我的书签
添加书签
移除书签Filesystem
You have to specify to enable misconfiguration detection.
Vulnerability and Misconfiguration scanning
The difference between fs and config subcommand is that fs can detect both vulnerabilities and misconfiguration at the same time.
$ ls myapp/Dockerfile Pipfile.lock$ trivy fs --security-checks vuln,config --severity HIGH,CRITICAL myapp/2021-07-09T12:03:27.564+0300 INFO Detected OS: unknown2021-07-09T12:03:27.564+0300 INFO Number of language-specific files: 12021-07-09T12:03:27.564+0300 INFO Detecting pipenv vulnerabilities...2021-07-09T12:03:27.566+0300 INFO Detected config files: 1Pipfile.lock (pipenv)Total: 1 (HIGH: 1, CRITICAL: 0)+----------+------------------+----------+-------------------+---------------+---------------------------------------+| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |+----------+------------------+----------+-------------------+---------------+---------------------------------------+| httplib2 | CVE-2021-21240 | HIGH | 0.12.1 | 0.19.0 | python-httplib2: Regular || | | | | | expression denial of || | | | | | service via malicious header || | | | | | -->avd.aquasec.com/nvd/cve-2021-21240 |=======================Tests: 23 (SUCCESSES: 22, FAILURES: 1, EXCEPTIONS: 0)Failures: 1 (HIGH: 1, CRITICAL: 0)+---------------------------+------------+----------------------+----------+------------------------------------------+| TYPE | MISCONF ID | CHECK | SEVERITY | MESSAGE |+---------------------------+------------+----------------------+----------+------------------------------------------+| Dockerfile Security Check | DS002 | Image user is 'root' | HIGH | Last USER command in || | | | | Dockerfile should not be 'root' |+---------------------------+------------+----------------------+----------+------------------------------------------+
In the above example, Trivy detected vulnerabilities of Python dependencies and misconfigurations in Dockerfile.
