Releases: aquasecurity/trivy
v0.9.1
v0.9.0
New Features
[IMPORTANT] Support GitHub Advisory Database (#467)
Trivy now uses the GitHub Advisory Database to detect vulnerabilities in programming language libraries. It combines multiple data sources for each language, as shown below.
https://github.com/aquasecurity/trivy#data-source
This allows Trivy to be more accurate and affects the number of vulnerabilities Trivy detects.
Thank you for the contribution, @masahiro331!
Filesystem scan
Scan a filesystem (such as a host machine, a virtual machine image, or an unpacked container image filesystem).
When you specify the path to your project, Trivy will look for vulnerabilities based on lock files such as Gemfile.lock and package-lock.json.
$ trivy fs /path/to/project
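To make concrete what a lock-file based filesystem scan keys on, here is an added example (it is not Trivy's own code): it walks a project directory the way `trivy fs` does, recognises the two lock-file formats named above (package-lock.json with the lockfileVersion 1 nested "dependencies" tree, and the GEM specs block of a Gemfile.lock) and returns the pinned (name, version) pairs that a scanner would then match against advisory data. The matching step itself is not shown, the sample lock files are constructed for the example, and the function names are this example's own.

```python
"""Added example (not Trivy's code): what a lock-file based scan keys on.

A filesystem scan walks a project tree, reads each recognised lock file and
extracts exact (name, version) pairs; those pairs are later matched against
advisory data. Only the walking and parsing half is shown here.
"""
import json
import os
import re
import tempfile
from typing import Dict, List, Tuple

LOCK_FILES = {"package-lock.json", "Gemfile.lock"}


def parse_package_lock(text: str) -> List[Tuple[str, str]]:
    """Flatten the nested 'dependencies' tree of a lockfileVersion 1 file."""
    found: List[Tuple[str, str]] = []

    def walk(deps: Dict[str, dict]) -> None:
        for name, info in deps.items():
            found.append((name, info["version"]))
            walk(info.get("dependencies", {}))  # non-hoisted nested deps

    walk(json.loads(text).get("dependencies", {}))
    return found


# Exactly four leading spaces: a resolved gem. Six spaces would be one of
# its own dependency constraints (e.g. "      actionpack (= 5.2.3)"), which
# is not a pinned version and is skipped.
GEM_SPEC = re.compile(r"^    (\S+) \(([^)]+)\)$")


def parse_gemfile_lock(text: str) -> List[Tuple[str, str]]:
    """Collect 'name (version)' lines from every 'specs:' block."""
    found: List[Tuple[str, str]] = []
    in_specs = False
    for line in text.splitlines():
        if line.strip() == "specs:":
            in_specs = True
        elif in_specs and (m := GEM_SPEC.match(line)):
            found.append((m.group(1), m.group(2)))
        elif in_specs and not line.startswith("    "):
            in_specs = False  # blank line or next section ends the block
    return found


def find_lock_files(root: str) -> Dict[str, List[Tuple[str, str]]]:
    """Walk root like a filesystem scan and parse each recognised lock file."""
    results: Dict[str, List[Tuple[str, str]]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname not in LOCK_FILES:
                continue
            path = os.path.join(dirpath, fname)
            with open(path, encoding="utf-8") as fh:
                text = fh.read()
            parser = parse_package_lock if fname == "package-lock.json" else parse_gemfile_lock
            results[os.path.relpath(path, root)] = parser(text)
    return results


# Constructed sample lock files (not taken from any real project).
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "demo", "lockfileVersion": 1,
    "dependencies": {
        "lodash": {"version": "4.17.15"},
        "express": {"version": "4.17.1",
                    "dependencies": {"cookie": {"version": "0.4.0"}}},
    },
})

SAMPLE_GEMFILE_LOCK = """GEM
  remote: https://rubygems.org/
  specs:
    rack (2.0.7)
    rails (5.2.3)
      actionpack (= 5.2.3)

PLATFORMS
  ruby
"""


def demo() -> Dict[str, List[Tuple[str, str]]]:
    """Write the samples into a temporary project tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "web"))
        with open(os.path.join(root, "package-lock.json"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_PACKAGE_LOCK)
        with open(os.path.join(root, "web", "Gemfile.lock"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_GEMFILE_LOCK)
        return find_lock_files(root)


if __name__ == "__main__":
    for lock, pkgs in demo().items():
        print(lock, pkgs)
```

Because only lock files are read, a project that has a manifest (package.json, Gemfile) but no committed lock file yields nothing for this scan; pinning and committing lock files is what makes the result reproducible.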
Also, Trivy can scan your container from inside the container.
$ docker run --rm -it alpine:3.11
/ # apk add curl
/ # curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b /usr/local/bin
/ # trivy fs /
Embed in Dockerfile 🎉
Scan your image as part of the build process by embedding Trivy in the Dockerfile. This approach can also be used to update Dockerfiles that currently use Aqua's Microscanner.
$ cat Dockerfile
FROM alpine:3.7
RUN apk add --no-cache curl \
&& curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b /usr/local/bin \
&& trivy filesystem --exit-code 1 --no-progress / \
&& trivy --reset && rm -f /usr/local/bin/trivy && apk del curl
$ docker build -t vulnerable-image .
Git Repository scan
Scan your remote git repository.
$ trivy repo https://github.com/aquasecurity/trivy-ci-test
Only public repositories are supported.
Bug fixes
CVE duplication in scanning result
Close aquasecurity/harbor-scanner-trivy#114
When Trivy scanned an image containing multiple lock files, it sometimes reported the same CVE more than once (a false positive), regardless of the OS or packages involved.
Changelog
020c4a3 fix(app): add ArgsUsage (#508)
2f2d1a9 feat: support repository and filesystem scan (#503)
03ad8a3 Add GHSA support (#467)
1218e11 refactor: define common options and embed them into the option for subcommand (#502)
Docker images
docker pull docker.io/aquasec/trivy:0.9.0
docker pull docker.io/aquasec/trivy:latest
v0.8.0
New Feature
Add image subcommand (#493)
We deprecated $ trivy IMAGE_NAME and introduced the image subcommand.
$ trivy image alpine:3.11
Add CVSS Vectors to JSON output. (#484)
You can see the CVSS vectors in the JSON result.
$ trivy image --format=json alpine:3.10.4
[...output snipped...]
"VendorVectors": {
"nvd": {
"v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"redhat": {
"v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
},
[...output snipped...]
Support registry token (#482)
To scan a private image, you can pass a registry token instead of a username and password. This is useful when you develop a registry integration such as Harbor or Quay.
$ export TRIVY_REGISTRY_TOKEN=$(curl -u "username:password" "https://auth.docker.io/token?service=registry.docker.io&scope=repository:org/private_image:pull")
$ trivy org/private_image:latest
Changelog
78b7529 Add image subcommand (#493)
e2bcb44 fix: remove help template (#500)
a57c27e vulnerability: Add CVSS Vectors to JSON output. (#484)
926f323 feat: support registry token (#482)
aa20adb chore: bump up urfave/cli to v2 (#499)
3e0779a chore(doc): update README (#490)
Docker images
docker pull docker.io/aquasec/trivy:0.8.0
docker pull docker.io/aquasec/trivy:latest
v0.7.0
New Feature
Support OCI Image Format
Trivy can now scan an image directory that complies with the Open Container Image Layout Specification.
Buildah:
$ buildah push docker.io/library/alpine:3.11 oci:/path/to/alpine
$ trivy --input /path/to/alpine
Skopeo:
$ skopeo copy docker-daemon:alpine:3.11 oci:/path/to/alpine
$ trivy --input /path/to/alpine
[BREAKING] Override severity with vendor score if exists
Trivy used to display the severity from NVD, which is generic, but it is more accurate to use the severity assigned by the vendor, such as Red Hat or Debian. The vendor's severity is now preferred over NVD's.
NOTE: If you filter vulnerabilities with the --severity option, the results may differ from earlier versions because v0.7.0 uses the vendor severity.
Bugs
rpc: fix output to use templates when in client/server mode. (#469)
Output templates did not work in client/server mode.
fix: handle a scratch/busybox/DockerSlim image gracefully (#476)
Trivy can't detect vulnerabilities in OS packages for an image based on scratch or busybox, because those images have no package manager such as yum or apt. It should still detect vulnerabilities in library dependencies from lock files such as package-lock.json. This commit enables that.
Changelog
09442d6 chore(ci): move integration tests to GitHub Actions (#485)
415b99d feat: support OCI Image Format (#475)
35b038e chore(github): fix issue templates (#483)
34a95c1 contrib/gitlab.tpl: Add new id field (#468)
b282142 chore(docs): add triage.md (#473)
216a33b fix: handle a scratch/busybox/DockerSlim image gracefully (#476)
ad0bb7c rpc: Fix output to use templates when in client server mode. (#469)
17b84f6 Override with Vendor score if exists (#433)
7629f7f docs: Update installation docs for pointing to Trivy Releases. (#463)
Docker images
docker pull docker.io/aquasec/trivy:0.7.0
docker pull docker.io/aquasec/trivy:latest
v0.6.0
Changelog
ac5f313 feat(db): store metadata as a file (#464)
329f245 fix: replace containers/image with google/go-containerregistry (#456)
d6595ad add ubuntu 20.04 (#460)
114df7a using STDIN for docker login command (#458)
Docker images
docker pull docker.io/aquasec/trivy:0.6.0
docker pull docker.io/aquasec/trivy:latest
v0.5.4
Bug fixes
Crash following interrupted DB download (#288)
Changelog
e5ff5ec Fix CircleCI example in README.md (#451)
1bc02f9 fix(db): retry downloading the database if it is broken (#452)
05fa779 chore(release): add all supported versions (#445)
Docker images
docker pull docker.io/aquasec/trivy:0.5.4
docker pull docker.io/aquasec/trivy:latest
v0.5.3
Changelog
6fbdec6 app: Fix a few edge cases with version flag (#443)
94eb7cc Expose Trivy and VulnDB version through --version (#435)
b847e57 feat: show origin layer for vulnerabilities (#439)
07a731c Fix filepath separators on Windows (#414)
4ee7a1e fix circleci example (#431)
ede778f Merge pull request #434 from aquasecurity/license
64a07da Merge branch 'master' into license
623eb79 Remove outdated license section from README
51b8fd8 Change license to Apache 2.0, continued
6f7776e Change license to Apache 2.0
a70cee9 chore(ci): add cross-compile test (#425)
Docker images
docker pull docker.io/aquasec/trivy:0.5.3
docker pull docker.io/aquasec/trivy:latest
v0.5.2
v0.5.1
v0.5.0
Changelog
3ed0cfb chore(goreleaser): drop BSD support temporarily (#424)
aca31df detector: Add LayerID to detect vulns (#419)
18b80e3 feat(cache): based on JSON (#398)
b83174f chore(README): add explanation for self-compiled binaries/packages (#413)
80bbe47 fix(gitlab): fix json generation on loop (#409)
7726963 fix(scanner): pass docker options as an argument (#408)
db2136b doc: Add Alpine Linux 3.11 to supported OS docs (#407)
Docker images
docker pull docker.io/aquasec/trivy:0.5.0
docker pull docker.io/aquasec/trivy:latest