CLI Installation
RHEL/CentOS
Add repository setting to /etc/yum.repos.d.
RELEASE_VERSION=$(grep -Po '(?<=VERSION_ID=")[0-9]' /etc/os-release)
cat << EOF | sudo tee -a /etc/yum.repos.d/trivy.repo
[trivy]
name=Trivy repository
baseurl=https://aquasecurity.github.io/trivy-repo/rpm/releases/$RELEASE_VERSION/\$basearch/
gpgcheck=0
enabled=1
EOF
sudo yum -y update
sudo yum -y install trivy
Alternatively, install the RPM package directly:
rpm -ivh https://github.com/aquasecurity/trivy/releases/download/v0.36.1/trivy_0.36.1_Linux-64bit.rpm
Debian/Ubuntu
Add repository setting to /etc/apt/sources.list.d.
sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy
Alternatively, download and install the DEB package directly:
wget https://github.com/aquasecurity/trivy/releases/download/v0.36.1/trivy_0.36.1_Linux-64bit.deb
sudo dpkg -i trivy_0.36.1_Linux-64bit.deb
Arch Linux
Package trivy can be installed from the Arch Community Package Manager.
pacman -S trivy
Homebrew
You can use Homebrew on macOS and Linux.
brew install trivy
MacPorts
You can also install trivy via MacPorts on macOS:
sudo port install trivy
More info here.
Nix/NixOS
Direct issues installing trivy via nix through the channels mentioned here.
You can use nix on Linux or macOS and on other platforms unofficially.
nix-env --install -A nixpkgs.trivy
Or through your configuration as usual
NixOS:
# your other config ...
environment.systemPackages = with pkgs; [
  # your other packages ...
  trivy
];
home-manager:
# your other config ...
home.packages = with pkgs; [
  # your other packages ...
  trivy
];
Install Script
This script downloads the Trivy binary based on your OS and architecture.
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.36.1
Binary
Download the archive file for your operating system/architecture from here.
Unpack the archive, and put the binary somewhere in your $PATH (on UNIX-y systems, /usr/local/bin or the like).
Make sure it has execution bits turned on.
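A check that fits between the download and unpack steps above, as an added example that is not part of the Trivy documentation: compare the archive's SHA-256 digest with a checksums file before unpacking. The file names are constructed samples, and the checksums file is assumed to use sha256sum's "digest  filename" line format.

```shell
#!/bin/sh
# Verify a downloaded archive against a SHA-256 checksums file before unpacking.
# Assumed checksums format (sha256sum output): "<hex digest>  <file name>" per line.

# Print the SHA-256 hex digest of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | awk '{ print $1 }'
}

# verify_release_asset CHECKSUMS_FILE ASSET_PATH
# Returns 0 if the digest matches, 1 on mismatch, 2 if the asset is not listed
# or either file is unreadable.
verify_release_asset() {
    checksums_file=$1
    asset_path=$2
    asset_name=$(basename "$asset_path")

    [ -r "$checksums_file" ] && [ -r "$asset_path" ] || return 2

    # Compare the whole file-name field so a partial name never matches.
    # sha256sum prefixes the name with "*" when run in binary mode.
    expected=$(awk -v n="$asset_name" \
        '$2 == n || $2 == ("*" n) { print $1; exit }' "$checksums_file")
    [ -n "$expected" ] || return 2

    [ "$expected" = "$(sha256_of "$asset_path")" ]
}

# Constructed demo, no network: a stand-in archive and a matching checksums file.
demo_dir=$(mktemp -d)
asset="$demo_dir/trivy_sample_Linux-64bit.tar.gz"   # sample name, not a real download
printf 'constructed stand-in for a release archive\n' > "$asset"
printf '%s  %s\n' "$(sha256_of "$asset")" "$(basename "$asset")" > "$demo_dir/checksums.txt"

if verify_release_asset "$demo_dir/checksums.txt" "$asset"; then
    echo "OK: digest matches, unpack and install"
fi

# Simulate an archive that was altered after the checksums were published.
printf 'unexpected bytes\n' >> "$asset"
verify_release_asset "$demo_dir/checksums.txt" "$asset" \
    || echo "REJECT: digest mismatch (status $?), do not unpack"
rm -rf "$demo_dir"
```

A checksums file fetched from the same location as the archive only detects corruption in transit; it adds protection against tampering only when the checksums themselves are obtained or authenticated separately.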
From source
mkdir -p $GOPATH/src/github.com/aquasecurity
cd $GOPATH/src/github.com/aquasecurity
git clone --depth 1 --branch v0.36.1 https://github.com/aquasecurity/trivy
cd trivy/cmd/trivy/
export GO111MODULE=on
go install
Docker
Docker Hub
Replace [YOUR_CACHE_DIR] with the cache directory on your machine.
docker pull aquasec/trivy:0.36.1
Example:
docker run --rm -v [YOUR_CACHE_DIR]:/root/.cache/ aquasec/trivy:0.36.1 image [YOUR_IMAGE_NAME]
On macOS:
docker run --rm -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:0.36.1 image [YOUR_IMAGE_NAME]
If you would like to scan the image on your host machine, you need to mount docker.sock.
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
  -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:0.36.1 image python:3.4-alpine
Please re-pull the latest aquasec/trivy if an error occurs.
Result
2019-05-16T01:20:43.180+0900 INFO Updating vulnerability database...
2019-05-16T01:20:53.029+0900 INFO Detecting Alpine vulnerabilities...
python:3.4-alpine3.9 (alpine 3.9.2)
===================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| openssl | CVE-2019-1543 | MEDIUM | 1.1.1a-r1 | 1.1.1b-r1 | openssl: ChaCha20-Poly1305 |
| | | | | | with long nonces |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
GitHub Container Registry
The same image is hosted on GitHub Container Registry as well.
docker pull ghcr.io/aquasecurity/trivy:0.36.1
Amazon ECR Public
The same image is hosted on Amazon ECR Public as well.
docker pull public.ecr.aws/aquasecurity/trivy:0.36.1
AWS private registry permissions
You may need to grant permissions to allow trivy to pull images from a private registry (AWS ECR).
How you do this depends on how you want to provide the AWS role to trivy.
IAM Role Service account
Add the AWS role in trivy's service account annotations:
trivy:
serviceAccount:
annotations: {}
# eks.amazonaws.com/role-arn: arn:aws:iam::ACCOUNT_ID:role/IAM_ROLE_NAME
Kube2iam or Kiam
Add the AWS role to the pod's annotations:
podAnnotations: {}
## kube2iam/kiam annotation
# iam.amazonaws.com/role: arn:aws:iam::ACCOUNT_ID:role/IAM_ROLE_NAME
Tip: List all releases using helm list.
Other Tools to use and deploy Trivy
For additional tools and ways to install and use Trivy in different environments such as in Docker Desktop and Kubernetes clusters, see the links in the Ecosystem section.