
Reporting

Format

Trivy supports the following formats:

  • Table
  • JSON
  • SARIF
  • Template
  • SBOM
  • GitHub dependency snapshot

Table (Default)

Scanner Supported
Vulnerability
Misconfiguration
Secret
License

$ trivy image -f table golang:1.12-alpine

Show origins of vulnerable dependencies

Scanner Supported
Vulnerability
Misconfiguration
Secret
License

EXPERIMENTAL

This feature might change without preserving backwards compatibility.

Modern software development relies on third-party libraries, and those libraries have dependencies of their own, so the full set of dependencies forms a dependency graph. Often a vulnerable package is not something the project depends on directly but something pulled in several levels down, and working out why it is installed requires walking that graph. To make this easier, Trivy can print a dependency origin tree with the --dependency-tree flag. The flag is only available together with --format table.

The following OS package managers are currently supported:

OS Package Managers
apk
dpkg
rpm

The following languages are currently supported:

Language   File
Node.js    package-lock.json, pnpm-lock.yaml, yarn.lock
.NET       packages.lock.json
Python     poetry.lock
Ruby       Gemfile.lock
Rust       cargo-auditable binaries
Go         go.mod
PHP        composer.lock
Java       pom.xml, *gradle.lockfile
Dart       pubspec.lock

The tree is the reverse of the dependency graph: it starts at the vulnerable package and walks up through the packages that depend on it. That is exactly the direction you need when fixing a vulnerability in an indirect dependency, because it tells you where the package comes from and which direct dependency you actually have to update.

In table output, it looks like:

$ trivy fs --severity HIGH,CRITICAL --dependency-tree /path/to/your_node_project

package-lock.json (npm)
=======================
Total: 2 (HIGH: 1, CRITICAL: 1)

┌──────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                           Title                            │
├──────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ follow-redirects │ CVE-2022-0155  │ HIGH     │ 1.14.6            │ 1.14.7        │ follow-redirects: Exposure of Private Personal Information │
│                  │                │          │                   │               │ to an Unauthorized Actor                                   │
│                  │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-0155                  │
├──────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ glob-parent      │ CVE-2020-28469 │ CRITICAL │ 3.1.0             │ 5.1.2         │ nodejs-glob-parent: Regular expression denial of service   │
│                  │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-28469                 │
└──────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

Dependency Origin Tree (Reversed)
=================================
package-lock.json
├── follow-redirects@1.14.6, (HIGH: 1, CRITICAL: 0)
│   └── axios@0.21.4
└── glob-parent@3.1.0, (HIGH: 0, CRITICAL: 1)
    └── chokidar@2.1.8
        └── watchpack-chokidar2@2.0.1
            └── watchpack@1.7.5
                └── webpack@4.46.0
                    └── cra-append-sw@2.7.0

Vulnerable packages are the top-level nodes of the tree; each level below shows which package pulls in the one above it. In the example above, axios@0.21.4, a direct dependency of the project, depends on the vulnerable follow-redirects@1.14.6, and glob-parent@3.1.0 is pulled in through a chain that starts at the direct dependency cra-append-sw@2.7.0.

So the packages you actually control are axios@0.21.4 and cra-append-sw@2.7.0: upgrade them to releases that depend on follow-redirects 1.14.7 or later and glob-parent 5.1.2 or later (the Fixed Version column above). If no such release exists yet, the fallback is to pin the transitive package yourself (npm overrides or yarn resolutions) and re-run the scan to confirm the finding is gone.
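To see what the reversed tree is built from, here is an added example (not Trivy's own code) that reconstructs the same origin chains from a package-lock.json using npm's node_modules lookup rule. The lock file is constructed to mirror the two findings above: the package names and versions match the page, the dependency ranges are assumptions, and the nested glob-parent copy shows why the vulnerable version can differ from the hoisted top-level one.

```python
"""Reconstruct Trivy's 'Dependency Origin Tree (Reversed)' from a package-lock.json.

Added example, not Trivy's own code. The lock file below is constructed to mirror
the two findings in the table above; package names and versions match the page,
the dependency ranges are assumptions.
"""
import json
from collections import defaultdict

# Constructed lockfileVersion 3 fragment (npm 7+). Keys are node_modules paths;
# "" is the project itself. npm hoists glob-parent 5.1.2 to the top level and
# keeps the older 3.1.0 that chokidar needs nested under chokidar.
LOCK_JSON = json.dumps({
    "name": "your_node_project",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"axios": "^0.21.4", "cra-append-sw": "^2.7.0"}},
        "node_modules/axios": {"version": "0.21.4",
                               "dependencies": {"follow-redirects": "^1.14.0"}},
        "node_modules/follow-redirects": {"version": "1.14.6"},
        "node_modules/cra-append-sw": {"version": "2.7.0",
                                       "dependencies": {"webpack": "^4.46.0"}},
        "node_modules/webpack": {"version": "4.46.0",
                                 "dependencies": {"watchpack": "^1.7.4"}},
        "node_modules/watchpack": {"version": "1.7.5",
                                   "dependencies": {"watchpack-chokidar2": "^2.0.1"}},
        "node_modules/watchpack-chokidar2": {"version": "2.0.1",
                                             "dependencies": {"chokidar": "^2.1.8"}},
        "node_modules/chokidar": {"version": "2.1.8",
                                  "dependencies": {"glob-parent": "^3.1.0"}},
        "node_modules/glob-parent": {"version": "5.1.2"},
        "node_modules/chokidar/node_modules/glob-parent": {"version": "3.1.0"},
    },
})


def resolve(packages, from_path, name):
    """npm's lookup rule: <from_path>/node_modules/<name>, then walk up one
    node_modules level at a time until the top-level node_modules/<name>."""
    cur = from_path
    while True:
        cand = f"{cur}/node_modules/{name}" if cur else f"node_modules/{name}"
        if cand in packages:
            return cand
        if not cur:
            return None  # not installed (e.g. optional dependency that was skipped)
        cur = cur[:cur.rfind("node_modules/")].rstrip("/")


def label(path, packages):
    """'name@version' for a node_modules path."""
    return f"{path.rsplit('node_modules/', 1)[1]}@{packages[path]['version']}"


def reverse_edges(packages):
    """Map each installed path to the set of paths that depend on it
    (the reverse of the dependency graph)."""
    dependents = defaultdict(set)
    for path, meta in packages.items():
        for dep in meta.get("dependencies", {}):
            target = resolve(packages, path, dep)
            if target is not None:
                dependents[target].add(path)
    return dependents


def origin_chains(lock_json, name, version):
    """Every chain from name@version up to the direct dependency that pulls it
    in, as lists of labels with the vulnerable package first."""
    packages = json.loads(lock_json)["packages"]
    dependents = reverse_edges(packages)
    chains = []

    def walk(path, chain):
        parents = dependents.get(path, set())
        if "" in parents:  # the project itself depends on this package
            chains.append([label(p, packages) for p in chain])
        for parent in sorted(parents - {""}):
            if parent not in chain:  # guard against dependency cycles
                walk(parent, chain + [parent])

    for path in packages:
        if path and label(path, packages) == f"{name}@{version}":
            walk(path, [path])
    return chains


if __name__ == "__main__":
    for pkg in [("follow-redirects", "1.14.6"), ("glob-parent", "3.1.0")]:
        for chain in origin_chains(LOCK_JSON, *pkg):
            print(" <- ".join(chain))
```

Run stand-alone it prints one chain per finding, ending at the direct dependency to update; the hoisted glob-parent@5.1.2 yields no chain because nothing in the lock file resolves to it, which is the same reason Trivy does not list it.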

JSON

Scanner Supported
Vulnerability
Misconfiguration
Secret
License

$ trivy image -f json -o results.json golang:1.12-alpine

Result (Trivy's progress log, which goes to stderr and therefore never ends up inside the JSON file):

2019-05-16T01:46:31.777+0900    INFO    Updating vulnerability database...
2019-05-16T01:47:03.007+0900    INFO    Detecting Alpine vulnerabilities...

JSON (the sample below comes from a scan of the trivy-ci-test repository rather than the golang image, as the Target values show, which is why it lists several lockfiles alongside an Alpine target; the structure is the same for an image scan):
[
  {
    "Target": "php-app/composer.lock",
    "Vulnerabilities": null
  },
  {
    "Target": "node-app/package-lock.json",
    "Vulnerabilities": [
      {
        "VulnerabilityID": "CVE-2018-16487",
        "PkgName": "lodash",
        "InstalledVersion": "4.17.4",
        "FixedVersion": "\u003e=4.17.11",
        "Title": "lodash: Prototype pollution in utilities function",
        "Description": "A prototype pollution vulnerability was found in lodash \u003c4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.",
        "Severity": "HIGH",
        "References": [
          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16487"
        ]
      }
    ]
  },
  {
    "Target": "trivy-ci-test (alpine 3.7.1)",
    "Vulnerabilities": [
      {
        "VulnerabilityID": "CVE-2018-16840",
        "PkgName": "curl",
        "InstalledVersion": "7.61.0-r0",
        "FixedVersion": "7.61.1-r1",
        "Title": "curl: Use-after-free when closing \"easy\" handle in Curl_close()",
        "Description": "A heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. ",
        "Severity": "HIGH",
        "References": [
          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16840"
        ]
      },
      {
        "VulnerabilityID": "CVE-2019-3822",
        "PkgName": "curl",
        "InstalledVersion": "7.61.0-r0",
        "FixedVersion": "7.61.1-r2",
        "Title": "curl: NTLMv2 type-3 header stack buffer overflow",
        "Description": "libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. ",
        "Severity": "HIGH",
        "References": [
          "https://curl.haxx.se/docs/CVE-2019-3822.html",
          "https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f@%3Cdevnull.infra.apache.org%3E"
        ]
      },
      {
        "VulnerabilityID": "CVE-2018-16839",
        "PkgName": "curl",
        "InstalledVersion": "7.61.0-r0",
        "FixedVersion": "7.61.1-r1",
        "Title": "curl: Integer overflow leading to heap-based buffer overflow in Curl_sasl_create_plain_message()",
        "Description": "Curl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service.",
        "Severity": "HIGH",
        "References": [
          "https://github.com/curl/curl/commit/f3a24d7916b9173c69a3e0ee790102993833d6c5"
        ]
      },
      {
        "VulnerabilityID": "CVE-2018-19486",
        "PkgName": "git",
        "InstalledVersion": "2.15.2-r0",
        "FixedVersion": "2.15.3-r0",
        "Title": "git: Improper handling of PATH allows for commands to be executed from the current directory",
        "Description": "Git before 2.19.2 on Linux and UNIX executes commands from the current working directory (as if '.' were at the end of $PATH) in certain cases involving the run_command() API and run-command.c, because there was a dangerous change from execvp to execv during 2017.",
        "Severity": "HIGH",
        "References": [
          "https://usn.ubuntu.com/3829-1/"
        ]
      },
      {
        "VulnerabilityID": "CVE-2018-17456",
        "PkgName": "git",
        "InstalledVersion": "2.15.2-r0",
        "FixedVersion": "2.15.3-r0",
        "Title": "git: arbitrary code execution via .gitmodules",
        "Description": "Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive \"git clone\" of a superproject if a .gitmodules file has a URL field beginning with a '-' character.",
        "Severity": "HIGH",
        "References": [
          "http://www.securitytracker.com/id/1041811"
        ]
      }
    ]
  },
  {
    "Target": "python-app/Pipfile.lock",
    "Vulnerabilities": null
  },
  {
    "Target": "ruby-app/Gemfile.lock",
    "Vulnerabilities": null
  },
  {
    "Target": "rust-app/Cargo.lock",
    "Vulnerabilities": null
  }
]

VulnerabilityID, PkgName, InstalledVersion, and Severity are always populated for each entry in Vulnerabilities; every other field (FixedVersion, Title, Description, References, ...) may be absent or empty. For a target with no findings, Vulnerabilities is null rather than an empty array, as the composer.lock and Pipfile.lock entries above show, so anything that consumes the report must handle both a null list and missing fields. Treat a missing FixedVersion as "no fix available yet", not as a parsing error.
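As an added example (not part of Trivy), the script below consumes a report of this shape the way a CI gate would: it tolerates null Vulnerabilities lists and missing FixedVersion fields, counts findings per severity, and decides whether to fail the build. It accepts both the flat array shown above and the newer form in which Trivy wraps the same array as {"Results": [...]}. The sample report is constructed from the page's entries plus one placeholder finding (TEST-0001, not a real advisory) that has no fix; because it reads stdin when nothing else is given, the same script can be wired up as an output plugin as described under Output below.

```python
"""Consume a Trivy JSON report the way a CI gate or an output plugin would.

Added example, not part of Trivy. The report below is constructed from the
page's sample (a flat array of results); newer Trivy releases wrap the same
array as {"Results": [...]}, and both shapes are accepted. Severity names are
Trivy's; the gating policy is this script's own.
"""
import json
import sys

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample: a target with no findings (Vulnerabilities is null), two
# fixed findings taken from the page, and one placeholder finding with no
# FixedVersion (TEST-0001 is not a real advisory). Only VulnerabilityID,
# PkgName, InstalledVersion and Severity are guaranteed to be present.
SAMPLE_REPORT = json.dumps([
    {"Target": "php-app/composer.lock", "Vulnerabilities": None},
    {"Target": "node-app/package-lock.json", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2018-16487", "PkgName": "lodash",
         "InstalledVersion": "4.17.4", "FixedVersion": ">=4.17.11",
         "Severity": "HIGH"},
    ]},
    {"Target": "trivy-ci-test (alpine 3.7.1)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2018-16840", "PkgName": "curl",
         "InstalledVersion": "7.61.0-r0", "FixedVersion": "7.61.1-r1",
         "Severity": "HIGH"},
        {"VulnerabilityID": "TEST-0001", "PkgName": "example-pkg",
         "InstalledVersion": "1.0.0", "Severity": "CRITICAL"},
    ]},
])


def iter_findings(report_text):
    """Yield (target, finding) for every vulnerability in either JSON shape."""
    doc = json.loads(report_text)
    results = doc.get("Results") if isinstance(doc, dict) else doc
    for result in results or []:
        # A target with no findings has "Vulnerabilities": null, not [].
        for vuln in result.get("Vulnerabilities") or []:
            yield result["Target"], vuln


def rank(severity):
    """Position in SEVERITY_ORDER; anything unexpected counts as UNKNOWN."""
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else 0


def summarize(report_text):
    """Count findings per severity."""
    counts = {sev: 0 for sev in SEVERITY_ORDER}
    for _, vuln in iter_findings(report_text):
        counts[SEVERITY_ORDER[rank(vuln["Severity"])]] += 1
    return counts


def gate(report_text, threshold="HIGH", ignore_unfixed=False):
    """Findings that should fail the build: severity >= threshold and, when
    ignore_unfixed is set, only those with a FixedVersion (the same idea as
    Trivy's --severity and --ignore-unfixed flags, applied after the fact)."""
    blocking = []
    for target, vuln in iter_findings(report_text):
        if rank(vuln["Severity"]) < rank(threshold):
            continue
        fix = vuln.get("FixedVersion")  # may be absent or empty
        if ignore_unfixed and not fix:
            continue
        blocking.append({
            "target": target,
            "id": vuln["VulnerabilityID"],
            "pkg": f"{vuln['PkgName']}@{vuln['InstalledVersion']}",
            "fix": fix or "unfixed",
            "severity": vuln["Severity"],
        })
    return blocking


def main():
    # Input: a file written with --output, or stdin when Trivy invokes this
    # script as an output plugin (--format json --output plugin=<name>);
    # with neither, run on the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    elif not sys.stdin.isatty():
        text = sys.stdin.read()
    else:
        text = SAMPLE_REPORT
    blocking = gate(text, threshold="HIGH", ignore_unfixed=True)
    for b in blocking:
        print(f"{b['severity']:<8} {b['id']:<16} {b['pkg']} -> {b['fix']}  ({b['target']})")
    print("summary:", summarize(text))
    sys.exit(1 if blocking else 0)


if __name__ == "__main__":
    main()
```

The exit status is what a pipeline step keys on; the printed lines are for the human reading the job log. Gating on ignore_unfixed=True is a deliberate policy choice: it keeps the build green while a fix does not exist yet, at the cost of hiding the unfixed CRITICAL in the summary only.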

SARIF

Scanner Supported
Vulnerability
Misconfiguration
Secret
License

SARIF can be generated with the --format sarif flag.

$ trivy image --format sarif -o report.sarif  golang:1.12-alpine

This SARIF file can be uploaded to GitHub code scanning results, and there is a Trivy GitHub Action for automating this process.

GitHub dependency snapshot

Trivy supports the following packages.

GitHub dependency snapshots can be generated with the --format github flag.

$ trivy image --format github -o report.gsbom alpine

This snapshot file can be submitted to the GitHub dependency submission API for your repository, which makes the scanned packages appear in the repository's dependency graph and makes them eligible for Dependabot alerts.

Template

Scanner Supported
Vulnerability
Misconfiguration
Secret
License

Custom Template

$ trivy image --format template --template "{{ range . }} {{ .Target }} {{ end }}" golang:1.12-alpine
Result
2020-01-02T18:02:32.856+0100    INFO    Detecting Alpine vulnerabilities...
 golang:1.12-alpine (alpine 3.10.2)

The template engine exposes the sprig function library, so you can compute figures inside the template instead of post-processing the output. As an example, the following template counts the CRITICAL and HIGH findings across all targets:

$ trivy image --format template --template '{{- $critical := 0 }}{{- $high := 0 }}{{- range . }}{{- range .Vulnerabilities }}{{- if  eq .Severity "CRITICAL" }}{{- $critical = add $critical 1 }}{{- end }}{{- if  eq .Severity "HIGH" }}{{- $high = add $high 1 }}{{- end }}{{- end }}{{- end }}Critical: {{ $critical }}, High: {{ $high }}' golang:1.12-alpine
Result
Critical: 0, High: 2

For other features of sprig, see the official sprig documentation.

Load templates from a file

You can load templates from a file prefixing the template path with an @.

$ trivy image --format template --template "@/path/to/template" golang:1.12-alpine

Default Templates

If Trivy is installed from the rpm package, the default templates are in /usr/local/share/trivy/templates. The same files are kept in the contrib/ directory of the Trivy source repository, which is what the @contrib/... paths in the examples below refer to; adjust the path to wherever the templates live on your system.

JUnit
Scanner Supported
Vulnerability
Misconfiguration
Secret
License

The following example uses the bundled junit.tpl template to generate JUnit XML, which most CI systems can ingest as test results so that findings show up as failed test cases.

$ trivy image --format template --template "@contrib/junit.tpl" -o junit-report.xml  golang:1.12-alpine

ASFF
Scanner Supported
Vulnerability
Misconfiguration
Secret
License

Trivy also ships an ASFF template (contrib/asff.tpl) for reporting findings to AWS Security Hub in the AWS Security Finding Format.

HTML
Scanner Supported
Vulnerability
Misconfiguration
Secret
License

$ trivy image --format template --template "@contrib/html.tpl" -o report.html golang:1.12-alpine

The following example shows the use of the default HTML template when Trivy has been installed from the rpm package.

$ trivy image --format template --template "@/usr/local/share/trivy/templates/html.tpl" -o report.html golang:1.12-alpine

SBOM

See the SBOM section of the documentation for details.

Output

Trivy supports the following output destinations:

  • File
  • Plugin

File

By specifying --output <file_path>, you can output the results to a file. Here is an example:

$ trivy image --format json --output result.json debian:12

Plugin

EXPERIMENTAL

This feature might change without preserving backwards compatibility.

Plugins capable of receiving Trivy's results via standard input, called "output plugin", can be seamlessly invoked using the --output flag.

$ trivy <target> [--format <format>] --output plugin=<plugin_name> [--output-plugin-arg <plugin_flags>] <target_name>

This is useful when you want to convert the output into a custom format or send it somewhere else, such as a ticketing system, a chat channel, or a database. See the plugin documentation for details.

Converting

To generate multiple reports, you can generate the JSON report first and convert it to other formats with the convert subcommand.

$ trivy image --format json -o result.json --list-all-pkgs debian:11
$ trivy convert --format cyclonedx --output result.cdx result.json

Note

Please note that if you want to convert to a format that requires a list of packages, such as SBOM, you need to add the --list-all-pkgs flag when outputting in JSON.

Filtering options such as --severity are also available with convert.

# Output all severities in JSON
$ trivy image --format json -o result.json --list-all-pkgs debian:11

# Output only critical issues in table format
$ trivy convert --format table --severity CRITICAL result.json

Note

JSON reports from "trivy aws" and "trivy k8s" are not yet supported.