Difference between revisions of "Trivy repo"
Jump to navigation
Jump to search
m (Welcome moved page Trivy repository to Trivy repo) |
|||
(3 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
{{lc}} | {{lc}} | ||
+ | |||
+ | trivy repo https://yourrepo.com | ||
+ | 2024-11-08T13:30:05+01:00 INFO [vulndb] Need to update DB | ||
+ | 2024-11-08T13:30:05+01:00 INFO [vulndb] Downloading vulnerability DB... | ||
+ | 2024-11-08T13:30:05+01:00 INFO [vulndb] Downloading artifact... repo="[[ghcr.io/aquasecurity/trivy-db]]:2" | ||
+ | 2024-11-08T13:30:07+01:00 ERROR [vulndb] Failed to download artifact repo="ghcr.io/aquasecurity/trivy-db:2" | ||
+ | err="OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-db/manifests/2: TOOMANYREQUESTS: | ||
+ | retry-after: 261.843µs, allowed: 44000/minute\n\n" | ||
+ | 2024-11-08T13:30:07+01:00 FATAL Fatal error init error: DB error: failed to download vulnerability DB: OCI | ||
+ | artifact error: failed to download vulnerability DB: failed to download artifact from any source: 1 error occurred: | ||
+ | * OCI repository error: 1 error occurred: | ||
+ | * GET https://ghcr.io/v2/aquasecurity/trivy-db/manifests/2: [[TOOMANYREQUESTS]]: retry-after: 261.843µs, allowed: | ||
+ | 44000/minute | ||
+ | |||
+ | |||
+ | |||
+ | [[trivy]] repo --help | ||
+ | |||
+ | <pre> | ||
+ | Scan a repository | ||
+ | |||
+ | Usage: | ||
+ | trivy repository [flags] (REPO_PATH | REPO_URL) | ||
+ | |||
+ | Aliases: | ||
+ | repository, repo | ||
+ | |||
+ | Examples: | ||
+ | # Scan your remote git repository | ||
+ | $ trivy repo https://github.com/knqyf263/trivy-ci-test | ||
+ | # Scan your local git repository | ||
+ | $ trivy repo /path/to/your/repository | ||
+ | |||
+ | Scan Flags | ||
+ | --detection-priority string specify the detection priority: | ||
+ | - "precise": Prioritizes precise by minimizing false positives. | ||
+ | - "comprehensive": Aims to detect more security findings at the cost of potential false positives. | ||
+ | (precise,comprehensive) (default "precise") | ||
+ | --file-patterns strings specify config file patterns | ||
+ | --offline-scan do not issue API requests to identify dependencies | ||
+ | --parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5) | ||
+ | --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev") | ||
+ | --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor) | ||
+ | --scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret]) | ||
+ | --skip-dirs strings specify the directories or glob patterns to skip | ||
+ | --skip-files strings specify the files or glob patterns to skip | ||
+ | |||
+ | Report Flags | ||
+ | --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages | ||
+ | --exit-code int specify exit code when any security issues are found | ||
+ | -f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table") | ||
+ | --ignore-policy string specify the Rego file path to evaluate each vulnerability | ||
+ | --ignorefile string specify .trivyignore file (default ".trivyignore") | ||
+ | --list-all-pkgs output all packages in the JSON report regardless of vulnerability | ||
+ | -o, --output string output file name | ||
+ | --output-plugin-arg string [EXPERIMENTAL] output plugin arguments | ||
+ | -s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL]) | ||
+ | --show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities | ||
+ | -t, --template string output template | ||
+ | |||
+ | Cache Flags | ||
+ | --cache-backend string [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "memory") | ||
+ | --cache-ttl duration cache TTL when using redis as cache backend | ||
+ | --redis-ca string redis ca file location, if using redis as cache backend | ||
+ | --redis-cert string redis certificate file location, if using redis as cache backend | ||
+ | --redis-key string redis key file location, if using redis as cache backend | ||
+ | --redis-tls enable redis TLS with public certificates, if using redis as cache backend | ||
+ | |||
+ | DB Flags | ||
+ | --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [ghcr.io/aquasecurity/trivy-db:2]) | ||
+ | --download-db-only download/update vulnerability database but don't run a scan | ||
+ | --download-java-db-only download/update Java index database but don't run a scan | ||
+ | --java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [ghcr.io/aquasecurity/trivy-java-db:1]) | ||
+ | --no-progress suppress progress bar | ||
+ | --skip-db-update skip updating vulnerability database | ||
+ | --skip-java-db-update skip updating Java index database | ||
+ | |||
+ | Registry Flags | ||
+ | --password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons. | ||
+ | --password-stdin password from stdin. Comma-separated passwords are not supported. | ||
+ | --registry-token string registry token | ||
+ | --username strings username. Comma-separated usernames allowed. | ||
+ | |||
+ | Vulnerability Flags | ||
+ | --ignore-status strings comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life) | ||
+ | --ignore-unfixed display only fixed vulnerabilities | ||
+ | --skip-vex-repo-update [EXPERIMENTAL] Skip VEX Repository update | ||
+ | --vex strings [EXPERIMENTAL] VEX sources ("repo", "oci" or file path) | ||
+ | |||
+ | Misconfiguration Flags | ||
+ | --cf-params strings specify paths to override the CloudFormation parameters files | ||
+ | --checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:1") | ||
+ | --config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking | ||
+ | --helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment) | ||
+ | --helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command. | ||
+ | --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) | ||
+ | --helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2) | ||
+ | --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) | ||
+ | --helm-values strings specify paths to override the Helm values.yaml files | ||
+ | --include-non-failures include successes, available with '--scanners misconfig' | ||
+ | --misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot]) | ||
+ | --tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules | ||
+ | --tf-vars strings specify paths to override the Terraform tfvars files | ||
+ | |||
+ | Module Flags | ||
+ | --enable-modules strings [EXPERIMENTAL] module names to enable | ||
+ | --module-dir string specify directory to the wasm modules that will be loaded (default "/Users/qs/.trivy/modules") | ||
+ | |||
+ | Secret Flags | ||
+ | --secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml") | ||
+ | |||
+ | License Flags | ||
+ | --ignored-licenses strings specify a list of license to ignore | ||
+ | --license-confidence-level float specify license classifier's confidence level (default 0.9) | ||
+ | --license-full eagerly look for licenses in source code headers and license files | ||
+ | |||
+ | Rego Flags | ||
+ | --check-namespaces strings Rego namespaces | ||
+ | --config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files | ||
+ | --config-data strings specify paths from which data for the Rego checks will be recursively loaded | ||
+ | --include-deprecated-checks include deprecated checks | ||
+ | --skip-check-update skip fetching rego check updates | ||
+ | --trace enable more verbose trace output for custom queries | ||
+ | |||
+ | Package Flags | ||
+ | --include-dev-deps include development dependencies in the report (supported: npm, yarn) | ||
+ | --pkg-relationships strings list of package relationships (unknown,root,direct,indirect) (default [unknown,root,direct,indirect]) | ||
+ | --pkg-types strings list of package types (os,library) (default [os,library]) | ||
+ | |||
+ | Client/Server Flags | ||
+ | --custom-headers strings custom headers in client mode | ||
+ | --server string server address in client mode | ||
+ | --token string for authentication in client/server mode | ||
+ | --token-header string specify a header name for token in client/server mode (default "Trivy-Token") | ||
+ | |||
+ | Repository Flags | ||
+ | --branch string pass the branch name to be scanned | ||
+ | --commit string pass the commit hash to be scanned | ||
+ | --tag string pass the tag name to be scanned | ||
+ | |||
+ | Global Flags: | ||
+ | --cache-dir string cache directory (default "/Users/qs/Library/Caches/trivy") | ||
+ | -c, --config string config path (default "trivy.yaml") | ||
+ | -d, --debug debug mode | ||
+ | --generate-default-config write the default config to trivy-default.yaml | ||
+ | --insecure allow insecure server connections | ||
+ | -q, --quiet suppress progress bar and log output | ||
+ | --timeout duration timeout (default 5m0s) | ||
+ | -v, --version show version | ||
+ | </pre> | ||
Latest revision as of 12:35, 8 November 2024
trivy repo https://yourrepo.com 2024-11-08T13:30:05+01:00 INFO [vulndb] Need to update DB 2024-11-08T13:30:05+01:00 INFO [vulndb] Downloading vulnerability DB... 2024-11-08T13:30:05+01:00 INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2" 2024-11-08T13:30:07+01:00 ERROR [vulndb] Failed to download artifact repo="ghcr.io/aquasecurity/trivy-db:2" err="OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-db/manifests/2: TOOMANYREQUESTS: retry-after: 261.843µs, allowed: 44000/minute\n\n" 2024-11-08T13:30:07+01:00 FATAL Fatal error init error: DB error: failed to download vulnerability DB: OCI artifact error: failed to download vulnerability DB: failed to download artifact from any source: 1 error occurred: * OCI repository error: 1 error occurred: * GET https://ghcr.io/v2/aquasecurity/trivy-db/manifests/2: TOOMANYREQUESTS: retry-after: 261.843µs, allowed: 44000/minute
trivy repo --help
Scan a repository Usage: trivy repository [flags] (REPO_PATH | REPO_URL) Aliases: repository, repo Examples: # Scan your remote git repository $ trivy repo https://github.com/knqyf263/trivy-ci-test # Scan your local git repository $ trivy repo /path/to/your/repository Scan Flags --detection-priority string specify the detection priority: - "precise": Prioritizes precise by minimizing false positives. - "comprehensive": Aims to detect more security findings at the cost of potential false positives. (precise,comprehensive) (default "precise") --file-patterns strings specify config file patterns --offline-scan do not issue API requests to identify dependencies --parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5) --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev") --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor) --scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret]) --skip-dirs strings specify the directories or glob patterns to skip --skip-files strings specify the files or glob patterns to skip Report Flags --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages --exit-code int specify exit code when any security issues are found -f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table") --ignore-policy string specify the Rego file path to evaluate each vulnerability --ignorefile string specify .trivyignore file (default ".trivyignore") --list-all-pkgs output all packages in the JSON report regardless of vulnerability -o, --output string output file name --output-plugin-arg string [EXPERIMENTAL] output plugin arguments -s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL]) --show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities -t, --template string output template Cache Flags --cache-backend string [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "memory") --cache-ttl duration cache TTL when using redis as cache backend --redis-ca string redis ca file location, if using redis as cache backend --redis-cert string redis certificate file location, if using redis as cache backend --redis-key string redis key file location, if using redis as cache backend --redis-tls enable redis TLS with public certificates, if using redis as cache backend DB Flags --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [ghcr.io/aquasecurity/trivy-db:2]) --download-db-only download/update vulnerability database but don't run a scan --download-java-db-only download/update Java index database but don't run a scan --java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [ghcr.io/aquasecurity/trivy-java-db:1]) --no-progress suppress progress bar --skip-db-update skip updating vulnerability database --skip-java-db-update skip updating Java index database Registry Flags --password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons. --password-stdin password from stdin. Comma-separated passwords are not supported. --registry-token string registry token --username strings username. Comma-separated usernames allowed. Vulnerability Flags --ignore-status strings comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life) --ignore-unfixed display only fixed vulnerabilities --skip-vex-repo-update [EXPERIMENTAL] Skip VEX Repository update --vex strings [EXPERIMENTAL] VEX sources ("repo", "oci" or file path) Misconfiguration Flags --cf-params strings specify paths to override the CloudFormation parameters files --checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:1") --config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking --helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment) --helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command. --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) --helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2) --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) --helm-values strings specify paths to override the Helm values.yaml files --include-non-failures include successes, available with '--scanners misconfig' --misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot]) --tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules --tf-vars strings specify paths to override the Terraform tfvars files Module Flags --enable-modules strings [EXPERIMENTAL] module names to enable --module-dir string specify directory to the wasm modules that will be loaded (default "/Users/qs/.trivy/modules") Secret Flags --secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml") License Flags --ignored-licenses strings specify a list of license to ignore --license-confidence-level float specify license classifier's confidence level (default 0.9) --license-full eagerly look for licenses in source code headers and license files Rego Flags --check-namespaces strings Rego namespaces --config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files --config-data strings specify paths from which data for the Rego checks will be recursively loaded --include-deprecated-checks include deprecated checks --skip-check-update skip fetching rego check updates --trace enable more verbose trace output for custom queries Package Flags --include-dev-deps include development dependencies in the report (supported: npm, yarn) --pkg-relationships strings list of package relationships (unknown,root,direct,indirect) (default [unknown,root,direct,indirect]) --pkg-types strings list of package types (os,library) (default [os,library]) Client/Server Flags --custom-headers strings custom headers in client mode --server string server address in client mode --token string for authentication in client/server mode --token-header string specify a header name for token in client/server mode (default "Trivy-Token") Repository Flags --branch string pass the branch name to be scanned --commit string pass the commit hash to be scanned --tag string pass the tag name to be scanned Global Flags: --cache-dir string cache directory (default "/Users/qs/Library/Caches/trivy") -c, --config string config path (default "trivy.yaml") -d, --debug debug mode --generate-default-config write the default config to trivy-default.yaml --insecure allow insecure server connections -q, --quiet suppress progress bar and log output --timeout duration timeout (default 5m0s) -v, --version show version
See also[edit]
Advertising: