Others
Enable/Disable Scanners
You can enable/disable scanners with the --scanners flag.
Supported values:
- vuln
- misconfig
- secret
- license
For example, container image scanning enables vulnerability and secret scanners by default. If you don't need secret scanning, it can be disabled.
$ trivy image --scanners vuln alpine:3.15
Exit Code
| Scanner | Supported | 
|---|---|
| Vulnerability | ✓ | 
| Misconfiguration | ✓ | 
| Secret | ✓ | 
| License | ✓ | 
By default, Trivy exits with code 0 even when security issues are detected.
Use the --exit-code option if you want to exit with a non-zero exit code.
$ trivy image --exit-code 1 python:3.4-alpine3.9
Result
2019-05-16T12:51:43.500+0900    INFO    Updating vulnerability database...
2019-05-16T12:52:00.387+0900    INFO    Detecting Alpine vulnerabilities...
python:3.4-alpine3.9 (alpine 3.9.2)
===================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| openssl | CVE-2019-1543    | MEDIUM   | 1.1.1a-r1         | 1.1.1b-r1     | openssl: ChaCha20-Poly1305     |
|         |                  |          |                   |               | with long nonces               |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
This option is useful for CI/CD. In the following example, the test will fail only when a critical vulnerability is found.
$ trivy image --exit-code 0 --severity MEDIUM,HIGH ruby:2.4.0
$ trivy image --exit-code 1 --severity CRITICAL ruby:2.4.0
Exit on EOL
| Scanner | Supported | 
|---|---|
| Vulnerability | ✓ | 
| Misconfiguration | |
| Secret | |
| License | 
Sometimes you may surprisingly get 0 vulnerabilities in an old image:
- Enabling --ignore-unfixedoption while all packages have no fixed versions.
- Scanning a rather outdated OS (e.g. Ubuntu 10.04).
An OS at the end of service/life (EOL) usually gets into this situation, which is definitely full of vulnerabilities.
--exit-on-eol can fail scanning on EOL OS with a non-zero code.
This flag is available with the following targets.
- Container images (trivy image)
- Virtual machine images (trivy vm)
- SBOM (trivy sbom)
- Root filesystem (trivy rootfs)
$ trivy image --exit-on-eol 1 alpine:3.10
Result
2023-03-01T11:07:15.455+0200    INFO    Vulnerability scanning is enabled
...
2023-03-01T11:07:17.938+0200    WARN    This OS version is no longer supported by the distribution: alpine 3.10.9
2023-03-01T11:07:17.938+0200    WARN    The vulnerability detection may be insufficient because security updates are not provided
alpine:3.10 (alpine 3.10.9)
===========================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)
┌───────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│  Library  │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                            │
├───────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ apk-tools │ CVE-2021-36159 │ CRITICAL │ 2.10.6-r0         │ 2.10.7-r0     │ libfetch before 2021-07-26, as used in apk-tools, xbps, and │
│           │                │          │                   │               │ other products, mishandles...                               │
│           │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-36159                  │
└───────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
2023-03-01T11:07:17.941+0200    ERROR   Detected EOL OS: alpine 3.10.9
This option is useful for CI/CD. The following example will fail when a critical vulnerability is found or the OS is EOSL:
$ trivy image --exit-code 1 --exit-on-eol 1 --severity CRITICAL alpine:3.16.3