SBOM
Scan SBOM for vulnerabilities
Usage:
trivy sbom [flags] SBOM_PATH
Examples:
# Scan CycloneDX and show the result in tables
$ trivy sbom /path/to/report.cdx
# Scan CycloneDX and generate a CycloneDX report
$ trivy sbom --format cyclonedx /path/to/report.cdx
Scan Flags
--offline-scan do not issue API requests to identify dependencies
--security-checks string comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
--skip-dirs string specify the directories where the traversal is skipped
--skip-files string specify the file paths to skip traversal
Report Flags
--dependency-tree show dependency origin tree (EXPERIMENTAL)
--exit-code int specify exit code when any security issues are found
-f, --format string format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default "table")
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignorefile string specify .trivyignore file (default ".trivyignore")
--list-all-pkgs enabling the option will output all packages regardless of vulnerability
-o, --output string output file name
-s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
-t, --template string output template
Cache Flags
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--clear-cache clear image caches without scanning
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
DB Flags
--db-repository string OCI repository to retrieve trivy-db from" (default "ghcr.io/aquasecurity/trivy-db")
--download-db-only download/update vulnerability database but don't run a scan
--no-progress suppress progress bar
--reset remove all caches and database
--skip-db-update skip updating vulnerability database
Vulnerability Flags
--ignore-unfixed display only fixed vulnerabilities
--vuln-type string comma-separated list of vulnerability types (os,library) (default "os,library")
Client/Server Flags
--custom-headers strings custom headers in client mode
--server string server address in client mode
--token string for authentication in client/server mode
--token-header string specify a header name for token in client/server mode (default "Trivy-Token")
Global Flags:
--cache-dir string cache directory (default "/Users/teppei/Library/Caches/trivy")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--insecure allow insecure server connections when using TLS
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version