alpine/trivy
Suppose you have built an image named demo locally (ref: https://github.com/aquasecurity/trivy/issues/480)
# report all vulnerabilities
docker run -ti --rm -v /var/run/docker.sock:/var/run/docker.sock -v ~/.cache:/root/.cache alpine/trivy image demo
2023-10-25T01:41:51.892Z INFO Vulnerability scanning is enabled
2023-10-25T01:41:51.892Z INFO Secret scanning is enabled
2023-10-25T01:41:51.892Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-10-25T01:41:51.892Z INFO Please see also https://aquasecurity.github.io/trivy/v0.46/docs/scanner/secret/#recommendation for faster secret detection
2023-10-25T01:41:51.907Z INFO Detected OS: alpine
2023-10-25T01:41:51.907Z INFO Detecting Alpine vulnerabilities...
2023-10-25T01:41:51.911Z INFO Number of language-specific files: 1
2023-10-25T01:41:51.911Z INFO Detecting python-pkg vulnerabilities...
demo (alpine 3.18.4)
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)
┌────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────┐
│  Library   │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │                     Title                     │
├────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────┤
│ libcrypto3 │ CVE-2023-5363 │ MEDIUM   │ fixed  │ 3.1.3-r0          │ 3.1.4-r0      │ [Incorrect cipher key & IV length processing] │
│            │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-5363     │
├────────────┤               │          │        │                   │               │                                               │
│ libssl3    │               │          │        │                   │               │                                               │
│            │               │          │        │                   │               │                                               │
└────────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────┘
# report HIGH and CRITICAL vulnerabilities only
docker run -ti --rm -v /var/run/docker.sock:/var/run/docker.sock -v ~/.cache:/root/.cache alpine/trivy image --severity HIGH,CRITICAL demo
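To act on the filtered result in CI, the same container can be run with --format json and the report parsed instead of read by eye. The following is an added example (not part of this image or of Trivy itself) that reproduces the --severity threshold and --ignore-unfixed semantics in Python over a constructed report in Trivy's JSON layout; the two libcrypto3/libssl3 entries mirror the table above, while the third entry uses a placeholder CVE id and package name to exercise the "no fix available" case.

```python
import json
from collections import Counter

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]
# Constructed sample in the shape of `trivy image --format json` output.
# The two libcrypto3/libssl3 entries mirror the table above; the third uses a
# placeholder id (not a real advisory) to exercise the "no fix available" case.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "demo",
    "Results": [{
        "Target": "demo (alpine 3.18.4)", "Class": "os-pkgs", "Type": "alpine",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2023-5363", "PkgName": "libcrypto3",
             "InstalledVersion": "3.1.3-r0", "FixedVersion": "3.1.4-r0",
             "Status": "fixed", "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-2023-5363", "PkgName": "libssl3",
             "InstalledVersion": "3.1.3-r0", "FixedVersion": "3.1.4-r0",
             "Status": "fixed", "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-0000-00001", "PkgName": "examplepkg",
             "InstalledVersion": "1.0-r0", "Status": "affected",
             "Severity": "HIGH"},
        ],
    }],
})


def findings(report_json, min_severity="HIGH", ignore_unfixed=False):
    """Findings at or above min_severity (the `--severity HIGH,CRITICAL` filter).
    ignore_unfixed mirrors `--ignore-unfixed`: skip entries with no FixedVersion."""
    threshold = SEVERITY_ORDER.index(min_severity)
    selected = []
    for result in json.loads(report_json).get("Results", []):
        # Results without findings omit the key or set it to null.
        for vuln in result.get("Vulnerabilities") or []:
            if SEVERITY_ORDER.index(vuln.get("Severity", "UNKNOWN")) < threshold:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            selected.append(vuln)
    return selected


def severity_counts(report_json):
    """Per-severity totals, like the 'Total: N (UNKNOWN: .., LOW: .., ...)' line."""
    return Counter(v["Severity"] for v in findings(report_json, "UNKNOWN"))


def gate_exit_code(report_json, min_severity="HIGH", ignore_unfixed=False):
    """CI gate in the spirit of `--exit-code 1`: non-zero if any finding remains."""
    return 1 if findings(report_json, min_severity, ignore_unfixed) else 0
```

Note that a single CVE affecting two packages counts twice, which is also how the "Total: 2" line above arrives at its number.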
Check online images
alias scan="docker run -ti --rm -v /var/run/docker.sock:/var/run/docker.sock -v ~/.cache:/root/.cache alpine/trivy image --severity HIGH,CRITICAL"
scan quay.io/keycloak/keycloak
There are ways to save time so that you do not need to download the Trivy vulnerability database on every scan; please refer to Trivy's official documentation.
docker pull alpine/trivy