Skip to content

Trivy

Overview

Trivy

Getting Started
Getting Started
Tutorials
Tutorials
- Overview
- CI/CD
  CI/CD
- Kubernetes
  Kubernetes
- Misconfiguration
  Misconfiguration
  - Terraform scanning
  - Custom Checks with Rego
- Signing
  Signing
  - Vulnerability Scan Record Attestation
- Shell
  Shell
  - Completion
- Additional Resources
  Additional Resources
Docs
Docs
- Overview
- Target
  Target
- Scanner
  Scanner
  - Vulnerability
  - Misconfiguration
    Misconfiguration
    
    Overview
    
    Policy
    Policy
    
    Built-in Checks
    
    Custom Checks
    Custom Checks
    
    Overview
    
    Data
    
    Combine
    
    Selectors
    
    Schemas
    
    Testing
    
    Debugging Policies
    
    Contribute Checks
  - Secret
  - License
- Coverage
  Coverage
  - Overview
  - OS
    OS
    
    Overview
    
    AlmaLinux
    
    Alpine Linux
    
    Amazon Linux
    
    Azure Linux (CBL-Mariner)
    
    CentOS
    
    Chainguard
    
    Debian
    
    Oracle Linux
    
    Photon OS
    
    Red Hat
    
    Rocky Linux
    
    SUSE
    
    Ubuntu
    
    Wolfi
    
    Google Distroless (Images)
  - Language
    Language
    
    Overview
    
    C/C++
    
    Dart
    
    .NET
    
    Elixir
    
    Go
    
    Java
    
    Node.js
    
    PHP
    
    Python
    
    Ruby
    
    Rust
    
    Swift
    
    Julia
  - IaC
    IaC
    
    Overview
    
    Azure ARM Template
    
    CloudFormation
    
    Docker
    
    Helm
    
    Kubernetes
    
    Terraform
  - Others
    Others
    
    Bitnami Images
    
    Conda
    
    RPM Archives
  - Kubernetes
- Configuration
  Configuration
  - Overview
  - Filtering
  - Skipping Files
  - Reporting
  - Cache
  - DB
  - Others
- Supply Chain
  Supply Chain
  - SBOM
  - Attestation
    Attestation
    
    SBOM
    
    Cosign Vulnerability Scan Record
    
    SBOM Attestation in Rekor
  - VEX
    VEX
    
    Overview
    
    VEX Repository
    
    Local VEX Files
    
    VEX Attestation
- Compliance
  Compliance
  - Built-in Compliance
  - Custom Compliance
- Plugins
  Plugins
- Advanced
  Advanced
  - Modules
  - Advanced Network Scenarios
  - Container Image
    Container Image
    
    Embed in Dockerfile
    
    Unpacked container image filesystem
    
    Private Docker Registries
    Private Docker Registries
    
    Overview
    
    Docker Hub
    
    AWS ECR (Elastic Container Registry)
    
    GCR (Google Container Registry)
    
    ACR (Azure Container Registry)
    
    Self-Hosted
- References
  References
  - Configuration
    Configuration
    
    CLI
    CLI
    
    Overview Overview
    Table of contents
    
    trivy
    
    Synopsis
    
    Examples
    
    Options
    
    SEE ALSO
    
    Clean
    
    Config
    
    Convert
    
    Filesystem
    
    Image
    
    Kubernetes
    
    Module
    Module
    
    Module
    
    Module Install
    
    Module Uninstall
    
    Plugin
    Plugin
    
    Plugin
    
    Plugin Info
    
    Plugin Install
    
    Plugin List
    
    Plugin Run
    
    Plugin Uninstall
    
    Plugin Update
    
    Plugin Upgrade
    
    Plugin Search
    
    Registry
    Registry
    
    Registry
    
    Registry Login
    
    Registry Logout
    
    Repository
    
    Rootfs
    
    SBOM
    
    Server
    
    Version
    
    VEX
    VEX
    
    VEX
    
    VEX Download
    
    VEX Init
    
    VEX List
    
    VEX Repo
    
    VM
    
    Config file
  - Modes
    Modes
    
    Standalone
    
    Client/Server
  - Troubleshooting
Ecosystem
Ecosystem
Contributing
Contributing
- Principles
- How to contribute
  How to contribute
- Contribute Rego Checks
  Contribute Rego Checks
  - Overview
  - Add Service Support
- Maintainer
  Maintainer

Overview

trivy

Unified security scanner

Synopsis

Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues and hard-coded secrets

trivy [global flags] command [flags] target

Examples

  # Scan a container image
  $ trivy image python:3.4-alpine

  # Scan a container image from a tar archive
  $ trivy image --input ruby-3.1.tar

  # Scan local filesystem
  $ trivy fs .

  # Run in server mode
  $ trivy server

Options

      --cache-dir string          cache directory (default "/path/to/cache")
  -c, --config string             config path (default "trivy.yaml")
  -d, --debug                     debug mode
  -f, --format string             version format (json)
      --generate-default-config   write the default config to trivy-default.yaml
  -h, --help                      help for trivy
      --insecure                  allow insecure server connections
  -q, --quiet                     suppress progress bar and log output
      --timeout duration          timeout (default 5m0s)
  -v, --version                   show version

SEE ALSO

trivy clean - Remove cached files
trivy config - Scan config files for misconfigurations
trivy convert - Convert Trivy JSON report into a different format
trivy filesystem - Scan local filesystem
trivy image - Scan a container image
trivy kubernetes - [EXPERIMENTAL] Scan kubernetes cluster
trivy module - Manage modules
trivy plugin - Manage plugins
trivy registry - Manage registry authentication
trivy repository - Scan a repository
trivy rootfs - Scan rootfs
trivy sbom - Scan SBOM for vulnerabilities and licenses
trivy server - Server mode
trivy version - Print the version
trivy vex - [EXPERIMENTAL] VEX utilities
trivy vm - [EXPERIMENTAL] Scan a virtual machine image