gitea-mirror/trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2025-12-12 15:50:15 -08:00
Code Issues Packages Projects Releases Wiki Activity

feat: add --distro flag to manually specify OS distribution for vulnerability scanning (#8070)

Browse Source 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
This commit is contained in:
Teppei Fukuda
2024-12-09 20:46:49 +09:00
committed by GitHub
parent 90f1d8d78a
commit da17dc7278
27 changed files with 441 additions and 138 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
docs/docs/references/configuration/cli/trivy_filesystem.md
View File

@@ -35,6 +35,7 @@ trivy filesystem [flags] PATH
- "precise": Prioritizes precise by minimizing false positives.
- "comprehensive": Aims to detect more security findings at the cost of potential false positives.
(precise,comprehensive) (default "precise")
--distro string [EXPERIMENTAL] specify a distribution, <family>/<version>
--download-db-only download/update vulnerability database but don't run a scan
--download-java-db-only download/update Java index database but don't run a scan
--enable-modules strings [EXPERIMENTAL] module names to enable

1
docs/docs/references/configuration/cli/trivy_image.md
View File

@@ -49,6 +49,7 @@ trivy image [flags] IMAGE_NAME
- "precise": Prioritizes precise by minimizing false positives.
- "comprehensive": Aims to detect more security findings at the cost of potential false positives.
(precise,comprehensive) (default "precise")
--distro string [EXPERIMENTAL] specify a distribution, <family>/<version>
--docker-host string unix domain socket path to use for docker scanning
--download-db-only download/update vulnerability database but don't run a scan
--download-java-db-only download/update Java index database but don't run a scan

1
docs/docs/references/configuration/cli/trivy_kubernetes.md
View File

@@ -45,6 +45,7 @@ trivy kubernetes [flags] [CONTEXT]
- "comprehensive": Aims to detect more security findings at the cost of potential false positives.
(precise,comprehensive) (default "precise")
--disable-node-collector When the flag is activated, the node-collector job will not be executed, thus skipping misconfiguration findings on the node.
--distro string [EXPERIMENTAL] specify a distribution, <family>/<version>
--download-db-only download/update vulnerability database but don't run a scan
--download-java-db-only download/update Java index database but don't run a scan
--exclude-kinds strings indicate the kinds exclude from scanning (example: node)

1
docs/docs/references/configuration/cli/trivy_rootfs.md
View File

@@ -37,6 +37,7 @@ trivy rootfs [flags] ROOTDIR
- "precise": Prioritizes precise by minimizing false positives.
- "comprehensive": Aims to detect more security findings at the cost of potential false positives.
(precise,comprehensive) (default "precise")
--distro string [EXPERIMENTAL] specify a distribution, <family>/<version>
--download-db-only download/update vulnerability database but don't run a scan
--download-java-db-only download/update Java index database but don't run a scan
--enable-modules strings [EXPERIMENTAL] module names to enable

1
docs/docs/references/configuration/cli/trivy_sbom.md
View File

@@ -29,6 +29,7 @@ trivy sbom [flags] SBOM_PATH
- "precise": Prioritizes precise by minimizing false positives.
- "comprehensive": Aims to detect more security findings at the cost of potential false positives.
(precise,comprehensive) (default "precise")
--distro string [EXPERIMENTAL] specify a distribution, <family>/<version>
--download-db-only download/update vulnerability database but don't run a scan
--download-java-db-only download/update Java index database but don't run a scan
--exit-code int specify exit code when any security issues are found

1
docs/docs/references/configuration/cli/trivy_vm.md
View File

@@ -33,6 +33,7 @@ trivy vm [flags] VM_IMAGE
- "precise": Prioritizes precise by minimizing false positives.
- "comprehensive": Aims to detect more security findings at the cost of potential false positives.
(precise,comprehensive) (default "precise")
--distro string [EXPERIMENTAL] specify a distribution, <family>/<version>
--download-db-only download/update vulnerability database but don't run a scan
--download-java-db-only download/update Java index database but don't run a scan
--enable-modules strings [EXPERIMENTAL] module names to enable

3
docs/docs/references/configuration/config-file.md
View File

@@ -570,6 +570,9 @@ scan:
# Same as '--detection-priority'
detection-priority: "precise"
# Same as '--distro'
distro: ""
# Same as '--file-patterns'
file-patterns: []

6
docs/docs/scanner/vulnerability.md
View File

@@ -339,6 +339,12 @@ Regardless of the chosen mode, user review of detected vulnerabilities is crucia
- `precise`: Review thoroughly, considering potential missed vulnerabilities.
- `comprehensive`: Carefully investigate each reported vulnerability due to increased false positive possibility.
### Overriding OS version
By default, Trivy automatically detects the OS during container image scanning and performs vulnerability detection based on that OS.
However, in some cases, you may want to scan an image with a different OS version than the one detected.
Also, you may want to specify the OS version when OS is not detected.
For these cases, Trivy supports a `--distro` flag using the `<family>/<version>` format (e.g. `alpine/3.20`) to set the desired OS version.
[^1]: https://github.com/GoogleContainerTools/distroless
[nvd-CVE-2023-0464]: https://nvd.nist.gov/vuln/detail/CVE-2023-0464