Installation
RHEL/CentOS
Add repository setting to /etc/yum.repos.d.
RELEASE_VERSION=$(grep -Po '(?<=VERSION_ID=")[0-9]' /etc/os-release)
cat << EOF | sudo tee -a /etc/yum.repos.d/trivy.repo
[trivy]
name=Trivy repository
baseurl=https://aquasecurity.github.io/trivy-repo/rpm/releases/$RELEASE_VERSION/\$basearch/
gpgcheck=0
enabled=1
EOF
sudo yum -y update
sudo yum -y install trivy
rpm -ivh https://github.com/aquasecurity/trivy/releases/download/v0.31.3/trivy_0.31.3_Linux-64bit.rpm
Debian/Ubuntu
Add repository setting to /etc/apt/sources.list.d.
sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy
wget https://github.com/aquasecurity/trivy/releases/download/v0.31.3/trivy_0.31.3_Linux-64bit.deb
sudo dpkg -i trivy_0.31.3_Linux-64bit.deb
Arch Linux
Package trivy-bin can be installed from the Arch User Repository.
pikaur -Sy trivy-bin
yay -Sy trivy-bin
Homebrew
You can use homebrew on macOS and Linux.
brew install aquasecurity/trivy/trivy
MacPorts
You can also install trivy via MacPorts on macOS:
sudo port install trivy
More info here.
Nix/NixOS
Direct issues installing trivy via nix through the channels mentioned here.
You can use nix on Linux or macOS and on other platforms unofficially.
nix-env --install -A nixpkgs.trivy
Or through your configuration as usual
NixOS:
  # your other config ...
  environment.systemPackages = with pkgs; [
    # your other packages ...
    trivy
  ];
home-manager:
  # your other config ...
  home.packages = with pkgs; [
    # your other packages ...
    trivy
  ];
Install Script
This script downloads Trivy binary based on your OS and architecture.
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.31.3
Binary
Download the archive file for your operating system/architecture from here.
Unpack the archive, and put the binary somewhere in your $PATH (on UNIX-y systems, /usr/local/bin or the like).
Make sure it has execution bits turned on.
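The steps above as a shell function, with one check added before unpacking: the archive's SHA-256 is compared against a checksum list. This is an added example, not part of the original page or Trivy's own tooling; the function names, the sha256sum-style checksum file and the stub archive built in demo are assumptions made for the illustration.

```shell
#!/bin/sh
# Verify a release archive against a checksum list, then install only the
# trivy binary with execute bits set. Added example, not Trivy project code.

sha256_of() {  # sha256sum on Linux, shasum on macOS
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | awk '{ print $1 }'
}

# install_trivy_archive ARCHIVE CHECKSUMS DEST_DIR
# Assumption: CHECKSUMS uses sha256sum format, "<hex digest>  <file name>".
install_trivy_archive() {
    archive=$1 sums=$2 dest=$3
    name=$(basename "$archive")
    # Digest published for exactly this file name; refuse if it is not listed.
    expected=$(awk -v f="$name" '$2 == f || $2 == ("*" f) { print $1; exit }' "$sums")
    [ -n "$expected" ] || { echo "no checksum listed for $name" >&2; return 2; }
    [ "$(sha256_of "$archive")" = "$expected" ] ||
        { echo "checksum mismatch for $name" >&2; return 3; }
    # Unpack in a scratch directory so only the binary reaches DEST_DIR.
    work=$(mktemp -d) || return 1
    tar -xzf "$archive" -C "$work" trivy || { rm -rf "$work"; return 4; }
    install -m 0755 "$work/trivy" "$dest/trivy" || { rm -rf "$work"; return 5; }
    rm -rf "$work"
}

# Constructed sample: a stub "trivy" script packed as the function expects.
# Prints the outcome for an intact archive, then for one changed afterwards.
demo() {
    d=$(mktemp -d) && mkdir "$d/bin"
    printf '#!/bin/sh\necho stub\n' > "$d/trivy"
    tar -czf "$d/trivy_sample.tar.gz" -C "$d" trivy
    echo "$(sha256_of "$d/trivy_sample.tar.gz")  trivy_sample.tar.gz" > "$d/sums.txt"
    if install_trivy_archive "$d/trivy_sample.tar.gz" "$d/sums.txt" "$d/bin" &&
        [ -x "$d/bin/trivy" ]; then first=installed; else first=failed; fi
    rm -f "$d/bin/trivy"
    echo tampered >> "$d/trivy_sample.tar.gz"   # bytes change after the digest was recorded
    if install_trivy_archive "$d/trivy_sample.tar.gz" "$d/sums.txt" "$d/bin" 2>/dev/null
    then second=installed; else second=rejected; fi
    rm -rf "$d"
    echo "$first $second"
}
demo
```

The function returns a distinct non-zero status for a missing checksum entry (2) and for a digest mismatch (3), so a wrapper script can tell the two apart.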
From source
mkdir -p $GOPATH/src/github.com/aquasecurity
cd $GOPATH/src/github.com/aquasecurity
git clone --depth 1 --branch v0.31.3 https://github.com/aquasecurity/trivy
cd trivy/cmd/trivy/
export GO111MODULE=on
go install
Docker
Docker Hub
Replace [YOUR_CACHE_DIR] with the cache directory on your machine.
docker pull aquasec/trivy:0.31.3
Example:
docker run --rm -v [YOUR_CACHE_DIR]:/root/.cache/ aquasec/trivy:0.31.3 image [YOUR_IMAGE_NAME]
docker run --rm -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:0.31.3 image [YOUR_IMAGE_NAME]
If you would like to scan the image on your host machine, you need to mount docker.sock.
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
    -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:0.31.3 image python:3.4-alpine
Please re-pull latest aquasec/trivy if an error occurred.
Result
2019-05-16T01:20:43.180+0900 INFO Updating vulnerability database...
2019-05-16T01:20:53.029+0900 INFO Detecting Alpine vulnerabilities...
python:3.4-alpine3.9 (alpine 3.9.2)
===================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| openssl | CVE-2019-1543 | MEDIUM | 1.1.1a-r1 | 1.1.1b-r1 | openssl: ChaCha20-Poly1305 |
| | | | | | with long nonces |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
GitHub Container Registry
The same image is hosted on GitHub Container Registry as well.
docker pull ghcr.io/aquasecurity/trivy:0.31.3
Amazon ECR Public
The same image is hosted on Amazon ECR Public as well.
docker pull public.ecr.aws/aquasecurity/trivy:0.31.3
Helm
Installing from the Aqua Chart Repository
helm repo add aquasecurity https://aquasecurity.github.io/helm-charts/
helm repo update
helm search repo trivy
helm install my-trivy aquasecurity/trivy
Installing the Chart
To install the chart with the release name my-release:
helm install my-release .
The command deploys Trivy on the Kubernetes cluster in the default configuration. The Parameters section lists the parameters that can be configured during installation.
AWS private registry permissions
You may need to grant permissions to allow trivy to pull images from a private registry (AWS ECR).
How you do this depends on how you want to provide the AWS role to trivy.
IAM Role Service account
Add the AWS role in trivy's service account annotations:
trivy:
  serviceAccount:
    annotations: {}
    # eks.amazonaws.com/role-arn: arn:aws:iam::ACCOUNT_ID:role/IAM_ROLE_NAME
Kube2iam or Kiam
Add the AWS role to pod's annotations:
podAnnotations: {}
  ## kube2iam/kiam annotation
  # iam.amazonaws.com/role: arn:aws:iam::ACCOUNT_ID:role/IAM_ROLE_NAME
Tip: List all releases using helm list.