CLI Installation

RHEL/CentOS

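Add the repository settings to /etc/yum.repos.d. The stanza below sets gpgcheck=0, so yum does not verify package signatures for this repository.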

RELEASE_VERSION=$(grep -Po '(?<=VERSION_ID=")[0-9]' /etc/os-release)
cat << EOF | sudo tee -a /etc/yum.repos.d/trivy.repo
[trivy]
name=Trivy repository
baseurl=https://aquasecurity.github.io/trivy-repo/rpm/releases/$RELEASE_VERSION/\$basearch/
gpgcheck=0
enabled=1
EOF
sudo yum -y update
sudo yum -y install trivy

Or install the RPM package directly:

rpm -ivh https://github.com/aquasecurity/trivy/releases/download/v0.36.1/trivy_0.36.1_Linux-64bit.rpm
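
A check for repositories configured like the stanza above, with gpgcheck turned off, written as an added example that is not part of the Trivy documentation. The function names, the release number 9, and the signed-example and old-example stanzas with their key path are constructed for illustration.

```shell
# audit_yum_repo FILE...  (added example, not part of Trivy)
# Lists enabled repositories that explicitly switch gpgcheck off; returns 1 on
# any finding. A repository without an "enabled" key counts as enabled.
audit_yum_repo() {
    awk '
        function trim(s) { gsub(/^[ \t]+|[ \t\r]+$/, "", s); return s }
        function is_off(v) { v = tolower(v); return v == "0" || v == "no" || v == "false" || v == "off" }
        function report() {
            if (repo != "" && !is_off(enabled) && is_off(gpgcheck)) {
                printf "%s: [%s] gpgcheck=%s\n", file, repo, gpgcheck; bad = 1
            }
            repo = ""; enabled = ""; gpgcheck = ""
        }
        FNR == 1 { report(); file = FILENAME }        # new input file
        /^[ \t]*([#;]|$)/ { next }                    # comment or blank line
        /^[ \t]*\[/ {                                 # [section] header
            report()
            repo = trim($0); sub(/^\[/, "", repo); sub(/\].*$/, "", repo)
            next
        }
        {
            eq = index($0, "="); if (eq == 0) next
            key = tolower(trim(substr($0, 1, eq - 1)))
            if (key == "enabled")  enabled  = trim(substr($0, eq + 1))
            if (key == "gpgcheck") gpgcheck = trim(substr($0, eq + 1))
        }
        END { report(); exit (bad ? 1 : 0) }
    ' "$@"
}

# Constructed sample: the stanza from this page, a signed repo, a disabled repo.
write_sample_repo() {
    cat > "$1" << 'EOF'
[trivy]
baseurl=https://aquasecurity.github.io/trivy-repo/rpm/releases/9/$basearch/
gpgcheck=0
enabled=1
[signed-example]
gpgcheck = 1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EXAMPLE
# disabled repositories are skipped
[old-example]
gpgcheck=False
enabled=0
EOF
}

sample=$(mktemp) && write_sample_repo "$sample"
audit_yum_repo "$sample" || echo "gpgcheck is off for the repositories listed above"
rm -f "$sample"
```

On a real host, run it as audit_yum_repo /etc/yum.repos.d/*.repo; a repository that omits gpgcheck inherits the [main] setting and is not reported.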

Debian/Ubuntu

Add the repository settings to /etc/apt/sources.list.d.

sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy

Or install the DEB package directly:

wget https://github.com/aquasecurity/trivy/releases/download/v0.36.1/trivy_0.36.1_Linux-64bit.deb
sudo dpkg -i trivy_0.36.1_Linux-64bit.deb

Arch Linux

Package trivy can be installed from the Arch Community Package Manager.

pacman -S trivy

Homebrew

You can use Homebrew on macOS and Linux.

brew install trivy

MacPorts

You can also install trivy via MacPorts on macOS:

sudo port install trivy

More info here.

Nix/NixOS

Direct issues installing trivy via nix through the channels mentioned here

You can use nix on Linux or macOS and on other platforms unofficially.

nix-env --install -A nixpkgs.trivy

Or through your configuration as usual

NixOS:

  # your other config ...
  environment.systemPackages = with pkgs; [
    # your other packages ...
    trivy
  ];

home-manager:

  # your other config ...
  home.packages = with pkgs; [
    # your other packages ...
    trivy
  ];

Install Script

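This script downloads the Trivy binary based on your OS and architecture. The script itself is fetched from the main branch; the trailing v0.36.1 argument selects the release to install.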

curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.36.1

Binary

Download the archive file for your operating system/architecture from here. Unpack the archive, and put the binary somewhere in your $PATH (on UNIX-y systems, /usr/local/bin or the like). Make sure it has execution bits turned on.

From source

mkdir -p $GOPATH/src/github.com/aquasecurity
cd $GOPATH/src/github.com/aquasecurity
git clone --depth 1 --branch v0.36.1 https://github.com/aquasecurity/trivy
cd trivy/cmd/trivy/
export GO111MODULE=on
go install

Docker

Docker Hub

Replace [YOUR_CACHE_DIR] with the cache directory on your machine.

docker pull aquasec/trivy:0.36.1

Example:

docker run --rm -v [YOUR_CACHE_DIR]:/root/.cache/ aquasec/trivy:0.36.1 image [YOUR_IMAGE_NAME]

On macOS, using $HOME/Library/Caches as the cache directory:

docker run --rm -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:0.36.1 image [YOUR_IMAGE_NAME]

If you would like to scan the image on your host machine, you need to mount docker.sock. Mounting the socket gives the container full control of the host's Docker daemon.

docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
    -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:0.36.1 image python:3.4-alpine

Please re-pull the latest aquasec/trivy image if an error occurs.

Result:

2019-05-16T01:20:43.180+0900    INFO    Updating vulnerability database...
2019-05-16T01:20:53.029+0900    INFO    Detecting Alpine vulnerabilities...

python:3.4-alpine3.9 (alpine 3.9.2)
===================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

+---------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| openssl | CVE-2019-1543    | MEDIUM   | 1.1.1a-r1         | 1.1.1b-r1     | openssl: ChaCha20-Poly1305     |
|         |                  |          |                   |               | with long nonces               |
+---------+------------------+----------+-------------------+---------------+--------------------------------+

GitHub Container Registry

The same image is hosted on GitHub Container Registry as well.

docker pull ghcr.io/aquasecurity/trivy:0.36.1

Amazon ECR Public

The same image is hosted on Amazon ECR Public as well.

docker pull public.ecr.aws/aquasecurity/trivy:0.36.1

AWS private registry permissions

You may need to grant permissions to allow trivy to pull images from a private registry (AWS ECR).

How you do this depends on how you provide the AWS role to trivy.

IAM Role Service account

Add the AWS role in trivy's service account annotations:

trivy:

  serviceAccount:
    annotations: {}
      # eks.amazonaws.com/role-arn: arn:aws:iam::ACCOUNT_ID:role/IAM_ROLE_NAME

Kube2iam or Kiam

Add the AWS role to the pod's annotations:

podAnnotations: {}
  ## kube2iam/kiam annotation
  # iam.amazonaws.com/role: arn:aws:iam::ACCOUNT_ID:role/IAM_ROLE_NAME

Tip: List all releases using helm list.

Other Tools to use and deploy Trivy

For additional tools and ways to install and use Trivy in different environments such as in Docker Desktop and Kubernetes clusters, see the links in the Ecosystem section.