Skip to content
  • v0.18.3
  • 85e45ca
  • Compare
    Choose a tag to compare
    Search for a tag
  • v0.18.3
  • 85e45ca
  • Compare
    Choose a tag to compare
    Search for a tag

@aqua-bot aqua-bot released this May 24, 2021

Changelog

85e45ca chore(ci): change to more granular tokens (#1014)
9fa512a chore(ci): add Go scanning and update dependencies (#1001)
349371b docs: Add HIGH severity to Trivy command in GitLab CI example to match comment (#1013)

Docker images

  • docker pull aquasec/trivy:0.18.3
  • docker pull ghcr.io/aquasecurity/trivy:0.18.3
  • docker pull public.ecr.aws/aquasecurity/trivy:0.18.3
  • docker pull aquasec/trivy:latest
  • docker pull ghcr.io/aquasecurity/trivy:latest
  • docker pull public.ecr.aws/aquasecurity/trivy:latest
Assets 28
  • v0.18.2
  • 4446961
  • Compare
    Choose a tag to compare
    Search for a tag
  • v0.18.2
  • 4446961
  • Compare
    Choose a tag to compare
    Search for a tag

@aqua-bot aqua-bot released this May 20, 2021

Changelog

4446961 fix(image): disable go.sum scanning (#1007)
04473ad fix(gomod): handle go.sum with an empty line (#1006)
1b66b77 feat: prepare for config scanning (#1005)
8fc6ea6 Clarify that dev dependencies are excluded (#986)

Docker images

  • docker pull aquasec/trivy:0.18.2
  • docker pull ghcr.io/aquasecurity/trivy:0.18.2
  • docker pull public.ecr.aws/aquasecurity/trivy:0.18.2
  • docker pull aquasec/trivy:latest
  • docker pull ghcr.io/aquasecurity/trivy:latest
  • docker pull public.ecr.aws/aquasecurity/trivy:latest
Assets 28
  • v0.18.1
  • eaf2da2
  • Compare
    Choose a tag to compare
    Search for a tag
  • v0.18.1
  • eaf2da2
  • Compare
    Choose a tag to compare
    Search for a tag

@aqua-bot aqua-bot released this May 13, 2021

Changelog

eaf2da2 Include target value in Sarif template ruleID (#991)
083c157 chore(mkdocs): allow workflow_dispatch (#989)

Docker images

  • docker pull aquasec/trivy:0.18.1
  • docker pull ghcr.io/aquasecurity/trivy:0.18.1
  • docker pull public.ecr.aws/aquasecurity/trivy:0.18.1
  • docker pull aquasec/trivy:latest
  • docker pull ghcr.io/aquasecurity/trivy:latest
  • docker pull public.ecr.aws/aquasecurity/trivy:latest
Assets 28
  • v0.18.0
  • e26e39a
  • Compare
    Choose a tag to compare
    Search for a tag
  • v0.18.0
  • e26e39a
  • Compare
    Choose a tag to compare
    Search for a tag

@aqua-bot aqua-bot released this May 12, 2021

Release Note

#990

Changelog

e26e39a fix(vuln) unique vulnerabilities from different data sources (#984)
04e7cca feat(go): added support of gomod analyzer (#978)

Docker images

  • docker pull aquasec/trivy:0.18.0
  • docker pull ghcr.io/aquasecurity/trivy:0.18.0
  • docker pull public.ecr.aws/aquasecurity/trivy:0.18.0
  • docker pull aquasec/trivy:latest
  • docker pull ghcr.io/aquasecurity/trivy:latest
  • docker pull public.ecr.aws/aquasecurity/trivy:latest
Assets 28
  • v0.17.2
  • 415e1d8
  • Compare
    Choose a tag to compare
    Search for a tag
  • v0.17.2
  • 415e1d8
  • Compare
    Choose a tag to compare
    Search for a tag

@aqua-bot aqua-bot released this May 1, 2021

Changelog

415e1d8 fix: scan only regular files (#976)
3bb8852 docs: mention upx binaries (#974)
c0fddd9 chore: upgrade alpine to fix git and libcurl vulnerabilities in trivy docker image scan (#971)

Docker images

  • docker pull aquasec/trivy:0.17.2
  • docker pull ghcr.io/aquasecurity/trivy:0.17.2
  • docker pull public.ecr.aws/aquasecurity/trivy:0.17.2
  • docker pull aquasec/trivy:latest
  • docker pull ghcr.io/aquasecurity/trivy:latest
  • docker pull public.ecr.aws/aquasecurity/trivy:latest
Assets 28
  • v0.17.1
  • 41c066d
  • Compare
    Choose a tag to compare
    Search for a tag
  • v0.17.1
  • 41c066d
  • Compare
    Choose a tag to compare
    Search for a tag

@aqua-bot aqua-bot released this Apr 30, 2021

Changelog

41c066d fix(fs): skip dirs (#969)

Docker images

  • docker pull aquasec/trivy:0.17.1
  • docker pull ghcr.io/aquasecurity/trivy:0.17.1
  • docker pull public.ecr.aws/aquasecurity/trivy:0.17.1
  • docker pull aquasec/trivy:latest
  • docker pull ghcr.io/aquasecurity/trivy:latest
  • docker pull public.ecr.aws/aquasecurity/trivy:latest
Assets 28
  • v0.17.0
  • 2316931
  • Compare
    Choose a tag to compare
    Search for a tag
  • v0.17.0
  • 2316931
  • Compare
    Choose a tag to compare
    Search for a tag

@aqua-bot aqua-bot released this Apr 29, 2021

Release Note

#966

Changelog

2316931 chore(ci): replace GITHUB_TOKEN with ORG_GITHUB_TOKEN (#965)
77f3d55 chore(ci): clone trivy-repo after releasing binaries (#963)
b319579 docs: add golang support (#962)
0c0febe fix(table): skip zero vulnerabilities on java (#961)
d41736b chore(ci): create a release discussion (#959)
c88bbbd feat(go): support binary scan (#948)
d88b7cf feat(java): support GitLab Advisory Database (#917)
1385fa4 feat: show help message when the context's deadline passes (#955)
0346a10 chore(mkdocs): replace github token (#954)
60a4e7e Update SARIF report template (#935)
39ab6bd Update install docs to make commands consistent (#933)
0518d27 Docker multi-platform image build with buildx, using Goreleaser (#915)
a6b8ec3 Fix JUnit template for AWS CodeBuild compatibility (#904)
6d22387 break(cli): use StringSliceFlag for skip-dirs/files (#916)
7221579 docs: add white logo (#914)
ee29ffa add package name in ruleID (#913)
8935aa6 feat: gh-action for stale issues (#908)
288481f chore(triage): add lifecycle/active label (#909)
f961e99 feat: publish helm repository (#888)
0edf73b Fix Documentation Typo (#901)
f5b060a docs: migrate README to MkDocs (#884)
c26a3e4 refactor(internal): export internal packages (#887)
8b3b5d0 feat: support plugins (#878)
37edc66 chore(ci): deploy dev docs only for the main branch (#882)
becd508 add MkDocs implementation (#870)
e517bef docs(README): update ubuntu versions (#877)
da2b28a support Ubuntu 20.10 (#876)
965bb6d feat(cache): introduce versioned cache (#865)
0497286 chore: bump up Go to 1.16 (#861)
fcb9a93 fix: allow the latest tag (#864)
425eaf8 feat: disable analyzers (#846)
47ce996 chore(ci): push the official image to public ECR (#855)
e890ae0 chore(ci): migrate CircleCI to GitHub Actions (#850)
9bc3565 adds example with multistage build (#853)
a0cd5d7 remove SARIF helpUri if empty (#841) (#845)
3170dc3 Add Sprig to Template Engine (#832)
10ad2ed Fix "GitLab CI using Trivy container" usage example (fixes #843) (#844)
c9f22f4 feat(java): support jar/war/ear (#837)
3047c52 fix(app): increase the default value of timeout (#842)
89e5295 Update README.md (#838)

Docker images

  • docker pull aquasec/trivy:0.17.0
  • docker pull ghcr.io/aquasecurity/trivy:0.17.0
  • docker pull public.ecr.aws/aquasecurity/trivy:0.17.0
  • docker pull aquasec/trivy:latest
  • docker pull ghcr.io/aquasecurity/trivy:latest
  • docker pull public.ecr.aws/aquasecurity/trivy:latest
Assets 28
  • v0.16.0
  • cdabe7f
  • Compare
    Choose a tag to compare
    Search for a tag
  • v0.16.0
  • cdabe7f
  • Compare
    Choose a tag to compare
    Search for a tag

@knqyf263 knqyf263 released this Feb 8, 2021

Features

Support Podman (#825)

[EXPERIMENTAL] This feature might change without preserving backwards compatibility.

Scan your image in Podman (>=2.0) running locally. The remote Podman is not supported. Before performing Trivy commands, you must enable the podman.sock systemd service on your machine. For more details, see here

$ systemctl --user enable --now podman.socket

Then, you can scan your image in Podman.

$ cat Dockerfile
FROM alpine:3.12
RUN apk add --no-cache bash
$ podman build -t test .
$ podman images
REPOSITORY                TAG     IMAGE ID      CREATED      SIZE
localhost/test            latest  efc372d4e0de  About a minute ago  7.94 MB
$ trivy image test

Support modular packages in RHEL 8/CentOS 8 (#790)

Trivy is able to scan RHEL 8/CentOS 8 more accurately now.

Add redis cache backend configuration options in the Helm chart (#784)

Trivy can be deployed to Kubernetes with Redis cache.

Thanks, @czunker!

Support PEP 440 (#816)

Trivy is able to scan Python vulnerabilities more accurately now.

Support alpine 3.13 (#819)

Trivy is able to scan Alpine Linux 3.13 now.

Fixes

  • Fix compatibility for Jenkins xunit plugin (#820)
  • Update EOL dates (#824)
  • Parse redis backend url (#804)
  • Fix errors in SARIF format (#801)
  • Fix env variable for github token (#796)
  • Set unknown severity for empty values (#793)
  • Remove global flags from filesystem command (#772)
  • Fix formatting of log message (#785)

Changelog

cdabe7f Fix compatibility for Jenkins xunit plugin (#820)
b0fe439 README: add Gitlab job that uses a container with trivy (#823)
6685cd4 feat: support Podman (#825)
7a683bd fix(eol): update EOL dates (#824)
6ed03a8 fix(python): follow PEP 440 (#816)
182cb80 Support alpine 3.13 (#819)
2acd1ca Changed the output string to "Using your github token". (#814)
dd35bfd Align comment with code (#812)
1f17e71 Parse redis backend url (#804)
0954f6b Update README.md (#810)
6b29bf1 Added nodeSelector, affinity and tolerations to helm chart (#803)
f6afdf0 Fix readme typo in policy flag (#805)
412847d Fix errors in SARIF format (#801)
5b27862 Fix env variable for github token (#796)
6ed25c1 fix(vulnerability): set unknown severity for empty values (#793)
e2c483f Remove global flags from filesystem command (#772)
5c5e0cb Add imagePullSecrets to helm Chart (#789)
b9b84cd Add redis cache backend configuration options (#784)
e517bcc Update README.md (#735)
7f5a6d4 feat(redhat): support modular packages (#790)
8de09dd Fix formatting of log message (#785)
e08ae8d chore(ci): migrate unit tests to GitHub Actions (#779)
a00d719 shifted: brews.github to brews.tap (#780)

Docker images

  • docker pull docker.io/aquasec/trivy:0.16.0
  • docker pull docker.io/aquasec/trivy:latest
  • docker pull ghcr.io/aquasecurity/trivy:0.16.0
  • docker pull ghcr.io/aquasecurity/trivy:latest
Assets 27
  • v0.15.0
  • 08ca1b0
  • Compare
    Choose a tag to compare
    Search for a tag
  • v0.15.0
  • 08ca1b0
  • Compare
    Choose a tag to compare
    Search for a tag

@knqyf263 knqyf263 released this Dec 21, 2020

Features

NuGet Scanner (#686)

Trivy now supports a lock file packages.lock.json of NuGet.

packages.lock.json
==================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

+-------------+------------------+----------+-------------------+----------------+--------------------------------------+
|   LIBRARY   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION  |                TITLE                 |
+-------------+------------------+----------+-------------------+----------------+--------------------------------------+
| MessagePack | CVE-2020-5234    | MEDIUM   | 1.9.10            | 2.1.90, 1.9.11 | Untrusted data can lead to DoS       |
|             |                  |          |                   |                | attack due to hash collisions and... |
|             |                  |          |                   |                | -->avd.aquasec.com/nvd/cve-2020-5234 |
+-------------+------------------+----------+-------------------+----------------+--------------------------------------+

Thanks to @Johannestegner

Redis support as the cache backend (#770)

For the detail, see here

$ docker run -d --name redis -p 6379:6379 redis:5.0
$ trivy server --cache-backend redis://localhost:6379
$ trivy client alpine:3.11

HTML template (#567)

$ trivy image -f template --template "@contrib/html.tpl" -o report.html alpine:3.12 

Thanks to @irrandon

Helm chart (#751, #769)

For the detail, see here

$ cd helm/trivy
$ helm install my-release .

Thanks to @czunker

Fixes

redhat: skip modular packages (#776)

Close #771 and #741

Thanks to @masahiro331

Make the table output less wide. (#763)

alpine:3.10 (alpine 3.10.5)
===========================
Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 4, HIGH: 0, CRITICAL: 0)

+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
|   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| libcrypto1.1 | CVE-2020-1971    | MEDIUM   | 1.1.1g-r0         | 1.1.1i-r0     | openssl: EDIPARTYNAME                 |
|              |                  |          |                   |               | NULL pointer de-reference             |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-1971  |
+--------------+                  +          +                   +               +                                       +
| libssl1.1    |                  |          |                   |               |                                       |
|              |                  |          |                   |               |                                       |
|              |                  |          |                   |               |                                       |
+--------------+------------------+          +-------------------+---------------+---------------------------------------+
| musl         | CVE-2020-28928   |          | 1.1.22-r3         | 1.1.22-r4     | In musl libc through 1.2.1,           |
|              |                  |          |                   |               | wcsnrtombs mishandles particular      |
|              |                  |          |                   |               | combinations of destination buffer... |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-28928 |
+--------------+                  +          +                   +               +                                       +
| musl-utils   |                  |          |                   |               |                                       |
|              |                  |          |                   |               |                                       |
|              |                  |          |                   |               |                                       |
|              |                  |          |                   |               |                                       |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+

Changelog

08ca1b0 Feat: NuGet Scanner (#686)
7b86f81 feat(cache): support Redis (#770)
8cd4afe fix(redhat): skip module packages (#776)
b606b62 chore: migrate from master to main (#778)
5c2b14b chore(circleci): remove gofmt (#777)
a19a023 chore(README): remove experimental (#775)
e6cef75 NVD: Add timestamps. (#761)
1371f72 (fix): Make the table output less wide. (#763)
8ecaa2f Add gitHubToken to prevent rate limit problems (#769)
8132174 Add helm chart to install trivy in server mode. (#751)
bcc2850 chore(docs): add nix install (#762)
cb36972 HTML template (#567)

Docker images

  • docker pull docker.io/aquasec/trivy:0.15.0
  • docker pull docker.io/aquasec/trivy:latest
  • docker pull ghcr.io/aquasecurity/trivy:0.15.0
  • docker pull ghcr.io/aquasecurity/trivy:latest
Assets 25
  • v0.14.0
  • 9bdbeab
  • Compare
    Choose a tag to compare
    Search for a tag
  • v0.14.0
  • 9bdbeab
  • Compare
    Choose a tag to compare
    Search for a tag

@knqyf263 knqyf263 released this Dec 2, 2020

Features

Add primary URLs (#752)

Trivy shows a primary URL in the result as follows.

alpine:3.10 (alpine 3.10.5)
===========================
Total: 2 (UNKNOWN: 2, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

+------------+------------------+----------+-------------------+---------------+--------------------------------+------------------------------------+
|  LIBRARY   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |                URL                 |
+------------+------------------+----------+-------------------+---------------+--------------------------------+------------------------------------+
| musl       | CVE-2020-28928   | UNKNOWN  | 1.1.22-r3         | 1.1.22-r4     | In musl libc through 1.2.1,    | avd.aquasec.com/nvd/cve-2020-28928 |
|            |                  |          |                   |               | wcsnrtombs mishandles          |                                    |
|            |                  |          |                   |               | particular combinations of     |                                    |
|            |                  |          |                   |               | destination buffer...          |                                    |
+------------+                  +          +                   +               +                                +                                    +
| musl-utils |                  |          |                   |               |                                |                                    |
|            |                  |          |                   |               |                                |                                    |
|            |                  |          |                   |               |                                |                                    |
|            |                  |          |                   |               |                                |                                    |
+------------+------------------+----------+-------------------+---------------+--------------------------------+------------------------------------+
[
  {
    "Target": "alpine:3.10 (alpine 3.10.5)",
    "Type": "alpine",
    "Vulnerabilities": [
      {
        "VulnerabilityID": "CVE-2020-28928",
        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-28928",
        ...
      }
    ]
  }
]

In these cases, you can see https://avd.aquasec.com/nvd/cve-2020-28928 as a primary URL.

Remove rpm dependency (#753)

Trivy no longer requires the rpm command on the host. You can scan a RHEL-based image without rpm.

$ rpm
bash: rpm: command not found
$ trivy image -o /dev/null centos:7

centos:7 (centos 7.9.2009)
==========================
Total: 601 (UNKNOWN: 0, LOW: 358, MEDIUM: 240, HIGH: 3, CRITICAL: 0)

Bug fixes

--light shows less results (#755)

There was a bug where vulnerabilities with unknown severity do not appear in the result when using the --light option.

Changelog

9bdbeab feat: remove rpm dependency (#753)
d85cb77 fix(vulnerability): make an empty severity UNKNOWN (#759)
1bee83c chore(README): add TRIVY_INSECURE (#760)
4d18943 feat(vulnerability): add primary URLs (#752)

Docker images

  • docker pull docker.io/aquasec/trivy:0.14.0
  • docker pull docker.io/aquasec/trivy:latest
  • docker pull ghcr.io/aquasecurity/trivy:0.14.0
  • docker pull ghcr.io/aquasecurity/trivy:latest
Assets 25