Git Repository

Scan your remote git repositories for

  • Vulnerabilities
  • Misconfigurations
  • Secrets
  • Licenses

By default, the vulnerability and secret scanners are enabled; you can select a different set with --scanners.

$ trivy repo [YOUR_REPO_URL]

Scanners

Vulnerabilities

It is enabled by default. Trivy looks for vulnerabilities based on lock files such as Gemfile.lock and package-lock.json. See the language-specific package scanning documentation for details.

$ trivy repo https://github.com/knqyf263/trivy-ci-test
Result
2021-03-09T15:04:19.003+0200    INFO    Detecting cargo vulnerabilities...
2021-03-09T15:04:19.005+0200    INFO    Detecting pipenv vulnerabilities...

Cargo.lock
==========
Total: 7 (UNKNOWN: 7, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

+----------+-------------------+----------+-------------------+------------------------------+---------------------------------------------+
| LIBRARY  | VULNERABILITY ID  | SEVERITY | INSTALLED VERSION |        FIXED VERSION         |                    TITLE                    |
+----------+-------------------+----------+-------------------+------------------------------+---------------------------------------------+
| ammonia  | RUSTSEC-2019-0001 | UNKNOWN  | 1.9.0             | >= 2.1.0                     | Uncontrolled recursion leads                |
|          |                   |          |                   |                              | to abort in HTML serialization              |
|          |                   |          |                   |                              | -->rustsec.org/advisories/RUSTSEC-2019-0001 |
+----------+-------------------+          +-------------------+------------------------------+---------------------------------------------+
| openssl  | RUSTSEC-2016-0001 |          | 0.8.3             | >= 0.9.0                     | SSL/TLS MitM vulnerability                  |
|          |                   |          |                   |                              | due to insecure defaults                    |
|          |                   |          |                   |                              | -->rustsec.org/advisories/RUSTSEC-2016-0001 |
+----------+-------------------+          +-------------------+------------------------------+---------------------------------------------+
| smallvec | RUSTSEC-2018-0018 |          | 0.6.9             | >= 0.6.13                    | smallvec creates uninitialized              |
|          |                   |          |                   |                              | value of any type                           |
|          |                   |          |                   |                              | -->rustsec.org/advisories/RUSTSEC-2018-0018 |
+          +-------------------+          +                   +------------------------------+---------------------------------------------+
|          | RUSTSEC-2019-0009 |          |                   | >= 0.6.10                    | Double-free and use-after-free              |
|          |                   |          |                   |                              | in SmallVec::grow()                         |
|          |                   |          |                   |                              | -->rustsec.org/advisories/RUSTSEC-2019-0009 |
+          +-------------------+          +                   +                              +---------------------------------------------+
|          | RUSTSEC-2019-0012 |          |                   |                              | Memory corruption in SmallVec::grow()       |
|          |                   |          |                   |                              | -->rustsec.org/advisories/RUSTSEC-2019-0012 |
+          +-------------------+          +                   +------------------------------+---------------------------------------------+
|          | RUSTSEC-2021-0003 |          |                   | >= 0.6.14, < 1.0.0, >= 1.6.1 | Buffer overflow in SmallVec::insert_many    |
|          |                   |          |                   |                              | -->rustsec.org/advisories/RUSTSEC-2021-0003 |
+----------+-------------------+          +-------------------+------------------------------+---------------------------------------------+
| tempdir  | RUSTSEC-2018-0017 |          | 0.3.7             |                              | `tempdir` crate has been                    |
|          |                   |          |                   |                              | deprecated; use `tempfile` instead          |
|          |                   |          |                   |                              | -->rustsec.org/advisories/RUSTSEC-2018-0017 |
+----------+-------------------+----------+-------------------+------------------------------+---------------------------------------------+

Pipfile.lock
============
Total: 20 (UNKNOWN: 3, LOW: 0, MEDIUM: 7, HIGH: 5, CRITICAL: 5)

+---------------------+------------------+----------+-------------------+------------------------+---------------------------------------+
|       LIBRARY       | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |     FIXED VERSION      |                 TITLE                 |
+---------------------+------------------+----------+-------------------+------------------------+---------------------------------------+
| django              | CVE-2019-19844   | CRITICAL | 2.0.9             | 3.0.1, 2.2.9, 1.11.27  | Django: crafted email address         |
|                     |                  |          |                   |                        | allows account takeover               |
|                     |                  |          |                   |                        | -->avd.aquasec.com/nvd/cve-2019-19844 |
+                     +------------------+          +                   +------------------------+---------------------------------------+
|                     | CVE-2020-7471    |          |                   | 3.0.3, 2.2.10, 1.11.28 | django: potential SQL injection       |
|                     |                  |          |                   |                        | via StringAgg(delimiter)              |
|                     |                  |          |                   |                        | -->avd.aquasec.com/nvd/cve-2020-7471  |
+                     +------------------+----------+                   +------------------------+---------------------------------------+
|                     | CVE-2019-6975    | HIGH     |                   | 2.1.6, 2.0.11, 1.11.19 | python-django: memory exhaustion in   |
|                     |                  |          |                   |                        | django.utils.numberformat.format()    |
|                     |                  |          |                   |                        | -->avd.aquasec.com/nvd/cve-2019-6975  |
+                     +------------------+          +                   +------------------------+---------------------------------------+
|                     | CVE-2020-9402    |          |                   | 3.0.4, 2.2.11, 1.11.29 | django: potential SQL injection       |
|                     |                  |          |                   |                        | via "tolerance" parameter in          |
|                     |                  |          |                   |                        | GIS functions and aggregates...       |
|                     |                  |          |                   |                        | -->avd.aquasec.com/nvd/cve-2020-9402  |
+                     +------------------+----------+                   +------------------------+---------------------------------------+
|                     | CVE-2019-3498    | MEDIUM   |                   | 2.1.5, 2.0.10, 1.11.18 | python-django: Content spoofing       |
|                     |                  |          |                   |                        | via URL path in default 404 page      |
|                     |                  |          |                   |                        | -->avd.aquasec.com/nvd/cve-2019-3498  |
+                     +------------------+          +                   +------------------------+---------------------------------------+
|                     | CVE-2020-13254   |          |                   | 3.0.7, 2.2.13          | django: potential data leakage        |
|                     |                  |          |                   |                        | via malformed memcached keys          |
|                     |                  |          |                   |                        | -->avd.aquasec.com/nvd/cve-2020-13254 |
+                     +------------------+          +                   +                        +---------------------------------------+
|                     | CVE-2020-13596   |          |                   |                        | django: possible XSS via              |
|                     |                  |          |                   |                        | admin ForeignKeyRawIdWidget           |
|                     |                  |          |                   |                        | -->avd.aquasec.com/nvd/cve-2020-13596 |
+---------------------+------------------+----------+-------------------+------------------------+---------------------------------------+
| django-cors-headers | pyup.io-37132    | UNKNOWN  | 2.5.2             | 3.0.0                  | In django-cors-headers                |
|                     |                  |          |                   |                        | version 3.0.0,                        |
|                     |                  |          |                   |                        | ``CORS_ORIGIN_WHITELIST``             |
|                     |                  |          |                   |                        | requires URI schemes, and             |
|                     |                  |          |                   |                        | optionally ports. This...             |
+---------------------+------------------+----------+-------------------+------------------------+---------------------------------------+
| djangorestframework | CVE-2020-25626   | MEDIUM   | 3.9.2             | 3.11.2                 | django-rest-framework: XSS            |
|                     |                  |          |                   |                        | Vulnerability in API viewer           |
|                     |                  |          |                   |                        | -->avd.aquasec.com/nvd/cve-2020-25626 |
+---------------------+------------------+----------+-------------------+------------------------+---------------------------------------+
| httplib2            | CVE-2021-21240   | HIGH     | 0.12.1            | 0.19.0                 | python-httplib2: Regular              |
|                     |                  |          |                   |                        | expression denial of                  |
|                     |                  |          |                   |                        | service via malicious header          |
|                     |                  |          |                   |                        | -->avd.aquasec.com/nvd/cve-2021-21240 |
+                     +------------------+----------+                   +------------------------+---------------------------------------+
|                     | CVE-2020-11078   | MEDIUM   |                   | 0.18.0                 | python-httplib2: CRLF injection       |
|                     |                  |          |                   |                        | via an attacker controlled            |
|                     |                  |          |                   |                        | unescaped part of uri for...          |
|                     |                  |          |                   |                        | -->avd.aquasec.com/nvd/cve-2020-11078 |
+                     +------------------+----------+                   +                        +---------------------------------------+
|                     | pyup.io-38303    | UNKNOWN  |                   |                        | Httplib2 0.18.0 is an                 |
|                     |                  |          |                   |                        | important security update to          |
|                     |                  |          |                   |                        | patch a CWE-93 CRLF...                |
+---------------------+------------------+          +-------------------+------------------------+---------------------------------------+
| jinja2              | pyup.io-39525    |          | 2.10.1            | 2.11.3                 | This affects the package              |
|                     |                  |          |                   |                        | jinja2 from 0.0.0 and before          |
|                     |                  |          |                   |                        | 2.11.3. The ReDOS...                  |
+---------------------+------------------+----------+-------------------+------------------------+---------------------------------------+
| py                  | CVE-2020-29651   | HIGH     | 1.8.0             |                        | python-py: ReDoS in the py.path.svnwc |
|                     |                  |          |                   |                        | component via malicious input         |
|                     |                  |          |                   |                        | to blame functionality...             |
|                     |                  |          |                   |                        | -->avd.aquasec.com/nvd/cve-2020-29651 |
+---------------------+------------------+----------+-------------------+------------------------+---------------------------------------+
| pyyaml              | CVE-2019-20477   | CRITICAL |               5.1 |                        | PyYAML: command execution             |
|                     |                  |          |                   |                        | through python/object/apply           |
|                     |                  |          |                   |                        | constructor in FullLoader             |
|                     |                  |          |                   |                        | -->avd.aquasec.com/nvd/cve-2019-20477 |
+                     +------------------+          +                   +------------------------+---------------------------------------+
|                     | CVE-2020-14343   |          |                   |                    5.4 | PyYAML: incomplete                    |
|                     |                  |          |                   |                        | fix for CVE-2020-1747                 |
|                     |                  |          |                   |                        | -->avd.aquasec.com/nvd/cve-2020-14343 |
+                     +------------------+          +                   +------------------------+---------------------------------------+
|                     | CVE-2020-1747    |          |                   | 5.3.1                  | PyYAML: arbitrary command             |
|                     |                  |          |                   |                        | execution through python/object/new   |
|                     |                  |          |                   |                        | when FullLoader is used               |
|                     |                  |          |                   |                        | -->avd.aquasec.com/nvd/cve-2020-1747  |
+---------------------+------------------+----------+-------------------+------------------------+---------------------------------------+
| urllib3             | CVE-2019-11324   | HIGH     | 1.24.1            | 1.24.2                 | python-urllib3: Certification         |
|                     |                  |          |                   |                        | mishandle when error should be thrown |
|                     |                  |          |                   |                        | -->avd.aquasec.com/nvd/cve-2019-11324 |
+                     +------------------+----------+                   +------------------------+---------------------------------------+
|                     | CVE-2019-11236   | MEDIUM   |                   |                        | python-urllib3: CRLF injection        |
|                     |                  |          |                   |                        | due to not encoding the               |
|                     |                  |          |                   |                        | '\r\n' sequence leading to...         |
|                     |                  |          |                   |                        | -->avd.aquasec.com/nvd/cve-2019-11236 |
+                     +------------------+          +                   +------------------------+---------------------------------------+
|                     | CVE-2020-26137   |          |                   | 1.25.9                 | python-urllib3: CRLF injection        |
|                     |                  |          |                   |                        | via HTTP request method               |
|                     |                  |          |                   |                        | -->avd.aquasec.com/nvd/cve-2020-26137 |
+---------------------+------------------+----------+-------------------+------------------------+---------------------------------------+

Misconfigurations

It is disabled by default and can be enabled with --scanners config. See the misconfiguration scanning documentation for details.

$ trivy repo --scanners config [YOUR_REPO_URL]

Secrets

It is enabled by default. See the secret scanning documentation for details.

$ trivy repo [YOUR_REPO_URL]

Licenses

It is disabled by default. See the license scanning documentation for details.

$ trivy repo --scanners license [YOUR_REPO_URL]

SBOM generation

Trivy can generate an SBOM for git repositories. See the SBOM documentation for details.

References

Scanning a Branch

Pass a --branch argument with a valid branch name on the remote repository provided:

$ trivy repo --branch <branch-name> <repo-url>

Scanning up to a Commit

Pass a --commit argument with a valid commit hash on the remote repository provided. A commit hash is the only selector that cannot be moved afterwards (branches can be force-pushed and tags re-pointed), so pin to a commit when a scan result has to be reproducible:

$ trivy repo --commit <commit-hash> <repo-url>

Scanning a Tag

Pass a --tag argument with a valid tag on the remote repository provided:

$ trivy repo --tag <tag-name> <repo-url>

Scanning Private Repositories

In order to scan private GitHub or GitLab repositories, the environment variable GITHUB_TOKEN or GITLAB_TOKEN must be set, respectively, with a valid token that has access to the private repository being scanned.

The GITHUB_TOKEN environment variable takes precedence over GITLAB_TOKEN, so if a private GitLab repository is to be scanned, GITHUB_TOKEN must be unset.

See the GitHub documentation on personal access tokens for how to generate a GitHub token. Use a token with read-only access scoped to the repositories you need to scan, and supply it from your CI secret store rather than committing it or passing it on the command line.

For example:

$ export GITHUB_TOKEN="your_private_github_token"
$ trivy repo <your private GitHub repo URL>
$
$ # or
$ export GITLAB_TOKEN="your_private_gitlab_token"
$ trivy repo <your private GitLab repo URL>
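
As an added example (not Trivy's own code), the wrapper script below ties the options on this page together for a CI job: it picks the scanner set, translates a branch/commit/tag selector into the matching --branch/--commit/--tag flag, exports only the token that matches the host being scanned (unsetting GITHUB_TOKEN before scanning a GitLab URL because of the precedence described above), and makes the job fail on HIGH or CRITICAL findings that have a fix available. TRIVY_BIN, GH_SCAN_TOKEN, GL_SCAN_TOKEN and the branch=/commit=/tag= selector syntax are assumptions of this example, not Trivy options; --scanners, --severity, --ignore-unfixed and --exit-code are standard Trivy flags.

```sh
#!/bin/sh
# Added example: CI wrapper around `trivy repo`. Not part of Trivy.
# Assumptions (not from the page): trivy is on PATH or named by TRIVY_BIN;
# the CI secret store exposes GH_SCAN_TOKEN / GL_SCAN_TOKEN (hypothetical
# names); refs are passed as branch=NAME, commit=SHA or tag=NAME.
set -eu

TRIVY_BIN="${TRIVY_BIN:-trivy}"

# Export exactly one of GITHUB_TOKEN / GITLAB_TOKEN for the host being scanned.
# Trivy reads GITHUB_TOKEN first, so a stale GITHUB_TOKEN left in the CI
# environment would silently be used for a GitLab URL; unset it explicitly.
select_token() {
  case "$1" in
    https://github.com/*)
      unset GITLAB_TOKEN
      GITHUB_TOKEN="${GH_SCAN_TOKEN:?GH_SCAN_TOKEN is not set}"
      export GITHUB_TOKEN ;;
    https://gitlab.com/*)
      unset GITHUB_TOKEN
      GITLAB_TOKEN="${GL_SCAN_TOKEN:?GL_SCAN_TOKEN is not set}"
      export GITLAB_TOKEN ;;
    *)
      # Public or unknown host: make sure no token is sent to it.
      unset GITHUB_TOKEN GITLAB_TOKEN ;;
  esac
}

# Translate a ref selector into the matching trivy flag and print it
# ("--branch main", "--commit <sha>", "--tag v1.0"); empty selector = HEAD.
ref_flag() {
  case "${1:-}" in
    "")        ;;
    branch=*)  printf '%s %s' --branch "${1#branch=}" ;;
    commit=*)  printf '%s %s' --commit "${1#commit=}" ;;
    tag=*)     printf '%s %s' --tag "${1#tag=}" ;;
    *)         echo "unknown ref selector: $1" >&2; return 2 ;;
  esac
}

# scan_repo <repo-url> [ref-selector] [scanners]
# Exits 1 (from --exit-code) when a HIGH/CRITICAL finding with an available
# fix is reported; unfixed findings are dropped by --ignore-unfixed.
scan_repo() {
  repo="$1"
  scanners="${3:-vuln,secret}"      # the defaults described on this page
  ref_args=$(ref_flag "${2:-}")     # plain assignment so set -e catches a bad selector
  select_token "$repo"
  # $ref_args is intentionally unquoted: it expands to zero or two words.
  "$TRIVY_BIN" repo \
    --scanners "$scanners" \
    --severity HIGH,CRITICAL \
    --ignore-unfixed \
    --exit-code 1 \
    $ref_args \
    "$repo"
}

# Usage: ./scan.sh https://github.com/org/app tag=v1.2.0 vuln,secret,config
if [ -n "${1:-}" ]; then
  scan_repo "$@"
fi
```

The token selection deliberately keys on the URL rather than on which variable happens to be set, so a GITHUB_TOKEN inherited from an earlier job step cannot be used against GitLab by accident. Dropping --ignore-unfixed will make advisories without a fixed version (such as the deprecated tempdir crate in the Cargo.lock output above) count towards the gate as well.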