
Linux command

trivy command


Copy a command and replace the file names, directories or parameters as needed.

Common examples

Scan a container image

trivy image [image_name:tag]

Scan the local filesystem

trivy fs [path/to/directory]

Scan a git repository

trivy repo [https://github.com/user/repo]

Scan configuration files

trivy config [path/to/configs]

Output results in JSON format

trivy image --format json [image_name]

Only show critical and high vulnerabilities

trivy image --severity CRITICAL,HIGH [image_name]

Hide vulnerabilities that have no fixed version yet

trivy image --ignore-unfixed [image_name]

Generate a CycloneDX SBOM for an image

trivy image --format cyclonedx [image_name]

Description

Trivy is a comprehensive security scanner developed by Aqua Security. It detects known vulnerabilities in OS packages and application dependencies, misconfigurations in infrastructure-as-code files (Kubernetes manifests, Terraform, Dockerfiles and similar), exposed secrets, and software license issues. Trivy supports multiple targets including container images, filesystems, git repositories, virtual machine images, and Kubernetes clusters. It integrates with CI/CD pipelines and can output results in various formats for different tools and platforms. The vulnerability database is downloaded automatically on first use, cached locally, and refreshed when it goes stale. Trivy can generate a Software Bill of Materials (SBOM) in CycloneDX and SPDX formats, and can also scan an existing SBOM file for known vulnerabilities.
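The JSON report is what a CI job normally consumes. The script below is an added example, not part of Trivy or of this page's original content: it reads a Trivy JSON report, flattens Results[].Vulnerabilities[] into one list, and applies a gate policy equivalent to --severity HIGH,CRITICAL --ignore-unfixed plus an allowlist of accepted findings. The field names it reads (Results, Target, Vulnerabilities, VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity) are those of Trivy's JSON output; the embedded sample report, its package names, versions and EXAMPLE-* identifiers are constructed for illustration only.

```python
"""Policy gate over a Trivy JSON report (added example, not Trivy's own code).

Produce real input with:  trivy image --format json --output result.json IMAGE:TAG
"""
import json
import sys

# Trivy's severity labels, ordered so that a threshold comparison works.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the shape of a Trivy JSON report. Package names,
# versions and EXAMPLE-* identifiers are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "example.internal/app:1.0",
    "ArtifactType": "container_image",
    "Results": [
        {
            "Target": "example.internal/app:1.0 (alpine 3.18.0)",
            "Class": "os-pkgs",
            "Type": "alpine",
            "Vulnerabilities": [
                {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "libfoo",
                 "InstalledVersion": "1.0.0-r0", "FixedVersion": "1.0.1-r0",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "EXAMPLE-0002", "PkgName": "libbar",
                 "InstalledVersion": "2.3.0-r0", "FixedVersion": "",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "EXAMPLE-0003", "PkgName": "libbaz",
                 "InstalledVersion": "0.9.0-r0", "FixedVersion": "0.9.1-r0",
                 "Severity": "MEDIUM"},
            ],
        },
        {
            "Target": "app/requirements.txt",
            "Class": "lang-pkgs",
            "Type": "pip",
            "Vulnerabilities": [
                {"VulnerabilityID": "EXAMPLE-0004", "PkgName": "somelib",
                 "InstalledVersion": "1.2.3", "FixedVersion": "1.2.4",
                 "Severity": "HIGH"},
            ],
        },
        # A result with no findings omits the Vulnerabilities key entirely.
        {"Target": "usr/local/bin/tool", "Class": "lang-pkgs", "Type": "gobinary"},
    ],
})


def load_findings(report_json):
    """Flatten Results[].Vulnerabilities[] into one list, tagging each finding with its Target."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "id": vuln.get("VulnerabilityID", ""),
                "target": result.get("Target", ""),
                "pkg": vuln.get("PkgName", ""),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": vuln.get("Severity", "UNKNOWN").upper(),
            })
    return findings


def evaluate(findings, min_severity="HIGH", ignore_unfixed=True, allowlist=()):
    """Split findings into (blocking, skipped); skipped carries (id, reason) pairs."""
    threshold = SEVERITY_RANK[min_severity]
    blocking, skipped = [], []
    for f in findings:
        if f["id"] in allowlist:
            skipped.append((f["id"], "allowlisted"))
        elif ignore_unfixed and not f["fixed"]:
            # Mirrors --ignore-unfixed: nothing to upgrade to yet, so do not fail the build.
            skipped.append((f["id"], "no fix available"))
        elif SEVERITY_RANK.get(f["severity"], 0) < threshold:
            skipped.append((f["id"], "below " + min_severity))
        else:
            blocking.append(f)
    return blocking, skipped


def gate(report_json, **policy):
    """Exit status for a CI step: 0 when clean, 1 when blocking findings remain."""
    blocking, skipped = evaluate(load_findings(report_json), **policy)
    for f in blocking:
        print("BLOCK %-8s %s %s %s -> %s (%s)" % (
            f["severity"], f["id"], f["pkg"], f["installed"], f["fixed"], f["target"]))
    for vid, why in skipped:
        print("skip  %s: %s" % (vid, why))
    return 1 if blocking else 0


if __name__ == "__main__":
    # Read a real report from argv[1], otherwise demonstrate on the constructed sample.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(source, min_severity="HIGH", ignore_unfixed=True))
```

Run it as `python3 gate.py result.json` after `trivy image --format json --output result.json [image_name:tag]`. For the plain pass/fail case Trivy's own `--exit-code 1` combined with `--severity` and `--ignore-unfixed` does the same without a script, and a .trivyignore file covers allowlisting; a script like this earns its place when you want per-target reporting or a policy the flags cannot express.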

Subcommands and options

image, i
Scan a container image from the local daemon, a registry, or a saved tar archive (--input).
filesystem, fs
Scan a local filesystem or directory.
repository, repo
Scan a remote git repository.
config, conf
Scan configuration files for misconfigurations.
kubernetes, k8s
Scan a Kubernetes cluster.
rootfs
Scan a root filesystem (e.g., extracted container image).
sbom
Scan an SBOM file for vulnerabilities.
server, s
Run Trivy in server mode, serving the vulnerability database to client scans.
plugin, p
Manage Trivy plugins.
--severity _levels_
Comma-separated list of severity levels to show: UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL.
--format _format_
Output format: table, json, sarif, template, cyclonedx, spdx, spdx-json, github.
-o, --output _file_
Write results to a file.
--ignore-unfixed
Only show vulnerabilities that have a fix available.
--pkg-types _types_
Comma-separated list of package types to scan: os, library.
--scanners _scanners_
Comma-separated list of scanners: vuln, misconfig, secret, license.
--cache-dir _dir_
Specify cache directory for database.
-q, --quiet
Suppress progress bar and log output.
-d, --debug
Enable debug mode.
-v, --version
Display version information.
-h, --help
Display help message.

FAQ

What is the trivy command used for?

Trivy is Aqua Security's all-in-one scanner for container images, filesystems, git repositories, VM images, Kubernetes clusters and SBOM files. It reports known vulnerabilities in OS and application packages, infrastructure-as-code misconfigurations, exposed secrets and license issues, and can emit its findings as tables, JSON, SARIF or an SBOM for use in CI/CD pipelines.

How do I run a basic trivy example?

Run `trivy image [image_name:tag]` in a terminal; the first run downloads the vulnerability database and caches it. Then adjust file names, paths, flags, or remote targets for your system.

What does the image (i) subcommand do in trivy?

Scan a container image, pulled from a registry, taken from the local daemon, or loaded from a tar archive with --input. `i` is a short alias for `image`.