Trivy is a vulnerability scanner that can scan container images, filesystems and Git repositories, and it also finds configuration problems and hard-coded passwords.
Introduction
Scan targets:
- Container Image
- Filesystem
- Git repository (remote)
- Kubernetes cluster or resource
Scanners:
- OS packages and software dependencies in use (SBOM)
- Known vulnerabilities (CVEs)
- IaC misconfigurations
- Sensitive information and secrets
Installation
- ubuntu
sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy
# or
wget https://github.com/aquasecurity/trivy/releases/download/v0.31.2/trivy_0.31.2_Linux-64bit.deb
sudo dpkg -i trivy_0.31.2_Linux-64bit.deb
- others
yum install trivy
brew install aquasecurity/trivy/trivy
sudo port install trivy
docker run aquasec/trivy
Usage
trivy <target> [--security-checks <scanner1,scanner2>] TARGET_NAME
Notes:
- At runtime, the ghcr.io/aquasecurity/trivy-db vulnerability database is downloaded from https://ghcr.io/v2/
- Image scan
trivy image python:3.4-alpine
- Filesystem scan
trivy fs --security-checks vuln,secret,config myproject/
- k8s cluster scan
trivy k8s --report summary cluster
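To act on these scans in a pipeline, the following added example (not part of the original page or of Trivy's own code) reads a report produced with Trivy's --format json flag, counts findings per scanner and decides whether the build should fail. The sample report, its placeholder IDs and the gating policy are constructed for illustration, and the field names (Results, Vulnerabilities, Misconfigurations, Secrets, Severity) follow Trivy's JSON report layout as an assumption.

```python
import json
from collections import Counter

# Gating policy chosen for this example (assumption): HIGH/CRITICAL vulns and misconfigs block,
# and any detected secret blocks regardless of its severity.
FAIL_ON = {"HIGH", "CRITICAL"}

# Constructed sample shaped like `trivy <target> --format json` output (fields abbreviated,
# IDs are placeholders rather than real advisories).
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "python:3.4-alpine (alpine 3.9.2)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "musl", "Severity": "HIGH",
         "InstalledVersion": "1.1.20-r4", "FixedVersion": "1.1.20-r5"},
        {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "openssl", "Severity": "LOW",
         "InstalledVersion": "1.1.1a-r1", "FixedVersion": ""}]},
    {"Target": "myproject/Dockerfile", "Misconfigurations": [
        {"ID": "EXAMPLE-DS-001", "Severity": "MEDIUM", "Title": "container runs as root"}]},
    {"Target": "myproject/config.py", "Secrets": [
        {"RuleID": "example-api-key", "Severity": "LOW", "Title": "hard-coded API key"}]},
]})

def summarize(report_json: str) -> dict:
    """Count findings per scanner (vuln / config / secret) and per severity."""
    summary = {"vuln": Counter(), "config": Counter(), "secret": Counter()}
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            summary["vuln"][v["Severity"]] += 1
        for m in result.get("Misconfigurations") or []:
            summary["config"][m["Severity"]] += 1
        for s in result.get("Secrets") or []:
            summary["secret"][s["Severity"]] += 1
    return summary

def blocking_findings(report_json: str, fail_on=FAIL_ON) -> list:
    """Return the reasons a scan should fail the gate; an empty list means it passes."""
    reasons = []
    for result in json.loads(report_json).get("Results", []):
        target = result.get("Target", "?")
        for v in result.get("Vulnerabilities") or []:
            if v["Severity"] in fail_on:
                fix = v.get("FixedVersion") or "no fix available"
                reasons.append(f"{target}: {v['VulnerabilityID']} in {v['PkgName']} "
                               f"({v['Severity']}, fix: {fix})")
        for m in result.get("Misconfigurations") or []:
            if m["Severity"] in fail_on:
                reasons.append(f"{target}: misconfiguration {m['ID']} ({m['Severity']})")
        for s in result.get("Secrets") or []:  # secrets always block
            reasons.append(f"{target}: secret {s['RuleID']} ({s['Severity']})")
    return reasons
```

For a real run, save the output of `trivy image --format json <image>` (or the fs/k8s variants above) to a file and pass its contents to blocking_findings; a non-empty list is the signal to fail the job.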