Examples
Also see quick start.
Skip Directories
Trivy traversals directories and scans all files except those matching the built-in allow rules by default. If your have a lot of files in your container image or project, the scanning takes time. To make it faster, you can skip traversal in the specific directory. Also, it would be helpful if your project contains secrets and certificates for testing.
$ trivy image --skip-dirs /var/lib --skip-dirs /var/log YOUR_IMAGE
$ trivy fs --skip-dirs ./my-test-dir --skip-dirs ./my-testing-cert/ /path/to/your_project
--skip-fles
also works similarly.
Filter by severity
Use --severity
option.
$ trivy fs --severity CRITICAL ./
app/secret.sh (secrets)
=======================
Total: 1 (CRITICAL: 1)
+----------+-------------------+----------+---------+--------------------------------+
| CATEGORY | DESCRIPTION | SEVERITY | LINE NO | MATCH |
+----------+-------------------+----------+---------+--------------------------------+
| AWS | AWS Access Key ID | CRITICAL | 10 | export AWS_ACCESS_KEY_ID=***** |
+----------+-------------------+----------+---------+--------------------------------+
Disable secret scanning
If you need vulnerability scanning only, you can disable secret scanning via the --security-checks
flag.
$ trivy image --security-checks vuln alpine:3.15
With configuration file
trivy-secret.yaml
in the working directory is loaded by default.
$ cat trivy-secret.yaml
rules:
- id: rule1
category: general
title: Generic Rule
severity: HIGH
regex: (?i)(?P<key>(secret))(=|:).{0,5}['"](?P<secret>[0-9a-zA-Z\-_=]{8,64})['"]
allow-rules:
- id: social-security-number
description: skip social security number
regex: 219-09-9999
- id: log-dir
description: skip log directory
path: ^\/var\/log\/
disable-rules:
- slack-access-token
- slack-web-hook
disable-allow-rules:
- markdown
# The following command automatically loads the above configuration.
$ trivy image YOUR_IMAGE
Also, you can customize the config file path via --secret-config
.
$ cat ./secret-config/trivy.yaml
rules:
- id: rule1
category: general
title: Generic Rule
severity: HIGH
regex: (?i)(?P<key>(secret))(=|:).{0,5}['"](?P<secret>[0-9a-zA-Z\-_=]{8,64})['"]
allow-rules:
- id: skip-text
description: skip text files
path: .*\.txt
enable-builtin-rules:
- aws-access-key-id
- aws-account-id
- aws-secret-access-key
disable-allow-rules:
- usr-dirs
# Pass the above config with `--secret-config`.
$ trivy fs --secret-config ./secret-config/trivy.yaml /path/to/your_project