trivy on Astroicers Bloghttps://astroicers.link/tags/trivy.htmlRecent content in trivy on Astroicers BlogHugo -- gohugo.ioenThu, 26 Mar 2026 00:00:00 +0000Trivy 容器安全掃描工具https://astroicers.link/p/trivy-%E5%AE%B9%E5%99%A8%E5%AE%89%E5%85%A8%E6%8E%83%E6%8F%8F%E5%B7%A5%E5%85%B7.htmlThu, 26 Mar 2026 00:00:00 +0000https://astroicers.link/p/trivy-%E5%AE%B9%E5%99%A8%E5%AE%89%E5%85%A8%E6%8E%83%E6%8F%8F%E5%B7%A5%E5%85%B7.html<h2 id="專案簡介">專案簡介</h2> <p><a class="link" href="https://github.com/aquasecurity/trivy" target="_blank" rel="noopener" >Trivy</a> 是 Aqua Security 開發的全方位安全掃描工具。支援容器映像、檔案系統、Git 儲存庫、Kubernetes 等多種目標,可檢測漏洞、錯誤設定和機密資訊。</p> <p><strong>GitHub Stars</strong>: 31K+</p> <h2 id="主要功能">主要功能</h2> <ul> <li><strong>漏洞掃描</strong> - CVE、安全公告</li> <li><strong>錯誤設定檢測</strong> - Dockerfile、K8s、Terraform</li> <li><strong>機密掃描</strong> - API 金鑰、密碼、憑證</li> <li><strong>SBOM 生成</strong> - 軟體物料清單</li> <li><strong>授權合規</strong> - 開源授權檢查</li> </ul> <h2 id="安裝">安裝</h2> <h3 id="homebrew">Homebrew</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">brew install trivy </span></span></code></pre></td></tr></table> </div> </div><h3 id="apt">APT</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo apt-get install wget apt-transport-https gnupg lsb-release </span></span><span class="line"><span class="cl">wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key <span class="p">|</span> sudo apt-key add - </span></span><span class="line"><span class="cl"><span class="nb">echo</span> deb https://aquasecurity.github.io/trivy-repo/deb <span class="k">$(</span>lsb_release -sc<span class="k">)</span> main <span class="p">|</span> sudo tee -a /etc/apt/sources.list.d/trivy.list </span></span><span class="line"><span class="cl">sudo apt-get update </span></span><span class="line"><span class="cl">sudo apt-get install trivy </span></span></code></pre></td></tr></table> </div> </div><h3 id="docker">Docker</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">docker pull aquasec/trivy </span></span></code></pre></td></tr></table> </div> </div><h2 id="容器映像掃描">容器映像掃描</h2> <h3 id="基本掃描">基本掃描</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">trivy image nginx:latest </span></span></code></pre></td></tr></table> </div> </div><h3 id="指定嚴重度">指定嚴重度</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">trivy image --severity CRITICAL,HIGH nginx:latest </span></span></code></pre></td></tr></table> </div> </div><h3 id="忽略未修復漏洞">忽略未修復漏洞</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">trivy image --ignore-unfixed nginx:latest </span></span></code></pre></td></tr></table> </div> </div><h3 id="掃描本地映像">掃描本地映像</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">trivy image --input image.tar </span></span></code></pre></td></tr></table> </div> </div><h3 id="掃描私有-registry">掃描私有 Registry</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 使用環境變數認證</span> </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">TRIVY_USERNAME</span><span class="o">=</span>user </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">TRIVY_PASSWORD</span><span class="o">=</span>password </span></span><span class="line"><span class="cl">trivy image private-registry.com/image:tag </span></span></code></pre></td></tr></table> </div> </div><h2 id="檔案系統掃描">檔案系統掃描</h2> <h3 id="掃描目錄">掃描目錄</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">trivy fs /path/to/project </span></span></code></pre></td></tr></table> </div> </div><h3 id="掃描-git-儲存庫">掃描 Git 儲存庫</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">trivy repo https://github.com/user/repo </span></span></code></pre></td></tr></table> </div> </div><h3 id="掃描-rootfs">掃描 Rootfs</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">trivy rootfs / </span></span></code></pre></td></tr></table> </div> </div><h2 id="iac-掃描">IaC 掃描</h2> <h3 id="terraform">Terraform</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">trivy config /path/to/terraform </span></span></code></pre></td></tr></table> </div> </div><h3 id="kubernetes">Kubernetes</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">trivy config /path/to/k8s-manifests </span></span></code></pre></td></tr></table> </div> </div><h3 id="dockerfile">Dockerfile</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">trivy config --file-patterns <span class="s2">&#34;Dockerfile:dockerfile&#34;</span> /path/to/project </span></span></code></pre></td></tr></table> </div> </div><h3 id="常見錯誤設定">常見錯誤設定</h3> <ul> <li>以 root 運行容器</li> <li>使用 latest 標籤</li> <li>缺少資源限制</li> <li>暴露敏感端口</li> </ul> <h2 id="機密掃描">機密掃描</h2> <h3 id="啟用機密掃描">啟用機密掃描</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">trivy fs --scanners secret /path/to/project </span></span></code></pre></td></tr></table> </div> </div><h3 id="自訂規則">自訂規則</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># trivy-secret.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">id</span><span class="p">:</span><span class="w"> </span><span class="l">custom-api-key</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">category</span><span class="p">:</span><span class="w"> </span><span class="l">general</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">title</span><span class="p">:</span><span class="w"> </span><span class="l">Custom API Key</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">severity</span><span class="p">:</span><span class="w"> </span><span class="l">HIGH</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">regex</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;CUSTOM_API_KEY\s*=\s*[&#34;\&#39;]([^&#34;\&#39;]+)[&#34;\&#39;]&#39;</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">trivy fs --secret-config trivy-secret.yaml /path/to/project </span></span></code></pre></td></tr></table> </div> </div><h2 id="sbom-生成">SBOM 生成</h2> <h3 id="cyclonedx-格式">CycloneDX 格式</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">trivy image --format cyclonedx -o sbom.json nginx:latest </span></span></code></pre></td></tr></table> </div> </div><h3 id="spdx-格式">SPDX 格式</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">trivy image --format spdx-json -o sbom.json nginx:latest </span></span></code></pre></td></tr></table> </div> </div><h3 id="掃描-sbom">掃描 SBOM</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">trivy sbom sbom.json </span></span></code></pre></td></tr></table> </div> </div><h2 id="cicd-整合">CI/CD 整合</h2> <h3 id="github-actions">GitHub Actions</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Security Scan</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">on</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="l">push, pull_request]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">jobs</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">trivy</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runs-on</span><span class="p">:</span><span class="w"> </span><span class="l">ubuntu-latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">steps</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">actions/checkout@v4</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Build image</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">run</span><span class="p">:</span><span class="w"> </span><span class="l">docker build -t myapp:${{ github.sha }} .</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Run Trivy</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">aquasecurity/trivy-action@master</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">with</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image-ref</span><span class="p">:</span><span class="w"> </span><span class="l">myapp:${{ github.sha }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">format</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;sarif&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">output</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;trivy-results.sarif&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">severity</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;CRITICAL,HIGH&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Upload to GitHub Security</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">github/codeql-action/upload-sarif@v3</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">with</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">sarif_file</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;trivy-results.sarif&#39;</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="gitlab-ci">GitLab CI</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">trivy</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">aquasec/trivy:latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">script</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">trivy image --exit-code 1 --severity CRITICAL $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">allow_failure</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="jenkins">Jenkins</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-groovy" data-lang="groovy"><span class="line"><span class="cl"><span class="n">pipeline</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="n">agent</span> <span class="n">any</span> </span></span><span class="line"><span class="cl"> <span class="n">stages</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="n">stage</span><span class="o">(</span><span class="s1">&#39;Security Scan&#39;</span><span class="o">)</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="n">steps</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="n">sh</span> <span class="s1">&#39;&#39;&#39; </span></span></span><span class="line"><span class="cl"><span class="s1"> trivy image \ </span></span></span><span class="line"><span class="cl"><span class="s1"> --format json \ </span></span></span><span class="line"><span class="cl"><span class="s1"> --output trivy-report.json \ </span></span></span><span class="line"><span class="cl"><span class="s1"> --severity CRITICAL,HIGH \ </span></span></span><span class="line"><span class="cl"><span class="s1"> myapp:latest </span></span></span><span class="line"><span class="cl"><span class="s1"> &#39;&#39;&#39;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="kubernetes-掃描">Kubernetes 掃描</h2> <h3 id="掃描叢集">掃描叢集</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">trivy k8s --report summary cluster </span></span></code></pre></td></tr></table> </div> </div><h3 id="掃描特定-namespace">掃描特定 Namespace</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">trivy k8s --namespace default --report all </span></span></code></pre></td></tr></table> </div> </div><h3 id="掃描-workloads">掃描 Workloads</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">trivy k8s --report summary deployments,pods </span></span></code></pre></td></tr></table> </div> </div><h2 id="輸出格式">輸出格式</h2> <h3 id="json">JSON</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">trivy image --format json -o results.json nginx:latest </span></span></code></pre></td></tr></table> </div> </div><h3 id="table預設">Table(預設)</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">trivy image --format table nginx:latest </span></span></code></pre></td></tr></table> </div> </div><h3 id="sarif">SARIF</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">trivy image --format sarif -o results.sarif nginx:latest </span></span></code></pre></td></tr></table> </div> </div><h3 id="template">Template</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">trivy image --format template --template <span class="s2">&#34;@contrib/html.tpl&#34;</span> -o report.html nginx:latest </span></span></code></pre></td></tr></table> </div> </div><h2 id="忽略漏洞">忽略漏洞</h2> <h3 id="trivyignore">.trivyignore</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl"># 忽略特定 CVE </span></span><span class="line"><span class="cl">CVE-2023-12345 </span></span><span class="line"><span class="cl">CVE-2023-67890 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"># 忽略整個套件 </span></span><span class="line"><span class="cl">pkg:npm/lodash </span></span></code></pre></td></tr></table> </div> </div><h3 id="內聯忽略">內聯忽略</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># trivy:ignore:CVE-2023-12345</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="l">FROM nginx:latest</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h2 id="相關連結">相關連結</h2> <ul> <li><a class="link" href="https://github.com/aquasecurity/trivy" target="_blank" rel="noopener" >GitHub Repository</a></li> <li><a class="link" href="https://aquasecurity.github.io/trivy/" target="_blank" rel="noopener" >官方文件</a></li> <li><a class="link" href="https://aquasecurity.github.io/trivy/latest/docs/vulnerability/detection/data-source/" target="_blank" rel="noopener" >漏洞資料庫</a></li> </ul> <h2 id="延伸閱讀">延伸閱讀</h2> <ul> <li><a class="link" href="https://astroicers.link/p/docker-scout/" >Docker Scout 容器安全</a></li> <li><a class="link" href="https://astroicers.link/p/harbor-container-registry/" >Harbor 容器映像倉庫</a></li> <li><a class="link" href="https://astroicers.link/p/kubernetes-pod-security-standards/" >Kubernetes Pod Security Standards</a></li> </ul>