
Releases: aquasecurity/trivy

v0.9.1

08 Jun 14:22
65cbe3c

Bug fixes

  • Debug option doesn't work as expected (#515)
  • Progress logged as stderr (#513)

Changelog

65cbe3c fix(alpine): support 3.12 (#517)
f94e8dc chore(README): prepare for v0.9.0 (#507)
9629303 fix(config): transpose arguments (#516)

Docker images

  • docker pull docker.io/aquasec/trivy:0.9.1
  • docker pull docker.io/aquasec/trivy:latest

v0.9.0

02 Jun 18:32
020c4a3

New Features

[IMPORTANT] Support GitHub Advisory Database (#467)

Trivy now uses the GitHub Advisory Database to detect vulnerabilities in programming-language libraries. It uses multiple data sources for each language, as shown below.

https://github.com/aquasecurity/trivy#data-source

This makes Trivy more accurate and changes the number of vulnerabilities it detects.

Thank you for the contribution, @masahiro331!

Filesystem scan

Scan a filesystem (such as a host machine, a virtual machine image, or an unpacked container image filesystem).

When you specify the path to your project, Trivy will look for vulnerabilities based on lock files such as Gemfile.lock and package-lock.json.

$ trivy fs /path/to/project

Also, Trivy can scan your container from inside the container.

$ docker run --rm -it alpine:3.11
/ # apk add curl
/ # curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b /usr/local/bin
/ # trivy fs /

Embed in Dockerfile 🎉

Scan your image as part of the build process by embedding Trivy in the Dockerfile. This approach can be used to update Dockerfiles currently using Aqua’s Microscanner.

$ cat Dockerfile
FROM alpine:3.7
RUN apk add --no-cache curl \
    && curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b /usr/local/bin \
    && trivy filesystem --exit-code 1 --no-progress / \
    && trivy --reset && rm -f /usr/local/bin/trivy && apk del curl
$ docker build -t vulnerable-image .

Git Repository scan

Scan your remote git repository.

$ trivy repo https://github.com/aquasecurity/trivy-ci-test

Only public repositories are supported.

Bug fixes

CVE duplication in scanning result

Close aquasecurity/harbor-scanner-trivy#114

When Trivy scans an image containing multiple lock files, regardless of OS and packages, it sometimes reports the same CVE more than once, producing false positives.

Changelog

020c4a3 fix(app): add ArgsUsage (#508)
2f2d1a9 feat: support repository and filesystem scan (#503)
03ad8a3 Add GHSA support (#467)
1218e11 refactor: define common options and embed them into the option for subcommand (#502)

Docker images

  • docker pull docker.io/aquasec/trivy:0.9.0
  • docker pull docker.io/aquasec/trivy:latest

v0.8.0

27 May 14:23
78b7529

New Feature

Add image subcommand (#493)

We deprecated $ trivy IMAGE_NAME and introduced the image subcommand.

$ trivy image alpine:3.11

Add CVSS Vectors to JSON output. (#484)

You can see CVSS vectors in the JSON result.

$ trivy image --format=json alpine:3.10.4
[...output snipped...]
        "VendorVectors": {
          "nvd": {
            "v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "redhat": {
            "v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
          }
        },
[...output snipped...]

Support registry token (#482)

To scan a private image, you can pass a registry token instead of a username and password. This is useful when you develop a registry integration, such as for Harbor or Quay.

$ export TRIVY_REGISTRY_TOKEN=$(curl -u "username:password" "https://auth.docker.io/token?service=registry.docker.io&scope=repository:org/private_image:pull")
$ trivy org/private_image:latest

Changelog

78b7529 Add image subcommand (#493)
e2bcb44 fix: remove help template (#500)
a57c27e vulnerability: Add CVSS Vectors to JSON output. (#484)
926f323 feat: support registry token (#482)
aa20adb chore: bump up urfave/cli to v2 (#499)
3e0779a chore(doc): update README (#490)

Docker images

  • docker pull docker.io/aquasec/trivy:0.8.0
  • docker pull docker.io/aquasec/trivy:latest

v0.7.0

12 May 10:13
09442d6

New Feature

Support OCI Image Format

Trivy can now scan an image directory compliant with the "Open Container Image Layout Specification".

Buildah:

$ buildah push docker.io/library/alpine:3.11 oci:/path/to/alpine
$ trivy --input /path/to/alpine

Skopeo:

$ skopeo copy docker-daemon:alpine:3.11 oci:/path/to/alpine
$ trivy --input /path/to/alpine

[BREAKING] Override severity with vendor score if exists

Trivy used to display the severity from NVD, which is generic, but it is more accurate to use the severity from the vendor, such as Red Hat or Debian. The vendor's severity is now preferred over NVD's severity.

NOTE: If you filter vulnerabilities with the --severity option, the result may differ from earlier versions because v0.7.0 uses vendor severity.

Bugs

rpc: fix output to use templates when in client/server mode. (#469)

A template didn't work in client/server mode.

fix: handle a scratch/busybox/DockerSlim image gracefully (#476)

Trivy can't detect vulnerabilities in OS packages for an image based on scratch/busybox because those images don't have a package manager such as yum or apt. It should still detect vulnerabilities in library dependencies from lock files such as package-lock.json, and this commit enables that.

Changelog

09442d6 chore(ci): move integration tests to GitHub Actions (#485)
415b99d feat: support OCI Image Format (#475)
35b038e chore(github): fix issue templates (#483)
34a95c1 contrib/gitlab.tpl: Add new id field (#468)
b282142 chore(docs): add triage.md (#473)
216a33b fix: handle a scratch/busybox/DockerSlim image gracefully (#476)
ad0bb7c rpc: Fix output to use templates when in client server mode. (#469)
17b84f6 Override with Vendor score if exists (#433)
7629f7f docs: Update installation docs for pointing to Trivy Releases. (#463)

Docker images

  • docker pull docker.io/aquasec/trivy:0.7.0
  • docker pull docker.io/aquasec/trivy:latest

v0.6.0

15 Apr 13:49
ac5f313

Changelog

ac5f313 feat(db): store metadata as a file (#464)
329f245 fix: replace containers/image with google/go-containerregistry (#456)
d6595ad add ubuntu 20.04 (#460)
114df7a using STDIN for docker login command (#458)

Docker images

  • docker pull docker.io/aquasec/trivy:0.6.0
  • docker pull docker.io/aquasec/trivy:latest

v0.5.4

06 Apr 13:46
e5ff5ec

Bug fixes

Crash following interrupted DB download (#288)

Changelog

e5ff5ec Fix CircleCI example in README.md (#451)
1bc02f9 fix(db): retry downloading the database if it is broken (#452)
05fa779 chore(release): add all supported versions (#445)

Docker images

  • docker pull docker.io/aquasec/trivy:0.5.4
  • docker pull docker.io/aquasec/trivy:latest

v0.5.3

24 Mar 09:14
6fbdec6

Changelog

6fbdec6 app: Fix a few edge cases with version flag (#443)
94eb7cc Expose Trivy and VulnDB version through --version (#435)
b847e57 feat: show origin layer for vulnerabilities (#439)
07a731c Fix filepath separators on Windows (#414)
4ee7a1e fix circleci example (#431)
ede778f Merge pull request #434 from aquasecurity/license
64a07da Merge branch 'master' into license
623eb79 Remove outdated license section from README
51b8fd8 Change license to Apache 2.0, continued
6f7776e Change license to Apache 2.0
a70cee9 chore(ci): add cross-compile test (#425)

Docker images

  • docker pull docker.io/aquasec/trivy:0.5.3
  • docker pull docker.io/aquasec/trivy:latest

v0.5.2

06 Mar 12:42
5e36cb9

Changelog

5e36cb9 fix(rpm): make it possible to scan non-RHEL images without rpm (#429)

Docker images

  • docker pull docker.io/aquasec/trivy:0.5.2
  • docker pull docker.io/aquasec/trivy:latest

v0.5.1

06 Mar 10:20
74bf99b

Changelog

74bf99b fix(token): use the credential from environment variable (#427)

Docker images

  • docker pull docker.io/aquasec/trivy:0.5.1
  • docker pull docker.io/aquasec/trivy:latest

v0.5.0

05 Mar 15:16
3ed0cfb

Changelog

3ed0cfb chore(goreleaser): drop BSD support temporarily (#424)
aca31df detector: Add LayerID to detect vulns (#419)
18b80e3 feat(cache): based on JSON (#398)
b83174f chore(README): add explanation for self-compiled binaries/packages (#413)
80bbe47 fix(gitlab): fix json generation on loop (#409)
7726963 fix(scanner): pass docker options as an argument (#408)
db2136b doc: Add Alpine Linux 3.11 to supported OS docs (#407)

Docker images

  • docker pull docker.io/aquasec/trivy:0.5.0
  • docker pull docker.io/aquasec/trivy:latest