Connectivity and Network considerations

Trivy requires internet connectivity in order to function normally. If your organization blocks or restricts outbound network traffic, Trivy may fail to update its databases or to complete some scans. This document lists Trivy's network connectivity requirements and explains how to configure Trivy for restricted network environments, including completely air-gapped ones.

The following table lists all external resources that are required by Trivy:

External Resource                    Feature                                      Details
Vulnerability Database               Vulnerability scanning                       Trivy DB
Java Vulnerability Database          Java vulnerability scanning                  Trivy Java DB
Checks Bundle                        Misconfiguration scanning                    Trivy Checks
VEX Hub                              VEX statements for vulnerability filtering   VEX Hub
Maven Central / Remote Repositories  Java vulnerability scanning                  Java Scanner / Remote Repositories

Note

Trivy is an open source project that relies on free public infrastructure. Under heavy load you may encounter rate limiting when Trivy connects to these external resources.

The rest of this document details each resource's connectivity requirements and network related considerations.

OCI Databases

Trivy's Vulnerability Database, Java Vulnerability Database, and Checks Bundle are packaged as OCI images and stored in public container registries.

Connectivity requirements

The specific registries and locations are detailed in the databases document.

Communication with OCI Registries follows the OCI Distribution spec.

The following hosts are known to be used by the default container registries:

Registry                   Hosts                                   Additional info
Google Artifact Registry   mirror.gcr.io                           Google's IP addresses
                           googlecode.l.googleusercontent.com
GitHub Container Registry  ghcr.io                                 GitHub's IP addresses
                           pkg-containers.githubusercontent.com
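To see why each registry needs more than one host allowlisted, here is the pull flow from the OCI Distribution spec written out as an added example. It is not Trivy's code (Trivy does the equivalent in Go); it fetches a manifest, answers the registry's anonymous bearer-token challenge, follows the redirect that blob downloads receive to a separate content host, and collects every host it contacted, which is the list an egress allowlist must contain. The repository name `aquasecurity/trivy-db` and the tag `2` are assumptions used for illustration; take the real locations from the databases document. The `fake_ghcr` transport is a constructed stand-in so the block runs offline; passing `https_get` instead performs the real requests.

```python
"""OCI Distribution pull flow as Trivy's database download uses it, recording every
host contacted. Added example (not Trivy's code), standard library only. Steps:
manifest GET -> 401 Bearer challenge -> token GET -> manifest GET with token ->
blob GET -> redirect to a content host (the second host per registry in the table).
"""
import http.client
import json
import re
from urllib.parse import urlencode, urlparse

MANIFEST_TYPES = "application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json"

def parse_bearer_challenge(header):
    """'Bearer realm="...",service="...",scope="..."' -> dict of those fields."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("unsupported auth scheme: " + scheme)
    return dict(re.findall(r'(\w+)="([^"]*)"', params))

def token_url(challenge):
    """Token endpoint URL built from the challenge (distribution token flow)."""
    query = {k: challenge[k] for k in ("service", "scope") if k in challenge}
    return challenge["realm"] + "?" + urlencode(query)

def https_get(url, headers):
    """Real transport: one GET via http.client, so redirects are NOT followed."""
    u = urlparse(url)
    conn = http.client.HTTPSConnection(u.hostname, u.port or 443, timeout=30)
    conn.request("GET", u.path + ("?" + u.query if u.query else ""), headers=headers)
    resp = conn.getresponse()
    return resp.status, dict(resp.getheaders()), resp.read()

class Puller:
    def __init__(self, get=https_get):
        self.get = get          # transport: (url, headers) -> (status, headers, body)
        self.auth = {}          # Authorization header once a token has been issued
        self.hosts = set()      # every host contacted: what the egress allowlist needs

    def _get(self, url, headers):
        self.hosts.add(urlparse(url).hostname)
        status, hdrs, body = self.get(url, headers)
        return status, {k.lower(): v for k, v in hdrs.items()}, body

    def fetch(self, url, extra_headers, max_hops=5):
        """GET with bearer-challenge handling and manual redirect following."""
        headers = dict(extra_headers, **self.auth)
        for _ in range(max_hops):
            status, hdrs, body = self._get(url, headers)
            if status == 401 and "www-authenticate" in hdrs:
                challenge = parse_bearer_challenge(hdrs["www-authenticate"])
                st, _, tok = self._get(token_url(challenge), {})
                if st != 200:
                    raise RuntimeError("token request failed with HTTP %d" % st)
                # ghcr.io answers with "token"; some registries use "access_token" instead
                self.auth = {"Authorization": "Bearer " + json.loads(tok)["token"]}
                headers = dict(extra_headers, **self.auth)
            elif status in (301, 302, 303, 307, 308):
                url = hdrs["location"]
                headers = dict(extra_headers)   # never forward the registry token to the content host
            elif status == 200:
                return hdrs, body
            else:
                raise RuntimeError("%s -> HTTP %d" % (url, status))
        raise RuntimeError("gave up after %d hops on %s" % (max_hops, url))

    def pull(self, registry, repo, ref):
        """Fetch the manifest and every layer blob; return (manifest, layer digests)."""
        base = "https://%s/v2/%s" % (registry, repo)
        _, body = self.fetch(base + "/manifests/" + ref, {"Accept": MANIFEST_TYPES})
        manifest = json.loads(body)
        layers = [layer["digest"] for layer in manifest.get("layers", [])]
        for digest in layers:
            self.fetch(base + "/blobs/" + digest, {})   # body dropped; a mirror would store it
        return manifest, layers

def fake_ghcr(url, headers):
    """Constructed stand-in for ghcr.io so the flow runs offline: anonymous pulls
    need a token, and blob GETs redirect to pkg-containers.githubusercontent.com."""
    u = urlparse(url)
    if u.hostname == "ghcr.io" and u.path == "/token":
        return 200, {}, b'{"token":"example-token"}'
    if u.hostname == "ghcr.io" and u.path.startswith("/v2/"):
        if headers.get("Authorization") != "Bearer example-token":
            return 401, {"WWW-Authenticate": 'Bearer realm="https://ghcr.io/token",'
                         'service="ghcr.io",scope="repository:aquasecurity/trivy-db:pull"'}, b""
        if "/manifests/" in u.path:
            manifest = {"schemaVersion": 2, "layers": [{"digest": "sha256:" + "ab" * 32}]}
            return 200, {}, json.dumps(manifest).encode()
        cdn = "https://pkg-containers.githubusercontent.com/blobs/" + u.path.rsplit("/", 1)[1]
        return 307, {"Location": cdn}, b""
    if u.hostname == "pkg-containers.githubusercontent.com":
        return 200, {}, b"<layer bytes>"
    return 404, {}, b""

def demo():
    puller = Puller(fake_ghcr)
    puller.pull("ghcr.io", "aquasecurity/trivy-db", "2")   # repository and tag assumed
    return puller.hosts

if __name__ == "__main__":
    print("hosts to allowlist:", sorted(demo()))   # use Puller() for the real registry
```

Two details matter for restricted networks. The token endpoint lives on the registry host, but the blob bytes come from the redirect target, so allowlisting only ghcr.io or mirror.gcr.io lets the manifest through and breaks every download after it. And the bearer token issued by the registry should not be forwarded to the redirect target, which the code enforces by rebuilding the headers from scratch on every redirect.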

Self-hosting

You can host Trivy's databases in your own container registry. Please refer to Self-hosting document for a detailed guide.

Embedded Checks

The Checks Bundle is embedded in the Trivy binary (at build time) and is used as a fallback when the external bundle cannot be downloaded. This means that you can still scan for misconfigurations in an air-gapped environment, using the checks as they were at the time of the Trivy release you are running; to pick up newer checks in such an environment you need either a newer Trivy release or a self-hosted copy of the bundle.

VEX Hub

Connectivity Requirements

VEX Hub is hosted at https://github.com/aquasecurity/vexhub.

Trivy fetches the VEX Hub GitHub repository directly with plain HTTPS requests; no git client is involved.

The following hosts are known to be used by GitHub's services:

  • api.github.com
  • codeload.github.com

For more information about GitHub connectivity (including specific IP addresses), please refer to GitHub's connectivity troubleshooting guide.

Self-hosting

You can host a copy of VEX Hub on your own internal server. Please refer to the self-hosting document for a detailed guide.

Maven Central / Remote Repositories

Trivy might call out to Maven Central or other remote repositories in order to correctly identify Java packages during a vulnerability scan, for example a JAR whose group and artifact IDs cannot be determined from its own metadata.

Connectivity requirements

Trivy might attempt to connect (over HTTPS) to the following URLs:

  • https://repo.maven.apache.org/maven2

Offline mode

There is no supported way to use Maven Central from a network-restricted environment, but you can stop Trivy from trying to reach it with the --offline-scan flag. With that flag Trivy identifies Java packages from local metadata only, so artifacts that would have needed the remote lookup may be reported less precisely.
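Before configuring any of the workarounds above, it helps to know which of the hosts on this page is actually unreachable from the scanner, and whether the cause is a firewall rule or a TLS-intercepting proxy. The following pre-flight check is an added example and not part of Trivy. It covers every host named in this document, honours HTTPS_PROXY the way Trivy does (through an HTTP CONNECT tunnel) and verifies each server certificate against the system trust store, so an intercepting proxy whose CA is not installed on the scanner host shows up as a TLS verification failure instead of an opaque download error. The host list is copied from this page; the proxy default ports are the example's own assumptions.

```python
"""Pre-flight egress check for the hosts Trivy needs (added example, not Trivy
code; standard library only).

For each host it attempts a TCP connect, tunnelled through HTTPS_PROXY with an
HTTP CONNECT when that variable is set (Trivy honours it too), then a TLS
handshake with certificate and hostname verification. The pair of results tells
the failure modes apart: tcp=False is a firewall or DNS problem; tcp=True with
a TLS verification error is a TLS-intercepting proxy whose CA the scanner host
does not trust. NO_PROXY is deliberately not handled here.
"""
import os
import socket
import ssl
from urllib.parse import urlparse

# (host, what Trivy uses it for), taken from the tables and lists on this page.
REQUIRED_ENDPOINTS = [
    ("ghcr.io", "OCI databases (GitHub Container Registry)"),
    ("pkg-containers.githubusercontent.com", "OCI databases (used with ghcr.io)"),
    ("mirror.gcr.io", "OCI databases (Google Artifact Registry)"),
    ("googlecode.l.googleusercontent.com", "OCI databases (used with mirror.gcr.io)"),
    ("api.github.com", "VEX Hub"),
    ("codeload.github.com", "VEX Hub"),
    ("repo.maven.apache.org", "Maven Central lookups (skipped with --offline-scan)"),
]

def parse_proxy(value):
    """HTTPS_PROXY value such as http://proxy.corp.example:3128 -> (host, port).
    Assumption: a missing port means 443 for https:// and 80 otherwise."""
    u = urlparse(value if "://" in value else "http://" + value)
    return u.hostname, u.port or (443 if u.scheme == "https" else 80)

def connect_request(host, port):
    """The HTTP CONNECT request a client sends to tunnel TLS through a forward proxy."""
    return ("CONNECT %s:%d HTTP/1.1\r\nHost: %s:%d\r\n\r\n" % (host, port, host, port)).encode()

def open_tcp(host, port, timeout, proxy=None):
    """Connected TCP socket to host:port, via proxy=(phost, pport) when given."""
    if proxy is None:
        return socket.create_connection((host, port), timeout=timeout)
    sock = socket.create_connection(proxy, timeout=timeout)
    sock.sendall(connect_request(host, port))
    reply = b""
    while b"\r\n\r\n" not in reply:          # read the proxy's status line and headers
        chunk = sock.recv(1024)
        if not chunk:
            sock.close()
            raise OSError("proxy closed the connection during CONNECT")
        reply += chunk
    status_line = reply.split(b"\r\n", 1)[0]
    if not status_line.startswith(b"HTTP/1.") or b" 200" not in status_line:
        sock.close()
        raise OSError("proxy refused CONNECT: " + status_line.decode(errors="replace"))
    return sock

def check_endpoint(host, port=443, timeout=5.0, proxy=None):
    """Return (tcp_ok, tls_ok, detail); detail names the failing layer or the cert issuer."""
    try:
        sock = open_tcp(host, port, timeout, proxy)
    except OSError as err:
        return False, False, "tcp: %s" % err
    ctx = ssl.create_default_context()      # verifies chain and hostname against the system store
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls_sock:
            issuer = dict(rdn[0] for rdn in tls_sock.getpeercert()["issuer"])
            return True, True, "tls: ok, issuer=%s" % issuer.get("organizationName", "?")
    except ssl.SSLCertVerificationError as err:
        return True, False, "tls: verification failed (intercepting proxy?): %s" % err.verify_message
    except (ssl.SSLError, OSError) as err:
        return True, False, "tls: %s" % err
    finally:
        sock.close()

def run(endpoints=REQUIRED_ENDPOINTS, timeout=5.0):
    """Check every endpoint on port 443; returns {host: (tcp_ok, tls_ok, detail)}."""
    proxy_env = os.environ.get("HTTPS_PROXY") or os.environ.get("https_proxy")
    proxy = parse_proxy(proxy_env) if proxy_env else None
    return {host: check_endpoint(host, 443, timeout, proxy) for host, _ in endpoints}

if __name__ == "__main__":
    purposes = dict(REQUIRED_ENDPOINTS)
    for host, (tcp_ok, tls_ok, detail) in run().items():
        print("%-38s tcp=%-5s tls=%-5s %s  [%s]" % (host, tcp_ok, tls_ok, detail, purposes[host]))
```

Run it on the host (or inside the container image) where Trivy actually runs, with the same proxy variables. A tcp=False row needs a firewall rule or a self-hosted mirror of that resource; a tls=False row with a verification error needs the proxy's CA added to the scanner's trust store. Keep in mind that --offline-scan only removes the Maven Central call; the database hosts still have to be reachable or replaced by a self-hosted registry.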