Difference between revisions of "Trivy repo"

From wikieduonline
m (Welcome moved page Trivy repository to Trivy repo)
Revision as of 12:29, 8 November 2024

trivy repo --help
Scan a repository

Usage:
  trivy repository [flags] (REPO_PATH | REPO_URL)

Aliases:
  repository, repo

Examples:
  # Scan your remote git repository
  $ trivy repo https://github.com/knqyf263/trivy-ci-test
  # Scan your local git repository
  $ trivy repo /path/to/your/repository

Scan Flags
      --detection-priority string   specify the detection priority:
                                      - "precise": Prioritizes precise by minimizing false positives.
                                      - "comprehensive": Aims to detect more security findings at the cost of potential false positives.
                                     (precise,comprehensive) (default "precise")
      --file-patterns strings       specify config file patterns
      --offline-scan                do not issue API requests to identify dependencies
      --parallel int                number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
      --rekor-url string            [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
      --sbom-sources strings        [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
      --scanners strings            comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
      --skip-dirs strings           specify the directories or glob patterns to skip
      --skip-files strings          specify the files or glob patterns to skip

Report Flags
      --dependency-tree            [EXPERIMENTAL] show dependency origin tree of vulnerable packages
      --exit-code int              specify exit code when any security issues are found
  -f, --format string              format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
      --ignore-policy string       specify the Rego file path to evaluate each vulnerability
      --ignorefile string          specify .trivyignore file (default ".trivyignore")
      --list-all-pkgs              output all packages in the JSON report regardless of vulnerability
  -o, --output string              output file name
      --output-plugin-arg string   [EXPERIMENTAL] output plugin arguments
  -s, --severity strings           severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
      --show-suppressed            [EXPERIMENTAL] show suppressed vulnerabilities
  -t, --template string            output template

Cache Flags
      --cache-backend string   [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "memory")
      --cache-ttl duration     cache TTL when using redis as cache backend
      --redis-ca string        redis ca file location, if using redis as cache backend
      --redis-cert string      redis certificate file location, if using redis as cache backend
      --redis-key string       redis key file location, if using redis as cache backend
      --redis-tls              enable redis TLS with public certificates, if using redis as cache backend

DB Flags
      --db-repository strings        OCI repository(ies) to retrieve trivy-db in order of priority (default [ghcr.io/aquasecurity/trivy-db:2])
      --download-db-only             download/update vulnerability database but don't run a scan
      --download-java-db-only        download/update Java index database but don't run a scan
      --java-db-repository strings   OCI repository(ies) to retrieve trivy-java-db in order of priority (default [ghcr.io/aquasecurity/trivy-java-db:1])
      --no-progress                  suppress progress bar
      --skip-db-update               skip updating vulnerability database
      --skip-java-db-update          skip updating Java index database

Registry Flags
      --password strings        password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
      --password-stdin          password from stdin. Comma-separated passwords are not supported.
      --registry-token string   registry token
      --username strings        username. Comma-separated usernames allowed.

Vulnerability Flags
      --ignore-status strings   comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life)
      --ignore-unfixed          display only fixed vulnerabilities
      --skip-vex-repo-update    [EXPERIMENTAL] Skip VEX Repository update
      --vex strings             [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)

Misconfiguration Flags
      --cf-params strings                 specify paths to override the CloudFormation parameters files
      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:1")
      --config-file-schemas strings       specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking
      --helm-api-versions strings         Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
      --helm-kube-version string          Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
      --helm-set strings                  specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
      --helm-set-file strings             specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
      --helm-set-string strings           specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
      --helm-values strings               specify paths to override the Helm values.yaml files
      --include-non-failures              include successes, available with '--scanners misconfig'
      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
      --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
      --tf-vars strings                   specify paths to override the Terraform tfvars files

Module Flags
      --enable-modules strings   [EXPERIMENTAL] module names to enable
      --module-dir string        specify directory to the wasm modules that will be loaded (default "/Users/qs/.trivy/modules")

Secret Flags
      --secret-config string   specify a path to config file for secret scanning (default "trivy-secret.yaml")

License Flags
      --ignored-licenses strings         specify a list of license to ignore
      --license-confidence-level float   specify license classifier's confidence level (default 0.9)
      --license-full                     eagerly look for licenses in source code headers and license files

Rego Flags
      --check-namespaces strings    Rego namespaces
      --config-check strings        specify the paths to the Rego check files or to the directories containing them, applying config files
      --config-data strings         specify paths from which data for the Rego checks will be recursively loaded
      --include-deprecated-checks   include deprecated checks
      --skip-check-update           skip fetching rego check updates
      --trace                       enable more verbose trace output for custom queries

Package Flags
      --include-dev-deps            include development dependencies in the report (supported: npm, yarn)
      --pkg-relationships strings   list of package relationships (unknown,root,direct,indirect) (default [unknown,root,direct,indirect])
      --pkg-types strings           list of package types (os,library) (default [os,library])

Client/Server Flags
      --custom-headers strings   custom headers in client mode
      --server string            server address in client mode
      --token string             for authentication in client/server mode
      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")

Repository Flags
      --branch string   pass the branch name to be scanned
      --commit string   pass the commit hash to be scanned
      --tag string      pass the tag name to be scanned

Global Flags:
      --cache-dir string          cache directory (default "/Users/qs/Library/Caches/trivy")
  -c, --config string             config path (default "trivy.yaml")
  -d, --debug                     debug mode
      --generate-default-config   write the default config to trivy-default.yaml
      --insecure                  allow insecure server connections
  -q, --quiet                     suppress progress bar and log output
      --timeout duration          timeout (default 5m0s)
  -v, --version                   show version

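The Report and Vulnerability flags above (--severity, --ignore-unfixed, --ignore-status, --exit-code) decide what a scan reports and whether a CI job fails. The script below is an added example, not part of this wiki page and not Trivy's own code: it applies the same filtering offline to a JSON report produced with `trivy repo --format json -o report.json`, so the full report can be kept as a build artifact while the gate uses a narrower policy. It assumes the layout Trivy uses for `-f json` (a top-level "Results" list whose entries carry "Target" and a "Vulnerabilities" list with VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity and Status); the embedded report and its CVE-EXAMPLE-* identifiers are constructed placeholders, and the file name triage.py is hypothetical.

```python
"""Offline triage of a `trivy repo --format json` report (added example).

Re-implements, client-side, what --severity, --ignore-unfixed,
--ignore-status and --exit-code do inside Trivy. Assumes the JSON layout
described in the lead-in; run as `python3 triage.py < report.json`.
"""
import json
import sys

# Same severity vocabulary as the --severity flag, lowest to highest.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample report (placeholder IDs, not real scanner output),
# shaped like the "Results" section of a `-f json` report.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "/path/to/your/repository",
    "Results": [
        {
            "Target": "package-lock.json",
            "Class": "lang-pkgs",
            "Type": "npm",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "pkg-a",
                 "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1",
                 "Severity": "CRITICAL", "Status": "fixed"},
                {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "pkg-b",
                 "InstalledVersion": "2.3.0", "FixedVersion": "",
                 "Severity": "HIGH", "Status": "affected"},
                {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "pkg-c",
                 "InstalledVersion": "0.9.0", "FixedVersion": "0.9.1",
                 "Severity": "LOW", "Status": "fixed"},
                {"VulnerabilityID": "CVE-EXAMPLE-0004", "PkgName": "pkg-d",
                 "InstalledVersion": "4.0.0", "FixedVersion": "",
                 "Severity": "HIGH", "Status": "will_not_fix"},
            ],
        },
        # A config target with no vulnerability list at all; must not crash.
        {"Target": "Dockerfile", "Class": "config", "Type": "dockerfile"},
    ],
})


def severity_at_least(minimum):
    """Severities kept when the policy floor is `minimum` (e.g. HIGH,CRITICAL)."""
    return set(SEVERITY_ORDER[SEVERITY_ORDER.index(minimum):])


def triage(report_json, severities, ignore_unfixed=False, ignore_status=()):
    """Return the findings that survive the policy, each tagged with its target.

    severities:    set of Severity values to keep      (--severity)
    ignore_unfixed: drop entries with no FixedVersion  (--ignore-unfixed)
    ignore_status:  Status values to drop              (--ignore-status)
    """
    report = json.loads(report_json)
    kept = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity", "UNKNOWN") not in severities:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            if vuln.get("Status") in ignore_status:
                continue
            kept.append({"target": result.get("Target"), **vuln})
    return kept


def exit_code(findings, code_on_findings=1):
    """Mirror --exit-code: non-zero only when findings remain after triage."""
    return code_on_findings if findings else 0


if __name__ == "__main__":
    # Read a real report from stdin, or fall back to the constructed sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    findings = triage(raw, severity_at_least("HIGH"),
                      ignore_unfixed=True, ignore_status=("will_not_fix",))
    for f in findings:
        print(f"{f['target']}: {f['VulnerabilityID']} {f['PkgName']} "
              f"{f['InstalledVersion']} -> {f['FixedVersion']} [{f['Severity']}]")
    sys.exit(exit_code(findings))
```

Keeping the policy in a small script rather than only on the command line makes the gate reviewable in version control; the equivalent inline invocation would be `trivy repo --severity HIGH,CRITICAL --ignore-unfixed --ignore-status will_not_fix --exit-code 1 /path/to/your/repository`.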

See also
