Changes
Ensure trivy docker image runs as a non root user (#519)
This change has been reverted in v0.10.1.
Trivy now runs as a non-root user inside the docker image. If you run the docker image and point the cache directory at a path under /root as in the following command, the scan may fail with a permission denied error because the unprivileged user cannot write there.
$ docker run --rm -v $PWD:/root/.cache/ aquasec/trivy:latest --cache-dir /root/.cache image centos:7
In that case, use a directory the non-root user can write to instead, for example:
$ docker run --rm -v $PWD:/tmp/.cache/ aquasec/trivy:latest --cache-dir /tmp/.cache image centos:7
See also: https://github.com/aquasecurity/trivy#others
Only show severity total from filter flags (#559)
$ trivy image --severity MEDIUM alpine:3.10.2
2020-07-30T16:16:37.890+0300 INFO Detecting Alpine vulnerabilities...
alpine:3.10.2 (alpine 3.10.2)
=============================
Total: 4 (MEDIUM: 4)
New features
Support OPA to filter vulnerabilities (#562)
Trivy supports Open Policy Agent (OPA) to filter vulnerabilities. You can specify a Rego file with the --ignore-policy option; a vulnerability is dropped from the report when the policy evaluates to ignore.
$ trivy image --ignore-policy contrib/example_filter/basic.rego centos:7
For more details: https://github.com/aquasecurity/trivy#filter-the-vulnerabilities-by-open-policy-agent-policy
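As an added illustration (not the contrib/example_filter/basic.rego shipped with Trivy), the policy below combines the new CWE-ID field with the ignore policy: it drops findings whose CWE is in a set the team triages elsewhere, plus individually accepted vulnerability IDs. It assumes Trivy evaluates data.trivy.ignore once per detected vulnerability with that vulnerability's report object (VulnerabilityID, PkgName, Severity, CweIDs, ...) bound to input; the CVE ID in accepted_ids is a placeholder.

```rego
# Added example ignore policy; assumes Trivy queries data.trivy.ignore with one
# vulnerability object from the JSON report bound to `input`. A true result
# removes that finding from the report.
package trivy

default ignore = false

# Vulnerability IDs that have been reviewed and accepted.
# CVE-0000-0000 is a placeholder, not a real identifier.
accepted_ids := {"CVE-0000-0000"}

# Weakness classes handled by a separate process. CWE-330 (insufficiently
# random values) is the CWE shown in the CWE-ID example output above.
ignored_cwes := {"CWE-330"}

# Ignore a finding that has been explicitly accepted by ID.
ignore {
    input.VulnerabilityID == accepted_ids[_]
}

# Ignore a finding if any of its CWE IDs is in the ignored set.
ignore {
    input.CweIDs[_] == ignored_cwes[_]
}
```

Before wiring the policy into a scan, evaluate it offline against a single vulnerability object copied from the JSON report, e.g. opa eval -i vuln.json -d policy.rego 'data.trivy.ignore', and confirm it returns true only for the findings you intend to drop.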
Add CWE-ID (#561)
$ trivy image -f json alpine:3.10.2
[
  {
    "Target": "alpine:3.10.2 (alpine 3.10.2)",
    "Type": "alpine",
    "Vulnerabilities": [
      {
        "VulnerabilityID": "CVE-2019-1549",
        "CweIDs": [
          "CWE-330"
        ],
        ...
Add --list-all-pkgs option (#574)
The --list-all-pkgs option outputs all installed packages/libraries, including those that have no known vulnerabilities.
$ trivy image -f json --list-all-pkgs alpine:3.10.2
[
  {
    "Target": "alpine:3.10.2 (alpine 3.10.2)",
    "Type": "alpine",
    "Packages": [
      {
        "Name": "alpine-baselayout",
        "Version": "3.1.2-r0",
        "Layer": {
          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
        }
      },
      {
        "Name": "alpine-keys",
        "Version": "2.1-r2",
        "Layer": {
          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
        }
      },
      ...
Add sarif template (#558)
Fixes
- improve ruby comparison version check. (#552)
- Fix --timeout flag (#569)
- rpc: Add CVSS information to client/server (#564)
Changelog
20f2bae Fix non-root directory permission denied error (#578)
8eb9df8 .circleci: Add code coverage (#572)
88aaffa Added support of list-all-packages (#574)
469c0b4 fix: only show severity total from filter flags (#559)
4a34f72 Update README.md (#575)
4d721e1 SARIF: Tweak format for GitHub UI (#571)
9c91da8 Add non root user (#570)
5b9d942 rpc: Add CVSS information to client/server (#564)
d6b37cb Fix --timeout flag (#569)
9c6f077 feat(report): support OPA to filter vulnerabilities (#562)
0b5d936 Fixed case when pre-release is in suffix (#565)
6eebed3 improve ruby comparison version check. (#552)
43085a8 Added sarif template (#558)
4f90b11 feat(vulnerability): add CWE-ID (#561)
Docker images
docker pull docker.io/aquasec/trivy:0.10.0
docker pull docker.io/aquasec/trivy:latest