Git address: aquasecurity/trivy: Scan container images, file systems and Git repositories for vulnerabilities and configuration issues (github.com)
Trivy
Trivy (tri pronounced like trigger, vy pronounced like envy) is a simple and comprehensive scanner for vulnerabilities and configuration issues in container images, file systems and Git repositories. It detects vulnerabilities in OS packages (Alpine, RHEL, CentOS, etc.) and in language-specific packages (Bundler, Composer, npm, yarn, etc.). In addition, it scans Infrastructure as Code (IaC) files such as Terraform, Dockerfile and Kubernetes manifests to detect potential configuration issues that expose your deployments to attack. It is easy to use: just install the binary and you are ready to scan.
Quick start
Scan an image for vulnerabilities
Simply specify the image name (and tag).
$ trivy image [YOUR_IMAGE_NAME]
For example:
$ trivy image python:3.4-alpine
Result
2021-07-09T12:03:27.564+0300 INFO Number of language-specific files: 1
2021-07-09T12:03:27.564+0300 INFO Detecting pipenv vulnerabilities...
2021-07-09T12:03:27.566+0300 INFO Detected config files: 1
Pipfile.lock (pipenv)
=====================
Total: 1 (HIGH: 1, CRITICAL: 0)
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| httplib2 | CVE-2021-21240 | HIGH | 0.12.1 | 0.19.0 | python-httplib2: Regular |
| | | | | | expression denial of |
| | | | | | service via malicious header |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-21240 |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
Dockerfile (dockerfile)
=======================
Tests: 23 (SUCCESSES: 22, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)
+---------------------------+------------+----------------------+----------+------------------------------------------+
| TYPE | MISCONF ID | CHECK | SEVERITY | MESSAGE |
+---------------------------+------------+----------------------+----------+------------------------------------------+
| Dockerfile Security Check | DS002 | Image user is 'root' | HIGH | Last USER command in |
| | | | | Dockerfile should not be 'root' |
| | | | | -->avd.aquasec.com/appshield/ds002 |
+---------------------------+------------+----------------------+----------+------------------------------------------+
Scan a file system for vulnerabilities and misconfigurations
Simply specify the directory to scan.
$ trivy fs --security-checks vuln,config [YOUR_PROJECT_DIR]
For example:
$ trivy fs --security-checks vuln,config myproject/
Result
2021-07-09T10:06:29.188+0300 INFO Need to update the built-in policies
2021-07-09T10:06:29.188+0300 INFO Downloading the built-in policies...
2021-07-09T10:06:30.520+0300 INFO Detected config files: 1
Dockerfile (dockerfile)
=======================
Tests: 23 (SUCCESSES: 22, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
+---------------------------+------------+----------------------+----------+------------------------------------------+
| TYPE | MISCONF ID | CHECK | SEVERITY | MESSAGE |
+---------------------------+------------+----------------------+----------+------------------------------------------+
| Dockerfile Security Check | DS002 | Image user is 'root' | HIGH | Last USER command in |
| | | | | Dockerfile should not be 'root' |
| | | | | -->avd.aquasec.com/appshield/ds002 |
+---------------------------+------------+----------------------+----------+------------------------------------------+
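The two reports above share one summary format: a target header underlined with "=", then "Total: N (...)" for vulnerabilities or "Failures: N (...)" for misconfigurations. The following script, an added example that is not part of Trivy or of the original post, parses those summary lines and turns them into a CI gate that fails on any HIGH or CRITICAL finding of either kind; the embedded report is a constructed sample modelled on the image scan shown above, and the script name gate.py is assumed.

```python
import re
import sys

# Constructed sample, modelled on the `trivy image python:3.4-alpine` output above.
SAMPLE_REPORT = """\
Pipfile.lock (pipenv)
=====================
Total: 1 (HIGH: 1, CRITICAL: 0)

Dockerfile (dockerfile)
=======================
Tests: 23 (SUCCESSES: 22, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
"""

# "Total: N (...)" summarises vulnerabilities, "Failures: N (...)" misconfigurations.
SUMMARY_RE = re.compile(r"^(Total|Failures): \d+ \((?P<counts>.*)\)$")
COUNT_RE = re.compile(r"([A-Z]+): (\d+)")

def parse_summary(report):
    """Map each scanned target to its per-severity counts, keyed by finding kind."""
    results, target, lines = {}, None, report.splitlines()
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        # A target header is a line underlined by '=' of exactly the same length.
        if line and nxt and set(nxt) == {"="} and len(nxt) == len(line):
            target = line
            results[target] = {}
            continue
        m = SUMMARY_RE.match(line)
        if m and target is not None:
            kind = "vulnerabilities" if m.group(1) == "Total" else "misconfigurations"
            results[target][kind] = {s: int(n) for s, n in COUNT_RE.findall(m.group("counts"))}
    return results

def gate(report, block_on=("HIGH", "CRITICAL")):
    """Return (passed, offenders); offenders lists (target, kind, count) over the bar."""
    offenders = []
    for target, kinds in parse_summary(report).items():
        for kind, counts in kinds.items():
            hits = sum(counts.get(sev, 0) for sev in block_on)
            if hits:
                offenders.append((target, kind, hits))
    return not offenders, offenders

if __name__ == "__main__":  # e.g. trivy image python:3.4-alpine | python3 gate.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    passed, offenders = gate(text)
    print("PASS" if passed else f"BLOCK: {offenders}")
    sys.exit(0 if passed else 1)
```

Trivy's own --exit-code and --severity flags give the same gate natively; this parser is useful when you want one verdict across both the vulnerability and misconfiguration sections, or need the counts for a pipeline report.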
Scan a directory for misconfigurations
Simply specify a directory containing IaC files such as Terraform and Dockerfile.
$ trivy config [YOUR_IAC_DIR]
For example:
$ ls build/
Dockerfile
$ trivy config ./build
Result
Features
Integrations
- GitHub Actions
- Visual Studio Code
Documentation
The official documentation provides detailed installation, configuration and quick-start guides.
🏹Daily share🏹:
Me: "Hmm... what if you calculated the probability?"
He shook his head: "Don't put it in terms of mathematics. This is a real experiment, real light, real sensors, several kilometres underground, with every factor that could be excluded excluded. And yet, there is no fixed pattern."
It suddenly dawned on me: "Ah... you mean that photons from other universes interfered with this photon... then how do they interfere?"
From 《天才在左 疯子在右》