy on RHEL/CentOS via RPM Source: https://github.com/aquasecurity/trivy/blob/main/docs/getting-started/installation.md Installs Trivy directly from an RPM package downloaded from GitHub Releases. This method is suitable for systems that prefer direct package installation. ```bash rpm -ivh https://github.com/aquasecurity/trivy/releases/download/{{ git.tag }}/trivy_{{ git.tag[1:] }}_Linux-64bit.rpm ``` -------------------------------- ### Help Option for Download Source: https://github.com/aquasecurity/trivy/blob/main/docs/guide/references/configuration/cli/trivy_vex_repo_download.md Displays help information for the download command. ```bash trivy vex repo download --help ``` -------------------------------- ### List Installed Trivy Plugins Source: https://github.com/aquasecurity/trivy/blob/main/docs/guide/plugin/user-guide.md Display all plugins that are currently installed in the Trivy plugin cache. ```bash $ trivy plugin list ``` -------------------------------- ### Run Trivy Server Source: https://github.com/aquasecurity/trivy/blob/main/docs/guide/references/configuration/cli/trivy_server.md Starts the Trivy server in its default configuration. This command initiates the server process. ```bash trivy server [flags] ``` ```bash # Run a server $ trivy server ``` -------------------------------- ### Trivy Plugin Run Help Options Source: https://github.com/aquasecurity/trivy/blob/main/docs/guide/references/configuration/cli/trivy_plugin_run.md Displays help information for the `trivy plugin run` command, detailing available options. ```bash -h, --help help for run ``` -------------------------------- ### Clone and Navigate to Terraform Demo Directory Source: https://github.com/aquasecurity/trivy/blob/main/docs/tutorials/misconfiguration/terraform.md Clone the Trivy demo repository and navigate into the Terraform misconfiguration example directory. ```bash git clone git@github.com:Cloud-Native-Security/trivy-demo.git cd bad_iac/terraform ``` -------------------------------- ### Example Ansible Playbook Source: https://github.com/aquasecurity/trivy/blob/main/docs/guide/coverage/iac/ansible.md A sample Ansible playbook demonstrating the creation of an S3 bucket with specific region and state. ```yaml - name: Example playbook hosts: localhost connection: local tasks: - name: Create S3 bucket amazon.aws.s3_bucket: name: "{{ bucket_name }}" region: "{{ bucket_region }}" state: present ``` -------------------------------- ### Initialize VEX Repository Configuration Source: https://github.com/aquasecurity/trivy/blob/main/docs/guide/references/configuration/cli/trivy_vex_repo.md Use this command to initialize the configuration file for VEX repositories. ```bash # Initialize the configuration file $ trivy vex repo init ``` -------------------------------- ### Uninstall Help Options Source: https://github.com/aquasecurity/trivy/blob/main/docs/guide/references/configuration/cli/trivy_module_uninstall.md View help information for the uninstall command, including available flags. ```bash trivy module uninstall --help ``` -------------------------------- ### Trivy Module Install Inherited Options Source: https://github.com/aquasecurity/trivy/blob/main/docs/guide/references/configuration/cli/trivy_module_install.md Displays options inherited from parent commands that can be used with trivy module install. ```bash --cacert string Path to PEM-encoded CA certificate file --cache-dir string cache directory (default "/path/to/cache") -c, --config string config path (default "trivy.yaml") -d, --debug debug mode --enable-modules strings [EXPERIMENTAL] module names to enable --generate-default-config write the default config to trivy-default.yaml --insecure allow insecure server connections --module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules") -q, --quiet suppress progress bar and log output --timeout duration timeout (default 5m0s) -v, --version show version ``` -------------------------------- ### Terraform Configuration Example Source: https://github.com/aquasecurity/trivy/blob/main/docs/guide/configuration/filtering.md This is an example of a Terraform resource configuration for an AWS DB security group. It does not contain any filtering logic. ```terraform resource "aws_db_security_group" "sg" { } ``` -------------------------------- ### Install Specific Plugin Version Source: https://github.com/aquasecurity/trivy/blob/main/docs/guide/plugin/developer-guide.md Command to install a specific version of a Trivy plugin from a Git repository using version tags. ```bash $ trivy plugin install referrer@v0.3.0 ``` -------------------------------- ### Install Specific Version of Trivy Plugin Source: https://github.com/aquasecurity/trivy/blob/main/docs/guide/references/configuration/cli/trivy_plugin_install.md Installs a specific version of a plugin from the plugin index by appending the version tag to the plugin name. ```bash # Specify the version of the plugin to install $ trivy plugin install referrer@v0.3.0 ``` -------------------------------- ### List Installed Trivy Plugins Source: https://github.com/aquasecurity/trivy/blob/main/docs/guide/references/configuration/cli/trivy_plugin_list.md Run this command to see a list of all plugins currently installed with Trivy. This helps in managing your Trivy extensions. ```bash trivy plugin list ``` -------------------------------- ### Scan RPM Archives for Vulnerabilities Source: https://github.com/aquasecurity/trivy/blob/main/docs/guide/coverage/others/rpm.md This example demonstrates the workflow for scanning RPM archives for vulnerabilities. It involves generating an SBOM, manually adding OS information, and then scanning the modified SBOM. ```shell $ TRIVY_EXPERIMENTAL_RPM_ARCHIVE=true trivy fs ./rpms -f cyclonedx -o rpms.cdx.json $ jq '(.components[] | select(.type == "operating-system")) |= (.name = "redhat" | .version = "7.9")' rpms.cdx.json > rpms-res.cdx.json $ trivy sbom ./rpms-res.cdx.json ``` -------------------------------- ### Launch Trivy Server Source: https://github.com/aquasecurity/trivy/blob/main/docs/guide/references/modes/client-server.md Start the Trivy server, which automatically downloads and updates the vulnerability database. It listens on localhost by default. ```bash $ trivy server --listen localhost:8080 2019-12-12T15:17:06.551+0200 INFO Need to update DB 2019-12-12T15:17:56.706+0200 INFO Reopening DB... 2019-12-12T15:17:56.707+0200 INFO Listening localhost:8080... ``` -------------------------------- ### List VEX Repositories Source: https://github.com/aquasecurity/trivy/blob/main/docs/guide/references/configuration/cli/trivy_vex_repo.md Use this command to list all configured VEX repositories. ```bash # List VEX repositories $ trivy vex repo list ``` -------------------------------- ### Example CycloneDX SBOM Output Source: https://github.com/aquasecurity/trivy/blob/main/docs/guide/supply-chain/sbom.md This is an example of the JSON output generated in CycloneDX format, detailing metadata, components, and dependencies of a scanned artifact. ```json { "bomFormat": "CycloneDX", "specVersion": "1.3", "serialNumber": "urn:uuid:2be5773d-7cd3-4b4b-90a5-e165474ddace", "version": 1, "metadata": { "timestamp": "2022-02-22T15:11:40.270597Z", "tools": [ { "vendor": "aquasecurity", "name": "trivy", "version": "dev" } ], "component": { "bom-ref": "pkg:oci/alpine@sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300?repository_url=index.docker.io%2Flibrary%2Falpine&arch=amd64", "type": "container", "name": "alpine:3.15", "version": "", "purl": "pkg:oci/alpine@sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300?repository_url=index.docker.io%2Flibrary%2Falpine&arch=amd4", "properties": [ { "name": "aquasecurity:trivy:SchemaVersion", "value": "2" }, { "name": "aquasecurity:trivy:ImageID", "value": "sha256:c059bfaa849c4d8e4aecaeb3a10c2d9b3d85f5165c66ad3a4d937758128c4d18" }, { "name": "aquasecurity:trivy:RepoDigest", "value": "alpine@sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300" }, { "name": "aquasecurity:trivy:DiffID", "value": "sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759" }, { "name": "aquasecurity:trivy:RepoTag", "value": "alpine:3.15" } ] } }, "components": [ { "bom-ref": "pkg:apk/alpine/alpine-baselayout@3.2.0-r18?distro=3.15.0", "type": "library", "name": "alpine-baselayout", "version": "3.2.0-r18", "licenses": [ { "expression": "GPL-2.0-only" } ], "purl": "pkg:apk/alpine/alpine-baselayout@3.2.0-r18?distro=3.15.0", "properties": [ { "name": "aquasecurity:trivy:SrcName", "value": "alpine-baselayout" }, { "name": "aquasecurity:trivy:SrcVersion", "value": "3.2.0-r18" }, { "name": "aquasecurity:trivy:LayerDigest", "value": "sha256:59bf1c3509f33515622619af21ed55bbe26d24913cedbca106468a5fb37a50c3" }, { "name": "aquasecurity:trivy:LayerDiffID", "value": "sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759" } ] }, ...(snip)... { "bom-ref": "pkg:apk/alpine/zlib@1.2.11-r3?distro=3.15.0", "type": "library", "name": "zlib", "version": "1.2.11-r3", "licenses": [ { "expression": "Zlib" } ], "purl": "pkg:apk/alpine/zlib@1.2.11-r3?distro=3.15.0", "properties": [ { "name": "aquasecurity:trivy:SrcName", "value": "zlib" }, { "name": "aquasecurity:trivy:SrcVersion", "value": "1.2.11-r3" }, { "name": "aquasecurity:trivy:LayerDigest", "value": "sha256:59bf1c3509f33515622619af21ed55bbe26d24913cedbca106468a5fb37a50c3" }, { "name": "aquasecurity:trivy:LayerDiffID", "value": "sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759" } ] }, { "bom-ref": "3da6a469-964d-4b4e-b67d-e94ec7c88d37", "type": "operating-system", "name": "alpine", "version": "3.15.0", "properties": [ { "name": "aquasecurity:trivy:Type", "value": "alpine" }, { "name": "aquasecurity:trivy:Class", "value": "os-pkgs" } ] } ], "dependencies": [ { "ref": "3da6a469-964d-4b4e-b67d-e94ec7c88d37", "dependsOn": [ "pkg:apk/alpine/alpine-baselayout@3.2.0-r18?distro=3.15.0", "pkg:apk/alpine/alpine-keys@2.4-r1?distro=3.15.0", "pkg:apk/alpine/apk-tools@2.12.7-r3?distro=3.15.0", "pkg:apk/alpine/busybox@1.34.1-r3?distro=3.15.0", "pkg:apk/alpine/ca-certificates-bundle@20191127-r7?distro=3.15.0", "pkg:apk/alpine/libc-utils@0.7.2-r3?distro=3.15.0", "pkg:apk/alpine/libcrypto1.1@1.1.1l-r7?distro=3.15.0", "pkg:apk/alpine/libretls@3.3.4-r2?distro=3.15.0", "pkg:apk/alpine/libssl1.1@1.1.1l-r7?distro=3.15.0", "pkg:apk/alpine/musl@1.2.2-r7?distro=3.15.0", "pkg:apk/alpine/musl-utils@1.2.2-r7?distro=3.15.0", "pkg:apk/alpine/scanelf@1.3.3-r0?distro=3.15.0", "pkg:apk/alpine/ssl_client@1.34.1-r3?distro=3.15.0", "pkg:apk/alpine/zlib@1.2.11-r3?distro=3.15.0" ] }, { ``` -------------------------------- ### Example OPA Trace Output Source: https://github.com/aquasecurity/trivy/blob/main/docs/guide/scanner/misconfiguration/custom/debug.md This is an example of the detailed trace output generated by the --trace-rego flag, illustrating the evaluation of a Rego query. ```text ID: DS001 File: Dockerfile Namespace: builtin.dockerfile.DS001 Query: data.builtin.dockerfile.DS001.deny Message: Specify a tag in the 'FROM' statement for image 'alpine' TRACE Enter data.builtin.dockerfile.DS001.deny = _ TRACE | Eval data.builtin.dockerfile.DS001.deny = _ TRACE | Index data.builtin.dockerfile.DS001.deny (matched 1 rule) TRACE | Enter data.builtin.dockerfile.DS001.deny TRACE | | Eval output = data.builtin.dockerfile.DS001.fail_latest[_] TRACE | | Index data.builtin.dockerfile.DS001.fail_latest (matched 1 rule) TRACE | | Enter data.builtin.dockerfile.DS001.fail_latest TRACE | | | Eval output = data.builtin.dockerfile.DS001.image_tags[_] TRACE | | | Index data.builtin.dockerfile.DS001.image_tags (matched 2 rules) TRACE | | | Enter data.builtin.dockerfile.DS001.image_tags TRACE | | | | Eval from = data.lib.docker.from[_] TRACE | | | | Index data.lib.docker.from (matched 1 rule) TRACE | | | | Enter data.lib.docker.from TRACE | | | | | Eval instruction = input.stages[_][_] TRACE | | | | | Eval instruction.Cmd = "from" TRACE | | | | | Exit data.lib.docker.from TRACE | | | | Redo data.lib.docker.from TRACE | | | | | Redo instruction.Cmd = "from" TRACE | | | | | Redo instruction = input.stages[_][_] TRACE | | | | | Eval instruction.Cmd = "from" TRACE | | | | | Fail instruction.Cmd = "from" TRACE | | | | | Redo instruction = input.stages[_][_] TRACE | | | | | Eval instruction.Cmd = "from" TRACE | | | | | Fail instruction.Cmd = "from" TRACE | | | | | Redo instruction = input.stages[_][_] TRACE | | | | Eval name = from.Value[0] TRACE | | | | Eval not startswith(name, "$") TRACE | | | | Enter startswith(name, "$") TRACE | | | | | Eval startswith(name, "$") TRACE | | | | | Fail startswith(name, "$") TRACE | | | | Eval data.builtin.dockerfile.DS001.parse_tag(name, __local505__) TRACE | | | | Index data.builtin.dockerfile.DS001.parse_tag (matched 2 rules) TRACE | | | | Enter data.builtin.dockerfile.DS001.parse_tag TRACE | | | | | Eval split(name, ":", __local504__) TRACE | | | | | Eval [img, tag] = __local504__ TRACE | | | | | Exit data.builtin.dockerfile.DS001.parse_tag TRACE | | | | Eval [img, tag] = __local505__ TRACE | | | | Eval output = {"cmd": from, "img": img, "tag": tag} TRACE | | | | Exit data.builtin.dockerfile.DS001.image_tags TRACE | | | Redo data.builtin.dockerfile.DS001.image_tags TRACE | | | | Redo output = {"cmd": from, "img": img, "tag": tag} TRACE | | | | Redo [img, tag] = __local505__ TRACE | | | | Redo data.builtin.dockerfile.DS001.parse_tag(name, __local505__) TRACE | | | | Redo data.builtin.dockerfile.DS001.parse_tag ``` -------------------------------- ### Trivy Registry Help Options Source: https://github.com/aquasecurity/trivy/blob/main/docs/guide/references/configuration/cli/trivy_registry.md Displays help information for the 'trivy registry' command. ```bash trivy registry --help ``` -------------------------------- ### Initialize Trivy VEX Repo Configuration Source: https://github.com/aquasecurity/trivy/blob/main/docs/guide/references/configuration/cli/trivy_vex_repo_init.md Use this command to initialize a configuration file for Trivy VEX repositories. It accepts several flags to modify its behavior. ```bash trivy vex repo init [flags] ``` -------------------------------- ### Install Trivy using MacPorts Source: https://github.com/aquasecurity/trivy/blob/main/docs/getting-started/installation.md Installs Trivy on macOS using the MacPorts package manager. This command is for users who prefer MacPorts for managing their software. ```bash sudo port install trivy ```