
Vulnerability Scanning

Trivy detects known vulnerabilities in software components that it finds in the scan target.

The following are supported:

OS Packages

Trivy is capable of automatically detecting installed OS packages when scanning container images, VM images and running hosts.

Note

Trivy doesn't support third-party or self-compiled packages and binaries; it only supports official packages provided by vendors such as Red Hat and Debian.

Supported OS

See here for the supported OSes.

Data Sources

OS               Source
Arch Linux       Vulnerable Issues
Alpine Linux     secdb
Wolfi Linux      secdb
Chainguard       secdb
Amazon Linux     Amazon Linux Security Center
Debian           Security Bug Tracker / OVAL
Ubuntu           Ubuntu CVE Tracker
RHEL/CentOS      OVAL / Security Data
AlmaLinux        AlmaLinux Product Errata
Rocky Linux      Rocky Linux UpdateInfo
Oracle Linux     OVAL
CBL-Mariner      OVAL
OpenSUSE/SLES    CVRF
Photon OS        Photon Security Advisory

Data Source Selection

Trivy only consumes security advisories from the sources listed in the above table.

As for packages installed from OS package managers (dpkg, yum, apk, etc.), Trivy uses the advisory database from the appropriate OS vendor.

For example, for a Python package installed from yum (Amazon Linux), Trivy will only get advisories from ALAS. But for a Python package installed from another source (e.g. pip), Trivy will get advisories from the GitLab and GitHub databases.

This advisory selection is essential to avoid getting false positives because OS vendors usually backport upstream fixes, and the fixed version can be different from the upstream fixed version.

Severity Selection

The severity is taken from the selected data source since the severity from vendors is more accurate. Using CVE-2023-0464 as an example, while it is rated as "HIGH" in NVD, Red Hat has marked its 'Impact' as "Low". As a result, Trivy will display it as "Low".

The severity depends on compile options, the default configuration, and so on. NVD doesn't know how each vendor builds and distributes the software, whereas Red Hat evaluates the severity of its own packages more accurately. That's why Trivy prefers vendor scores over NVD.

If the data source does not provide a severity, the severity is determined based on the CVSS score as follows:

Base Score Range   Severity
0.1-3.9            Low
4.0-6.9            Medium
7.0-8.9            High
9.0-10.0           Critical

If the CVSS score is also not provided, it falls back to NVD.

NVD and some vendors may delay severity analysis, while other vendors, such as Red Hat, are able to quickly evaluate and announce the severity of vulnerabilities. To avoid marking too many vulnerabilities as "UNKNOWN" severity, Trivy uses severity ratings from other vendors when the NVD information is not yet available. The order of preference for vendor severity data can be found here.

You can reference SeveritySource in the JSON reporting format to see from where the severity is taken for a given vulnerability.

"SeveritySource": "debian",

In addition, you can see all the vendor severity ratings.

"VendorSeverity": {
  "amazon": 2,
  "cbl-mariner": 4,
  "ghsa": 4,
  "nvd": 4,
  "photon": 4,
  "redhat": 2,
  "ubuntu": 2
}

Here is the severity mapping in Trivy:

Number   Severity
0        Unknown
1        Low
2        Medium
3        High
4        Critical

If no vendor has a severity, the UNKNOWN severity will be used.

Unfixed Vulnerabilities

Unfixed/unfixable vulnerabilities are those for which the distribution has not yet provided a patch. To hide unfixed/unfixable vulnerabilities, you can use the --ignore-unfixed flag.
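As an added example (not part of the Trivy documentation and not Trivy's own code), the following Python script walks a Trivy JSON report and reproduces the severity selection described in the previous section: the rating from the SeveritySource vendor first, then the CVSS base-score ranges, then NVD, then UNKNOWN. It also maps the numeric VendorSeverity values to names and applies the --ignore-unfixed rule by dropping entries that have no FixedVersion. The report is constructed inline with invented package names and CVE ids; the field names Results, Class, Type, Vulnerabilities, VulnerabilityID, FixedVersion, CVSS and V3Score are assumed to follow Trivy's JSON schema, and the handling of a 0.0 score (not listed in the table) is this example's choice.

```python
import json

# Numeric VendorSeverity values, as given in the severity mapping table above.
SEVERITY_NAMES = {0: "UNKNOWN", 1: "LOW", 2: "MEDIUM", 3: "HIGH", 4: "CRITICAL"}
SEVERITY_ORDER = list(SEVERITY_NAMES.values())


def severity_from_cvss(score):
    """Map a CVSS base score to a severity using the documented ranges; scores
    outside 0.1-10.0 (the table lists no 0.0 row) are UNKNOWN in this example."""
    if score is None:
        return "UNKNOWN"
    for low, high, name in ((0.1, 3.9, "LOW"), (4.0, 6.9, "MEDIUM"),
                            (7.0, 8.9, "HIGH"), (9.0, 10.0, "CRITICAL")):
        if low <= score <= high:
            return name
    return "UNKNOWN"


def vendor_ratings(vendor_severity):
    """Translate the numeric VendorSeverity map into severity names."""
    return {v: SEVERITY_NAMES.get(n, "UNKNOWN") for v, n in vendor_severity.items()}


def resolve_severity(vuln):
    """Return (severity, origin), following the documented order: rating from the
    selected SeveritySource, then its CVSS base score, then NVD, then UNKNOWN."""
    source = vuln.get("SeveritySource") or ""
    vendor = vuln.get("VendorSeverity") or {}
    cvss = vuln.get("CVSS") or {}
    if source in vendor:
        return SEVERITY_NAMES.get(vendor[source], "UNKNOWN"), "vendor:" + source
    score = (cvss.get(source) or {}).get("V3Score")
    if score is not None:
        return severity_from_cvss(score), "cvss:" + source
    if "nvd" in vendor:
        return SEVERITY_NAMES.get(vendor["nvd"], "UNKNOWN"), "vendor:nvd"
    nvd_score = (cvss.get("nvd") or {}).get("V3Score")
    if nvd_score is not None:
        return severity_from_cvss(nvd_score), "cvss:nvd"
    return "UNKNOWN", "none"


def is_fixed(vuln):
    """--ignore-unfixed hides entries whose distribution has no FixedVersion yet."""
    return bool(vuln.get("FixedVersion"))


def summarize(report, ignore_unfixed=False):
    """Count resolved severities across all Results, like Trivy's 'Total:' line."""
    counts = {name: 0 for name in SEVERITY_ORDER}
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if ignore_unfixed and not is_fixed(vuln):
                continue
            counts[resolve_severity(vuln)[0]] += 1
    return counts


def total_line(counts):
    """Render counts in the shape of Trivy's table summary line."""
    parts = ", ".join(f"{name}: {counts[name]}" for name in SEVERITY_ORDER)
    return f"Total: {sum(counts.values())} ({parts})"


# Constructed report: a cut-down Trivy JSON document with invented packages and
# CVE ids. Real reports also carry a precomputed "Severity" field; it is left
# out here so that the resolution steps are visible.
SAMPLE_REPORT = json.loads("""
{"Results": [
  {"Target": "example-image (debian 12.0)", "Class": "os-pkgs", "Type": "debian",
   "Vulnerabilities": [
     {"VulnerabilityID": "CVE-0000-0001", "PkgName": "examplelib",
      "InstalledVersion": "1.0.0-1", "FixedVersion": "1.0.0-2",
      "SeveritySource": "debian", "VendorSeverity": {"debian": 1, "nvd": 3},
      "CVSS": {"nvd": {"V3Score": 7.5}}},
     {"VulnerabilityID": "CVE-0000-0002", "PkgName": "examplelib",
      "InstalledVersion": "1.0.0-1", "FixedVersion": "",
      "SeveritySource": "debian", "VendorSeverity": {},
      "CVSS": {"debian": {"V3Score": 9.8}}},
     {"VulnerabilityID": "CVE-0000-0003", "PkgName": "othertool",
      "InstalledVersion": "2.3.4-1", "FixedVersion": "2.3.4-2",
      "SeveritySource": "", "VendorSeverity": {"nvd": 2}},
     {"VulnerabilityID": "CVE-0000-0004", "PkgName": "othertool",
      "InstalledVersion": "2.3.4-1", "FixedVersion": ""}]},
  {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Type": "pip",
   "Vulnerabilities": [
     {"VulnerabilityID": "CVE-0000-0005", "PkgName": "examplepy",
      "InstalledVersion": "0.9.0", "FixedVersion": "0.9.1",
      "SeveritySource": "ghsa", "VendorSeverity": {"ghsa": 3, "nvd": 4}}]}]}
""")

if __name__ == "__main__":
    for result in SAMPLE_REPORT["Results"]:
        for vuln in result["Vulnerabilities"]:
            severity, origin = resolve_severity(vuln)
            print(result["Class"], vuln["VulnerabilityID"], severity, "via", origin,
                  "fixed" if is_fixed(vuln) else "unfixed",
                  vendor_ratings(vuln.get("VendorSeverity") or {}))
    print(total_line(summarize(SAMPLE_REPORT)))
    print(total_line(summarize(SAMPLE_REPORT, ignore_unfixed=True)))
```

To run it over a real report, replace SAMPLE_REPORT with json.load() of the file produced by trivy image --format json --output report.json IMAGE. The first constructed entry mirrors the CVE-2023-0464 situation from the text: NVD rates it HIGH, but the selected source (here Debian) rates it LOW, so LOW wins; the os-pkgs entry draws its rating from the distribution vendor while the lang-pkgs entry draws it from GHSA, which is the data source selection described earlier.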

Language-specific Packages

Supported Languages

See here for the supported languages.

Data Sources

Language   Source                                     Commercial Use   Delay [1]
PHP        PHP Security Advisories Database                            -
           GitHub Advisory Database (Composer)                         -
Python     GitHub Advisory Database (pip)                              -
           Open Source Vulnerabilities (PyPI)                          -
Ruby       Ruby Advisory Database                                      -
           GitHub Advisory Database (RubyGems)                         -
Node.js    Ecosystem Security Working Group                            -
           GitHub Advisory Database (npm)                              -
Java       GitHub Advisory Database (Maven)                            -
Go         GitHub Advisory Database (Go)                               -
           Go Vulnerability Database                                   -
Rust       Open Source Vulnerabilities (crates.io)                     -
.NET       GitHub Advisory Database (NuGet)                            -
C/C++      GitLab Advisories Community                                 1 month
Dart       GitHub Advisory Database (Pub)                              -
Elixir     GitHub Advisory Database (Erlang)                           -
Swift      GitHub Advisory Database (Swift)                            -

Non-packaged software

If you have software that is not managed by a package manager, Trivy can still detect vulnerabilities in it in some cases:

Kubernetes

Trivy can detect vulnerabilities in Kubernetes clusters and components by scanning a Kubernetes cluster or a KBOM (Kubernetes Bill of Materials). To learn more, see the documentation for Kubernetes scanning.

Data Sources

Vendor       Source
Kubernetes   Kubernetes Official CVE feed [1]

Database

Trivy downloads the vulnerability database every 6 hours. Trivy uses two types of databases for vulnerability detection:

  • Vulnerability Database
  • Java Index Database

This page provides detailed information about these databases.

Vulnerability Database

Trivy utilizes a database containing vulnerability information. This database is built every six hours on GitHub and is distributed via GitHub Container Registry (GHCR). The database is cached and updated as needed. As Trivy updates the database automatically during execution, users don't need to be concerned about it.

For CLI flags related to the database, please refer to this page.

Private Hosting

If you host the database on your own OCI registry, you can specify a different repository with the --db-repository flag. The default is ghcr.io/aquasecurity/trivy-db.

$ trivy image --db-repository YOUR_REPO YOUR_IMAGE

If authentication is required, it can be configured in the same way as for private images. Please refer to the documentation for more details.

Java Index Database

This database is only downloaded when scanning JAR files, so that Trivy can identify the groupId, artifactId, and version of JAR files. It is built once a day on GitHub and distributed via GitHub Container Registry (GHCR). Like the vulnerability database, it is automatically downloaded and updated when needed, so users don't need to worry about it.

Private Hosting

If you host the database on your own OCI registry, you can specify a different repository with the --java-db-repository flag. The default is ghcr.io/aquasecurity/trivy-java-db.

If authentication is required, you need to run docker login YOUR_REGISTRY. Currently, specifying a username and password is not supported.

Configuration

This section describes vulnerability-specific configuration. Other common options are documented here.

Enabling a subset of package types

It's possible to only enable certain package types if you prefer. You can do so by passing the --pkg-types option. This flag takes a comma-separated list of package types.

Available values:

  • os
    • Scan OS packages managed by the OS package manager (e.g. dpkg, yum, apk).
  • library
    • Scan language-specific packages (e.g. packages installed by pip, npm, or gem).

$ trivy image --pkg-types os ruby:2.4.0

Result

2019-05-22T19:36:50.530+0200    INFO    Updating vulnerability database...
2019-05-22T19:36:51.681+0200    INFO    Detecting Alpine vulnerabilities...
2019-05-22T19:36:51.685+0200    INFO    Updating npm Security DB...
2019-05-22T19:36:52.389+0200    INFO    Detecting npm vulnerabilities...
2019-05-22T19:36:52.390+0200    INFO    Updating pipenv Security DB...
2019-05-22T19:36:53.406+0200    INFO    Detecting pipenv vulnerabilities...

ruby:2.4.0 (debian 8.7)
=======================
Total: 7 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 3, CRITICAL: 2)

+---------+------------------+----------+-------------------+---------------+----------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |              TITLE               |
+---------+------------------+----------+-------------------+---------------+----------------------------------+
| curl    | CVE-2018-14618   | CRITICAL | 7.61.0-r0         | 7.61.1-r0     | curl: NTLM password overflow     |
|         |                  |          |                   |               | via integer overflow             |
+         +------------------+----------+                   +---------------+----------------------------------+
|         | CVE-2018-16839   | HIGH     |                   | 7.61.1-r1     | curl: Integer overflow leading   |
|         |                  |          |                   |               | to heap-based buffer overflow in |
|         |                  |          |                   |               | Curl_sasl_create_plain_message() |
+---------+------------------+----------+-------------------+---------------+----------------------------------+
| git     | CVE-2018-17456   | HIGH     | 2.15.2-r0         | 2.15.3-r0     | git: arbitrary code execution    |
|         |                  |          |                   |               | via .gitmodules                  |
+         +------------------+          +                   +               +----------------------------------+
|         | CVE-2018-19486   |          |                   |               | git: Improper handling of        |
|         |                  |          |                   |               | PATH allows for commands to be   |
|         |                  |          |                   |               | executed from...                 |
+---------+------------------+----------+-------------------+---------------+----------------------------------+
| libssh2 | CVE-2019-3855    | CRITICAL | 1.8.0-r2          | 1.8.1-r0      | libssh2: Integer overflow in     |
|         |                  |          |                   |               | transport read resulting in      |
|         |                  |          |                   |               | out of bounds write...           |
+---------+------------------+----------+-------------------+---------------+----------------------------------+
| sqlite  | CVE-2018-20346   | MEDIUM   | 3.21.0-r1         | 3.25.3-r0     | CVE-2018-20505 CVE-2018-20506    |
|         |                  |          |                   |               | sqlite: Multiple flaws in        |
|         |                  |          |                   |               | sqlite which can be triggered    |
|         |                  |          |                   |               | via...                           |
+---------+------------------+----------+-------------------+---------------+----------------------------------+
| tar     | CVE-2018-20482   | LOW      | 1.29-r1           | 1.31-r0       | tar: Infinite read loop in       |
|         |                  |          |                   |               | sparse_dump_region function in   |
|         |                  |          |                   |               | sparse.c                         |
+---------+------------------+----------+-------------------+---------------+----------------------------------+

  1. https://github.com/GoogleContainerTools/distroless