Database
Trivy uses two types of databases for vulnerability detection:
- Vulnerability Database
- Java Index Database
This page provides detailed information about these databases.
Vulnerability Database
Trivy utilizes a database containing vulnerability information. This database is built every six hours on GitHub and is distributed via GitHub Container registry (GHCR). The database is cached and updated as needed. As Trivy updates the database automatically during execution, users don't need to be concerned about it.
For CLI flags related to the database, please refer to this page.
Private Hosting
If you host the database on your own OCI registry, you can specify a different repository with the --db-repository
flag.
The default is ghcr.io/aquasecurity/trivy-db
.
$ trivy image --db-repository YOUR_REPO YOUR_IMAGE
If authentication is required, it can be configured in the same way as for private images. Please refer to the documentation for more details.
Java Index Database
This database is only downloaded when scanning JAR files so that Trivy can identify the groupId, artifactId, and version of JAR files. It is built once a day on GitHub and distributed via GitHub Container registry (GHCR). Like the vulnerability database, it is automatically downloaded and updated when needed, so users don't need to worry about it.
Private Hosting
If you host the database on your own OCI registry, you can specify a different repository with the --java-db-repository
flag.
The default is ghcr.io/aquasecurity/trivy-java-db
.
If authentication is required, you need to run docker login YOUR_REGISTRY
.
Currently, specifying a username and password is not supported.