跳到主要内容

Trivy

Overview

This installation happens on the dsb-hub.

According to Trivy's GitHub Repository, Trivy is a comprehensive, easy-to-use open-source vulnerability scanner. It detects vulnerabilities in OS packages, container images, file systems, and Git repositories. Additionally, Trivy can identify configuration issues and hard-coded secrets, making it an essential tool for DevSecOps practices. This guide will walk you through the steps to install and configure Trivy on your system.

Installation Steps

  1. Configure and Install Package

    • Install required packages and add the Trivy repository key:

      sudo apt-get install wget apt-transport-https gnupg
      wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null

    • Add the Trivy repository to your sources list:

      echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee -a /etc/apt/sources.list.d/trivy.list

    • Update your package list and install Trivy:

      sudo apt-get update
      sudo apt-get install trivy

  2. Check if Trivy is Installed Successfully

    • Verify that Trivy is installed and running correctly by running the trivy command:

      trivy

    • You should see output similar to the following, which confirms that Trivy is installed and provides usage instructions:

      Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues and hard-coded secrets

      Usage:
        trivy [global flags] command [flags] target
        trivy [command]

      Examples:
        # Scan a container image
        $ trivy image python:3.4-alpine

        # Scan a container image from a tar archive
        $ trivy image --input ruby-3.1.tar

        # Scan local filesystem
        $ trivy fs .

        # Run in server mode
        $ trivy server

      Scanning Commands:
        config      Scan config files for misconfigurations
        filesystem  Scan local filesystem
        image       Scan a container image
        kubernetes  [EXPERIMENTAL] Scan kubernetes cluster
        repository  Scan a repository
        rootfs      Scan rootfs
        sbom        Scan SBOM for vulnerabilities and licenses
        vm          [EXPERIMENTAL] Scan a virtual machine image

      Management Commands:
        module      Manage modules
        plugin      Manage plugins
        vex         [EXPERIMENTAL] VEX utilities

      Utility Commands:
        clean       Remove cached files
        completion  Generate the autocompletion script for the specified shell
        convert     Convert Trivy JSON report into a different format
        help        Help about any command
        server      Server mode
        version     Print the version

      Flags:
            --cache-dir string          cache directory (default "/home/damien/.cache/trivy")
        -c, --config string             config path (default "trivy.yaml")
        -d, --debug                     debug mode
        -f, --format string             version format (json)
            --generate-default-config   write the default config to trivy-default.yaml
        -h, --help                      help for trivy
            --insecure                  allow insecure server connections
        -q, --quiet                     suppress progress bar and log output
            --timeout duration          timeout (default 5m0s)
        -v, --version                   show version

You're Done

Trivy is now installed and ready to be used for scanning vulnerabilities in container images, file systems, and more. With Trivy, you can ensure that your applications are secure and free from known vulnerabilities before deploying them to production.