Security

Trivy 容器安全掃描工具

使用 Aqua Trivy 掃描容器映像、檔案系統、Git 儲存庫的漏洞、錯誤設定和機密資訊

專案簡介

Trivy 是 Aqua Security 開發的全方位安全掃描工具。支援容器映像、檔案系統、Git 儲存庫、Kubernetes 等多種目標,可檢測漏洞、錯誤設定和機密資訊。

GitHub Stars: 31K+

主要功能

  • 漏洞掃描 - CVE、安全公告
  • 錯誤設定檢測 - Dockerfile、K8s、Terraform
  • 機密掃描 - API 金鑰、密碼、憑證
  • SBOM 生成 - 軟體物料清單
  • 授權合規 - 開源授權檢查

安裝

Homebrew

1

brew install trivy

APT

1
2
3
4
5

sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy

Docker

1

docker pull aquasec/trivy

容器映像掃描

基本掃描

1

trivy image nginx:latest

指定嚴重度

1

trivy image --severity CRITICAL,HIGH nginx:latest

忽略未修復漏洞

1

trivy image --ignore-unfixed nginx:latest

掃描本地映像

1

trivy image --input image.tar

掃描私有 Registry

1
2
3
4

# 使用環境變數認證
export TRIVY_USERNAME=user
export TRIVY_PASSWORD=password
trivy image private-registry.com/image:tag

檔案系統掃描

掃描目錄

1

trivy fs /path/to/project

掃描 Git 儲存庫

1

trivy repo https://github.com/user/repo

掃描 Rootfs

1

trivy rootfs /

IaC 掃描

Terraform

1

trivy config /path/to/terraform

Kubernetes

1

trivy config /path/to/k8s-manifests

Dockerfile

1

trivy config --file-patterns "Dockerfile:dockerfile" /path/to/project

常見錯誤設定

  • 以 root 運行容器
  • 使用 latest 標籤
  • 缺少資源限制
  • 暴露敏感端口

機密掃描

啟用機密掃描

1

trivy fs --scanners secret /path/to/project

自訂規則

1
2
3
4
5
6
7

# trivy-secret.yaml
rules:
  - id: custom-api-key
    category: general
    title: Custom API Key
    severity: HIGH
    regex: 'CUSTOM_API_KEY\s*=\s*["\']([^"\']+)["\']'

1

trivy fs --secret-config trivy-secret.yaml /path/to/project

SBOM 生成

CycloneDX 格式

1

trivy image --format cyclonedx -o sbom.json nginx:latest

SPDX 格式

1

trivy image --format spdx-json -o sbom.json nginx:latest

掃描 SBOM

1

trivy sbom sbom.json

CI/CD 整合

GitHub Actions

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

name: Security Scan
on: [push, pull_request]
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build image
        run: docker build -t myapp:${{ github.sha }} .

      - name: Run Trivy
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: myapp:${{ github.sha }}
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'

      - name: Upload to GitHub Security
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'

GitLab CI

1
2
3
4
5

trivy:
  image: aquasec/trivy:latest
  script:
    - trivy image --exit-code 1 --severity CRITICAL $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
  allow_failure: true

Jenkins

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16

pipeline {
    agent any
    stages {
        stage('Security Scan') {
            steps {
                sh '''
                trivy image \
                    --format json \
                    --output trivy-report.json \
                    --severity CRITICAL,HIGH \
                    myapp:latest
                '''
            }
        }
    }
}

Kubernetes 掃描

掃描叢集

1

trivy k8s --report summary cluster

掃描特定 Namespace

1

trivy k8s --namespace default --report all

掃描 Workloads

1

trivy k8s --report summary deployments,pods

輸出格式

JSON

1

trivy image --format json -o results.json nginx:latest

Table(預設)

1

trivy image --format table nginx:latest

SARIF

1

trivy image --format sarif -o results.sarif nginx:latest

Template

1

trivy image --format template --template "@contrib/html.tpl" -o report.html nginx:latest

忽略漏洞

.trivyignore

1
2
3
4
5
6

# 忽略特定 CVE
CVE-2023-12345
CVE-2023-67890

# 忽略整個套件
pkg:npm/lodash

內聯忽略

1
2

# trivy:ignore:CVE-2023-12345
FROM nginx:latest

相關連結

延伸閱讀

comments powered by Disqus
© 2020 - 2026 Astroicers Blog
Built with Hugo
Theme Stack designed by Jimmy