alpine/trivy

Sponsored OSS

By alpine

Updated 5 months ago


Quick start

Suppose you have built an image named demo locally (ref: https://github.com/aquasecurity/trivy/issues/480). Scan it with:

# report all vulnerabilities
docker run -ti --rm -v /var/run/docker.sock:/var/run/docker.sock -v ~/.cache:/root/.cache alpine/trivy image demo

2023-10-25T01:41:51.892Z	INFO	Vulnerability scanning is enabled
2023-10-25T01:41:51.892Z	INFO	Secret scanning is enabled
2023-10-25T01:41:51.892Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-10-25T01:41:51.892Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.46/docs/scanner/secret/#recommendation for faster secret detection
2023-10-25T01:41:51.907Z	INFO	Detected OS: alpine
2023-10-25T01:41:51.907Z	INFO	Detecting Alpine vulnerabilities...
2023-10-25T01:41:51.911Z	INFO	Number of language-specific files: 1
2023-10-25T01:41:51.911Z	INFO	Detecting python-pkg vulnerabilities...

demo (alpine 3.18.4)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

┌────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────┐
│  Library   │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │                     Title                     │
├────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────┤
│ libcrypto3 │ CVE-2023-5363 │ MEDIUM   │ fixed  │ 3.1.3-r0          │ 3.1.4-r0      │ [Incorrect cipher key & IV length processing] │
│            │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-5363     │
├────────────┤               │          │        │                   │               │                                               │
│ libssl3    │               │          │        │                   │               │                                               │
│            │               │          │        │                   │               │                                               │
└────────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────┘

# report only HIGH and CRITICAL vulnerabilities
docker run -ti --rm -v /var/run/docker.sock:/var/run/docker.sock -v ~/.cache:/root/.cache alpine/trivy image --severity HIGH,CRITICAL demo

Scan images from a registry

alias scan="docker run -ti --rm -v /var/run/docker.sock:/var/run/docker.sock -v ~/.cache:/root/.cache alpine/trivy image --severity HIGH,CRITICAL"

scan quay.io/keycloak/keycloak

The -v ~/.cache:/root/.cache mount in the commands above keeps the downloaded vulnerability database between runs, so it is not fetched again on every scan; see the official Trivy documentation for other ways to cache or pre-download the database.
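As an added example (not code from the alpine/trivy image or the Trivy project), the following POSIX shell script wraps the docker run invocation above into a CI gate: it drops -ti (there is no TTY in CI), keeps the ~/.cache mount so the database is reused, limits Trivy to --scanners vuln as the log line above suggests, and passes --ignore-unfixed and --exit-code 1 so Trivy itself fails the build on a fixable HIGH or CRITICAL finding. It also sums the per-target Total: lines of the table output into a one-line summary. The TRIVY, TRIVY_IMAGE and TRIVY_CACHE variables are assumptions made for this example (TRIVY lets a test substitute a stub for docker), and the sample report is constructed from the table format shown above.

```shell
#!/bin/sh
# Added example for this page (not code from the alpine/trivy image or the
# Trivy project): a CI gate around the `docker run ... alpine/trivy image`
# command above. TRIVY_IMAGE, TRIVY_CACHE and TRIVY are assumptions of this
# example; TRIVY lets a test swap in a stub instead of docker.

# Run the alpine/trivy container the way the page does, minus -ti (CI has no
# TTY). The ~/.cache mount keeps the vulnerability DB between runs.
trivy_run() {
    docker run --rm \
        -v /var/run/docker.sock:/var/run/docker.sock \
        -v "${TRIVY_CACHE:-$HOME/.cache}:/root/.cache" \
        "${TRIVY_IMAGE:-alpine/trivy}" "$@"
}

# count_severity REPORT SEVERITY: sum the SEVERITY count across every
# "Total: ..." line of Trivy's table output (Trivy prints one per target,
# e.g. the OS packages and each language-specific file).
count_severity() {
    printf '%s\n' "$1" | awk -v sev="$2" '
        /^Total: / && match($0, sev ": [0-9]+") {
            split(substr($0, RSTART, RLENGTH), kv, ": ")
            n += kv[2]
        }
        END { print n + 0 }'
}

# gate IMAGE: scan IMAGE and return 0 only if Trivy reports no fixable
# HIGH/CRITICAL vulnerability. --exit-code 1 makes Trivy itself exit non-zero
# on a finding; --ignore-unfixed drops findings with no Fixed Version;
# --scanners vuln skips secret scanning (see the INFO line in the log above).
gate() {
    img=$1
    rc=0
    report=$("${TRIVY:-trivy_run}" image --scanners vuln --ignore-unfixed \
        --exit-code 1 --severity HIGH,CRITICAL "$img") || rc=$?
    printf '%s\n' "$report"
    high=$(count_severity "$report" HIGH)
    crit=$(count_severity "$report" CRITICAL)
    echo "$img: HIGH=$high CRITICAL=$crit (trivy exit code $rc)" >&2
    if [ "$rc" -eq 0 ] && [ $((high + crit)) -eq 0 ]; then
        return 0
    fi
    return 1
}

# Constructed sample report with two targets, modelled on the table output
# above; it shows count_severity summing across targets.
SAMPLE_REPORT='demo (alpine 3.18.4)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

Python (python-pkg)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)'

# Usage: sh gate.sh demo   (scans the image, exits 1 on a fixable HIGH/CRITICAL)
if [ -n "${1:-}" ]; then
    gate "$1"
fi
```

Two caveats the page's commands do not mention: the /var/run/docker.sock mount hands the container full control of the host's Docker daemon and is only needed to read images from the local daemon (the demo image); for registry images such as quay.io/keycloak/keycloak Trivy pulls directly, so drop the mount there. And alpine/trivy without a tag resolves to latest, so pin TRIVY_IMAGE to a specific tag in CI. The gate rests on Trivy's own --exit-code; the awk over the Total: lines is only for the summary, and a pipeline that needs the findings themselves should use --format json rather than scraping the table.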

Docker Pull Command

docker pull alpine/trivy