=== "Repository"
Add repository setting to `/etc/yum.repos.d`.
``` bash
RELEASE_VERSION=$(grep -Po '(?<=VERSION_ID=")[0-9]' /etc/os-release)
cat << EOF | sudo tee -a /etc/yum.repos.d/trivy.repo
[trivy]
name=Trivy repository
baseurl=https://aquasecurity.github.io/trivy-repo/rpm/releases/$RELEASE_VERSION/\$basearch/
gpgcheck=0
enabled=1
EOF
sudo yum -y update
sudo yum -y install trivy
```
=== "RPM"
``` bash
rpm -ivh https://github.com/aquasecurity/trivy/releases/download/{{ git.tag }}/trivy_{{ git.tag[1:] }}_Linux-64bit.rpm
```
=== "Repository"
Add repository setting to `/etc/apt/sources.list.d`.
``` bash
sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy
```
=== "DEB"
``` bash
wget https://github.com/aquasecurity/trivy/releases/download/{{ git.tag }}/trivy_{{ git.tag[1:] }}_Linux-64bit.deb
sudo dpkg -i trivy_{{ git.tag[1:] }}_Linux-64bit.deb
```
Package trivy can be installed from the Arch Community Package Manager.
``` bash
pacman -S trivy
```
You can use homebrew on macOS and Linux.
``` bash
brew install aquasecurity/trivy/trivy
```
You can also install trivy via MacPorts on macOS:
``` bash
sudo port install trivy
```
More info here.
Direct issues installing trivy via nix through the channels mentioned here.
You can use nix on Linux or macOS and on other platforms unofficially.
``` bash
nix-env --install -A nixpkgs.trivy
```
Or through your configuration as usual.
NixOS:
``` nix
# your other config ...
environment.systemPackages = with pkgs; [
  # your other packages ...
  trivy
];
```
home-manager:
``` nix
# your other config ...
home.packages = with pkgs; [
  # your other packages ...
  trivy
];
```
This script downloads the Trivy binary based on your OS and architecture.
``` bash
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin {{ git.tag }}
```
Download the archive file for your operating system/architecture from [here](https://github.com/aquasecurity/trivy/releases/tag/{{ git.tag }}).
Unpack the archive, and put the binary somewhere in your `$PATH` (on UNIX-y systems, `/usr/local/bin` or the like).
Make sure it has execution bits turned on.
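The manual steps above (unpack, place the binary on `$PATH`, set the execute bits) as a small POSIX shell helper. This is an added example, not a script from the Trivy project: it assumes the archive is a `.tar.gz` with a top-level `trivy` member and that a checksums file in `sha256sum` format (`<hex>  <filename>`) is available next to it; the checksums file name is not taken from this page and is a hypothetical input. The helper refuses to install when the archive's digest does not match its entry, so a corrupted or altered download never reaches `$PATH`.

```shell
#!/bin/sh
# Added example (not part of the Trivy docs): verify a downloaded release
# archive against a sha256sum-format checksums file, then install the
# `trivy` binary into a directory with the execute bits set.
# Assumptions: archive is .tar.gz with a top-level `trivy` member; the
# checksums file name/format is hypothetical and not taken from the docs.
set -eu

# Portable SHA-256 of a file: prefer coreutils sha256sum, fall back to shasum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_archive ARCHIVE CHECKSUMS
# Returns 0 when the archive's digest equals the entry for its basename in
# CHECKSUMS; a missing entry or a mismatch returns 1.
verify_archive() {
  archive=$1
  sums=$2
  name=$(basename "$archive")
  [ -r "$sums" ] || { echo "checksums file not readable: $sums" >&2; return 1; }
  # sha256sum -b writes "*name"; strip the marker before comparing.
  expected=$(awk -v f="$name" '{ n = $2; sub(/^\*/, "", n); if (n == f) print $1 }' "$sums")
  [ -n "$expected" ] || { echo "no checksum entry for $name" >&2; return 1; }
  actual=$(sha256_of "$archive")
  [ "$actual" = "$expected" ] || { echo "checksum mismatch for $name" >&2; return 1; }
  return 0
}

# install_trivy_archive ARCHIVE CHECKSUMS DEST_DIR
# Extracts `trivy` from ARCHIVE into DEST_DIR with mode 0755, but only after
# verify_archive succeeds. Returns 1 (and installs nothing) on failure.
install_trivy_archive() {
  archive=$1
  sums=$2
  dest=$3
  verify_archive "$archive" "$sums" || return 1
  tmp=$(mktemp -d)
  tar -xzf "$archive" -C "$tmp" trivy
  mkdir -p "$dest"
  install -m 0755 "$tmp/trivy" "$dest/trivy"
  rm -rf "$tmp"
  [ -x "$dest/trivy" ]
}

# make_fixture DIR
# Builds a constructed stand-in release in DIR (a stub `trivy` script, its
# archive, and a matching checksums file) so the helpers run offline.
make_fixture() {
  dir=$1
  mkdir -p "$dir/src"
  printf '#!/bin/sh\necho trivy-stub\n' > "$dir/src/trivy"
  tar -czf "$dir/trivy_0.0.0_Linux-64bit.tar.gz" -C "$dir/src" trivy
  ( cd "$dir" && printf '%s  %s\n' "$(sha256_of trivy_0.0.0_Linux-64bit.tar.gz)" \
      trivy_0.0.0_Linux-64bit.tar.gz > checksums.txt )
}

# Stand-alone demo on the constructed fixture.
work=$(mktemp -d)
make_fixture "$work"
install_trivy_archive "$work/trivy_0.0.0_Linux-64bit.tar.gz" "$work/checksums.txt" "$work/bin" \
  && echo "installed: $("$work/bin/trivy")"
rm -rf "$work"
```

For a real release, call `install_trivy_archive` with the downloaded archive, the checksums file you obtained for that release, and `/usr/local/bin` (with `sudo` if needed); the `make_fixture` helper exists only so the block can be exercised without network access.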
``` bash
mkdir -p $GOPATH/src/github.com/aquasecurity
cd $GOPATH/src/github.com/aquasecurity
git clone --depth 1 --branch {{ git.tag }} https://github.com/aquasecurity/trivy
cd trivy/cmd/trivy/
export GO111MODULE=on
go install
```
Replace `[YOUR_CACHE_DIR]` with the cache directory on your machine.
``` bash
docker pull aquasec/trivy:{{ git.tag[1:] }}
```
Example:
=== "Linux"
``` bash
docker run --rm -v [YOUR_CACHE_DIR]:/root/.cache/ aquasec/trivy:{{ git.tag[1:] }} image [YOUR_IMAGE_NAME]
```
=== "macOS"
``` bash
docker run --rm -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:{{ git.tag[1:] }} image [YOUR_IMAGE_NAME]
```
If you would like to scan the image on your host machine, you need to mount `docker.sock`.
``` bash
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
  -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:{{ git.tag[1:] }} python:3.4-alpine
```
Please re-pull the latest `aquasec/trivy` if an error occurred.
Result:
```
2019-05-16T01:20:43.180+0900    INFO    Updating vulnerability database...
2019-05-16T01:20:53.029+0900    INFO    Detecting Alpine vulnerabilities...

python:3.4-alpine3.9 (alpine 3.9.2)
===================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

+---------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| openssl | CVE-2019-1543    | MEDIUM   | 1.1.1a-r1         | 1.1.1b-r1     | openssl: ChaCha20-Poly1305     |
|         |                  |          |                   |               | with long nonces               |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
```
The same image is hosted on GitHub Container Registry as well.
``` bash
docker pull ghcr.io/aquasecurity/trivy:{{ git.tag[1:] }}
```
The same image is hosted on Amazon ECR Public as well.
``` bash
docker pull public.ecr.aws/aquasecurity/trivy:{{ git.tag[1:] }}
```
``` bash
helm repo add aquasecurity https://aquasecurity.github.io/helm-charts/
helm repo update
helm search repo trivy
helm install my-trivy aquasecurity/trivy
```
To install the chart with the release name `my-release`:
``` bash
helm install my-release .
```
The command deploys Trivy on the Kubernetes cluster in the default configuration. The [Parameters][helm] section lists the parameters that can be configured during installation.
You may need to grant permissions to allow trivy to pull images from a private registry (AWS ECR).
It depends on how you want to provide the AWS Role to trivy.
Add the AWS role in trivy's service account annotations:
``` yaml
trivy:
  serviceAccount:
    annotations: {}
    # eks.amazonaws.com/role-arn: arn:aws:iam::ACCOUNT_ID:role/IAM_ROLE_NAME
```
Add the AWS role to the pod's annotations:
``` yaml
podAnnotations: {}
## kube2iam/kiam annotation
# iam.amazonaws.com/role: arn:aws:iam::ACCOUNT_ID:role/IAM_ROLE_NAME
```
Tip: List all releases using `helm list`.
[helm]: https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/helm/trivy