Trivy container vulnerability scanner
Software overview
Trivy is a simple and comprehensive vulnerability scanner for containers, particularly suited for use in continuous integration.
Accuracy comparison
Vulnerabilities detected in Alpine Linux (2019/05/12)

See Comparison with other scanners for a detailed comparison
Features
Comprehensive vulnerability detection
OS packages (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, Debian and Ubuntu)
Application dependencies (Bundler, Composer, Pipenv, npm, yarn and Cargo)
Simple
Specify only an image name
See Quick Start and Examples for details
Easy installation
No need for prerequisites such as installation of a DB, libraries, etc.
apt-get install, yum install and brew install are all possible (See Installation)
High accuracy
Especially for Alpine Linux and RHEL/CentOS (See Comparison with other scanners)
Accuracy for other OSes is also high
DevSecOps
Suitable for CI such as Travis CI, CircleCI, Jenkins, etc.
See CI Example
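Added example (not Trivy's own code, nor the CI example the page refers to): a small severity gate that reads a Trivy JSON report and returns the exit code a CI job would use, failing the build only when findings at or above a chosen severity remain, and optionally skipping findings that have no fixed version yet. The report layout it parses (a JSON array of targets, each with Target and Vulnerabilities entries carrying VulnerabilityID, PkgName, InstalledVersion, FixedVersion and Severity), the trivy flags -f json and -o, and the embedded sample report with its placeholder vulnerability IDs are assumptions and constructed data, not taken from this page.

```python
"""CI severity gate over a Trivy JSON report.

Added example, not Trivy's own code. The report layout and the
`trivy -f json -o report.json IMAGE` invocation are assumptions about
the CLI at the time of this page; the sample report below is constructed,
with placeholder vulnerability IDs.
"""
import json
import subprocess
import sys
from collections import Counter

# Severity ordering used for the threshold comparison.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report: one OS-package target (as reported for an image),
# one application lockfile target found inside the image, and one clean target.
SAMPLE_REPORT = json.dumps([
    {
        "Target": "myapp:latest (alpine 3.9.2)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "musl",
             "InstalledVersion": "1.1.20-r3", "FixedVersion": "1.1.20-r4",
             "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "openssl",
             "InstalledVersion": "1.1.1a-r1", "FixedVersion": "",
             "Severity": "CRITICAL"},
        ],
    },
    {
        "Target": "app/Gemfile.lock",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "rack",
             "InstalledVersion": "2.0.6", "FixedVersion": "2.0.7",
             "Severity": "MEDIUM"},
        ],
    },
    {"Target": "app/package-lock.json", "Vulnerabilities": None},
])


def parse_report(report_json):
    """Decode the report; reject anything that is not the expected list shape."""
    report = json.loads(report_json)
    if not isinstance(report, list):
        raise ValueError("unexpected Trivy report layout (expected a JSON array)")
    return report


def select_findings(report, min_severity="HIGH", ignore_unfixed=False):
    """Return (target, vulnerability) pairs at or above min_severity.

    A target with no findings carries Vulnerabilities: null, hence `or []`.
    ignore_unfixed drops entries whose FixedVersion is empty, i.e. findings
    the build cannot act on yet by bumping a package.
    """
    threshold = SEVERITY_RANK[min_severity.upper()]
    hits = []
    for target in report:
        for vuln in target.get("Vulnerabilities") or []:
            rank = SEVERITY_RANK.get(vuln.get("Severity", "UNKNOWN").upper(), 0)
            if rank < threshold:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            hits.append((target["Target"], vuln))
    return hits


def severity_counts(report):
    """Per-severity totals across all targets, for the build log summary."""
    return Counter(
        vuln.get("Severity", "UNKNOWN")
        for target in report
        for vuln in target.get("Vulnerabilities") or []
    )


def gate(report, min_severity="HIGH", ignore_unfixed=False):
    """Print one line per blocking finding; return the CI exit code (0 or 1)."""
    hits = select_findings(report, min_severity, ignore_unfixed)
    for target, vuln in hits:
        fix = vuln.get("FixedVersion") or "no fixed version yet"
        print(f"{target}: {vuln['PkgName']} {vuln['InstalledVersion']} "
              f"{vuln['VulnerabilityID']} [{vuln['Severity']}] -> {fix}")
    print("summary:", dict(severity_counts(report)))
    return 1 if hits else 0


def scan_image(image, output="report.json"):
    """Run Trivy on an image and return its parsed JSON report (assumed flags)."""
    subprocess.run(["trivy", "-f", "json", "-o", output, image], check=True)
    with open(output) as fh:
        return parse_report(fh.read())


if __name__ == "__main__":
    # Usage: python trivy_gate.py IMAGE [MIN_SEVERITY]; without an image the
    # constructed sample report is gated instead.
    report = scan_image(sys.argv[1]) if len(sys.argv) > 1 else parse_report(SAMPLE_REPORT)
    sys.exit(gate(report, sys.argv[2] if len(sys.argv) > 2 else "HIGH"))
```

With the sample report the gate fails at the default HIGH threshold (musl and openssl), but passes at CRITICAL with ignore_unfixed set, because the only CRITICAL finding has no fixed version; a CI job would typically run the gate twice, once non-blocking at a low threshold for visibility and once blocking at the threshold the team has agreed on.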
Installation
RHEL/CentOS
Add the repository setting to /etc/yum.repos.d.
$ sudo vim /etc/yum.repos.d/trivy.repo
[trivy]
name=Trivy repository
baseurl=https://knqyf263.github.io/trivy-repo/rpm/releases/$releasever/$basearch/
gpgcheck=0
enabled=1
(gpgcheck=0 disables GPG signature verification for packages from this repository.)
$ sudo yum -y update
$ sudo yum -y install trivy
or
$ rpm -ivh https://github.com/knqyf263/trivy/releases/download/v0.0.13/trivy_0.0.13_Linux-64bit.rpm
Debian/Ubuntu
Replace [CODE_NAME] with your distribution's code name.
CODE_NAME: wheezy, jessie, stretch, buster, trusty, xenial, bionic
$ sudo apt-get install apt-transport-https gnupg
$ wget -qO - https://knqyf263.github.io/trivy-repo/deb/public.key | sudo apt-key add -
$ echo deb https://knqyf263.github.io/trivy-repo/deb [CODE_NAME] main | sudo tee -a /etc/apt/sources.list.d/trivy.list
$ sudo apt-get update
$ sudo apt-get install trivy
or
$ sudo apt-get install rpm
$ wget https://github.com/knqyf263/trivy/releases/download/v0.0.13/trivy_0.0.13_Linux-64bit.deb
$ sudo dpkg -i trivy_0.0.13_Linux-64bit.deb
Mac OS X / Homebrew
You can use Homebrew on OS X.
$ brew tap knqyf263/trivy
$ brew install knqyf263/trivy/trivy
Binary (including Windows)
Go to the releases page, download the archive for your platform, unpack it and add execute permission to the binary.
Install from source
go get -u github.com/knqyf263/trivy