trivy repo

From wikieduonline

trivy repo https://yourrepo.com
2024-11-08T13:30:05+01:00	INFO	[vulndb] Need to update DB
2024-11-08T13:30:05+01:00	INFO	[vulndb] Downloading vulnerability DB...
2024-11-08T13:30:05+01:00	INFO	[vulndb] Downloading artifact...	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-11-08T13:30:07+01:00	ERROR	[vulndb] Failed to download artifact	repo="ghcr.io/aquasecurity/trivy-db:2" err="OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-db/manifests/2: TOOMANYREQUESTS: retry-after: 261.843µs, allowed: 44000/minute\n\n"
2024-11-08T13:30:07+01:00	FATAL	Fatal error	init error: DB error: failed to download vulnerability DB: OCI artifact error: failed to download vulnerability DB: failed to download artifact from any source: 1 error occurred:
	* OCI repository error: 1 error occurred:
	* GET https://ghcr.io/v2/aquasecurity/trivy-db/manifests/2: TOOMANYREQUESTS: retry-after: 261.843µs, allowed: 44000/minute


trivy repo --help
Scan a repository

Usage:
  trivy repository [flags] (REPO_PATH | REPO_URL)

Aliases:
  repository, repo

Examples:
  # Scan your remote git repository
  $ trivy repo https://github.com/knqyf263/trivy-ci-test
  # Scan your local git repository
  $ trivy repo /path/to/your/repository

Scan Flags
      --detection-priority string   specify the detection priority:
                                      - "precise": Prioritizes precise by minimizing false positives.
                                      - "comprehensive": Aims to detect more security findings at the cost of potential false positives.
                                     (precise,comprehensive) (default "precise")
      --file-patterns strings       specify config file patterns
      --offline-scan                do not issue API requests to identify dependencies
      --parallel int                number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
      --rekor-url string            [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
      --sbom-sources strings        [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
      --scanners strings            comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
      --skip-dirs strings           specify the directories or glob patterns to skip
      --skip-files strings          specify the files or glob patterns to skip

Report Flags
      --dependency-tree            [EXPERIMENTAL] show dependency origin tree of vulnerable packages
      --exit-code int              specify exit code when any security issues are found
  -f, --format string              format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
      --ignore-policy string       specify the Rego file path to evaluate each vulnerability
      --ignorefile string          specify .trivyignore file (default ".trivyignore")
      --list-all-pkgs              output all packages in the JSON report regardless of vulnerability
  -o, --output string              output file name
      --output-plugin-arg string   [EXPERIMENTAL] output plugin arguments
  -s, --severity strings           severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
      --show-suppressed            [EXPERIMENTAL] show suppressed vulnerabilities
  -t, --template string            output template

Cache Flags
      --cache-backend string   [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "memory")
      --cache-ttl duration     cache TTL when using redis as cache backend
      --redis-ca string        redis ca file location, if using redis as cache backend
      --redis-cert string      redis certificate file location, if using redis as cache backend
      --redis-key string       redis key file location, if using redis as cache backend
      --redis-tls              enable redis TLS with public certificates, if using redis as cache backend

DB Flags
      --db-repository strings        OCI repository(ies) to retrieve trivy-db in order of priority (default [ghcr.io/aquasecurity/trivy-db:2])
      --download-db-only             download/update vulnerability database but don't run a scan
      --download-java-db-only        download/update Java index database but don't run a scan
      --java-db-repository strings   OCI repository(ies) to retrieve trivy-java-db in order of priority (default [ghcr.io/aquasecurity/trivy-java-db:1])
      --no-progress                  suppress progress bar
      --skip-db-update               skip updating vulnerability database
      --skip-java-db-update          skip updating Java index database

Registry Flags
      --password strings        password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
      --password-stdin          password from stdin. Comma-separated passwords are not supported.
      --registry-token string   registry token
      --username strings        username. Comma-separated usernames allowed.

Vulnerability Flags
      --ignore-status strings   comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life)
      --ignore-unfixed          display only fixed vulnerabilities
      --skip-vex-repo-update    [EXPERIMENTAL] Skip VEX Repository update
      --vex strings             [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)

Misconfiguration Flags
      --cf-params strings                 specify paths to override the CloudFormation parameters files
      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:1")
      --config-file-schemas strings       specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking
      --helm-api-versions strings         Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
      --helm-kube-version string          Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
      --helm-set strings                  specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
      --helm-set-file strings             specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
      --helm-set-string strings           specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
      --helm-values strings               specify paths to override the Helm values.yaml files
      --include-non-failures              include successes, available with '--scanners misconfig'
      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
      --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
      --tf-vars strings                   specify paths to override the Terraform tfvars files

Module Flags
      --enable-modules strings   [EXPERIMENTAL] module names to enable
      --module-dir string        specify directory to the wasm modules that will be loaded (default "/Users/qs/.trivy/modules")

Secret Flags
      --secret-config string   specify a path to config file for secret scanning (default "trivy-secret.yaml")

License Flags
      --ignored-licenses strings         specify a list of license to ignore
      --license-confidence-level float   specify license classifier's confidence level (default 0.9)
      --license-full                     eagerly look for licenses in source code headers and license files

Rego Flags
      --check-namespaces strings    Rego namespaces
      --config-check strings        specify the paths to the Rego check files or to the directories containing them, applying config files
      --config-data strings         specify paths from which data for the Rego checks will be recursively loaded
      --include-deprecated-checks   include deprecated checks
      --skip-check-update           skip fetching rego check updates
      --trace                       enable more verbose trace output for custom queries

Package Flags
      --include-dev-deps            include development dependencies in the report (supported: npm, yarn)
      --pkg-relationships strings   list of package relationships (unknown,root,direct,indirect) (default [unknown,root,direct,indirect])
      --pkg-types strings           list of package types (os,library) (default [os,library])

Client/Server Flags
      --custom-headers strings   custom headers in client mode
      --server string            server address in client mode
      --token string             for authentication in client/server mode
      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")

Repository Flags
      --branch string   pass the branch name to be scanned
      --commit string   pass the commit hash to be scanned
      --tag string      pass the tag name to be scanned

Global Flags:
      --cache-dir string          cache directory (default "/Users/qs/Library/Caches/trivy")
  -c, --config string             config path (default "trivy.yaml")
  -d, --debug                     debug mode
      --generate-default-config   write the default config to trivy-default.yaml
      --insecure                  allow insecure server connections
  -q, --quiet                     suppress progress bar and log output
      --timeout duration          timeout (default 5m0s)
  -v, --version                   show version
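The TOOMANYREQUESTS failure at the top of this page comes from the vulnerability DB download, not from the scan itself. The following script is an added example (not from the Trivy project or this page): it fetches trivy-db once with bounded retries and a fallback repository, then runs `trivy repo` with `--skip-db-update` so the scan never contacts ghcr.io. It assumes trivy is on PATH and uses `registry.example.com` as a placeholder mirror; every flag used appears in the help output above.

```shell
# Added example, not part of the Trivy project or the original page.
# Work around the ghcr.io TOOMANYREQUESTS error: fetch the DB once with bounded
# retries (optionally from a mirror), then scan with --skip-db-update.
# Assumptions: trivy is on PATH; registry.example.com is a placeholder mirror.
set -e
TRIVY_CACHE_DIR="${TRIVY_CACHE_DIR:-$HOME/.cache/trivy}"
# --db-repository tries repositories in priority order: default first, then mirror.
DB_REPOS="ghcr.io/aquasecurity/trivy-db:2,registry.example.com/mirror/trivy-db:2"

# True when a captured trivy log contains the registry rate-limit error.
is_rate_limited() {
    grep -q 'TOOMANYREQUESTS' "$1"
}

# Exponential backoff for attempt N (1-based): 2, 4, 8, ... capped at 60 seconds.
backoff_seconds() {
    s=$((1 << $1))
    if [ "$s" -gt 60 ]; then s=60; fi
    echo "$s"
}

# Download only the vulnerability DB, retrying up to $1 times on rate limiting.
# Any other failure is reported immediately and not retried.
fetch_db() {
    attempt=1
    log=$(mktemp)
    while [ "$attempt" -le "$1" ]; do
        if trivy --cache-dir "$TRIVY_CACHE_DIR" image --download-db-only \
                --db-repository "$DB_REPOS" 2>"$log"; then
            rm -f "$log"; return 0
        fi
        if ! is_rate_limited "$log"; then
            cat "$log" >&2; rm -f "$log"; return 1
        fi
        sleep "$(backoff_seconds "$attempt")"
        attempt=$((attempt + 1))
    done
    rm -f "$log"; return 1
}

# Scan with the cached DB only; exit 1 when HIGH or CRITICAL findings exist.
scan_repo() {
    trivy --cache-dir "$TRIVY_CACHE_DIR" repo --skip-db-update --skip-java-db-update \
        --severity HIGH,CRITICAL --exit-code 1 --format json --output trivy-report.json "$1"
}

# Usage: sh trivy-scan.sh /path/to/repo  (with no argument, only the functions are defined)
if [ "$#" -gt 0 ]; then
    fetch_db 5
    scan_repo "$1"
fi
```

The `--exit-code 1` makes the scan usable as a CI gate, while the JSON report keeps the full finding list for triage.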

