Git Repository
Scan your remote git repositories for
- Vulnerabilities
- Misconfigurations
- Secrets
- Licenses
By default, vulnerability and secret scanning are enabled, and you can configure that with --scanners
.
$ trivy repo [YOUR_REPO_URL]
Scanners
Vulnerabilities
It is enabled by default. Trivy will look for vulnerabilities based on lock files such as Gemfile.lock and package-lock.json. See here for the detail.
$ trivy repo https://github.com/knqyf263/trivy-ci-test
Result
2021-03-09T15:04:19.003+0200 INFO Detecting cargo vulnerabilities...
2021-03-09T15:04:19.005+0200 INFO Detecting pipenv vulnerabilities...
Cargo.lock
==========
Total: 7 (UNKNOWN: 7, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
+----------+-------------------+----------+-------------------+------------------------------+---------------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+----------+-------------------+----------+-------------------+------------------------------+---------------------------------------------+
| ammonia | RUSTSEC-2019-0001 | UNKNOWN | 1.9.0 | >= 2.1.0 | Uncontrolled recursion leads |
| | | | | | to abort in HTML serialization |
| | | | | | -->rustsec.org/advisories/RUSTSEC-2019-0001 |
+----------+-------------------+ +-------------------+------------------------------+---------------------------------------------+
| openssl | RUSTSEC-2016-0001 | | 0.8.3 | >= 0.9.0 | SSL/TLS MitM vulnerability |
| | | | | | due to insecure defaults |
| | | | | | -->rustsec.org/advisories/RUSTSEC-2016-0001 |
+----------+-------------------+ +-------------------+------------------------------+---------------------------------------------+
| smallvec | RUSTSEC-2018-0018 | | 0.6.9 | >= 0.6.13 | smallvec creates uninitialized |
| | | | | | value of any type |
| | | | | | -->rustsec.org/advisories/RUSTSEC-2018-0018 |
+ +-------------------+ + +------------------------------+---------------------------------------------+
| | RUSTSEC-2019-0009 | | | >= 0.6.10 | Double-free and use-after-free |
| | | | | | in SmallVec::grow() |
| | | | | | -->rustsec.org/advisories/RUSTSEC-2019-0009 |
+ +-------------------+ + + +---------------------------------------------+
| | RUSTSEC-2019-0012 | | | | Memory corruption in SmallVec::grow() |
| | | | | | -->rustsec.org/advisories/RUSTSEC-2019-0012 |
+ +-------------------+ + +------------------------------+---------------------------------------------+
| | RUSTSEC-2021-0003 | | | >= 0.6.14, < 1.0.0, >= 1.6.1 | Buffer overflow in SmallVec::insert_many |
| | | | | | -->rustsec.org/advisories/RUSTSEC-2021-0003 |
+----------+-------------------+ +-------------------+------------------------------+---------------------------------------------+
| tempdir | RUSTSEC-2018-0017 | | 0.3.7 | | `tempdir` crate has been |
| | | | | | deprecated; use `tempfile` instead |
| | | | | | -->rustsec.org/advisories/RUSTSEC-2018-0017 |
+----------+-------------------+----------+-------------------+------------------------------+---------------------------------------------+
Pipfile.lock
============
Total: 20 (UNKNOWN: 3, LOW: 0, MEDIUM: 7, HIGH: 5, CRITICAL: 5)
+---------------------+------------------+----------+-------------------+------------------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+---------------------+------------------+----------+-------------------+------------------------+---------------------------------------+
| django | CVE-2019-19844 | CRITICAL | 2.0.9 | 3.0.1, 2.2.9, 1.11.27 | Django: crafted email address |
| | | | | | allows account takeover |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-19844 |
+ +------------------+ + +------------------------+---------------------------------------+
| | CVE-2020-7471 | | | 3.0.3, 2.2.10, 1.11.28 | django: potential SQL injection |
| | | | | | via StringAgg(delimiter) |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-7471 |
+ +------------------+----------+ +------------------------+---------------------------------------+
| | CVE-2019-6975 | HIGH | | 2.1.6, 2.0.11, 1.11.19 | python-django: memory exhaustion in |
| | | | | | django.utils.numberformat.format() |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-6975 |
+ +------------------+ + +------------------------+---------------------------------------+
| | CVE-2020-9402 | | | 3.0.4, 2.2.11, 1.11.29 | django: potential SQL injection |
| | | | | | via "tolerance" parameter in |
| | | | | | GIS functions and aggregates... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-9402 |
+ +------------------+----------+ +------------------------+---------------------------------------+
| | CVE-2019-3498 | MEDIUM | | 2.1.5, 2.0.10, 1.11.18 | python-django: Content spoofing |
| | | | | | via URL path in default 404 page |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-3498 |
+ +------------------+ + +------------------------+---------------------------------------+
| | CVE-2020-13254 | | | 3.0.7, 2.2.13 | django: potential data leakage |
| | | | | | via malformed memcached keys |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-13254 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2020-13596 | | | | django: possible XSS via |
| | | | | | admin ForeignKeyRawIdWidget |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-13596 |
+---------------------+------------------+----------+-------------------+------------------------+---------------------------------------+
| django-cors-headers | pyup.io-37132 | UNKNOWN | 2.5.2 | 3.0.0 | In django-cors-headers |
| | | | | | version 3.0.0, |
| | | | | | ``CORS_ORIGIN_WHITELIST`` |
| | | | | | requires URI schemes, and |
| | | | | | optionally ports. This... |
+---------------------+------------------+----------+-------------------+------------------------+---------------------------------------+
| djangorestframework | CVE-2020-25626 | MEDIUM | 3.9.2 | 3.11.2 | django-rest-framework: XSS |
| | | | | | Vulnerability in API viewer |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-25626 |
+---------------------+------------------+----------+-------------------+------------------------+---------------------------------------+
| httplib2 | CVE-2021-21240 | HIGH | 0.12.1 | 0.19.0 | python-httplib2: Regular |
| | | | | | expression denial of |
| | | | | | service via malicious header |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-21240 |
+ +------------------+----------+ +------------------------+---------------------------------------+
| | CVE-2020-11078 | MEDIUM | | 0.18.0 | python-httplib2: CRLF injection |
| | | | | | via an attacker controlled |
| | | | | | unescaped part of uri for... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-11078 |
+ +------------------+----------+ + +---------------------------------------+
| | pyup.io-38303 | UNKNOWN | | | Httplib2 0.18.0 is an |
| | | | | | important security update to |
| | | | | | patch a CWE-93 CRLF... |
+---------------------+------------------+ +-------------------+------------------------+---------------------------------------+
| jinja2 | pyup.io-39525 | | 2.10.1 | 2.11.3 | This affects the package |
| | | | | | jinja2 from 0.0.0 and before |
| | | | | | 2.11.3. The ReDOS... |
+---------------------+------------------+----------+-------------------+------------------------+---------------------------------------+
| py | CVE-2020-29651 | HIGH | 1.8.0 | | python-py: ReDoS in the py.path.svnwc |
| | | | | | component via malicious input |
| | | | | | to blame functionality... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-29651 |
+---------------------+------------------+----------+-------------------+------------------------+---------------------------------------+
| pyyaml | CVE-2019-20477 | CRITICAL | 5.1 | | PyYAML: command execution |
| | | | | | through python/object/apply |
| | | | | | constructor in FullLoader |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-20477 |
+ +------------------+ + +------------------------+---------------------------------------+
| | CVE-2020-14343 | | | 5.4 | PyYAML: incomplete |
| | | | | | fix for CVE-2020-1747 |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-14343 |
+ +------------------+ + +------------------------+---------------------------------------+
| | CVE-2020-1747 | | | 5.3.1 | PyYAML: arbitrary command |
| | | | | | execution through python/object/new |
| | | | | | when FullLoader is used |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-1747 |
+---------------------+------------------+----------+-------------------+------------------------+---------------------------------------+
| urllib3 | CVE-2019-11324 | HIGH | 1.24.1 | 1.24.2 | python-urllib3: Certification |
| | | | | | mishandle when error should be thrown |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-11324 |
+ +------------------+----------+ +------------------------+---------------------------------------+
| | CVE-2019-11236 | MEDIUM | | | python-urllib3: CRLF injection |
| | | | | | due to not encoding the |
| | | | | | '\r\n' sequence leading to... |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-11236 |
+ +------------------+ + +------------------------+---------------------------------------+
| | CVE-2020-26137 | | | 1.25.9 | python-urllib3: CRLF injection |
| | | | | | via HTTP request method |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-26137 |
+---------------------+------------------+----------+-------------------+------------------------+---------------------------------------+
Misconfigurations
It is disabled by default and can be enabled with --scanners config
.
See here for the detail.
$ trivy repo --scanners config [YOUR_REPO_URL]
Secrets
It is enabled by default. See here for the detail.
$ trivy repo [YOUR_REPO_URL]
Licenses
It is disabled by default. See here for the detail.
$ trivy repo --scanners license [YOUR_REPO_URL]
SBOM generation
Trivy can generate SBOM for git repositories. See here for the detail.
References
Scanning a Branch
Pass a --branch
argument with a valid branch name on the remote repository provided:
$ trivy repo --branch <branch-name> <repo-name>
Scanning upto a Commit
Pass a --commit
argument with a valid commit hash on the remote repository provided:
$ trivy repo --commit <commit-hash> <repo-name>
Scanning a Tag
Pass a --tag
argument with a valid tag on the remote repository provided:
$ trivy repo --tag <tag-name> <repo-name>
Scanning Private Repositories
In order to scan private GitHub or GitLab repositories, the environment variable GITHUB_TOKEN
or GITLAB_TOKEN
must be set, respectively, with a valid token that has access to the private repository being scanned.
The GITHUB_TOKEN
environment variable will take precedence over GITLAB_TOKEN
, so if a private GitLab repository will be scanned, then GITHUB_TOKEN
must be unset.
You can find how to generate your GitHub Token in the following GitHub documentation.
For example:
$ export GITHUB_TOKEN="your_private_github_token"
$ trivy repo <your private GitHub repo URL>
$
$ # or
$ export GITLAB_TOKEN="your_private_gitlab_token"
$ trivy repo <your private GitLab repo URL>