Code Repository¶
Scan your local or remote code repositories for
- Vulnerabilities
- Misconfigurations
- Secrets
- Licenses
By default, vulnerability and secret scanning are enabled, and you can configure that with --scanners
.
$ trivy repo (REPO_PATH | REPO_URL)
For example, you can scan a local repository as below.
$ trivy repo ./
It's also possible to scan a single file.
$ trivy repo ./trivy-ci-test/Pipfile.lock
To scan remote code repositories, you need to specify the URL.
$ trivy repo https://github.com/aquasecurity/trivy-ci-test
Rationale¶
trivy repo
is designed to scan code repositories, and it is intended to be used for scanning local/remote repositories in your machine or in your CI environment.
Therefore, unlike container/VM image scanning, it targets lock files such as package-lock.json and does not target artifacts like JAR files, binary files, etc.
See here for the detail.
Scanners¶
Vulnerabilities¶
It is enabled by default. Trivy will look for vulnerabilities based on lock files such as Gemfile.lock and package-lock.json. See here for the detail.
$ trivy repo ~/src/github.com/aquasecurity/trivy-ci-test
Result
2020-06-01T17:06:58.652+0300 WARN OS is not detected and vulnerabilities in OS packages are not detected.
2020-06-01T17:06:58.652+0300 INFO Detecting pipenv vulnerabilities...
2020-06-01T17:06:58.691+0300 INFO Detecting cargo vulnerabilities...
Pipfile.lock
============
Total: 10 (UNKNOWN: 2, LOW: 0, MEDIUM: 6, HIGH: 2, CRITICAL: 0)
+---------------------+------------------+----------+-------------------+------------------------+------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+---------------------+------------------+----------+-------------------+------------------------+------------------------------------+
| django | CVE-2020-7471 | HIGH | 2.0.9 | 3.0.3, 2.2.10, 1.11.28 | django: potential |
| | | | | | SQL injection via |
| | | | | | StringAgg(delimiter) |
+ +------------------+----------+ +------------------------+------------------------------------+
| | CVE-2019-19844 | MEDIUM | | 3.0.1, 2.2.9, 1.11.27 | Django: crafted email address |
| | | | | | allows account takeover |
+ +------------------+ + +------------------------+------------------------------------+
| | CVE-2019-3498 | | | 2.1.5, 2.0.10, 1.11.18 | python-django: Content |
| | | | | | spoofing via URL path in |
| | | | | | default 404 page |
+ +------------------+ + +------------------------+------------------------------------+
| | CVE-2019-6975 | | | 2.1.6, 2.0.11, 1.11.19 | python-django: |
| | | | | | memory exhaustion in |
| | | | | | django.utils.numberformat.format() |
+---------------------+------------------+----------+-------------------+------------------------+------------------------------------+
...
Misconfigurations¶
It is disabled by default and can be enabled with --scanners misconfig
.
See here for the detail.
$ trivy repo --scanners misconfig (REPO_PATH | REPO_URL)
Secrets¶
It is enabled by default. See here for the detail.
$ trivy repo (REPO_PATH | REPO_URL)
Licenses¶
It is disabled by default. See here for the detail.
$ trivy repo --scanners license (REPO_PATH | REPO_URL)
SBOM generation¶
Trivy can generate SBOM for code repositories. See here for the detail.
References¶
The following flags and environmental variables are available for remote git repositories.
Scanning a Branch¶
Pass a --branch
argument with a valid branch name on the remote repository provided:
$ trivy repo --branch <branch-name> <repo-name>
Scanning upto a Commit¶
Pass a --commit
argument with a valid commit hash on the remote repository provided:
$ trivy repo --commit <commit-hash> <repo-name>
Scanning a Tag¶
Pass a --tag
argument with a valid tag on the remote repository provided:
$ trivy repo --tag <tag-name> <repo-name>
Scanning Private Repositories¶
In order to scan private GitHub or GitLab repositories, the environment variable GITHUB_TOKEN
or GITLAB_TOKEN
must be set, respectively, with a valid token that has access to the private repository being scanned.
The GITHUB_TOKEN
environment variable will take precedence over GITLAB_TOKEN
, so if a private GitLab repository will be scanned, then GITHUB_TOKEN
must be unset.
You can find how to generate your GitHub Token in the following GitHub documentation.
For example:
$ export GITHUB_TOKEN="your_private_github_token"
$ trivy repo <your private GitHub repo URL>
# or
$ export GITLAB_TOKEN="your_private_gitlab_token"
$ trivy repo <your private GitLab repo URL>