diff --git a/docs/docs/references/cli/client.md b/docs/docs/references/cli/client.md index e200570c4f..3d210dd788 100644 --- a/docs/docs/references/cli/client.md +++ b/docs/docs/references/cli/client.md 
@@ -1,32 +1,69 @@ # Client ```bash -NAME: - trivy client - DEPRECATED client mode, use `trivy image` with `--server` option for remote scans now. +Usage: + [DEPRECATED] trivy client [flags] IMAGE_NAME -USAGE: - trivy image --server value +Aliases: + client, c - trivy client [deprecated command options] image_name +Scan Flags + --offline-scan do not issue API requests to identify dependencies + --security-checks string comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret") + --skip-dirs string specify the directories where the traversal is skipped + --skip-files string specify the file paths to skip traversal -DEPRECATED OPTIONS: - --template value, -t value output template [$TRIVY_TEMPLATE] - --format value, -f value format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT] - --input value, -i value input file path instead of image name [$TRIVY_INPUT] - --severity value, -s value severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY] - --output value, -o value output file name [$TRIVY_OUTPUT] - --exit-code value Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE] - --ignore-unfixed display only fixed vulnerabilities (default: false) [$TRIVY_IGNORE_UNFIXED] - --removed-pkgs detect vulnerabilities of removed packages (only for Alpine) (default: false) [$TRIVY_REMOVED_PKGS] - --vuln-type value comma-separated list of vulnerability types (os,library) (default: "os,library") [$TRIVY_VULN_TYPE] - --ignorefile value specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE] - --timeout value timeout (default: 5m0s) [$TRIVY_TIMEOUT] - --ignore-policy value specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY] - --list-all-pkgs enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS] - --offline-scan do not issue API requests to 
identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN] - --token value for authentication [$TRIVY_TOKEN] - --token-header value specify a header name for token (default: "Trivy-Token") [$TRIVY_TOKEN_HEADER] - --remote value server address (default: "http://localhost:4954") [$TRIVY_REMOTE] - --custom-headers value custom headers [$TRIVY_CUSTOM_HEADERS] - --help, -h show help (default: false) +Report Flags + --dependency-tree show dependency origin tree (EXPERIMENTAL) + --exit-code int specify exit code when any security issues are found + -f, --format string format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default "table") + --ignore-policy string specify the Rego file path to evaluate each vulnerability + --ignorefile string specify .trivyignore file (default ".trivyignore") + --list-all-pkgs enabling the option will output all packages regardless of vulnerability + -o, --output string output file name + --report string specify a report format for the output. (all,summary) (default "all") + -s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") + -t, --template string output template + +Cache Flags + --cache-backend string cache backend (e.g. 
redis://localhost:6379) (default "fs") + --cache-ttl duration cache TTL when using redis as cache backend + --clear-cache clear image caches without scanning + --redis-ca string redis ca file location, if using redis as cache backend + --redis-cert string redis certificate file location, if using redis as cache backend + --redis-key string redis key file location, if using redis as cache backend + +DB Flags + --db-repository string OCI repository to retrieve trivy-db from" (default "ghcr.io/aquasecurity/trivy-db") + --download-db-only download/update vulnerability database but don't run a scan + --no-progress suppress progress bar + --reset remove all caches and database + --skip-db-update skip updating vulnerability database + +Vulnerability Flags + --ignore-unfixed display only fixed vulnerabilities + --vuln-type string comma-separated list of vulnerability types (os,library) (default "os,library") + +Misconfiguration Flags + --config-data strings specify paths from which data for the Rego policies will be recursively loaded + --config-policy strings specify paths to the Rego policy files directory, applying config files + --file-patterns strings specify config file patterns, available with '--security-checks config' + --include-non-failures include successes and exceptions, available with '--security-checks config' + --policy-namespaces strings Rego namespaces + --trace enable more verbose trace output for custom queries + +Client/Server Flags + --custom-headers strings custom headers in client mode + --remote string server address (default "http://localhost:4954") + --token string for authentication in client/server mode + --token-header string specify a header name for token in client/server mode (default "Trivy-Token") + +Global Flags: + --cache-dir string cache directory (default "/Users/teppei/Library/Caches/trivy") + -c, --config string config path (default "trivy.yaml") + -d, --debug debug mode + --insecure allow insecure server connections when using TLS 
+ -q, --quiet suppress progress bar and log output + --timeout duration timeout (default 5m0s) + -v, --version show version ``` diff --git a/docs/docs/references/cli/config.md b/docs/docs/references/cli/config.md index bf7e7d8a07..cb39adb127 100644 --- a/docs/docs/references/cli/config.md +++ b/docs/docs/references/cli/config.md 
@@ -1,29 +1,52 @@ # Config ``` bash -NAME: - trivy config - scan config files +Scan config files for misconfigurations -USAGE: - trivy config [command options] dir +Usage: + trivy config [flags] DIR + +Aliases: + config, conf + +Scan Flags + --skip-dirs string specify the directories where the traversal is skipped + --skip-files string specify the file paths to skip traversal + +Report Flags + --dependency-tree show dependency origin tree (EXPERIMENTAL) + --exit-code int specify exit code when any security issues are found + -f, --format string format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default "table") + --ignore-policy string specify the Rego file path to evaluate each vulnerability + --ignorefile string specify .trivyignore file (default ".trivyignore") + --list-all-pkgs enabling the option will output all packages regardless of vulnerability + -o, --output string output file name + -s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") + -t, --template string output template + +Cache Flags + --cache-backend string cache backend (e.g. 
redis://localhost:6379) (default "fs") + --cache-ttl duration cache TTL when using redis as cache backend + --clear-cache clear image caches without scanning + --redis-ca string redis ca file location, if using redis as cache backend + --redis-cert string redis certificate file location, if using redis as cache backend + --redis-key string redis key file location, if using redis as cache backend + +Misconfiguration Flags + --config-data strings specify paths from which data for the Rego policies will be recursively loaded + --config-policy strings specify paths to the Rego policy files directory, applying config files + --file-patterns strings specify config file patterns, available with '--security-checks config' + --include-non-failures include successes and exceptions, available with '--security-checks config' + --policy-namespaces strings Rego namespaces + --trace enable more verbose trace output for custom queries + +Global Flags: + --cache-dir string cache directory (default "/Users/teppei/Library/Caches/trivy") + -c, --config string config path (default "trivy.yaml") + -d, --debug debug mode + --insecure allow insecure server connections when using TLS + -q, --quiet suppress progress bar and log output + --timeout duration timeout (default 5m0s) + -v, --version show version -OPTIONS: - --template value, -t value output template [$TRIVY_TEMPLATE] - --format value, -f value format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT] - --severity value, -s value severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY] - --output value, -o value output file name [$TRIVY_OUTPUT] - --exit-code value Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE] - --skip-policy-update skip updating built-in policies (default: false) [$TRIVY_SKIP_POLICY_UPDATE] - --reset remove all caches and database (default: false) [$TRIVY_RESET] - --clear-cache, -c clear image caches 
without scanning (default: false) [$TRIVY_CLEAR_CACHE] - --ignorefile value specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE] - --timeout value timeout (default: 5m0s) [$TRIVY_TIMEOUT] - --skip-files value specify the file paths to skip traversal [$TRIVY_SKIP_FILES] - --skip-dirs value specify the directories where the traversal is skipped [$TRIVY_SKIP_DIRS] - --policy value, --config-policy value specify paths to the Rego policy files directory, applying config files [$TRIVY_POLICY] - --data value, --config-data value specify paths from which data for the Rego policies will be recursively loaded [$TRIVY_DATA] - --policy-namespaces value, --namespaces value Rego namespaces (default: "users") [$TRIVY_POLICY_NAMESPACES] - --file-patterns value specify file patterns [$TRIVY_FILE_PATTERNS] - --include-successes include successes of misconfigurations (default: false) [$TRIVY_INCLUDE_SUCCESSES] - --help, -h show help (default: false) ``` diff --git a/docs/docs/references/cli/fs.md b/docs/docs/references/cli/fs.md index cebcfbb5c5..005b97288c 100644 --- a/docs/docs/references/cli/fs.md +++ b/docs/docs/references/cli/fs.md 
@@ -1,42 +1,80 @@ # Filesystem ```bash -NAME: - trivy filesystem - scan local filesystem for language-specific dependencies and config files +Scan local filesystem -USAGE: - trivy filesystem [command options] path +Usage: + trivy filesystem [flags] PATH -OPTIONS: - --template value, -t value output template [$TRIVY_TEMPLATE] - --format value, -f value format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT] - --severity value, -s value severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY] - --output value, -o value output file name [$TRIVY_OUTPUT] - --exit-code value Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE] - --skip-db-update, --skip-update skip updating vulnerability database (default: false) [$TRIVY_SKIP_UPDATE, $TRIVY_SKIP_DB_UPDATE] - --skip-policy-update skip updating built-in policies (default: false) [$TRIVY_SKIP_POLICY_UPDATE] - --insecure allow insecure server connections when using SSL (default: false) [$TRIVY_INSECURE] - --clear-cache, -c clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE] - --ignore-unfixed display only fixed vulnerabilities (default: false) [$TRIVY_IGNORE_UNFIXED] - --vuln-type value comma-separated list of vulnerability types (os,library) (default: "os,library") [$TRIVY_VULN_TYPE] - --security-checks value comma-separated list of what security issues to detect (vuln,config) (default: "vuln") [$TRIVY_SECURITY_CHECKS] - --ignorefile value specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE] - --cache-backend value cache backend (e.g. 
redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND] - --cache-ttl value cache TTL when using redis as cache backend (default: 0s) [$TRIVY_CACHE_TTL] - --timeout value timeout (default: 5m0s) [$TRIVY_TIMEOUT] - --no-progress suppress progress bar (default: false) [$TRIVY_NO_PROGRESS] - --ignore-policy value specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY] - --list-all-pkgs enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS] - --offline-scan do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN] - --db-repository value OCI repository to retrieve trivy-db from (default: "ghcr.io/aquasecurity/trivy-db") [$TRIVY_DB_REPOSITORY] - --skip-files value specify the file paths to skip traversal (accepts multiple inputs) [$TRIVY_SKIP_FILES] - --skip-dirs value specify the directories where the traversal is skipped (accepts multiple inputs) [$TRIVY_SKIP_DIRS] - --config-policy value specify paths to the Rego policy files directory, applying config files (accepts multiple inputs) [$TRIVY_CONFIG_POLICY] - --config-data value specify paths from which data for the Rego policies will be recursively loaded (accepts multiple inputs) [$TRIVY_CONFIG_DATA] - --policy-namespaces value, --namespaces value Rego namespaces (default: "users") (accepts multiple inputs) [$TRIVY_POLICY_NAMESPACES] - --server value server address [$TRIVY_SERVER] - --token value for authentication in client/server mode [$TRIVY_TOKEN] - --token-header value specify a header name for token in client/server mode (default: "Trivy-Token") [$TRIVY_TOKEN_HEADER] - --custom-headers value custom headers in client/server mode (accepts multiple inputs) [$TRIVY_CUSTOM_HEADERS] - --help, -h show help (default: false) +Aliases: + filesystem, fs + +Examples: + # Scan a local project including language-specific files + $ trivy fs /path/to/your_project + + # Scan a single file + $ trivy fs 
./trivy-ci-test/Pipfile.lock + +Scan Flags + --offline-scan do not issue API requests to identify dependencies + --security-checks string comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret") + --skip-dirs string specify the directories where the traversal is skipped + --skip-files string specify the file paths to skip traversal + +Report Flags + --dependency-tree show dependency origin tree (EXPERIMENTAL) + --exit-code int specify exit code when any security issues are found + -f, --format string format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default "table") + --ignore-policy string specify the Rego file path to evaluate each vulnerability + --ignorefile string specify .trivyignore file (default ".trivyignore") + --list-all-pkgs enabling the option will output all packages regardless of vulnerability + -o, --output string output file name + -s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") + -t, --template string output template + +Cache Flags + --cache-backend string cache backend (e.g. 
redis://localhost:6379) (default "fs") + --cache-ttl duration cache TTL when using redis as cache backend + --clear-cache clear image caches without scanning + --redis-ca string redis ca file location, if using redis as cache backend + --redis-cert string redis certificate file location, if using redis as cache backend + --redis-key string redis key file location, if using redis as cache backend + +DB Flags + --db-repository string OCI repository to retrieve trivy-db from" (default "ghcr.io/aquasecurity/trivy-db") + --download-db-only download/update vulnerability database but don't run a scan + --no-progress suppress progress bar + --reset remove all caches and database + --skip-db-update skip updating vulnerability database + +Vulnerability Flags + --ignore-unfixed display only fixed vulnerabilities + --vuln-type string comma-separated list of vulnerability types (os,library) (default "os,library") + +Misconfiguration Flags + --config-data strings specify paths from which data for the Rego policies will be recursively loaded + --config-policy strings specify paths to the Rego policy files directory, applying config files + --file-patterns strings specify config file patterns, available with '--security-checks config' + --include-non-failures include successes and exceptions, available with '--security-checks config' + --policy-namespaces strings Rego namespaces + --trace enable more verbose trace output for custom queries + +Secret Flags + --secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml") + +Client/Server Flags + --custom-headers strings custom headers in client mode + --server string server address in client mode + --token string for authentication in client/server mode + --token-header string specify a header name for token in client/server mode (default "Trivy-Token") + +Global Flags: + --cache-dir string cache directory (default "/Users/teppei/Library/Caches/trivy") + -c, --config string config path 
(default "trivy.yaml") + -d, --debug debug mode + --insecure allow insecure server connections when using TLS + -q, --quiet suppress progress bar and log output + --timeout duration timeout (default 5m0s) + -v, --version show version ``` \ No newline at end of file diff --git a/docs/docs/references/cli/image.md b/docs/docs/references/cli/image.md index e26dd779a5..e5c7abb588 100644 --- a/docs/docs/references/cli/image.md +++ b/docs/docs/references/cli/image.md 
@@ -1,43 +1,99 @@ # Image ```bash -NAME: - trivy image - scan an image +Scan a container image -USAGE: - trivy image [command options] image_name +Usage: + trivy image [flags] IMAGE_NAME -OPTIONS: - --template value, -t value output template [$TRIVY_TEMPLATE] - --format value, -f value format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT] - --input value, -i value input file path instead of image name [$TRIVY_INPUT] - --severity value, -s value severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY] - --output value, -o value output file name [$TRIVY_OUTPUT] - --exit-code value Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE] - --skip-db-update, --skip-update skip updating vulnerability database (default: false) [$TRIVY_SKIP_UPDATE, $TRIVY_SKIP_DB_UPDATE] - --download-db-only download/update vulnerability database but don't run a scan (default: false) [$TRIVY_DOWNLOAD_DB_ONLY] - --reset remove all caches and database (default: false) [$TRIVY_RESET] - --clear-cache, -c clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE] - --no-progress suppress progress bar (default: false) [$TRIVY_NO_PROGRESS] - --ignore-unfixed display only fixed vulnerabilities (default: false) [$TRIVY_IGNORE_UNFIXED] - --removed-pkgs detect vulnerabilities of removed packages (only for Alpine) (default: false) [$TRIVY_REMOVED_PKGS] - --vuln-type value comma-separated list of vulnerability types (os,library) (default: "os,library") [$TRIVY_VULN_TYPE] - --security-checks value comma-separated list of what security issues to detect (vuln,config,secret) (default: "vuln,secret") [$TRIVY_SECURITY_CHECKS] - --ignorefile value specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE] - --timeout value timeout (default: 5m0s) [$TRIVY_TIMEOUT] - --light deprecated (default: false) [$TRIVY_LIGHT] - --ignore-policy value specify the Rego file to evaluate 
each vulnerability [$TRIVY_IGNORE_POLICY] - --list-all-pkgs enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS] - --cache-backend value cache backend (e.g. redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND] - --cache-ttl value cache TTL when using redis as cache backend (default: 0s) [$TRIVY_CACHE_TTL] - --offline-scan do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN] - --insecure allow insecure server connections when using SSL (default: false) [$TRIVY_INSECURE] - --db-repository value OCI repository to retrieve trivy-db from (default: "ghcr.io/aquasecurity/trivy-db") [$TRIVY_DB_REPOSITORY] - --skip-files value specify the file paths to skip traversal (accepts multiple inputs) [$TRIVY_SKIP_FILES] - --skip-dirs value specify the directories where the traversal is skipped (accepts multiple inputs) [$TRIVY_SKIP_DIRS] - --server value server address [$TRIVY_SERVER] - --token value for authentication in client/server mode [$TRIVY_TOKEN] - --token-header value specify a header name for token in client/server mode (default: "Trivy-Token") [$TRIVY_TOKEN_HEADER] - --custom-headers value custom headers in client/server mode (accepts multiple inputs) [$TRIVY_CUSTOM_HEADERS] - --help, -h show help (default: false) +Aliases: + image, i + +Examples: + # Scan a container image + $ trivy image python:3.4-alpine + + # Scan a container image from a tar archive + $ trivy image --input ruby-3.1.tar + + # Filter by severities + $ trivy image --severity HIGH,CRITICAL alpine:3.15 + + # Ignore unfixed/unpatched vulnerabilities + $ trivy image --ignore-unfixed alpine:3.15 + + # Scan a container image in client mode + $ trivy image --server http://127.0.0.1:4954 alpine:latest + + # Generate json result + $ trivy image --format json --output result.json alpine:3.15 + + # Generate a report in the CycloneDX format + $ trivy image --format cyclonedx --output result.cdx alpine:3.15 + 
+Scan Flags + --offline-scan do not issue API requests to identify dependencies + --security-checks string comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret") + --skip-dirs string specify the directories where the traversal is skipped + --skip-files string specify the file paths to skip traversal + +Report Flags + --dependency-tree show dependency origin tree (EXPERIMENTAL) + --exit-code int specify exit code when any security issues are found + -f, --format string format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default "table") + --ignore-policy string specify the Rego file path to evaluate each vulnerability + --ignorefile string specify .trivyignore file (default ".trivyignore") + --list-all-pkgs enabling the option will output all packages regardless of vulnerability + -o, --output string output file name + -s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") + -t, --template string output template + +Cache Flags + --cache-backend string cache backend (e.g. 
redis://localhost:6379) (default "fs") + --cache-ttl duration cache TTL when using redis as cache backend + --clear-cache clear image caches without scanning + --redis-ca string redis ca file location, if using redis as cache backend + --redis-cert string redis certificate file location, if using redis as cache backend + --redis-key string redis key file location, if using redis as cache backend + +DB Flags + --db-repository string OCI repository to retrieve trivy-db from" (default "ghcr.io/aquasecurity/trivy-db") + --download-db-only download/update vulnerability database but don't run a scan + --no-progress suppress progress bar + --reset remove all caches and database + --skip-db-update skip updating vulnerability database + +Image Flags + --input string input file path instead of image name + --removed-pkgs detect vulnerabilities of removed packages (only for Alpine) + +Vulnerability Flags + --ignore-unfixed display only fixed vulnerabilities + --vuln-type string comma-separated list of vulnerability types (os,library) (default "os,library") + +Misconfiguration Flags + --config-data strings specify paths from which data for the Rego policies will be recursively loaded + --config-policy strings specify paths to the Rego policy files directory, applying config files + --file-patterns strings specify config file patterns, available with '--security-checks config' + --include-non-failures include successes and exceptions, available with '--security-checks config' + --policy-namespaces strings Rego namespaces + --trace enable more verbose trace output for custom queries + +Secret Flags + --secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml") + +Client/Server Flags + --custom-headers strings custom headers in client mode + --server string server address in client mode + --token string for authentication in client/server mode + --token-header string specify a header name for token in client/server mode (default 
"Trivy-Token") + +Global Flags: + --cache-dir string cache directory (default "/Users/teppei/Library/Caches/trivy") + -c, --config string config path (default "trivy.yaml") + -d, --debug debug mode + --insecure allow insecure server connections when using TLS + -q, --quiet suppress progress bar and log output + --timeout duration timeout (default 5m0s) + -v, --version show version ``` diff --git a/docs/docs/references/cli/index.md b/docs/docs/references/cli/index.md index b008b13881..13b21d06d5 100644 --- a/docs/docs/references/cli/index.md +++ b/docs/docs/references/cli/index.md 
@@ -1,32 +1,49 @@ Trivy has several sub commands, image, fs, repo, client and server. ``` bash -NAME: - trivy - Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues and hard-coded secrets +Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues and hard-coded secrets -USAGE: - trivy [global options] command [command options] target +Usage: + trivy [command] -VERSION: - dev +Examples: + # Scan a container image + $ trivy image python:3.4-alpine -COMMANDS: - image, i scan an image - filesystem, fs scan local filesystem for language-specific dependencies and config files - rootfs scan rootfs - repository, repo scan remote repository - server, s server mode - config, conf scan config files - plugin, p manage plugins - kubernetes, k8s scan kubernetes vulnerabilities and misconfigurations - sbom generate SBOM for an artifact - version print the version - help, h Shows a list of commands or help for one command + # Scan a container image from a tar archive + $ trivy image --input ruby-3.1.tar -GLOBAL OPTIONS: - --quiet, -q suppress progress bar and log output (default: false) [$TRIVY_QUIET] - --debug, -d debug mode (default: false) [$TRIVY_DEBUG] - --cache-dir value cache directory (default: "/Users/teppei/Library/Caches/trivy") [$TRIVY_CACHE_DIR] - --help, -h show help (default: false) - --version, -v print the version (default: false) + # Scan local filesystem + $ trivy fs . 
+ + # Run in server mode + $ trivy server + +Available Commands: + config Scan config files for misconfigurations + filesystem Scan local filesystem + help Help about any command + image Scan a container image + kubectl scan kubectl resources + kubernetes scan kubernetes cluster + module Manage modules + plugin Manage plugins + repository Scan a remote repository + rootfs Scan rootfs + sbom Scan SBOM for vulnerabilities + server Server mode + version Print the version + +Flags: + --cache-dir string cache directory (default "/Users/teppei/Library/Caches/trivy") + -c, --config string config path (default "trivy.yaml") + -d, --debug debug mode + -f, --format string version format (json) + -h, --help help for trivy + --insecure allow insecure server connections when using TLS + -q, --quiet suppress progress bar and log output + --timeout duration timeout (default 5m0s) + -v, --version show version + +Use "trivy [command] --help" for more information about a command. ``` diff --git a/docs/docs/references/cli/module.md b/docs/docs/references/cli/module.md index 118aac008f..ddd35f33bb 100644 --- a/docs/docs/references/cli/module.md +++ b/docs/docs/references/cli/module.md 
@@ -1,17 +1,27 @@ # Module ```bash -NAME: - trivy module - manage modules +Manage modules -USAGE: - trivy module command [command options] [arguments...] +Usage: + trivy module [command] -COMMANDS: - install, i install a module - uninstall, u uninstall a module - help, h Shows a list of commands or help for one command +Aliases: + module, m -OPTIONS: - --help, -h show help (default: false) +Available Commands: + install Install a module + uninstall Uninstall a module + +Flags: + -h, --help help for module + +Global Flags: + --cache-dir string cache directory (default "/Users/teppei/Library/Caches/trivy") + -c, --config string config path (default "trivy.yaml") + -d, --debug debug mode + --insecure allow insecure server connections when using TLS + -q, --quiet suppress progress bar and log output + --timeout duration timeout (default 5m0s) + -v, --version show version ``` \ No newline at end of file diff --git a/docs/docs/references/cli/plugin.md b/docs/docs/references/cli/plugin.md index 58cf57a9b4..5a308b28e9 100644 --- a/docs/docs/references/cli/plugin.md +++ b/docs/docs/references/cli/plugin.md 
@@ -1,21 +1,31 @@ # Plugin ```bash -NAME: - trivy plugin - manage plugins +Manage plugins -USAGE: - trivy plugin command [command options] plugin_uri +Usage: + trivy plugin [command] -COMMANDS: - install, i install a plugin - uninstall, u uninstall a plugin - list, l list installed plugin - info information about a plugin - run, r run a plugin on the fly - update update an existing plugin - help, h Shows a list of commands or help for one command +Aliases: + plugin, p -OPTIONS: - --help, -h show help (default: false) +Available Commands: + Uninstall uninstall a plugin + info Show information about the specified plugin + install Install a plugin + list List installed plugin + run Run a plugin on the fly + update Update an existing plugin + +Flags: + -h, --help help for plugin + +Global Flags: + --cache-dir string cache directory (default "/Users/teppei/Library/Caches/trivy") + -c, --config string config path (default "trivy.yaml") + -d, --debug debug mode + --insecure allow insecure server connections when using TLS + -q, --quiet suppress progress bar and log output + --timeout duration timeout (default 5m0s) + -v, --version show version ``` \ No newline at end of file diff --git a/docs/docs/references/cli/repo.md b/docs/docs/references/cli/repo.md index 9f7285217d..8fa81e73b3 100644 --- a/docs/docs/references/cli/repo.md +++ b/docs/docs/references/cli/repo.md 
@@ -1,38 +1,77 @@ # Repository ```bash -NAME: - trivy repository - scan remote repository +Scan a remote repository -USAGE: - trivy repository [command options] repo_url +Usage: + trivy repository [flags] REPO_URL -OPTIONS: - --template value, -t value output template [$TRIVY_TEMPLATE] - --format value, -f value format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT] - --input value, -i value input file path instead of image name [$TRIVY_INPUT] - --severity value, -s value severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY] - --output value, -o value output file name [$TRIVY_OUTPUT] - --exit-code value Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE] - --skip-db-update, --skip-update skip updating vulnerability database (default: false) [$TRIVY_SKIP_UPDATE, $TRIVY_SKIP_DB_UPDATE] - --skip-policy-update skip updating built-in policies (default: false) [$TRIVY_SKIP_POLICY_UPDATE] - --clear-cache, -c clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE] - --ignore-unfixed display only fixed vulnerabilities (default: false) [$TRIVY_IGNORE_UNFIXED] - --removed-pkgs detect vulnerabilities of removed packages (only for Alpine) (default: false) [$TRIVY_REMOVED_PKGS] - --vuln-type value comma-separated list of vulnerability types (os,library) (default: "os,library") [$TRIVY_VULN_TYPE] - --security-checks value comma-separated list of what security issues to detect (vuln,config) (default: "vuln") [$TRIVY_SECURITY_CHECKS] - --ignorefile value specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE] - --cache-backend value cache backend (e.g. 
redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND] - --cache-ttl value cache TTL when using redis as cache backend (default: 0s) [$TRIVY_CACHE_TTL] - --timeout value timeout (default: 5m0s) [$TRIVY_TIMEOUT] - --no-progress suppress progress bar (default: false) [$TRIVY_NO_PROGRESS] - --quiet, -q suppress progress bar and log output (default: false) [$TRIVY_QUIET] - --ignore-policy value specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY] - --list-all-pkgs enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS] - --offline-scan do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN] - --insecure allow insecure server connections when using SSL (default: false) [$TRIVY_INSECURE] - --db-repository value OCI repository to retrieve trivy-db from (default: "ghcr.io/aquasecurity/trivy-db") [$TRIVY_DB_REPOSITORY] - --skip-files value specify the file paths to skip traversal (accepts multiple inputs) [$TRIVY_SKIP_FILES] - --skip-dirs value specify the directories where the traversal is skipped (accepts multiple inputs) [$TRIVY_SKIP_DIRS] - --help, -h show help (default: false) +Aliases: + repository, repo + +Examples: + # Scan your remote git repository + $ trivy repo https://github.com/knqyf263/trivy-ci-test + +Scan Flags + --offline-scan do not issue API requests to identify dependencies + --security-checks string comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret") + --skip-dirs string specify the directories where the traversal is skipped + --skip-files string specify the file paths to skip traversal + +Report Flags + --dependency-tree show dependency origin tree (EXPERIMENTAL) + --exit-code int specify exit code when any security issues are found + -f, --format string format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default "table") + --ignore-policy string specify the 
Rego file path to evaluate each vulnerability + --ignorefile string specify .trivyignore file (default ".trivyignore") + --list-all-pkgs enabling the option will output all packages regardless of vulnerability + -o, --output string output file name + -s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") + -t, --template string output template + +Cache Flags + --cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs") + --cache-ttl duration cache TTL when using redis as cache backend + --clear-cache clear image caches without scanning + --redis-ca string redis ca file location, if using redis as cache backend + --redis-cert string redis certificate file location, if using redis as cache backend + --redis-key string redis key file location, if using redis as cache backend + +DB Flags + --db-repository string OCI repository to retrieve trivy-db from" (default "ghcr.io/aquasecurity/trivy-db") + --download-db-only download/update vulnerability database but don't run a scan + --no-progress suppress progress bar + --reset remove all caches and database + --skip-db-update skip updating vulnerability database + +Vulnerability Flags + --ignore-unfixed display only fixed vulnerabilities + --vuln-type string comma-separated list of vulnerability types (os,library) (default "os,library") + +Misconfiguration Flags + --config-data strings specify paths from which data for the Rego policies will be recursively loaded + --config-policy strings specify paths to the Rego policy files directory, applying config files + --file-patterns strings specify config file patterns, available with '--security-checks config' + --include-non-failures include successes and exceptions, available with '--security-checks config' + --policy-namespaces strings Rego namespaces + --trace enable more verbose trace output for custom queries + +Secret Flags + --secret-config string specify a path to config 
file for secret scanning (default "trivy-secret.yaml") + +Client/Server Flags + --custom-headers strings custom headers in client mode + --server string server address in client mode + --token string for authentication in client/server mode + --token-header string specify a header name for token in client/server mode (default "Trivy-Token") + +Global Flags: + --cache-dir string cache directory (default "/Users/teppei/Library/Caches/trivy") + -c, --config string config path (default "trivy.yaml") + -d, --debug debug mode + --insecure allow insecure server connections when using TLS + -q, --quiet suppress progress bar and log output + --timeout duration timeout (default 5m0s) + -v, --version show version ``` \ No newline at end of file diff --git a/docs/docs/references/cli/rootfs.md b/docs/docs/references/cli/rootfs.md index 643548f75c..ba27989de7 100644 --- a/docs/docs/references/cli/rootfs.md +++ b/docs/docs/references/cli/rootfs.md 
@@ -1,36 +1,74 @@ # Rootfs ```bash -NAME: - trivy rootfs - scan rootfs +Scan rootfs -USAGE: - trivy rootfs [command options] dir +Usage: + trivy rootfs [flags] ROOTDIR -OPTIONS: - --template value, -t value output template [$TRIVY_TEMPLATE] - --format value, -f value format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT] - --severity value, -s value severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY] - --output value, -o value output file name [$TRIVY_OUTPUT] - --exit-code value Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE] - --skip-db-update, --skip-update skip updating vulnerability database (default: false) [$TRIVY_SKIP_UPDATE, $TRIVY_SKIP_DB_UPDATE] - --insecure allow insecure server connections when using SSL (default: false) [$TRIVY_INSECURE] - --skip-policy-update skip updating built-in policies (default: false) [$TRIVY_SKIP_POLICY_UPDATE] - --clear-cache, -c clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE] - --ignore-unfixed display only fixed vulnerabilities (default: false) [$TRIVY_IGNORE_UNFIXED] - --vuln-type value comma-separated list of vulnerability types (os,library) (default: "os,library") [$TRIVY_VULN_TYPE] - --security-checks value comma-separated list of what security issues to detect (vuln,config) (default: "vuln") [$TRIVY_SECURITY_CHECKS] - --ignorefile value specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE] - --cache-backend value cache backend (e.g. 
redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND] - --timeout value timeout (default: 5m0s) [$TRIVY_TIMEOUT] - --no-progress suppress progress bar (default: false) [$TRIVY_NO_PROGRESS] - --ignore-policy value specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY] - --list-all-pkgs enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS] - --offline-scan do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN] - --skip-files value specify the file paths to skip traversal [$TRIVY_SKIP_FILES] - --skip-dirs value specify the directories where the traversal is skipped [$TRIVY_SKIP_DIRS] - --config-policy value specify paths to the Rego policy files directory, applying config files [$TRIVY_CONFIG_POLICY] - --config-data value specify paths from which data for the Rego policies will be recursively loaded [$TRIVY_CONFIG_DATA] - --policy-namespaces value, --namespaces value Rego namespaces (default: "users") [$TRIVY_POLICY_NAMESPACES] - --help, -h show help (default: false) +Examples: + # Scan unpacked filesystem + $ docker export $(docker create alpine:3.10.2) | tar -C /tmp/rootfs -xvf - + $ trivy rootfs /tmp/rootfs + + # Scan from inside a container + $ docker run --rm -it alpine:3.11 + / # curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin + / # trivy rootfs / + +Scan Flags + --offline-scan do not issue API requests to identify dependencies + --security-checks string comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret") + --skip-dirs string specify the directories where the traversal is skipped + --skip-files string specify the file paths to skip traversal + +Report Flags + --dependency-tree show dependency origin tree (EXPERIMENTAL) + --exit-code int specify exit code when any security issues are found + -f, --format string format (table, 
json, sarif, template, cyclonedx, spdx, spdx-json, github) (default "table") + --ignore-policy string specify the Rego file path to evaluate each vulnerability + --ignorefile string specify .trivyignore file (default ".trivyignore") + --list-all-pkgs enabling the option will output all packages regardless of vulnerability + -o, --output string output file name + -s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") + -t, --template string output template + +Cache Flags + --cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs") + --cache-ttl duration cache TTL when using redis as cache backend + --clear-cache clear image caches without scanning + --redis-ca string redis ca file location, if using redis as cache backend + --redis-cert string redis certificate file location, if using redis as cache backend + --redis-key string redis key file location, if using redis as cache backend + +DB Flags + --db-repository string OCI repository to retrieve trivy-db from" (default "ghcr.io/aquasecurity/trivy-db") + --download-db-only download/update vulnerability database but don't run a scan + --no-progress suppress progress bar + --reset remove all caches and database + --skip-db-update skip updating vulnerability database + +Vulnerability Flags + --ignore-unfixed display only fixed vulnerabilities + --vuln-type string comma-separated list of vulnerability types (os,library) (default "os,library") + +Misconfiguration Flags + --config-data strings specify paths from which data for the Rego policies will be recursively loaded + --config-policy strings specify paths to the Rego policy files directory, applying config files + --file-patterns strings specify config file patterns, available with '--security-checks config' + --include-non-failures include successes and exceptions, available with '--security-checks config' + --policy-namespaces strings Rego namespaces + --trace enable 
more verbose trace output for custom queries + +Secret Flags + --secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml") + +Global Flags: + --cache-dir string cache directory (default "/Users/teppei/Library/Caches/trivy") + -c, --config string config path (default "trivy.yaml") + -d, --debug debug mode + --insecure allow insecure server connections when using TLS + -q, --quiet suppress progress bar and log output + --timeout duration timeout (default 5m0s) + -v, --version show version ``` \ No newline at end of file diff --git a/docs/docs/references/cli/sbom.md b/docs/docs/references/cli/sbom.md index c30a22b9cf..e07fd5f53f 100644 --- a/docs/docs/references/cli/sbom.md +++ b/docs/docs/references/cli/sbom.md 
@@ -1,46 +1,67 @@ # SBOM ```bash -NAME: - trivy sbom - scan SBOM for vulnerabilities +Scan SBOM for vulnerabilities -USAGE: - trivy sbom [command options] SBOM +Usage: + trivy sbom [flags] SBOM_PATH -OPTIONS: - --cache-backend value cache backend (e.g. redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND] - --cache-ttl value cache TTL when using redis as cache backend (default: 0s) [$TRIVY_CACHE_TTL] - --clear-cache, -c clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE] - --custom-headers value custom headers in client/server mode (accepts multiple inputs) [$TRIVY_CUSTOM_HEADERS] - --db-repository value OCI repository to retrieve trivy-db from (default: "ghcr.io/aquasecurity/trivy-db") [$TRIVY_DB_REPOSITORY] - --download-db-only download/update vulnerability database but don't run a scan (default: false) [$TRIVY_DOWNLOAD_DB_ONLY] - --exit-code value Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE] - --format value, -f value format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default: "table") [$TRIVY_FORMAT] - --ignore-policy value specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY] - --ignore-unfixed display only fixed vulnerabilities (default: false) [$TRIVY_IGNORE_UNFIXED] - --ignorefile value specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE] - --input value, -i value input file path instead of image name [$TRIVY_INPUT] - --insecure allow insecure server connections when using SSL (default: false) [$TRIVY_INSECURE] - --list-all-pkgs enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS] - --no-progress suppress progress bar (default: false) [$TRIVY_NO_PROGRESS] - --offline-scan do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN] - --output value, -o value output file name [$TRIVY_OUTPUT] - --reset remove all caches and database (default: false) 
[$TRIVY_RESET] - --security-checks value comma-separated list of what security issues to detect (vuln,config,secret) (default: "vuln") [$TRIVY_SECURITY_CHECKS] - --server value server address [$TRIVY_SERVER] - --severity value, -s value severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY] - --skip-db-update, --skip-update skip updating vulnerability database (default: false) [$TRIVY_SKIP_UPDATE, $TRIVY_SKIP_DB_UPDATE] - --skip-dirs value specify the directories where the traversal is skipped (accepts multiple inputs) [$TRIVY_SKIP_DIRS] - --skip-files value specify the file paths to skip traversal (accepts multiple inputs) [$TRIVY_SKIP_FILES] - --template value, -t value output template [$TRIVY_TEMPLATE] - --timeout value timeout (default: 5m0s) [$TRIVY_TIMEOUT] - --token value for authentication in client/server mode [$TRIVY_TOKEN] - --token-header value specify a header name for token in client/server mode (default: "Trivy-Token") [$TRIVY_TOKEN_HEADER] +Examples: + # Scan CycloneDX and show the result in tables + $ trivy sbom /path/to/report.cdx -EXAMPLES: - - Scan CycloneDX and show the result in tables: - $ trivy sbom /path/to/report.cdx + # Scan CycloneDX and generate a CycloneDX report + $ trivy sbom --format cyclonedx /path/to/report.cdx - - Scan CycloneDX and generate a CycloneDX report: - $ trivy sbom --format cyclonedx /path/to/report.cdx -``` + +Scan Flags + --offline-scan do not issue API requests to identify dependencies + --security-checks string comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret") + --skip-dirs string specify the directories where the traversal is skipped + --skip-files string specify the file paths to skip traversal + +Report Flags + --dependency-tree show dependency origin tree (EXPERIMENTAL) + --exit-code int specify exit code when any security issues are found + -f, --format string format (table, json, sarif, 
template, cyclonedx, spdx, spdx-json, github) (default "table") + --ignore-policy string specify the Rego file path to evaluate each vulnerability + --ignorefile string specify .trivyignore file (default ".trivyignore") + --list-all-pkgs enabling the option will output all packages regardless of vulnerability + -o, --output string output file name + -s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") + -t, --template string output template + +Cache Flags + --cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs") + --cache-ttl duration cache TTL when using redis as cache backend + --clear-cache clear image caches without scanning + --redis-ca string redis ca file location, if using redis as cache backend + --redis-cert string redis certificate file location, if using redis as cache backend + --redis-key string redis key file location, if using redis as cache backend + +DB Flags + --db-repository string OCI repository to retrieve trivy-db from" (default "ghcr.io/aquasecurity/trivy-db") + --download-db-only download/update vulnerability database but don't run a scan + --no-progress suppress progress bar + --reset remove all caches and database + --skip-db-update skip updating vulnerability database + +Vulnerability Flags + --ignore-unfixed display only fixed vulnerabilities + --vuln-type string comma-separated list of vulnerability types (os,library) (default "os,library") + +Client/Server Flags + --custom-headers strings custom headers in client mode + --server string server address in client mode + --token string for authentication in client/server mode + --token-header string specify a header name for token in client/server mode (default "Trivy-Token") + +Global Flags: + --cache-dir string cache directory (default "/Users/teppei/Library/Caches/trivy") + -c, --config string config path (default "trivy.yaml") + -d, --debug debug mode + --insecure allow insecure 
server connections when using TLS + -q, --quiet suppress progress bar and log output + --timeout duration timeout (default 5m0s) + -v, --version show version +``` \ No newline at end of file diff --git a/docs/docs/references/cli/server.md b/docs/docs/references/cli/server.md index c6ad8cac62..84805b5d6d 100644 --- a/docs/docs/references/cli/server.md +++ b/docs/docs/references/cli/server.md 
@@ -1,22 +1,48 @@ # Server ```bash -NAME: - trivy server - server mode +Server mode -USAGE: - trivy server [command options] [arguments...] +Usage: + trivy server [flags] -OPTIONS: - --skip-db-update, --skip-update skip updating vulnerability database (default: false) [$TRIVY_SKIP_UPDATE, $TRIVY_SKIP_DB_UPDATE] - --download-db-only download/update vulnerability database but don't run a scan (default: false) [$TRIVY_DOWNLOAD_DB_ONLY] - --insecure allow insecure server connections when using SSL (default: false) [$TRIVY_INSECURE] - --reset remove all caches and database (default: false) [$TRIVY_RESET] - --cache-backend value cache backend (e.g. redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND] - --cache-ttl value cache TTL when using redis as cache backend (default: 0s) [$TRIVY_CACHE_TTL] - --db-repository value OCI repository to retrieve trivy-db from (default: "ghcr.io/aquasecurity/trivy-db") [$TRIVY_DB_REPOSITORY] - --token value for authentication in client/server mode [$TRIVY_TOKEN] - --token-header value specify a header name for token in client/server mode (default: "Trivy-Token") [$TRIVY_TOKEN_HEADER] - --listen value listen address (default: "localhost:4954") [$TRIVY_LISTEN] - --help, -h show help (default: false) +Aliases: + server, s + +Examples: + # Run a server + $ trivy server + + # Listen on 0.0.0.0:10000 + $ trivy server --listen 0.0.0.0:10000 + + +Cache Flags + --cache-backend string cache backend (e.g. 
redis://localhost:6379) (default "fs") + --cache-ttl duration cache TTL when using redis as cache backend + --clear-cache clear image caches without scanning + --redis-ca string redis ca file location, if using redis as cache backend + --redis-cert string redis certificate file location, if using redis as cache backend + --redis-key string redis key file location, if using redis as cache backend + +DB Flags + --db-repository string OCI repository to retrieve trivy-db from" (default "ghcr.io/aquasecurity/trivy-db") + --download-db-only download/update vulnerability database but don't run a scan + --no-progress suppress progress bar + --reset remove all caches and database + --skip-db-update skip updating vulnerability database + +Client/Server Flags + --listen string listen address in server mode (default "localhost:4954") + --token string for authentication in client/server mode + --token-header string specify a header name for token in client/server mode (default "Trivy-Token") + +Global Flags: + --cache-dir string cache directory (default "/Users/teppei/Library/Caches/trivy") + -c, --config string config path (default "trivy.yaml") + -d, --debug debug mode + --insecure allow insecure server connections when using TLS + -q, --quiet suppress progress bar and log output + --timeout duration timeout (default 5m0s) + -v, --version show version ``` diff --git a/docs/docs/references/customization/config-file.md b/docs/docs/references/customization/config-file.md new file mode 100644 index 0000000000..079780e495 --- /dev/null +++ b/docs/docs/references/customization/config-file.md 
@@ -0,0 +1,271 @@ +# Config file + +Trivy can be customized by tweaking a `trivy.yaml` file. The config path can be overridden by the `--config` flag. + +An example is [here][example]. + +## Global Options + +``` +# Same as '--quiet' +# Default is false +quiet: false + +# Same as '--debug' +# Default is false +debug: false + +# Same as '--insecure' +# Default is false +insecure: false + +# Same as '--timeout' +# Default is '5m' +timeout: 10m + +# Same as '--cache-dir' +# Default is your system cache dir +cache-dir: $HOME/.cache/trivy +``` + +## Report Options + +``` +# Same as '--format' +# Default is 'table' +format: table + +# Same as '--report' (available with 'trivy k8s') +# Default is all +report: all + +# Same as '--template' +# Default is empty +template: + +# Same as '--dependency-tree' +# Default is false +dependency-tree: false + +# Same as '--list-all-pkgs' +# Default is false +list-all-pkgs: false + +# Same as '--ignorefile' +# Default is '.trivyignore' +ignorefile: .trivyignore + +# Same as '--ignore-policy' +# Default is empty +ignore-policy: + +# Same as '--exit-code' +# Default is 0 +exit-code: 0 + +# Same as '--output' +# Default is empty (stdout) +output: + +# Same as '--severity' +# Default is all severities +severity: + - UNKNOWN + - LOW + - MEDIUM + - HIGH + - CRITICAL +``` + +## Scan Options +Available in client/server mode + +``` +scan: + # Same as '--skip-dirs' + # Default is empty + skip-dirs: + - usr/local/ + - etc/ + + # Same as '--skip-files' + # Default is empty + skip-files: + - package-dev.json + + # Same as '--offline-scan' + # Default is false + offline-scan: false + + # Same as '--security-checks' + # Default depends on subcommand + security-checks: + - vuln + - config + - secret +``` + +## Cache Options + +``` +cache: + # Same as '--cache-backend' + # Default is 'fs' + backend: 'fs' + + # Same as '--cache-ttl' + # Default is 0 (no ttl) + ttl: 0 + + # Redis options + redis: + # Same as '--redis-ca' + # Default is empty + ca: + + # 
Same as '--redis-cert' + # Default is empty + cert: + + # Same as '--redis-key' + # Default is empty + key: +``` + +## DB Options + +``` +db: + # Same as '--skip-db-update' + # Default is false + skip-update: false + + # Same as '--no-progress' + # Default is false + no-progress: false + + # Same as '--db-repository' + # Default is 'github.com/aquasecurity-trivy-repo' + repository: github.com/aquasecurity-trivy-repo +``` + +## Image Options +Available with container image scanning + +``` +image: + # Same as '--input' (available with 'trivy image') + # Default is empty + input: + + # Same as '--removed-pkgs' + # Default is false + removed-pkgs: false +``` + +## Vulnerability Options +Available with vulnerability scanning + +``` +vulnerability: + # Same as '--vuln-type' + # Default is 'os,library' + type: + - os + - library + + # Same as '--ignore-unfixed' + # Default is false + ignore-unfixed: false +``` + +## Secret Options +Available with secret scanning + +``` +secret: + # Same as '--secret-config' + # Default is 'trivy-secret.yaml' + config: config/trivy/secret.yaml +``` + + +## Misconfiguration Options +Available with misconfiguration scanning + +``` +misconfiguration: + # Same as '--file-patterns' + # Default is empty + file-patterns: + - + + # Same as '--include-non-failures' + # Default is false + include-non-failures: false + + # Same as '--trace' + # Default is false + trace: false + + # Same as '--config-policy' + # Default is empty + policy: + - policy/repository + - policy/custom + + # Same as '--config-data' + # Default is empty + data: + - data/ + + # Same as '--policy-namespaces' + # Default is empty + namespaces: + - opa.examples + - users +``` + +## Kubernetes Options +Available with Kubernetes scanning + +``` +kubernetes: + # Same as '--context' + # Default is empty + context: + + # Same as '--namespace' + # Default is empty + namespace: +``` + +## Client/Server Options +Available in client/server mode + +``` +server: + # Same as '--server' 
(available in client mode) + # Default is empty + addr: http://localhost:4954 + + # Same as '--token' + # Default is empty + token: "something-secret" + + # Same as '--token-header' + # Default is 'Trivy-Token' + token-header: 'My-Token-Header' + + # Same as '--custom-headers' + # Default is empty + custom-headers: + - scanner: trivy + - x-api-token: xxx + + # Same as '--listen' (available in server mode) + # Default is 'localhost:4954' + listen: 0.0.0.0:10000 +``` + +[example]: https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/examples/trivy-conf/trivy.yaml diff --git a/docs/docs/references/customization/envs.md b/docs/docs/references/customization/envs.md new file mode 100644 index 0000000000..aadc96d6b4 --- /dev/null +++ b/docs/docs/references/customization/envs.md @@ -0,0 +1,17 @@ +# Environment variables + +Trivy can be customized by environment variables. +The environment variable key is the flag name converted by the following procedure. + +- Add `TRIVY_` prefix +- Make it all uppercase +- Replace `-` with `_` + +For example, + +- `--debug` => `TRIVY_DEBUG` +- `--cache-dir` => `TRIVY_CACHE_DIR` + +``` +$ TRIVY_DEBUG=true TRIVY_SEVERITY=CRITICAL trivy image alpine:3.15 +``` \ No newline at end of file diff --git a/examples/trivy-conf/trivy.yaml b/examples/trivy-conf/trivy.yaml new file mode 100644 index 0000000000..c9a0fef765 --- /dev/null +++ b/examples/trivy-conf/trivy.yaml @@ -0,0 +1,24 @@ +timeout: 10m +format: json +dependency-tree: true +list-all-pkgs: true +exit-code: 1 +output: result.json +severity: + - HIGH + - CRITICAL +scan: + skip-dirs: + - /lib64 + - /lib + - /usr/lib + - /usr/include + + security-checks: + - vuln + - secret +vulnerability: + type: + - os + - library + ignore-unfixed: true \ No newline at end of file diff --git a/mkdocs.yml b/mkdocs.yml index 06de1f54c9..f7811c201a 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -97,6 +97,9 @@ nav:
 - ACR (Azure Container Registry): docs/advanced/private-registries/acr.md
 - Self-Hosted: docs/advanced/private-registries/self.md
 - References:
+ - Customization:
+ - Environment variables: docs/references/customization/envs.md
+ - Config file: docs/references/customization/config-file.md
 - CLI:
 - Overview: docs/references/cli/index.md
 - Image: docs/references/cli/image.md
diff --git a/pkg/commands/app.go b/pkg/commands/app.go
index 5ba03a42bb..10be367745 100644
--- a/pkg/commands/app.go
+++ b/pkg/commands/app.go
@@ -528,7 +528,10 @@ func NewServerCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 func NewConfigCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 reportFlagGroup := flag.NewReportFlagGroup()
- reportFlagGroup.ReportFormat = nil // TODO: support --format summary
+ reportFlagGroup.DependencyTree = nil // disable '--dependency-tree'
+ reportFlagGroup.IgnorePolicy = nil // disable '--ignore-policy'
+ reportFlagGroup.ListAllPkgs = nil // disable '--list-all-pkgs'
+ reportFlagGroup.ReportFormat = nil // TODO: support --format summary
 scanFlags := &flag.ScanFlagGroup{
 // Enable only '--skip-dirs' and '--skip-files' and disable other flags
diff --git a/pkg/flag/global_flags.go b/pkg/flag/global_flags.go
index e63d61a9e1..ebbfc2ab65 100644
--- a/pkg/flag/global_flags.go
+++ b/pkg/flag/global_flags.go
@@ -4,7 +4,6 @@ import (
 "time"
 "github.com/spf13/cobra"
- "github.com/spf13/viper"
 "github.com/aquasecurity/trivy/pkg/utils"
 )
@@ -125,7 +124,7 @@ func (f *GlobalFlagGroup) ToOptions() GlobalOptions {
 Quiet: getBool(f.Quiet),
 Debug: getBool(f.Debug),
 Insecure: getBool(f.Insecure),
- Timeout: viper.GetDuration(f.Timeout.ConfigName),
+ Timeout: getDuration(f.Timeout),
 CacheDir: getString(f.CacheDir),
 }
 }
diff --git a/pkg/flag/misconf_flags.go b/pkg/flag/misconf_flags.go
index 59526317e2..897fa2b471 100644
--- a/pkg/flag/misconf_flags.go
+++ b/pkg/flag/misconf_flags.go
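Review bot: The new `= nil` lines in NewConfigCommand each restate what the code does but not why `trivy config` drops these report flags; a why-comment would keep someone from re-enabling them later, e.g. `// Misconfiguration scans produce neither a package list nor vulnerability findings, so these report flags would be no-ops here (TODO confirm)`. Disabling a flag by nil-ing its field also means every reader of ReportFlagGroup (its ToOptions is not in this diff) has to tolerate a nil pointer; it is worth confirming those getters nil-check, because a disabled flag that is dereferenced panics at startup rather than failing at flag-parse time. NewConfigCommand continues past the end of the hunk.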
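Review bot: `getDuration` is not defined anywhere in this diff, so I am assuming it sits beside `getBool`/`getString` in the flag package and mirrors their handling of a nil `*Flag`; if it does not, ToOptions will panic as soon as a caller disables Timeout the way this same commit disables report flags in NewConfigCommand. The old `viper.GetDuration(f.Timeout.ConfigName)` had the same nil hazard, so this is not a regression, just the right moment to pin it down — a short test of ToOptions with `f.Timeout = nil` would do. The rest of ToOptions is outside the hunk.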
@@ -37,19 +37,19 @@ var (
 }
 ConfigPolicyFlag = Flag{
 Name: "config-policy",
- ConfigName: "misconfiguration.config-policy",
+ ConfigName: "misconfiguration.policy",
 Value: []string{},
 Usage: "specify paths to the Rego policy files directory, applying config files",
 }
 ConfigDataFlag = Flag{
 Name: "config-data",
- ConfigName: "misconfiguration.config-data",
+ ConfigName: "misconfiguration.data",
 Value: []string{},
 Usage: "specify paths from which data for the Rego policies will be recursively loaded",
 }
 PolicyNamespaceFlag = Flag{
 Name: "policy-namespaces",
- ConfigName: "misconfiguration.policy-namespaces",
+ ConfigName: "misconfiguration.namespaces",
 Value: []string{},
 Usage: "Rego namespaces",
 }
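Review bot: Changing ConfigName from `misconfiguration.config-policy`, `misconfiguration.config-data` and `misconfiguration.policy-namespaces` to `misconfiguration.policy`, `.data` and `.namespaces` silently drops any existing `trivy.yaml` that used the old keys: the value is no longer read, so a user's custom Rego policies, data or namespaces stop applying with no error, which is the kind of configuration regression that weakens a scan without anyone noticing. I cannot tell from this diff whether the old keys were ever documented, but if they were, I would keep reading them as a fallback and warn when they are set, or at least mark each renamed key, e.g. `// Renamed in this release; the old key 'misconfiguration.config-policy' is no longer read.` next to the ConfigName. The config-file.md added in this commit documents only the new names, so at minimum the rename deserves a changelog entry.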