¶ Vulnerabilities with Trivy
¶ What is a Vulnerability?
In English, "vulnerability" refers to a weakness or flaw within a system that can be exploited by unauthorized parties to breach the system's security policies.
¶ What is Trivy and Why Are We Using It?
Trivy is an open-source tool used to detect security vulnerabilities in various software development environments, such as containers, code repositories, Docker images, file systems, and infrastructure configurations.
¶ Main Functions of Trivy:
- Detecting vulnerabilities in container images: Trivy can scan container images, such as those in Docker, for security vulnerabilities used within the container.
- Detecting vulnerabilities in file systems: Trivy can scan file systems on servers for vulnerabilities.
- Detecting vulnerabilities in application dependencies: Trivy can also check dependencies managed by package managers such as npm (Node.js), Maven (Java), and others.
- Scanning Git repositories: Trivy can detect vulnerabilities in the source code from Git repositories.
¶ Why Are We Using Trivy?
- Early detection of security vulnerabilities: Trivy allows us to discover vulnerabilities or weaknesses in applications and infrastructure early in the software development lifecycle, minimizing potential security risks before releasing the application.
- Easy to Use: One of Trivy's main advantages is its ease of use. With just a single simple command, we can scan containers, file systems, or dependencies to detect vulnerabilities.
- Fast and Efficient: Trivy quickly and efficiently scans using an integrated vulnerability database. It detects vulnerabilities in OS libraries (e.g., Alpine, Debian, Ubuntu).
- Open-Source and Free: Trivy is an open-source tool, meaning it is free to access and use by anyone.
- Ideal for CI/CD Pipelines: Trivy can be integrated into CI/CD pipelines to check for vulnerabilities before applications are published. This helps automate the security testing process and ensures that only secure applications are released.
¶ How to Install Trivy Locally on Windows ?
- Install Go (Golang) for Windows first, accessible through the link:[ Go installation guide](
Download and install - The Go Programming Language
- "").
- Visit Trivy GitHub releases to check for the latest version of Trivy.
- Clone the Trivy repository:
bashgit clone --depth 1 --branch v(version) https://github.com/aquasecurity/trivy
Remove the parentheses and replace (version) with the Trivy version, e.g., v0.55.1.
- After cloning, navigate to the Trivy folder:
bashcd trivy - Run the command:
bashgo install ./cmd/trivy - To verify the installation, runn:
bashtrivy -v - If the version appears, it indicates that Trivy has been successfully installed.
¶ How to Install Trivy Locally on Mac OS ?
- It is recommended to install Trivy using Homebrew. To do this, we can use the Homebrew package manager.
- Run the command:
bashbrew install trivy - To check if it has been installed properly, use:
bashtrivy version
¶ How to Scan for Issues ?
Displaying Only Issues with High and Critical Status:
trivy fs --severity HIGH,CRITICAL /path/to/your/repo
¶ Example result from scanning :
¶ How to Fix Issues?
To fix an issue found by Trivy, check the "title" column. In the example above, there is a vulnerability in the axios library in version 1.7.2, which has been fixed in version 1.7.4. To resolve the issue, update the axios library to version 1.7.4, and then rescan.
¶ Can All Issues Be Fixed?
No, as shown in the example above, Trivy reported a vulnerability in the xlsx library in version 0.18.5, stating that it is fixed in versions 0.19.3 and 0.20.2. However, on the official npm website, these versions (0.19.3 and 0.20.2) do not exist. This indicates that the issue with xlsx cannot be fixed, and we may need to wait for an update from the library’s developers.
¶ Unfixed scan results:
¶ Benefit Scanning Trivy On Local Before Pushing Into Repo ?
Performing a local Trivy scan before pushing code is important because:
- Early issue detection: You can find security vulnerabilities before the code enters the main branch.
- Prevent build failure: If vulnerabilities are found in the CI/CD pipeline, the build might fail. Scanning locally helps avoid this.
- Save time: Fixing issues early is faster than after the code is pushed.
- Follow security policies: Some projects have rules requiring scans before pushing.
In short, local scanning keeps the code safer and ensures smoother development.