devsecops on Astroicers Bloghttps://astroicers.link/tags/devsecops.htmlRecent content in devsecops on Astroicers BlogHugo -- gohugo.ioenFri, 22 May 2026 00:00:00 +0000Grype 容器漏洞掃描工具https://astroicers.link/p/grype-%E5%AE%B9%E5%99%A8%E6%BC%8F%E6%B4%9E%E6%8E%83%E6%8F%8F%E5%B7%A5%E5%85%B7.htmlFri, 22 May 2026 00:00:00 +0000https://astroicers.link/p/grype-%E5%AE%B9%E5%99%A8%E6%BC%8F%E6%B4%9E%E6%8E%83%E6%8F%8F%E5%B7%A5%E5%85%B7.html<h2 id="專案簡介">專案簡介</h2> <p><a class="link" href="https://github.com/anchore/grype" target="_blank" rel="noopener" >Grype</a> 是 Anchore 開發的容器映像漏洞掃描工具,可掃描容器映像、檔案系統、SBOM 中的已知漏洞。與 Syft 整合使用,是容器安全的重要工具。</p> <p><strong>GitHub Stars</strong>: 11K+</p> <h2 id="主要功能">主要功能</h2> <ul> <li><strong>容器掃描</strong> - 掃描 Docker/OCI 映像</li> <li><strong>檔案系統</strong> - 掃描本地目錄</li> <li><strong>SBOM 掃描</strong> - 掃描 SBOM 檔案</li> <li><strong>多資料庫</strong> - CVE、NVD、GitHub Advisory</li> <li><strong>CI/CD 整合</strong> - 易於自動化</li> </ul> <h2 id="安裝">安裝</h2> <h3 id="快速安裝">快速安裝</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh <span class="p">|</span> sh -s -- -b /usr/local/bin </span></span></code></pre></td></tr></table> </div> </div><h3 id="homebrew">Homebrew</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">brew install grype </span></span></code></pre></td></tr></table> </div> </div><h3 id="docker">Docker</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">docker run --rm anchore/grype:latest --help </span></span></code></pre></td></tr></table> </div> </div><h2 id="基本使用">基本使用</h2> <h3 id="掃描容器映像">掃描容器映像</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 從 Registry</span> </span></span><span class="line"><span class="cl">grype nginx:latest </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 從本地 Docker</span> </span></span><span class="line"><span class="cl">grype docker:nginx:latest </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 從 tar 檔案</span> </span></span><span class="line"><span class="cl">grype docker-archive:image.tar </span></span></code></pre></td></tr></table> </div> </div><h3 id="掃描目錄">掃描目錄</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">grype dir:/path/to/project </span></span></code></pre></td></tr></table> </div> </div><h3 id="掃描-sbom">掃描 SBOM</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 先產生 SBOM</span> </span></span><span class="line"><span class="cl">syft nginx:latest -o json &gt; sbom.json </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 掃描 SBOM</span> </span></span><span class="line"><span class="cl">grype sbom:sbom.json </span></span></code></pre></td></tr></table> </div> </div><h2 id="輸出格式">輸出格式</h2> <h3 id="表格預設">表格(預設)</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">grype nginx:latest </span></span></code></pre></td></tr></table> </div> </div><p>輸出範例:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY </span></span><span class="line"><span class="cl">libssl3 3.0.2 3.0.7 deb CVE-2022-3786 High </span></span><span class="line"><span class="cl">zlib1g 1:1.2.11 1:1.2.13 deb CVE-2022-37434 Critical </span></span></code></pre></td></tr></table> </div> </div><h3 id="json">JSON</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">grype nginx:latest -o json &gt; results.json </span></span></code></pre></td></tr></table> </div> </div><h3 id="sarif">SARIF</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">grype nginx:latest -o sarif &gt; results.sarif </span></span></code></pre></td></tr></table> </div> </div><h3 id="cyclonedx">CycloneDX</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">grype nginx:latest -o cyclonedx &gt; results.xml </span></span></code></pre></td></tr></table> </div> </div><h2 id="過濾和忽略">過濾和忽略</h2> <h3 id="嚴重程度過濾">嚴重程度過濾</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 只顯示 High 和 Critical</span> </span></span><span class="line"><span class="cl">grype nginx:latest --only-fixed --fail-on high </span></span></code></pre></td></tr></table> </div> </div><h3 id="忽略規則">忽略規則</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># .grype.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">ignore</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">vulnerability</span><span class="p">:</span><span class="w"> </span><span class="l">CVE-2022-12345</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">vulnerability</span><span class="p">:</span><span class="w"> </span><span class="l">CVE-2022-67890</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">fix-state</span><span class="p">:</span><span class="w"> </span><span class="l">not-fixed</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">package</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">openssl</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">deb</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="使用忽略檔">使用忽略檔</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">grype nginx:latest --config .grype.yaml </span></span></code></pre></td></tr></table> </div> </div><h2 id="cicd-整合">CI/CD 整合</h2> <h3 id="github-actions">GitHub Actions</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Security Scan</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">on</span><span class="p">:</span><span class="w"> </span><span class="l">push</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">jobs</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">scan</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runs-on</span><span class="p">:</span><span class="w"> </span><span class="l">ubuntu-latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">steps</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">actions/checkout@v4</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Build Image</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">run</span><span class="p">:</span><span class="w"> </span><span class="l">docker build -t myapp:${{ github.sha }} .</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Scan Image</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">anchore/scan-action@v3</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">with</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">myapp:${{ github.sha }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">fail-build</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">severity-cutoff</span><span class="p">:</span><span class="w"> </span><span class="l">high</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Upload SARIF</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">github/codeql-action/upload-sarif@v2</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">with</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">sarif_file</span><span class="p">:</span><span class="w"> </span><span class="l">results.sarif</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="gitlab-ci">GitLab CI</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">security-scan</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">stage</span><span class="p">:</span><span class="w"> </span><span class="l">security</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">anchore/grype:latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">script</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">grype $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA --fail-on high -o json &gt; grype-report.json</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">artifacts</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">paths</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">grype-report.json</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="jenkins">Jenkins</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-groovy" data-lang="groovy"><span class="line"><span class="cl"><span class="n">pipeline</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="n">agent</span> <span class="n">any</span> </span></span><span class="line"><span class="cl"> <span class="n">stages</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="n">stage</span><span class="o">(</span><span class="s1">&#39;Security Scan&#39;</span><span class="o">)</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="n">steps</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="n">sh</span> <span class="s1">&#39;&#39;&#39; </span></span></span><span class="line"><span class="cl"><span class="s1"> docker run --rm \ </span></span></span><span class="line"><span class="cl"><span class="s1"> -v /var/run/docker.sock:/var/run/docker.sock \ </span></span></span><span class="line"><span class="cl"><span class="s1"> anchore/grype:latest \ </span></span></span><span class="line"><span class="cl"><span class="s1"> docker:myapp:latest \ </span></span></span><span class="line"><span class="cl"><span class="s1"> --fail-on high </span></span></span><span class="line"><span class="cl"><span class="s1"> &#39;&#39;&#39;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="與-syft-整合">與 Syft 整合</h2> <h3 id="產生和掃描-sbom">產生和掃描 SBOM</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 產生 SBOM</span> </span></span><span class="line"><span class="cl">syft nginx:latest -o spdx-json &gt; sbom.json </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 掃描 SBOM</span> </span></span><span class="line"><span class="cl">grype sbom:sbom.json </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 或一行完成</span> </span></span><span class="line"><span class="cl">syft nginx:latest -o json <span class="p">|</span> grype </span></span></code></pre></td></tr></table> </div> </div><h3 id="工作流程">工作流程</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">Image → Syft → SBOM → Grype → Vulnerabilities </span></span></code></pre></td></tr></table> </div> </div><h2 id="資料庫管理">資料庫管理</h2> <h3 id="更新資料庫">更新資料庫</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">grype db update </span></span></code></pre></td></tr></table> </div> </div><h3 id="檢查狀態">檢查狀態</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">grype db status </span></span></code></pre></td></tr></table> </div> </div><h3 id="資料庫位置">資料庫位置</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 預設</span> </span></span><span class="line"><span class="cl">~/.cache/grype/db </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 自訂</span> </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">GRYPE_DB_CACHE_DIR</span><span class="o">=</span>/custom/path </span></span></code></pre></td></tr></table> </div> </div><h2 id="進階設定">進階設定</h2> <h3 id="設定檔">設定檔</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># .grype.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">check-for-app-update</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">fail-on-severity</span><span class="p">:</span><span class="w"> </span><span class="l">high</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">only-fixed</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">scope</span><span class="p">:</span><span class="w"> </span><span class="l">all-layers</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">output</span><span class="p">:</span><span class="w"> </span><span class="l">json</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">db</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">auto-update</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cache-dir</span><span class="p">:</span><span class="w"> </span><span class="l">/custom/cache</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">log</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">level</span><span class="p">:</span><span class="w"> </span><span class="l">warn</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="掃描範圍">掃描範圍</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 所有層(預設)</span> </span></span><span class="line"><span class="cl">grype nginx:latest --scope all-layers </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 只掃描最終層</span> </span></span><span class="line"><span class="cl">grype nginx:latest --scope squashed </span></span></code></pre></td></tr></table> </div> </div><h2 id="漏洞資料來源">漏洞資料來源</h2> <h3 id="支援的資料庫">支援的資料庫</h3> <table> <thead> <tr> <th>來源</th> <th>涵蓋範圍</th> </tr> </thead> <tbody> <tr> <td>Alpine SecDB</td> <td>Alpine 套件</td> </tr> <tr> <td>Amazon Linux Security</td> <td>Amazon Linux</td> </tr> <tr> <td>Debian Security</td> <td>Debian 套件</td> </tr> <tr> <td>GitHub Advisories</td> <td>各語言套件</td> </tr> <tr> <td>NVD</td> <td>全面 CVE</td> </tr> <tr> <td>Red Hat Security</td> <td>RHEL/CentOS</td> </tr> <tr> <td>Ubuntu Security</td> <td>Ubuntu 套件</td> </tr> </tbody> </table> <h2 id="最佳實踐">最佳實踐</h2> <h3 id="建置流程整合">建置流程整合</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="cp">#!/bin/bash </span></span></span><span class="line"><span class="cl"><span class="cp"></span><span class="nb">set</span> -e </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 建置映像</span> </span></span><span class="line"><span class="cl">docker build -t myapp:latest . </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 產生 SBOM</span> </span></span><span class="line"><span class="cl">syft myapp:latest -o spdx-json &gt; sbom.json </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 掃描漏洞</span> </span></span><span class="line"><span class="cl">grype sbom:sbom.json --fail-on high </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 通過後推送</span> </span></span><span class="line"><span class="cl">docker push myapp:latest </span></span></code></pre></td></tr></table> </div> </div><h3 id="定期掃描">定期掃描</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Cron job</span> </span></span><span class="line"><span class="cl"><span class="m">0</span> <span class="m">0</span> * * * grype docker:production-app:latest --fail-on critical -o json &gt;&gt; /var/log/grype-scans.log </span></span></code></pre></td></tr></table> </div> </div><h2 id="相關連結">相關連結</h2> <ul> <li><a class="link" href="https://github.com/anchore/grype" target="_blank" rel="noopener" >GitHub Repository</a></li> <li><a class="link" href="https://github.com/anchore/syft" target="_blank" rel="noopener" >Syft SBOM 工具</a></li> <li><a class="link" href="https://github.com/anchore/grype#readme" target="_blank" rel="noopener" >官方文件</a></li> </ul> <h2 id="延伸閱讀">延伸閱讀</h2> <ul> <li><a class="link" href="https://astroicers.link/p/trivy-container-security/" >Trivy 容器安全掃描</a></li> <li><a class="link" href="https://astroicers.link/p/docker-scout/" >Docker Scout 安全掃描</a></li> <li><a class="link" href="https://astroicers.link/p/docker-security-best-practices/" >Docker 安全最佳實踐</a></li> </ul>Trivy 容器安全掃描工具https://astroicers.link/p/trivy-%E5%AE%B9%E5%99%A8%E5%AE%89%E5%85%A8%E6%8E%83%E6%8F%8F%E5%B7%A5%E5%85%B7.htmlThu, 26 Mar 2026 00:00:00 +0000https://astroicers.link/p/trivy-%E5%AE%B9%E5%99%A8%E5%AE%89%E5%85%A8%E6%8E%83%E6%8F%8F%E5%B7%A5%E5%85%B7.html<h2 id="專案簡介">專案簡介</h2> <p><a class="link" href="https://github.com/aquasecurity/trivy" target="_blank" rel="noopener" >Trivy</a> 是 Aqua Security 開發的全方位安全掃描工具。支援容器映像、檔案系統、Git 儲存庫、Kubernetes 等多種目標,可檢測漏洞、錯誤設定和機密資訊。</p> <p><strong>GitHub Stars</strong>: 31K+</p> <h2 id="主要功能">主要功能</h2> <ul> <li><strong>漏洞掃描</strong> - CVE、安全公告</li> <li><strong>錯誤設定檢測</strong> - Dockerfile、K8s、Terraform</li> <li><strong>機密掃描</strong> - API 金鑰、密碼、憑證</li> <li><strong>SBOM 生成</strong> - 軟體物料清單</li> <li><strong>授權合規</strong> - 開源授權檢查</li> </ul> <h2 id="安裝">安裝</h2> <h3 id="homebrew">Homebrew</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">brew install trivy </span></span></code></pre></td></tr></table> </div> </div><h3 id="apt">APT</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo apt-get install wget apt-transport-https gnupg lsb-release </span></span><span class="line"><span class="cl">wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key <span class="p">|</span> sudo apt-key add - </span></span><span class="line"><span class="cl"><span class="nb">echo</span> deb https://aquasecurity.github.io/trivy-repo/deb <span class="k">$(</span>lsb_release -sc<span class="k">)</span> main <span class="p">|</span> sudo tee -a /etc/apt/sources.list.d/trivy.list </span></span><span class="line"><span class="cl">sudo apt-get update </span></span><span class="line"><span class="cl">sudo apt-get install trivy </span></span></code></pre></td></tr></table> </div> </div><h3 id="docker">Docker</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">docker pull aquasec/trivy </span></span></code></pre></td></tr></table> </div> </div><h2 id="容器映像掃描">容器映像掃描</h2> <h3 id="基本掃描">基本掃描</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">trivy image nginx:latest </span></span></code></pre></td></tr></table> </div> </div><h3 id="指定嚴重度">指定嚴重度</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">trivy image --severity CRITICAL,HIGH nginx:latest </span></span></code></pre></td></tr></table> </div> </div><h3 id="忽略未修復漏洞">忽略未修復漏洞</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">trivy image --ignore-unfixed nginx:latest </span></span></code></pre></td></tr></table> </div> </div><h3 id="掃描本地映像">掃描本地映像</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">trivy image --input image.tar </span></span></code></pre></td></tr></table> </div> </div><h3 id="掃描私有-registry">掃描私有 Registry</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 使用環境變數認證</span> </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">TRIVY_USERNAME</span><span class="o">=</span>user </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">TRIVY_PASSWORD</span><span class="o">=</span>password </span></span><span class="line"><span class="cl">trivy image private-registry.com/image:tag </span></span></code></pre></td></tr></table> </div> </div><h2 id="檔案系統掃描">檔案系統掃描</h2> <h3 id="掃描目錄">掃描目錄</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">trivy fs /path/to/project </span></span></code></pre></td></tr></table> </div> </div><h3 id="掃描-git-儲存庫">掃描 Git 儲存庫</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">trivy repo https://github.com/user/repo </span></span></code></pre></td></tr></table> </div> </div><h3 id="掃描-rootfs">掃描 Rootfs</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">trivy rootfs / </span></span></code></pre></td></tr></table> </div> </div><h2 id="iac-掃描">IaC 掃描</h2> <h3 id="terraform">Terraform</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">trivy config /path/to/terraform </span></span></code></pre></td></tr></table> </div> </div><h3 id="kubernetes">Kubernetes</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">trivy config /path/to/k8s-manifests </span></span></code></pre></td></tr></table> </div> </div><h3 id="dockerfile">Dockerfile</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">trivy config --file-patterns <span class="s2">&#34;Dockerfile:dockerfile&#34;</span> /path/to/project </span></span></code></pre></td></tr></table> </div> </div><h3 id="常見錯誤設定">常見錯誤設定</h3> <ul> <li>以 root 運行容器</li> <li>使用 latest 標籤</li> <li>缺少資源限制</li> <li>暴露敏感端口</li> </ul> <h2 id="機密掃描">機密掃描</h2> <h3 id="啟用機密掃描">啟用機密掃描</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">trivy fs --scanners secret /path/to/project </span></span></code></pre></td></tr></table> </div> </div><h3 id="自訂規則">自訂規則</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># trivy-secret.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">id</span><span class="p">:</span><span class="w"> </span><span class="l">custom-api-key</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">category</span><span class="p">:</span><span class="w"> </span><span class="l">general</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">title</span><span class="p">:</span><span class="w"> </span><span class="l">Custom API Key</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">severity</span><span class="p">:</span><span class="w"> </span><span class="l">HIGH</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">regex</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;CUSTOM_API_KEY\s*=\s*[&#34;\&#39;]([^&#34;\&#39;]+)[&#34;\&#39;]&#39;</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">trivy fs --secret-config trivy-secret.yaml /path/to/project </span></span></code></pre></td></tr></table> </div> </div><h2 id="sbom-生成">SBOM 生成</h2> <h3 id="cyclonedx-格式">CycloneDX 格式</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">trivy image --format cyclonedx -o sbom.json nginx:latest </span></span></code></pre></td></tr></table> </div> </div><h3 id="spdx-格式">SPDX 格式</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">trivy image --format spdx-json -o sbom.json nginx:latest </span></span></code></pre></td></tr></table> </div> </div><h3 id="掃描-sbom">掃描 SBOM</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">trivy sbom sbom.json </span></span></code></pre></td></tr></table> </div> </div><h2 id="cicd-整合">CI/CD 整合</h2> <h3 id="github-actions">GitHub Actions</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Security Scan</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">on</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="l">push, pull_request]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">jobs</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">trivy</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runs-on</span><span class="p">:</span><span class="w"> </span><span class="l">ubuntu-latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">steps</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">actions/checkout@v4</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Build image</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">run</span><span class="p">:</span><span class="w"> </span><span class="l">docker build -t myapp:${{ github.sha }} .</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Run Trivy</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">aquasecurity/trivy-action@master</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">with</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image-ref</span><span class="p">:</span><span class="w"> </span><span class="l">myapp:${{ github.sha }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">format</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;sarif&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">output</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;trivy-results.sarif&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">severity</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;CRITICAL,HIGH&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Upload to GitHub Security</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">github/codeql-action/upload-sarif@v3</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">with</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">sarif_file</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;trivy-results.sarif&#39;</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="gitlab-ci">GitLab CI</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">trivy</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">aquasec/trivy:latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">script</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">trivy image --exit-code 1 --severity CRITICAL $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">allow_failure</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="jenkins">Jenkins</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-groovy" data-lang="groovy"><span class="line"><span class="cl"><span class="n">pipeline</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="n">agent</span> <span class="n">any</span> </span></span><span class="line"><span class="cl"> <span class="n">stages</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="n">stage</span><span class="o">(</span><span class="s1">&#39;Security Scan&#39;</span><span class="o">)</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="n">steps</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="n">sh</span> <span class="s1">&#39;&#39;&#39; </span></span></span><span class="line"><span class="cl"><span class="s1"> trivy image \ </span></span></span><span class="line"><span class="cl"><span class="s1"> --format json \ </span></span></span><span class="line"><span class="cl"><span class="s1"> --output trivy-report.json \ </span></span></span><span class="line"><span class="cl"><span class="s1"> --severity CRITICAL,HIGH \ </span></span></span><span class="line"><span class="cl"><span class="s1"> myapp:latest </span></span></span><span class="line"><span class="cl"><span class="s1"> &#39;&#39;&#39;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="kubernetes-掃描">Kubernetes 掃描</h2> <h3 id="掃描叢集">掃描叢集</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">trivy k8s --report summary cluster </span></span></code></pre></td></tr></table> </div> </div><h3 id="掃描特定-namespace">掃描特定 Namespace</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">trivy k8s --namespace default --report all </span></span></code></pre></td></tr></table> </div> </div><h3 id="掃描-workloads">掃描 Workloads</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">trivy k8s --report summary deployments,pods </span></span></code></pre></td></tr></table> </div> </div><h2 id="輸出格式">輸出格式</h2> <h3 id="json">JSON</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">trivy image --format json -o results.json nginx:latest </span></span></code></pre></td></tr></table> </div> </div><h3 id="table預設">Table(預設)</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">trivy image --format table nginx:latest </span></span></code></pre></td></tr></table> </div> </div><h3 id="sarif">SARIF</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">trivy image --format sarif -o results.sarif nginx:latest </span></span></code></pre></td></tr></table> </div> </div><h3 id="template">Template</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">trivy image --format template --template <span class="s2">&#34;@contrib/html.tpl&#34;</span> -o report.html nginx:latest </span></span></code></pre></td></tr></table> </div> </div><h2 id="忽略漏洞">忽略漏洞</h2> <h3 id="trivyignore">.trivyignore</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl"># 忽略特定 CVE </span></span><span class="line"><span class="cl">CVE-2023-12345 </span></span><span class="line"><span class="cl">CVE-2023-67890 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"># 忽略整個套件 </span></span><span class="line"><span class="cl">pkg:npm/lodash </span></span></code></pre></td></tr></table> </div> </div><h3 id="內聯忽略">內聯忽略</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># trivy:ignore:CVE-2023-12345</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="l">FROM nginx:latest</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h2 id="相關連結">相關連結</h2> <ul> <li><a class="link" href="https://github.com/aquasecurity/trivy" target="_blank" rel="noopener" >GitHub Repository</a></li> <li><a class="link" href="https://aquasecurity.github.io/trivy/" target="_blank" rel="noopener" >官方文件</a></li> <li><a class="link" href="https://aquasecurity.github.io/trivy/latest/docs/vulnerability/detection/data-source/" target="_blank" rel="noopener" >漏洞資料庫</a></li> </ul> <h2 id="延伸閱讀">延伸閱讀</h2> <ul> <li><a class="link" href="https://astroicers.link/p/docker-scout/" >Docker Scout 容器安全</a></li> <li><a class="link" href="https://astroicers.link/p/harbor-container-registry/" >Harbor 容器映像倉庫</a></li> <li><a class="link" href="https://astroicers.link/p/kubernetes-pod-security-standards/" >Kubernetes Pod Security Standards</a></li> </ul>