Trivy Security Scanning Procedure

Overview

Trivy is a comprehensive security scanner from Aqua Security. This procedure uses three of its scanners: known vulnerabilities in dependencies (vuln), exposed secrets such as API keys, passwords and tokens (secret), and misconfigurations in configuration files such as Dockerfiles, Kubernetes YAML and Terraform (misconfig).

Installation Procedure

Step 1: Download Trivy

# Get latest version
curl -sL "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep -o '"tag_name": "[^"]*' | cut -d'"' -f4

# Download using install script
curl -sLs https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /tmp/trivy

# Move to user bin (create the directory if needed; it must be on PATH for the verify step)
mkdir -p ~/.local/bin
mv /tmp/trivy/trivy ~/.local/bin/
chmod +x ~/.local/bin/trivy

# Verify
trivy --version

Scanning Commands

1. Vulnerability Scan (SCA)

Scans for known vulnerabilities in dependencies.

trivy fs --scanners vuln \
  --format json \
  --output trivy_results/vulnerabilities.json \
  /usr/src/ragflow

Results: 6 files with vulnerabilities detected

2. Secrets Scan

Scans for exposed secrets, API keys, passwords, and tokens.

trivy fs --scanners secret \
  --format json \
  --output trivy_results/secrets.json \
  /usr/src/ragflow

Results: 6 files with secrets detected

3. Misconfiguration Scan

Scans for misconfigurations in configuration files (Dockerfile, Kubernetes YAML, Terraform, etc.).

trivy fs --scanners misconfig \
  --format json \
  --output trivy_results/misconfig.json \
  /usr/src/ragflow

Results: 19 files with misconfigurations detected

4. Combined Scan (All)

Run all scanners at once:

trivy fs --scanners vuln,secret,misconfig \
  --format json \
  --output trivy_results/combined.json \
  /usr/src/ragflow

Output Files

All results are saved to /usr/src/ragflow/trivy_results/:

trivy_results/
├── vulnerabilities.json   # Dependency vulnerabilities (SCA)
├── secrets.json           # Exposed secrets
├── misconfig.json         # Configuration issues
└── combined.json          # All findings (combined)

Usage Examples

View Results Summary

# Text format
trivy fs /usr/src/ragflow

# JSON format for parsing
trivy fs --format json /usr/src/ragflow > results.json

Filter by Severity

# Only critical and high
trivy fs --severity CRITICAL,HIGH /usr/src/ragflow

Ignore Files

# Skip specific directories (Trivy's flag for this is --skip-dirs; --skip-files does the same for single files)
trivy fs --skip-dirs .git --skip-dirs node_modules /usr/src/ragflow

Scan Results Summary

Scan Type            Files with Issues
Vulnerabilities      6
Secrets              6
Misconfigurations    19

Additional Trivy Capabilities

Container Image Scanning

trivy image nginx:latest

Git Repository Scanning

trivy repo https://github.com/aquasecurity/trivy

Kubernetes Cluster Scanning

trivy k8s --report summary

Filesystem with Custom Policies

trivy fs --policy ./custom-policies /usr/src/ragflow

Recommendations

  1. Run regularly: Add to CI/CD pipeline for automated scanning
  2. Review JSON output: Parse for automated ticket creation
  3. Update DB regularly: trivy image --download-db-only refreshes the vulnerability database without scanning anything
  4. Filter false positives: Use --ignore-unfixed or custom ignore files
  5. Combine with other tools: Use alongside Semgrep, OSV Scanner, and TruffleHog for comprehensive coverage
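The "Scan Results Summary" table above counts files with issues per scanner, and recommendation 2 suggests parsing the JSON output for ticket creation. The script below is an added example, not part of the original procedure or of Trivy itself: it reads a Trivy JSON report (combined.json from the scans above, or the constructed sample embedded here), filters by severity and by --ignore-unfixed semantics, and produces the same per-scanner file counts plus a flat list of findings. The field names follow Trivy's JSON schema (Results[].Target, Vulnerabilities, Secrets, Misconfigurations); the sample report and its IDs are constructed placeholders.

```python
import json

# Constructed sample in the shape Trivy's JSON reporter emits. Placeholder IDs only.
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "requirements.txt", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "example-lib",
         "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "other-lib",
         "InstalledVersion": "2.0.0", "FixedVersion": "", "Severity": "LOW"}]},
    {"Target": "docker/.env", "Secrets": [
        {"RuleID": "example-secret-rule", "Title": "Example token", "Severity": "CRITICAL"}]},
    {"Target": "Dockerfile", "Misconfigurations": [
        {"ID": "DS-EXAMPLE", "Title": "Example Dockerfile check", "Severity": "HIGH"}]},
]})

SCANNERS = ("Vulnerabilities", "Secrets", "Misconfigurations")
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def finding_id(item):
    # Each scanner names its identifier field differently.
    return item.get("VulnerabilityID") or item.get("RuleID") or item.get("ID")


def summarise(report_json, min_severity="HIGH", ignore_unfixed=False):
    """Return (files-with-issues per scanner, list of findings) for findings at or
    above min_severity. ignore_unfixed mirrors trivy's --ignore-unfixed flag:
    vulnerabilities with no FixedVersion are dropped."""
    threshold = SEVERITY_RANK[min_severity]
    findings = []
    for result in json.loads(report_json).get("Results", []):
        for scanner in SCANNERS:
            for item in result.get(scanner) or []:   # Trivy may emit null for an empty scanner
                severity = item.get("Severity", "UNKNOWN")
                if SEVERITY_RANK.get(severity, 0) < threshold:
                    continue
                if scanner == "Vulnerabilities" and ignore_unfixed and not item.get("FixedVersion"):
                    continue
                findings.append({"target": result["Target"], "scanner": scanner,
                                 "id": finding_id(item), "severity": severity})
    # A file counts once per scanner, however many findings it has (as in the summary table).
    files_with_issues = {}
    for scanner in SCANNERS:
        targets = {f["target"] for f in findings if f["scanner"] == scanner}
        if targets:
            files_with_issues[scanner] = len(targets)
    return files_with_issues, findings


if __name__ == "__main__":
    with open("trivy_results/combined.json") as fh:   # output path from the combined scan above
        counts, hits = summarise(fh.read(), "HIGH")
    print(counts)
    for hit in hits:
        print(f"{hit['severity']:<9}{hit['scanner']:<19}{hit['target']}  {hit['id']}")
```

Each entry in the returned findings list carries target, scanner, id and severity, which is enough to key a ticket per file or per finding.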