gitea-mirror/trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2025-12-12 15:50:15 -08:00
Code Issues Packages Projects Releases Wiki Activity

docs: add config file and update CLI references (#2489)

Browse Source
This commit is contained in:
Teppei Fukuda
2022-07-10 19:41:42 +03:00
committed by GitHub
parent 736e3f11f7
commit e98bde3396
18 changed files with 924 additions and 292 deletions
Download Patch File Download Diff File Expand all files Collapse all files

87
docs/docs/references/cli/client.md
View File

@@ -1,32 +1,69 @@
# Client
```bash
NAME:
trivy client - DEPRECATED client mode, use `trivy image` with `--server` option for remote scans now.
Usage:
[DEPRECATED] trivy client [flags] IMAGE_NAME
USAGE:
trivy image --server value
Aliases:
client, c
trivy client [deprecated command options] image_name
Scan Flags
--offline-scan do not issue API requests to identify dependencies
--security-checks string comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
--skip-dirs string specify the directories where the traversal is skipped
--skip-files string specify the file paths to skip traversal
DEPRECATED OPTIONS:
--template value, -t value output template [$TRIVY_TEMPLATE]
--format value, -f value format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
--input value, -i value input file path instead of image name [$TRIVY_INPUT]
--severity value, -s value severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
--output value, -o value output file name [$TRIVY_OUTPUT]
--exit-code value Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
--ignore-unfixed display only fixed vulnerabilities (default: false) [$TRIVY_IGNORE_UNFIXED]
--removed-pkgs detect vulnerabilities of removed packages (only for Alpine) (default: false) [$TRIVY_REMOVED_PKGS]
--vuln-type value comma-separated list of vulnerability types (os,library) (default: "os,library") [$TRIVY_VULN_TYPE]
--ignorefile value specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
--timeout value timeout (default: 5m0s) [$TRIVY_TIMEOUT]
--ignore-policy value specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
--list-all-pkgs enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
--offline-scan do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
--token value for authentication [$TRIVY_TOKEN]
--token-header value specify a header name for token (default: "Trivy-Token") [$TRIVY_TOKEN_HEADER]
--remote value server address (default: "http://localhost:4954") [$TRIVY_REMOTE]
--custom-headers value custom headers [$TRIVY_CUSTOM_HEADERS]
--help, -h show help (default: false)
Report Flags
--dependency-tree show dependency origin tree (EXPERIMENTAL)
--exit-code int specify exit code when any security issues are found
-f, --format string format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default "table")
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignorefile string specify .trivyignore file (default ".trivyignore")
--list-all-pkgs enabling the option will output all packages regardless of vulnerability
-o, --output string output file name
--report string specify a report format for the output. (all,summary) (default "all")
-s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
-t, --template string output template
Cache Flags
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--clear-cache clear image caches without scanning
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
DB Flags
--db-repository string OCI repository to retrieve trivy-db from" (default "ghcr.io/aquasecurity/trivy-db")
--download-db-only download/update vulnerability database but don't run a scan
--no-progress suppress progress bar
--reset remove all caches and database
--skip-db-update skip updating vulnerability database
Vulnerability Flags
--ignore-unfixed display only fixed vulnerabilities
--vuln-type string comma-separated list of vulnerability types (os,library) (default "os,library")
Misconfiguration Flags
--config-data strings specify paths from which data for the Rego policies will be recursively loaded
--config-policy strings specify paths to the Rego policy files directory, applying config files
--file-patterns strings specify config file patterns, available with '--security-checks config'
--include-non-failures include successes and exceptions, available with '--security-checks config'
--policy-namespaces strings Rego namespaces
--trace enable more verbose trace output for custom queries
Client/Server Flags
--custom-headers strings custom headers in client mode
--remote string server address (default "http://localhost:4954")
--token string for authentication in client/server mode
--token-header string specify a header name for token in client/server mode (default "Trivy-Token")
Global Flags:
--cache-dir string cache directory (default "/Users/teppei/Library/Caches/trivy")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--insecure allow insecure server connections when using TLS
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
```

69
docs/docs/references/cli/config.md
View File

@@ -1,29 +1,52 @@
# Config
``` bash
NAME:
trivy config - scan config files
Scan config files for misconfigurations
USAGE:
trivy config [command options] dir
Usage:
trivy config [flags] DIR
Aliases:
config, conf
Scan Flags
--skip-dirs string specify the directories where the traversal is skipped
--skip-files string specify the file paths to skip traversal
Report Flags
--dependency-tree show dependency origin tree (EXPERIMENTAL)
--exit-code int specify exit code when any security issues are found
-f, --format string format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default "table")
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignorefile string specify .trivyignore file (default ".trivyignore")
--list-all-pkgs enabling the option will output all packages regardless of vulnerability
-o, --output string output file name
-s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
-t, --template string output template
Cache Flags
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--clear-cache clear image caches without scanning
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
Misconfiguration Flags
--config-data strings specify paths from which data for the Rego policies will be recursively loaded
--config-policy strings specify paths to the Rego policy files directory, applying config files
--file-patterns strings specify config file patterns, available with '--security-checks config'
--include-non-failures include successes and exceptions, available with '--security-checks config'
--policy-namespaces strings Rego namespaces
--trace enable more verbose trace output for custom queries
Global Flags:
--cache-dir string cache directory (default "/Users/teppei/Library/Caches/trivy")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--insecure allow insecure server connections when using TLS
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
OPTIONS:
--template value, -t value output template [$TRIVY_TEMPLATE]
--format value, -f value format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
--severity value, -s value severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
--output value, -o value output file name [$TRIVY_OUTPUT]
--exit-code value Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
--skip-policy-update skip updating built-in policies (default: false) [$TRIVY_SKIP_POLICY_UPDATE]
--reset remove all caches and database (default: false) [$TRIVY_RESET]
--clear-cache, -c clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE]
--ignorefile value specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
--timeout value timeout (default: 5m0s) [$TRIVY_TIMEOUT]
--skip-files value specify the file paths to skip traversal [$TRIVY_SKIP_FILES]
--skip-dirs value specify the directories where the traversal is skipped [$TRIVY_SKIP_DIRS]
--policy value, --config-policy value specify paths to the Rego policy files directory, applying config files [$TRIVY_POLICY]
--data value, --config-data value specify paths from which data for the Rego policies will be recursively loaded [$TRIVY_DATA]
--policy-namespaces value, --namespaces value Rego namespaces (default: "users") [$TRIVY_POLICY_NAMESPACES]
--file-patterns value specify file patterns [$TRIVY_FILE_PATTERNS]
--include-successes include successes of misconfigurations (default: false) [$TRIVY_INCLUDE_SUCCESSES]
--help, -h show help (default: false)
```

110
docs/docs/references/cli/fs.md
View File

@@ -1,42 +1,80 @@
# Filesystem
```bash
NAME:
trivy filesystem - scan local filesystem for language-specific dependencies and config files
Scan local filesystem
USAGE:
trivy filesystem [command options] path
Usage:
trivy filesystem [flags] PATH
OPTIONS:
--template value, -t value output template [$TRIVY_TEMPLATE]
--format value, -f value format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
--severity value, -s value severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
--output value, -o value output file name [$TRIVY_OUTPUT]
--exit-code value Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
--skip-db-update, --skip-update skip updating vulnerability database (default: false) [$TRIVY_SKIP_UPDATE, $TRIVY_SKIP_DB_UPDATE]
--skip-policy-update skip updating built-in policies (default: false) [$TRIVY_SKIP_POLICY_UPDATE]
--insecure allow insecure server connections when using SSL (default: false) [$TRIVY_INSECURE]
--clear-cache, -c clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE]
--ignore-unfixed display only fixed vulnerabilities (default: false) [$TRIVY_IGNORE_UNFIXED]
--vuln-type value comma-separated list of vulnerability types (os,library) (default: "os,library") [$TRIVY_VULN_TYPE]
--security-checks value comma-separated list of what security issues to detect (vuln,config) (default: "vuln") [$TRIVY_SECURITY_CHECKS]
--ignorefile value specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
--cache-backend value cache backend (e.g. redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND]
--cache-ttl value cache TTL when using redis as cache backend (default: 0s) [$TRIVY_CACHE_TTL]
--timeout value timeout (default: 5m0s) [$TRIVY_TIMEOUT]
--no-progress suppress progress bar (default: false) [$TRIVY_NO_PROGRESS]
--ignore-policy value specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
--list-all-pkgs enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
--offline-scan do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
--db-repository value OCI repository to retrieve trivy-db from (default: "ghcr.io/aquasecurity/trivy-db") [$TRIVY_DB_REPOSITORY]
--skip-files value specify the file paths to skip traversal (accepts multiple inputs) [$TRIVY_SKIP_FILES]
--skip-dirs value specify the directories where the traversal is skipped (accepts multiple inputs) [$TRIVY_SKIP_DIRS]
--config-policy value specify paths to the Rego policy files directory, applying config files (accepts multiple inputs) [$TRIVY_CONFIG_POLICY]
--config-data value specify paths from which data for the Rego policies will be recursively loaded (accepts multiple inputs) [$TRIVY_CONFIG_DATA]
--policy-namespaces value, --namespaces value Rego namespaces (default: "users") (accepts multiple inputs) [$TRIVY_POLICY_NAMESPACES]
--server value server address [$TRIVY_SERVER]
--token value for authentication in client/server mode [$TRIVY_TOKEN]
--token-header value specify a header name for token in client/server mode (default: "Trivy-Token") [$TRIVY_TOKEN_HEADER]
--custom-headers value custom headers in client/server mode (accepts multiple inputs) [$TRIVY_CUSTOM_HEADERS]
--help, -h show help (default: false)
Aliases:
filesystem, fs
Examples:
# Scan a local project including language-specific files
$ trivy fs /path/to/your_project
# Scan a single file
$ trivy fs ./trivy-ci-test/Pipfile.lock
Scan Flags
--offline-scan do not issue API requests to identify dependencies
--security-checks string comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
--skip-dirs string specify the directories where the traversal is skipped
--skip-files string specify the file paths to skip traversal
Report Flags
--dependency-tree show dependency origin tree (EXPERIMENTAL)
--exit-code int specify exit code when any security issues are found
-f, --format string format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default "table")
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignorefile string specify .trivyignore file (default ".trivyignore")
--list-all-pkgs enabling the option will output all packages regardless of vulnerability
-o, --output string output file name
-s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
-t, --template string output template
Cache Flags
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--clear-cache clear image caches without scanning
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
DB Flags
--db-repository string OCI repository to retrieve trivy-db from" (default "ghcr.io/aquasecurity/trivy-db")
--download-db-only download/update vulnerability database but don't run a scan
--no-progress suppress progress bar
--reset remove all caches and database
--skip-db-update skip updating vulnerability database
Vulnerability Flags
--ignore-unfixed display only fixed vulnerabilities
--vuln-type string comma-separated list of vulnerability types (os,library) (default "os,library")
Misconfiguration Flags
--config-data strings specify paths from which data for the Rego policies will be recursively loaded
--config-policy strings specify paths to the Rego policy files directory, applying config files
--file-patterns strings specify config file patterns, available with '--security-checks config'
--include-non-failures include successes and exceptions, available with '--security-checks config'
--policy-namespaces strings Rego namespaces
--trace enable more verbose trace output for custom queries
Secret Flags
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
Client/Server Flags
--custom-headers strings custom headers in client mode
--server string server address in client mode
--token string for authentication in client/server mode
--token-header string specify a header name for token in client/server mode (default "Trivy-Token")
Global Flags:
--cache-dir string cache directory (default "/Users/teppei/Library/Caches/trivy")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--insecure allow insecure server connections when using TLS
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
```

130
docs/docs/references/cli/image.md
View File

@@ -1,43 +1,99 @@
# Image
```bash
NAME:
trivy image - scan an image
Scan a container image
USAGE:
trivy image [command options] image_name
Usage:
trivy image [flags] IMAGE_NAME
OPTIONS:
--template value, -t value output template [$TRIVY_TEMPLATE]
--format value, -f value format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
--input value, -i value input file path instead of image name [$TRIVY_INPUT]
--severity value, -s value severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
--output value, -o value output file name [$TRIVY_OUTPUT]
--exit-code value Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
--skip-db-update, --skip-update skip updating vulnerability database (default: false) [$TRIVY_SKIP_UPDATE, $TRIVY_SKIP_DB_UPDATE]
--download-db-only download/update vulnerability database but don't run a scan (default: false) [$TRIVY_DOWNLOAD_DB_ONLY]
--reset remove all caches and database (default: false) [$TRIVY_RESET]
--clear-cache, -c clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE]
--no-progress suppress progress bar (default: false) [$TRIVY_NO_PROGRESS]
--ignore-unfixed display only fixed vulnerabilities (default: false) [$TRIVY_IGNORE_UNFIXED]
--removed-pkgs detect vulnerabilities of removed packages (only for Alpine) (default: false) [$TRIVY_REMOVED_PKGS]
--vuln-type value comma-separated list of vulnerability types (os,library) (default: "os,library") [$TRIVY_VULN_TYPE]
--security-checks value comma-separated list of what security issues to detect (vuln,config,secret) (default: "vuln,secret") [$TRIVY_SECURITY_CHECKS]
--ignorefile value specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
--timeout value timeout (default: 5m0s) [$TRIVY_TIMEOUT]
--light deprecated (default: false) [$TRIVY_LIGHT]
--ignore-policy value specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
--list-all-pkgs enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
--cache-backend value cache backend (e.g. redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND]
--cache-ttl value cache TTL when using redis as cache backend (default: 0s) [$TRIVY_CACHE_TTL]
--offline-scan do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
--insecure allow insecure server connections when using SSL (default: false) [$TRIVY_INSECURE]
--db-repository value OCI repository to retrieve trivy-db from (default: "ghcr.io/aquasecurity/trivy-db") [$TRIVY_DB_REPOSITORY]
--skip-files value specify the file paths to skip traversal (accepts multiple inputs) [$TRIVY_SKIP_FILES]
--skip-dirs value specify the directories where the traversal is skipped (accepts multiple inputs) [$TRIVY_SKIP_DIRS]
--server value server address [$TRIVY_SERVER]
--token value for authentication in client/server mode [$TRIVY_TOKEN]
--token-header value specify a header name for token in client/server mode (default: "Trivy-Token") [$TRIVY_TOKEN_HEADER]
--custom-headers value custom headers in client/server mode (accepts multiple inputs) [$TRIVY_CUSTOM_HEADERS]
--help, -h show help (default: false)
Aliases:
image, i
Examples:
# Scan a container image
$ trivy image python:3.4-alpine
# Scan a container image from a tar archive
$ trivy image --input ruby-3.1.tar
# Filter by severities
$ trivy image --severity HIGH,CRITICAL alpine:3.15
# Ignore unfixed/unpatched vulnerabilities
$ trivy image --ignore-unfixed alpine:3.15
# Scan a container image in client mode
$ trivy image --server http://127.0.0.1:4954 alpine:latest
# Generate json result
$ trivy image --format json --output result.json alpine:3.15
# Generate a report in the CycloneDX format
$ trivy image --format cyclonedx --output result.cdx alpine:3.15
Scan Flags
--offline-scan do not issue API requests to identify dependencies
--security-checks string comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
--skip-dirs string specify the directories where the traversal is skipped
--skip-files string specify the file paths to skip traversal
Report Flags
--dependency-tree show dependency origin tree (EXPERIMENTAL)
--exit-code int specify exit code when any security issues are found
-f, --format string format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default "table")
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignorefile string specify .trivyignore file (default ".trivyignore")
--list-all-pkgs enabling the option will output all packages regardless of vulnerability
-o, --output string output file name
-s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
-t, --template string output template
Cache Flags
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--clear-cache clear image caches without scanning
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
DB Flags
--db-repository string OCI repository to retrieve trivy-db from" (default "ghcr.io/aquasecurity/trivy-db")
--download-db-only download/update vulnerability database but don't run a scan
--no-progress suppress progress bar
--reset remove all caches and database
--skip-db-update skip updating vulnerability database
Image Flags
--input string input file path instead of image name
--removed-pkgs detect vulnerabilities of removed packages (only for Alpine)
Vulnerability Flags
--ignore-unfixed display only fixed vulnerabilities
--vuln-type string comma-separated list of vulnerability types (os,library) (default "os,library")
Misconfiguration Flags
--config-data strings specify paths from which data for the Rego policies will be recursively loaded
--config-policy strings specify paths to the Rego policy files directory, applying config files
--file-patterns strings specify config file patterns, available with '--security-checks config'
--include-non-failures include successes and exceptions, available with '--security-checks config'
--policy-namespaces strings Rego namespaces
--trace enable more verbose trace output for custom queries
Secret Flags
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
Client/Server Flags
--custom-headers strings custom headers in client mode
--server string server address in client mode
--token string for authentication in client/server mode
--token-header string specify a header name for token in client/server mode (default "Trivy-Token")
Global Flags:
--cache-dir string cache directory (default "/Users/teppei/Library/Caches/trivy")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--insecure allow insecure server connections when using TLS
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
```

65
docs/docs/references/cli/index.md
View File

@@ -1,32 +1,49 @@
Trivy has several sub commands, image, fs, repo, client and server.
``` bash
NAME:
trivy - Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues and hard-coded secrets
Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues and hard-coded secrets
USAGE:
trivy [global options] command [command options] target
Usage:
trivy [command]
VERSION:
dev
Examples:
# Scan a container image
$ trivy image python:3.4-alpine
COMMANDS:
image, i scan an image
filesystem, fs scan local filesystem for language-specific dependencies and config files
rootfs scan rootfs
repository, repo scan remote repository
server, s server mode
config, conf scan config files
plugin, p manage plugins
kubernetes, k8s scan kubernetes vulnerabilities and misconfigurations
sbom generate SBOM for an artifact
version print the version
help, h Shows a list of commands or help for one command
# Scan a container image from a tar archive
$ trivy image --input ruby-3.1.tar
GLOBAL OPTIONS:
--quiet, -q suppress progress bar and log output (default: false) [$TRIVY_QUIET]
--debug, -d debug mode (default: false) [$TRIVY_DEBUG]
--cache-dir value cache directory (default: "/Users/teppei/Library/Caches/trivy") [$TRIVY_CACHE_DIR]
--help, -h show help (default: false)
--version, -v print the version (default: false)
# Scan local filesystem
$ trivy fs .
# Run in server mode
$ trivy server
Available Commands:
config Scan config files for misconfigurations
filesystem Scan local filesystem
help Help about any command
image Scan a container image
kubectl scan kubectl resources
kubernetes scan kubernetes cluster
module Manage modules
plugin Manage plugins
repository Scan a remote repository
rootfs Scan rootfs
sbom Scan SBOM for vulnerabilities
server Server mode
version Print the version
Flags:
--cache-dir string cache directory (default "/Users/teppei/Library/Caches/trivy")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
-f, --format string version format (json)
-h, --help help for trivy
--insecure allow insecure server connections when using TLS
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
Use "trivy [command] --help" for more information about a command.
```

30
docs/docs/references/cli/module.md
View File

@@ -1,17 +1,27 @@
# Module
```bash
NAME:
trivy module - manage modules
Manage modules
USAGE:
trivy module command [command options] [arguments...]
Usage:
trivy module [command]
COMMANDS:
install, i install a module
uninstall, u uninstall a module
help, h Shows a list of commands or help for one command
Aliases:
module, m
OPTIONS:
--help, -h show help (default: false)
Available Commands:
install Install a module
uninstall Uninstall a module
Flags:
-h, --help help for module
Global Flags:
--cache-dir string cache directory (default "/Users/teppei/Library/Caches/trivy")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--insecure allow insecure server connections when using TLS
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
```

38
docs/docs/references/cli/plugin.md
View File

@@ -1,21 +1,31 @@
# Plugin
```bash
NAME:
trivy plugin - manage plugins
Manage plugins
USAGE:
trivy plugin command [command options] plugin_uri
Usage:
trivy plugin [command]
COMMANDS:
install, i install a plugin
uninstall, u uninstall a plugin
list, l list installed plugin
info information about a plugin
run, r run a plugin on the fly
update update an existing plugin
help, h Shows a list of commands or help for one command
Aliases:
plugin, p
OPTIONS:
--help, -h show help (default: false)
Available Commands:
Uninstall uninstall a plugin
info Show information about the specified plugin
install Install a plugin
list List installed plugin
run Run a plugin on the fly
update Update an existing plugin
Flags:
-h, --help help for plugin
Global Flags:
--cache-dir string cache directory (default "/Users/teppei/Library/Caches/trivy")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--insecure allow insecure server connections when using TLS
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
```

103
docs/docs/references/cli/repo.md
View File

@@ -1,38 +1,77 @@
# Repository
```bash
NAME:
trivy repository - scan remote repository
Scan a remote repository
USAGE:
trivy repository [command options] repo_url
Usage:
trivy repository [flags] REPO_URL
OPTIONS:
--template value, -t value output template [$TRIVY_TEMPLATE]
--format value, -f value format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
--input value, -i value input file path instead of image name [$TRIVY_INPUT]
--severity value, -s value severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
--output value, -o value output file name [$TRIVY_OUTPUT]
--exit-code value Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
--skip-db-update, --skip-update skip updating vulnerability database (default: false) [$TRIVY_SKIP_UPDATE, $TRIVY_SKIP_DB_UPDATE]
--skip-policy-update skip updating built-in policies (default: false) [$TRIVY_SKIP_POLICY_UPDATE]
--clear-cache, -c clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE]
--ignore-unfixed display only fixed vulnerabilities (default: false) [$TRIVY_IGNORE_UNFIXED]
--removed-pkgs detect vulnerabilities of removed packages (only for Alpine) (default: false) [$TRIVY_REMOVED_PKGS]
--vuln-type value comma-separated list of vulnerability types (os,library) (default: "os,library") [$TRIVY_VULN_TYPE]
--security-checks value comma-separated list of what security issues to detect (vuln,config) (default: "vuln") [$TRIVY_SECURITY_CHECKS]
--ignorefile value specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
--cache-backend value cache backend (e.g. redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND]
--cache-ttl value cache TTL when using redis as cache backend (default: 0s) [$TRIVY_CACHE_TTL]
--timeout value timeout (default: 5m0s) [$TRIVY_TIMEOUT]
--no-progress suppress progress bar (default: false) [$TRIVY_NO_PROGRESS]
--quiet, -q suppress progress bar and log output (default: false) [$TRIVY_QUIET]
--ignore-policy value specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
--list-all-pkgs enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
--offline-scan do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
--insecure allow insecure server connections when using SSL (default: false) [$TRIVY_INSECURE]
--db-repository value OCI repository to retrieve trivy-db from (default: "ghcr.io/aquasecurity/trivy-db") [$TRIVY_DB_REPOSITORY]
--skip-files value specify the file paths to skip traversal (accepts multiple inputs) [$TRIVY_SKIP_FILES]
--skip-dirs value specify the directories where the traversal is skipped (accepts multiple inputs) [$TRIVY_SKIP_DIRS]
--help, -h show help (default: false)
Aliases:
repository, repo
Examples:
# Scan your remote git repository
$ trivy repo https://github.com/knqyf263/trivy-ci-test
Scan Flags
--offline-scan do not issue API requests to identify dependencies
--security-checks string comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
--skip-dirs string specify the directories where the traversal is skipped
--skip-files string specify the file paths to skip traversal
Report Flags
--dependency-tree show dependency origin tree (EXPERIMENTAL)
--exit-code int specify exit code when any security issues are found
-f, --format string format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default "table")
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignorefile string specify .trivyignore file (default ".trivyignore")
--list-all-pkgs enabling the option will output all packages regardless of vulnerability
-o, --output string output file name
-s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
-t, --template string output template
Cache Flags
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--clear-cache clear image caches without scanning
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
DB Flags
--db-repository string OCI repository to retrieve trivy-db from" (default "ghcr.io/aquasecurity/trivy-db")
--download-db-only download/update vulnerability database but don't run a scan
--no-progress suppress progress bar
--reset remove all caches and database
--skip-db-update skip updating vulnerability database
Vulnerability Flags
--ignore-unfixed display only fixed vulnerabilities
--vuln-type string comma-separated list of vulnerability types (os,library) (default "os,library")
Misconfiguration Flags
--config-data strings specify paths from which data for the Rego policies will be recursively loaded
--config-policy strings specify paths to the Rego policy files directory, applying config files
--file-patterns strings specify config file patterns, available with '--security-checks config'
--include-non-failures include successes and exceptions, available with '--security-checks config'
--policy-namespaces strings Rego namespaces
--trace enable more verbose trace output for custom queries
Secret Flags
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
Client/Server Flags
--custom-headers strings custom headers in client mode
--server string server address in client mode
--token string for authentication in client/server mode
--token-header string specify a header name for token in client/server mode (default "Trivy-Token")
Global Flags:
--cache-dir string cache directory (default "/Users/teppei/Library/Caches/trivy")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--insecure allow insecure server connections when using TLS
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
```

98
docs/docs/references/cli/rootfs.md
View File

@@ -1,36 +1,74 @@
# Rootfs
```bash
NAME:
trivy rootfs - scan rootfs
Scan rootfs
USAGE:
trivy rootfs [command options] dir
Usage:
trivy rootfs [flags] ROOTDIR
OPTIONS:
--template value, -t value output template [$TRIVY_TEMPLATE]
--format value, -f value format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
--severity value, -s value severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
--output value, -o value output file name [$TRIVY_OUTPUT]
--exit-code value Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
--skip-db-update, --skip-update skip updating vulnerability database (default: false) [$TRIVY_SKIP_UPDATE, $TRIVY_SKIP_DB_UPDATE]
--insecure allow insecure server connections when using SSL (default: false) [$TRIVY_INSECURE]
--skip-policy-update skip updating built-in policies (default: false) [$TRIVY_SKIP_POLICY_UPDATE]
--clear-cache, -c clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE]
--ignore-unfixed display only fixed vulnerabilities (default: false) [$TRIVY_IGNORE_UNFIXED]
--vuln-type value comma-separated list of vulnerability types (os,library) (default: "os,library") [$TRIVY_VULN_TYPE]
--security-checks value comma-separated list of what security issues to detect (vuln,config) (default: "vuln") [$TRIVY_SECURITY_CHECKS]
--ignorefile value specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
--cache-backend value cache backend (e.g. redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND]
--timeout value timeout (default: 5m0s) [$TRIVY_TIMEOUT]
--no-progress suppress progress bar (default: false) [$TRIVY_NO_PROGRESS]
--ignore-policy value specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
--list-all-pkgs enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
--offline-scan do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
--skip-files value specify the file paths to skip traversal [$TRIVY_SKIP_FILES]
--skip-dirs value specify the directories where the traversal is skipped [$TRIVY_SKIP_DIRS]
--config-policy value specify paths to the Rego policy files directory, applying config files [$TRIVY_CONFIG_POLICY]
--config-data value specify paths from which data for the Rego policies will be recursively loaded [$TRIVY_CONFIG_DATA]
--policy-namespaces value, --namespaces value Rego namespaces (default: "users") [$TRIVY_POLICY_NAMESPACES]
--help, -h show help (default: false)
Examples:
# Scan unpacked filesystem
$ docker export $(docker create alpine:3.10.2) | tar -C /tmp/rootfs -xvf -
$ trivy rootfs /tmp/rootfs
# Scan from inside a container
$ docker run --rm -it alpine:3.11
/ # curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
/ # trivy rootfs /
Scan Flags
--offline-scan do not issue API requests to identify dependencies
--security-checks string comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
--skip-dirs string specify the directories where the traversal is skipped
--skip-files string specify the file paths to skip traversal
Report Flags
--dependency-tree show dependency origin tree (EXPERIMENTAL)
--exit-code int specify exit code when any security issues are found
-f, --format string format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default "table")
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignorefile string specify .trivyignore file (default ".trivyignore")
--list-all-pkgs enabling the option will output all packages regardless of vulnerability
-o, --output string output file name
-s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
-t, --template string output template
Cache Flags
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--clear-cache clear image caches without scanning
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
DB Flags
--db-repository string OCI repository to retrieve trivy-db from" (default "ghcr.io/aquasecurity/trivy-db")
--download-db-only download/update vulnerability database but don't run a scan
--no-progress suppress progress bar
--reset remove all caches and database
--skip-db-update skip updating vulnerability database
Vulnerability Flags
--ignore-unfixed display only fixed vulnerabilities
--vuln-type string comma-separated list of vulnerability types (os,library) (default "os,library")
Misconfiguration Flags
--config-data strings specify paths from which data for the Rego policies will be recursively loaded
--config-policy strings specify paths to the Rego policy files directory, applying config files
--file-patterns strings specify config file patterns, available with '--security-checks config'
--include-non-failures include successes and exceptions, available with '--security-checks config'
--policy-namespaces strings Rego namespaces
--trace enable more verbose trace output for custom queries
Secret Flags
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
Global Flags:
--cache-dir string cache directory (default "/Users/teppei/Library/Caches/trivy")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--insecure allow insecure server connections when using TLS
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
```

99
docs/docs/references/cli/sbom.md
View File

@@ -1,46 +1,67 @@
# SBOM
```bash
NAME:
trivy sbom - scan SBOM for vulnerabilities
Scan SBOM for vulnerabilities
USAGE:
trivy sbom [command options] SBOM
Usage:
trivy sbom [flags] SBOM_PATH
OPTIONS:
--cache-backend value cache backend (e.g. redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND]
--cache-ttl value cache TTL when using redis as cache backend (default: 0s) [$TRIVY_CACHE_TTL]
--clear-cache, -c clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE]
--custom-headers value custom headers in client/server mode (accepts multiple inputs) [$TRIVY_CUSTOM_HEADERS]
--db-repository value OCI repository to retrieve trivy-db from (default: "ghcr.io/aquasecurity/trivy-db") [$TRIVY_DB_REPOSITORY]
--download-db-only download/update vulnerability database but don't run a scan (default: false) [$TRIVY_DOWNLOAD_DB_ONLY]
--exit-code value Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
--format value, -f value format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default: "table") [$TRIVY_FORMAT]
--ignore-policy value specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
--ignore-unfixed display only fixed vulnerabilities (default: false) [$TRIVY_IGNORE_UNFIXED]
--ignorefile value specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
--input value, -i value input file path instead of image name [$TRIVY_INPUT]
--insecure allow insecure server connections when using SSL (default: false) [$TRIVY_INSECURE]
--list-all-pkgs enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
--no-progress suppress progress bar (default: false) [$TRIVY_NO_PROGRESS]
--offline-scan do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
--output value, -o value output file name [$TRIVY_OUTPUT]
--reset remove all caches and database (default: false) [$TRIVY_RESET]
--security-checks value comma-separated list of what security issues to detect (vuln,config,secret) (default: "vuln") [$TRIVY_SECURITY_CHECKS]
--server value server address [$TRIVY_SERVER]
--severity value, -s value severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
--skip-db-update, --skip-update skip updating vulnerability database (default: false) [$TRIVY_SKIP_UPDATE, $TRIVY_SKIP_DB_UPDATE]
--skip-dirs value specify the directories where the traversal is skipped (accepts multiple inputs) [$TRIVY_SKIP_DIRS]
--skip-files value specify the file paths to skip traversal (accepts multiple inputs) [$TRIVY_SKIP_FILES]
--template value, -t value output template [$TRIVY_TEMPLATE]
--timeout value timeout (default: 5m0s) [$TRIVY_TIMEOUT]
--token value for authentication in client/server mode [$TRIVY_TOKEN]
--token-header value specify a header name for token in client/server mode (default: "Trivy-Token") [$TRIVY_TOKEN_HEADER]
Examples:
# Scan CycloneDX and show the result in tables
$ trivy sbom /path/to/report.cdx
EXAMPLES:
- Scan CycloneDX and show the result in tables:
$ trivy sbom /path/to/report.cdx
# Scan CycloneDX and generate a CycloneDX report
$ trivy sbom --format cyclonedx /path/to/report.cdx
- Scan CycloneDX and generate a CycloneDX report:
$ trivy sbom --format cyclonedx /path/to/report.cdx
```
Scan Flags
--offline-scan do not issue API requests to identify dependencies
--security-checks string comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
--skip-dirs string specify the directories where the traversal is skipped
--skip-files string specify the file paths to skip traversal
Report Flags
--dependency-tree show dependency origin tree (EXPERIMENTAL)
--exit-code int specify exit code when any security issues are found
-f, --format string format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default "table")
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignorefile string specify .trivyignore file (default ".trivyignore")
--list-all-pkgs enabling the option will output all packages regardless of vulnerability
-o, --output string output file name
-s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
-t, --template string output template
Cache Flags
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--clear-cache clear image caches without scanning
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
DB Flags
--db-repository string OCI repository to retrieve trivy-db from" (default "ghcr.io/aquasecurity/trivy-db")
--download-db-only download/update vulnerability database but don't run a scan
--no-progress suppress progress bar
--reset remove all caches and database
--skip-db-update skip updating vulnerability database
Vulnerability Flags
--ignore-unfixed display only fixed vulnerabilities
--vuln-type string comma-separated list of vulnerability types (os,library) (default "os,library")
Client/Server Flags
--custom-headers strings custom headers in client mode
--server string server address in client mode
--token string for authentication in client/server mode
--token-header string specify a header name for token in client/server mode (default "Trivy-Token")
Global Flags:
--cache-dir string cache directory (default "/Users/teppei/Library/Caches/trivy")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--insecure allow insecure server connections when using TLS
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
```

58
docs/docs/references/cli/server.md
View File

@@ -1,22 +1,48 @@
# Server
```bash
NAME:
trivy server - server mode
Server mode
USAGE:
trivy server [command options] [arguments...]
Usage:
trivy server [flags]
OPTIONS:
--skip-db-update, --skip-update skip updating vulnerability database (default: false) [$TRIVY_SKIP_UPDATE, $TRIVY_SKIP_DB_UPDATE]
--download-db-only download/update vulnerability database but don't run a scan (default: false) [$TRIVY_DOWNLOAD_DB_ONLY]
--insecure allow insecure server connections when using SSL (default: false) [$TRIVY_INSECURE]
--reset remove all caches and database (default: false) [$TRIVY_RESET]
--cache-backend value cache backend (e.g. redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND]
--cache-ttl value cache TTL when using redis as cache backend (default: 0s) [$TRIVY_CACHE_TTL]
--db-repository value OCI repository to retrieve trivy-db from (default: "ghcr.io/aquasecurity/trivy-db") [$TRIVY_DB_REPOSITORY]
--token value for authentication in client/server mode [$TRIVY_TOKEN]
--token-header value specify a header name for token in client/server mode (default: "Trivy-Token") [$TRIVY_TOKEN_HEADER]
--listen value listen address (default: "localhost:4954") [$TRIVY_LISTEN]
--help, -h show help (default: false)
Aliases:
server, s
Examples:
# Run a server
$ trivy server
# Listen on 0.0.0.0:10000
$ trivy server --listen 0.0.0.0:10000
Cache Flags
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--clear-cache clear image caches without scanning
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
DB Flags
--db-repository string OCI repository to retrieve trivy-db from" (default "ghcr.io/aquasecurity/trivy-db")
--download-db-only download/update vulnerability database but don't run a scan
--no-progress suppress progress bar
--reset remove all caches and database
--skip-db-update skip updating vulnerability database
Client/Server Flags
--listen string listen address in server mode (default "localhost:4954")
--token string for authentication in client/server mode
--token-header string specify a header name for token in client/server mode (default "Trivy-Token")
Global Flags:
--cache-dir string cache directory (default "/Users/teppei/Library/Caches/trivy")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
--insecure allow insecure server connections when using TLS
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
```

271
docs/docs/references/customization/config-file.md Normal file
View File

@@ -0,0 +1,271 @@
# Config file
Trivy can be customized by tweaking a `trivy.yaml` file. The config path can be overridden by the `--config` flag.
An example is [here][example].
## Global Options
```
# Same as '--quiet'
# Default is false
quiet: false
# Same as '--debug'
# Default is false
debug: false
# Same as '--insecure'
# Default is false
insecure: false
# Same as '--timeout'
# Default is '5m'
timeout: 10m
# Same as '--cache-dir'
# Default is your system cache dir
cache-dir: $HOME/.cache/trivy
```
## Report Options
```
# Same as '--format'
# Default is 'table'
format: table
# Same as '--report' (available with 'trivy k8s')
# Default is all
report: all
# Same as '--template'
# Default is empty
template:
# Same as '--dependency-tree'
# Default is false
dependency-tree: false
# Same as '--list-all-pkgs'
# Default is false
list-all-pkgs: false
# Same as '--ignorefile'
# Default is '.trivyignore'
ignorefile: .trivyignore
# Same as '--ignore-policy'
# Default is empty
ignore-policy:
# Same as '--exit-code'
# Default is 0
exit-code: 0
# Same as '--output'
# Default is empty (stdout)
output:
# Same as '--severity'
# Default is all severities
severity:
- UNKNOWN
- LOW
- MEDIUM
- HIGH
- CRITICAL
```
## Scan Options
Available in client/server mode
```
scan:
# Same as '--skip-dirs'
# Default is empty
skip-dirs:
- usr/local/
- etc/
# Same as '--skip-files'
# Default is empty
skip-files:
- package-dev.json
# Same as '--offline-scan'
# Default is false
offline-scan: false
# Same as '--security-checks'
# Default depends on subcommand
security-checks:
- vuln
- config
- secret
```
## Cache Options
```
cache:
# Same as '--cache-backend'
# Default is 'fs'
backend: 'fs'
# Same as '--cache-ttl'
# Default is 0 (no ttl)
ttl: 0
# Redis options
redis:
# Same as '--redis-ca'
# Default is empty
ca:
# Same as '--redis-cert'
# Default is empty
cert:
# Same as '--redis-key'
# Default is empty
key:
```
## DB Options
```
db:
# Same as '--skip-db-update'
# Default is false
skip-update: false
# Same as '--no-progress'
# Default is false
no-progress: false
# Same as '--db-repository'
# Default is 'github.com/aquasecurity-trivy-repo'
repository: github.com/aquasecurity-trivy-repo
```
## Image Options
Available with container image scanning
```
image:
# Same as '--input' (available with 'trivy image')
# Default is empty
input:
# Same as '--removed-pkgs'
# Default is false
removed-pkgs: false
```
## Vulnerability Options
Available with vulnerability scanning
```
vulnerability:
# Same as '--vuln-type'
# Default is 'os,library'
type:
- os
- library
# Same as '--ignore-unfixed'
# Default is false
ignore-unfixed: false
```
## Secret Options
Available with secret scanning
```
secret:
# Same as '--secret-config'
# Default is 'trivy-secret.yaml'
config: config/trivy/secret.yaml
```
## Misconfiguration Options
Available with misconfiguration scanning
```
misconfiguration:
# Same as '--file-patterns'
# Default is empty
file-patterns:
-
# Same as '--include-non-failures'
# Default is false
include-non-failures: false
# Same as '--trace'
# Default is false
trace: false
# Same as '--config-policy'
# Default is empty
policy:
- policy/repository
- policy/custom
# Same as '--config-data'
# Default is empty
data:
- data/
# Same as '--policy-namespaces'
# Default is empty
namespaces:
- opa.examples
- users
```
## Kubernetes Options
Available with Kubernetes scanning
```
kubernetes:
# Same as '--context'
# Default is empty
context:
# Same as '--namespace'
# Default is empty
namespace:
```
## Client/Server Options
Available in client/server mode
```
server:
# Same as '--server' (available in client mode)
# Default is empty
addr: http://localhost:4954
# Same as '--token'
# Default is empty
token: "something-secret"
# Same as '--token-header'
# Default is 'Trivy-Token'
token-header: 'My-Token-Header'
# Same as '--custom-headers'
# Default is empty
custom-headers:
- scanner: trivy
- x-api-token: xxx
# Same as '--listen' (available in server mode)
# Default is 'localhost:4954'
listen: 0.0.0.0:10000
```
[example]: https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/examples/trivy-conf/trivy.yaml

17
docs/docs/references/customization/envs.md Normal file
View File

@@ -0,0 +1,17 @@
# Environment variables
Trivy can be customized by environment variables.
The environment variable key is the flag name converted by the following procedure.
- Add `TRIVY_` prefix
- Make it all uppercase
- Replace `-` with `_`
For example,
- `--debug` => `TRIVY_DEBUG`
- `--cache-dir` => `TRIVY_CACHE_DIR`
```
$ TRIVY_DEBUG=true TRIVY_SEVERITY=CRITICAL trivy image alpine:3.15
```

24
examples/trivy-conf/trivy.yaml Normal file
View File

@@ -0,0 +1,24 @@
timeout: 10m
format: json
dependency-tree: true
list-all-pkgs: true
exit-code: 1
output: result.json
severity:
- HIGH
- CRITICAL
scan:
skip-dirs:
- /lib64
- /lib
- /usr/lib
- /usr/include
security-checks:
- vuln
- secret
vulnerability:
type:
- os
- library
ignore-unfixed: true

3
mkdocs.yml
View File

@@ -97,6 +97,9 @@ nav:
- ACR (Azure Container Registry): docs/advanced/private-registries/acr.md
- Self-Hosted: docs/advanced/private-registries/self.md
- References:
- Customization:
- Environment variables: docs/references/customization/envs.md
- Config file: docs/references/customization/config-file.md
- CLI:
- Overview: docs/references/cli/index.md
- Image: docs/references/cli/image.md

5
pkg/commands/app.go
View File

@@ -528,7 +528,10 @@ func NewServerCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
func NewConfigCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
reportFlagGroup := flag.NewReportFlagGroup()
reportFlagGroup.ReportFormat = nil // TODO: support --format summary
reportFlagGroup.DependencyTree = nil // disable '--dependency-tree'
reportFlagGroup.IgnorePolicy = nil // disable '--ignore-policy'
reportFlagGroup.ListAllPkgs = nil // disable '--list-all-pkgs'
reportFlagGroup.ReportFormat = nil // TODO: support --format summary
scanFlags := &flag.ScanFlagGroup{
// Enable only '--skip-dirs' and '--skip-files' and disable other flags

3
pkg/flag/global_flags.go
View File

@@ -4,7 +4,6 @@ import (
"time"
"github.com/spf13/cobra"
"github.com/spf13/viper"
"github.com/aquasecurity/trivy/pkg/utils"
)
@@ -125,7 +124,7 @@ func (f *GlobalFlagGroup) ToOptions() GlobalOptions {
Quiet: getBool(f.Quiet),
Debug: getBool(f.Debug),
Insecure: getBool(f.Insecure),
Timeout: viper.GetDuration(f.Timeout.ConfigName),
Timeout: getDuration(f.Timeout),
CacheDir: getString(f.CacheDir),
}
}

6
pkg/flag/misconf_flags.go
View File

@@ -37,19 +37,19 @@ var (
}
ConfigPolicyFlag = Flag{
Name: "config-policy",
ConfigName: "misconfiguration.config-policy",
ConfigName: "misconfiguration.policy",
Value: []string{},
Usage: "specify paths to the Rego policy files directory, applying config files",
}
ConfigDataFlag = Flag{
Name: "config-data",
ConfigName: "misconfiguration.config-data",
ConfigName: "misconfiguration.data",
Value: []string{},
Usage: "specify paths from which data for the Rego policies will be recursively loaded",
}
PolicyNamespaceFlag = Flag{
Name: "policy-namespaces",
ConfigName: "misconfiguration.policy-namespaces",
ConfigName: "misconfiguration.namespaces",
Value: []string{},
Usage: "Rego namespaces",
}