Trivy 是一个简单而且功能完整的容器漏洞扫描工具，特别使用用于持续集成。

准确性比较

在 Alpine Linux 中检测的漏洞 (2019/05/12)

详细的比较请看 Comparison with other scanners 

特性

• 全面检测漏洞
  • 操作系统 (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, Debian and Ubuntu)
  • 应用依赖 (Bundler, Composer, Pipenv, npm, yarn and Cargo)
• 简单
  • Specify only an image name
  • 详情请看 Quick Start 和 Examples
• 易于安装
  • No need for prerequirements such as installation of DB, libraries, etc.
  • apt-get install ,  yum install  and  brew install  is possible (See Installation)
• 准确度高
  • Especially Alpine Linux and RHEL/CentOS (See Comparison with other scanners)
  • Other OSes are also high
• DevSecOps
  • Suitable for CI such as Travis CI, CircleCI, Jenkins, etc.
  • See CI Example

安装

RHEL/CentOS

Add repository setting to  /etc/yum.repos.d .

 $ sudo vim /etc/yum.repos.d/trivy.repo [trivy] name=Trivy repository baseurl=https://knqyf263.github.io/trivy-repo/rpm/releases/$releasever/$basearch/ gpgcheck=0 enabled=1 $ sudo yum -y update $ sudo yum -y install trivy  

or

 $ rpm -ivh https://github.com/knqyf263/trivy/releases/download/v0.0.13/trivy_0.0.13_Linux-64bit.rpm  

Debian/Ubuntu

Replace  [CODE_NAME]  with your code name

CODE_NAME: wheezy, jessie, stretch, buster, trusty, xenial, bionic

 $ sudo apt-get install apt-transport-https gnupg $ wget -qO - https://knqyf263.github.io/trivy-repo/deb/public.key | sudo apt-key add - $ echo deb https://knqyf263.github.io/trivy-repo/deb [CODE_NAME] main | sudo tee -a /etc/apt/sources.list.d/trivy.list $ sudo apt-get update $ sudo apt-get install trivy  

or

 $ sudo apt-get install rpm $ wget https://github.com/knqyf263/trivy/releases/download/v0.0.13/trivy_0.0.13_Linux-64bit.deb $ sudo dpkg -i trivy_0.0.13_Linux-64bit.deb  

Mac OS X / Homebrew

You can use homebrew on OS X.

 $ brew tap knqyf263/trivy $ brew install knqyf263/trivy/trivy  

二进制 (包括 Windows)

进入 releases 页面，找到相应的把柄，解压并增加可执行权限。

从源码安装

 $ go get -u github.com/knqyf263/trivy