Tool list

  • CVE https://cve.mitre.org/
  • Code scanning https://snyk.io/
    https://github.com/aquasecurity/trivy
  • Image scanning https://github.com/aquasecurity/trivy#os-packages

    Using trivy

    Official documentation

  • Install

    $ sudo vim /etc/yum.repos.d/trivy.repo
    [trivy]
    name=Trivy repository
    baseurl=https://aquasecurity.github.io/trivy-repo/rpm/releases/$releasever/$basearch/
    # gpgcheck=0 disables RPM signature verification for packages from this repository
    gpgcheck=0
    enabled=1
    $ sudo yum -y update
    $ sudo yum -y install trivy
  • Scan an image
    trivy image [image-name:tag]
    [Figure 1: III. Container security - vulnerability scanning of code and images]
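The `trivy image` scan above becomes useful in a build pipeline once its result is turned into a pass/fail decision. The script below is an added example, not code from the original page or from the trivy project: it scans an image into a JSON report and fails the step when any CRITICAL finding is present or more HIGH findings than an allowed number remain. It assumes trivy is installed as described in the install step; the flags it passes (`--format json`, `--output`, `--severity`, `--ignore-unfixed`) are real trivy options. The report written by `write_sample_report` is constructed to mirror the shape of trivy's JSON output, with placeholder vulnerability IDs, so the gate logic can be exercised without a scanner or network access; counting is done with `grep` rather than `jq` to keep the script dependency-free.

```shell
#!/bin/sh
# Added example (not from the original page): use trivy as a CI gate.
# Assumes trivy is installed; the sample report below is constructed.

# Count findings of one severity in a trivy JSON report.
# Dependency-free (no jq): trivy emits one "Severity": "<LEVEL>" line per
# finding, so counting those lines counts findings.
# $1 = report file, $2 = severity level (CRITICAL, HIGH, MEDIUM, LOW)
count_severity() {
    [ -r "$1" ] || { echo "report not readable: $1" >&2; return 2; }
    n=$(grep -c "\"Severity\": *\"$2\"" "$1") || true   # grep exits 1 on zero matches
    echo "$n"
}

# Policy: zero CRITICAL findings, and at most $2 HIGH findings (default 0).
# Returns 0 when the image passes, 1 when it fails, 2 when the report is missing.
gate_report() {
    report=$1; max_high=${2:-0}
    crit=$(count_severity "$report" CRITICAL) || return 2
    high=$(count_severity "$report" HIGH) || return 2
    echo "CRITICAL=$crit HIGH=$high (allowed HIGH: $max_high)"
    if [ "$crit" -gt 0 ] || [ "$high" -gt "$max_high" ]; then
        return 1
    fi
    return 0
}

# Scan an image into a JSON report, then apply the gate.
# --ignore-unfixed drops findings for which the distro ships no fixed package
# yet, so the gate only blocks on findings the build can actually act on.
scan_and_gate() {
    image=$1; max_high=${2:-0}; report=${3:-trivy-report.json}
    trivy image --format json --output "$report" \
        --severity HIGH,CRITICAL --ignore-unfixed "$image" || return 1
    gate_report "$report" "$max_high"
}

# Constructed sample report (not real scanner output) for offline testing.
# The VulnerabilityID values are placeholders, not real CVE numbers.
write_sample_report() {
    cat > "$1" <<'EOF'
{
  "Results": [
    {
      "Target": "example-image:1.0 (debian 11)",
      "Vulnerabilities": [
        { "VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libexample", "Severity": "CRITICAL" },
        { "VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "libexample", "Severity": "HIGH" },
        { "VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "otherpkg",   "Severity": "MEDIUM" }
      ]
    }
  ]
}
EOF
}

# Stand-alone use: sh gate.sh <image> [max_high]. With no arguments, run the
# gate against the constructed sample report instead (which fails: it has a CRITICAL).
if [ $# -gt 0 ]; then
    scan_and_gate "$1" "${2:-0}"
else
    sample=${TMPDIR:-/tmp}/trivy-sample-report.json
    write_sample_report "$sample"
    if gate_report "$sample" 0; then echo "PASS"; else echo "FAIL"; fi
fi
```

If the HIGH threshold is not needed, trivy's own `--exit-code 1` together with `--severity HIGH,CRITICAL` already makes the scan step fail on any match and the JSON gate can be dropped; the gate here exists so that the policy (allow a few HIGH, never a CRITICAL) lives in one place and is applied to a report that can also be archived with the build.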

  • Common commands
    [root@localhost compose-healthcheck-redis]# trivy
    2022-01-06T21:58:06.457+0800 WARN The root command will be removed. Please migrate to 'trivy image' command. See https://github.com/aquasecurity/trivy/discussions/1515
    NAME:
       trivy - A simple and comprehensive vulnerability scanner for containers
    USAGE:
       trivy command [command options] target
    COMMANDS:
       image, i          scan an image
       filesystem, fs    scan local filesystem for language-specific dependencies and config files
       rootfs            scan rootfs
       repository, repo  scan remote repository
       client, c         client mode
       server, s         server mode
       config, conf      scan config files
       plugin, p         manage plugins
       help, h           Shows a list of commands or help for one command
    OPTIONS:
       --quiet, -q        suppress progress bar and log output (default: false) [$TRIVY_QUIET]
       --debug, -d        debug mode (default: false) [$TRIVY_DEBUG]
       --cache-dir value  cache directory (default: "/root/.cache/trivy") [$TRIVY_CACHE_DIR]
       --help, -h         show help (default: false)
       --version, -v      print the version (default: false)