
Vulnerability Scanning

Overview

This section gives an overview of vulnerability scanning. Trivy detects known vulnerabilities by comparing the versions of installed packages against the vulnerable version ranges recorded in its vulnerability database.

The following packages are supported.

The vulnerability database is rebuilt every six hours, and Trivy downloads a fresh copy when the cached one is out of date.

Database

Trivy uses two types of databases for vulnerability detection:

  • Vulnerability Database
  • Java Index Database

This page provides detailed information about these databases.

Vulnerability Database

Trivy uses a database containing vulnerability information. This database is built every six hours on GitHub and is distributed via GitHub Container Registry (GHCR). The database is cached locally and refreshed when it is out of date. Because Trivy updates the database automatically during execution, users normally do not need to manage it.

For CLI flags related to the database, please refer to this page.

Private Hosting

If you host a copy of the database on your own OCI registry, you can point Trivy at it with the --db-repository flag. The default is ghcr.io/aquasecurity/trivy-db. Note that a mirrored copy is only as fresh as your last sync, so refresh it at least as often as the upstream build cadence.

$ trivy image --db-repository YOUR_REPO YOUR_IMAGE

If authentication is required, it can be configured in the same way as for private images. Please refer to the documentation for more details.

Java Index Database

This database is only downloaded when scanning JAR files, so that Trivy can identify the groupId, artifactId, and version of JAR files that carry no usable metadata of their own. It is built once a day on GitHub and distributed via GitHub Container Registry (GHCR). Like the vulnerability database, it is downloaded and updated automatically when needed, so users do not need to manage it.

Private Hosting

If you host the database on your own OCI registry, you can specify a different repository with the --java-db-repository flag. The default is ghcr.io/aquasecurity/trivy-java-db.

If authentication is required, run docker login YOUR_REGISTRY beforehand; Trivy uses the credentials stored by that login. Passing a username and password directly on the command line is currently not supported for this database.
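The following script is an added example, not code from the Trivy project or this page, covering both private-hosting sections above: it mirrors trivy-db and trivy-java-db into a private OCI registry with oras, then scans an image with --db-repository and --java-db-repository pointing at the mirror. It assumes oras and trivy are on PATH, that you have already run docker login (or oras login) for the private registry, and that the registry hostname registry.example.internal/security is a placeholder. The schema-version tags 2 and 1 are what upstream publishes at the time of writing; confirm them for your Trivy version.

```shell
#!/bin/sh
# Added example (not Trivy project code): mirror Trivy's databases into a
# private OCI registry and scan against the mirror.
# Assumptions: `oras` and `trivy` are installed; `docker login` / `oras login`
# has been run for $PRIVATE_REGISTRY; the registry hostname is made up.
set -eu

PRIVATE_REGISTRY="${PRIVATE_REGISTRY:-registry.example.internal/security}"

# Upstream repositories (the defaults documented on this page). The tag is the
# database schema version that upstream publishes, not a date; Trivy pulls
# the newest manifest under that tag.
UPSTREAM_DB="ghcr.io/aquasecurity/trivy-db"
UPSTREAM_DB_TAG="2"
UPSTREAM_JAVA_DB="ghcr.io/aquasecurity/trivy-java-db"
UPSTREAM_JAVA_DB_TAG="1"

# Map an upstream repository to its path in the private registry, keeping the
# last path element (trivy-db / trivy-java-db) so the names stay recognisable.
private_repo() {
  printf '%s/%s\n' "$PRIVATE_REGISTRY" "${1##*/}"
}

# Copy one database artifact (manifest plus all layers) from GHCR to the mirror.
mirror_db() {
  src="$1"
  tag="$2"
  oras copy "${src}:${tag}" "$(private_repo "$src"):${tag}"
}

# Print the Trivy flags that select both mirrored databases on one line.
# Repository paths contain no whitespace, so callers may word-split the output.
scan_flags() {
  printf '%s %s %s %s\n' \
    --db-repository "$(private_repo "$UPSTREAM_DB")" \
    --java-db-repository "$(private_repo "$UPSTREAM_JAVA_DB")"
}

case "${1:-}" in
  mirror)
    # Schedule this at least every six hours (trivy-db build cadence) and at
    # least daily for the Java index DB, or scans will run on a stale copy.
    mirror_db "$UPSTREAM_DB" "$UPSTREAM_DB_TAG"
    mirror_db "$UPSTREAM_JAVA_DB" "$UPSTREAM_JAVA_DB_TAG"
    ;;
  scan)
    # Usage: ./mirror.sh scan IMAGE
    image="$2"
    # shellcheck disable=SC2046  # intentional word-splitting of the flag list
    set -- $(scan_flags)
    trivy image "$@" "$image"
    ;;
esac
```

Run ./mirror.sh mirror from a scheduled job on a host that can reach ghcr.io, and ./mirror.sh scan IMAGE from the air-gapped side. If the mirror job stops running, Trivy will keep pulling the same stale copy from the private registry without complaint, so monitor the job as well as the scans.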