{"id":1621,"date":"2022-04-27T02:04:41","date_gmt":"2022-04-27T02:04:41","guid":{"rendered":"https:\/\/www.ipcpu.com\/?p=1621"},"modified":"2022-07-27T02:11:29","modified_gmt":"2022-07-27T02:11:29","slug":"docker-trivy","status":"publish","type":"post","link":"https:\/\/c.ipcpu.com\/2022\/04\/docker-trivy\/","title":{"rendered":"Docker Image Vulnerability Scanning Tool Trivy"},"content":{"rendered":"
<\/div>\n

1. Overview<\/a>
2. Installing Trivy<\/a>
3. Trivy commands<\/a>
4. C\/S mode<\/a>
5. Database update issues<\/a>
6. Exit codes and Gitlab CICD integration<\/a><\/div>\n

toc<\/a><\/p>\n

1. Overview<\/h2>\n

Trivy is a simple, easy-to-use and comprehensive container vulnerability scanner<\/strong>.
\nTrivy can detect vulnerabilities in operating-system packages (Alpine, RHEL, CentOS, etc.) and in application dependencies (Bundler, Composer, npm, yarn, etc.).
\nTrivy is very easy to use: install the binary and you can start scanning. A scan only needs the name of the container image. Compared with other image scanners such as Clair, Anchore Engine and Quay, Trivy has clear advantages in accuracy, convenience and CI support.<\/p>\n

2. Installing Trivy<\/h2>\n

Download the RPM package from the official site and install it, or simply pull the docker image.
\n
https:\/\/github.com\/aquasecurity\/trivy<\/a><\/p>\n

3. Trivy commands<\/h2>\n

Scan an image directly<\/p>\n

\n
trivy elasticsearch:7.10<\/code><\/pre>\n<\/div>\n

The output looks like this:
\n<\/p>\n

Filter vulnerabilities by severity<\/p>\n

\n
trivy --severity HIGH,CRITICAL ruby:2.3.0<\/code><\/pre>\n<\/div>\n

Filter vulnerabilities by vulnerability type<\/p>\n

\n
trivy --vuln-type os ruby:2.3.0<\/code><\/pre>\n<\/div>\n

Ignore specific vulnerabilities (using a .trivyignore file)<\/p>\n

\n
$ cat .trivyignore\nCVE-2018-14618\nCVE-2019-1543<\/code><\/pre>\n<\/div>\n

Write the results to a JSON file<\/p>\n

\n
trivy -f json -o results.json golang:1.12-alpine<\/code><\/pre>\n<\/div>\n

Specify the cache directory<\/p>\n

\n
trivy --cache-dir \/tmp\/trivy\/ python:3.4-alpine3.9<\/code><\/pre>\n<\/div>\n

Clear the image cache
\nDeletes the image cache. This option is useful when an image with the same tag has been updated (for example when using the latest tag).<\/p>\n

\n
trivy --clear-cache<\/code><\/pre>\n<\/div>\n

Delete all caches and the database<\/p>\n

\n
trivy --reset<\/code><\/pre>\n<\/div>\n

Use the lightweight database<\/p>\n

\n
trivy --light alpine:3.10<\/code><\/pre>\n<\/div>\n

The lightweight database does not contain vulnerability details such as descriptions and references. The database is therefore smaller and faster to download.
\nThis option is useful when you do not need vulnerability details, and it is well suited to CI\/CD.<\/p>\n

4. C\/S mode<\/h2>\n

What we showed above is standalone mode. Some clients, such as CICD runners, can instead run in C\/S mode, so they no longer need to download the vulnerability database themselves.<\/p>\n

The server side is started with the following command, specifying the listen port and a TOKEN<\/p>\n

\n
\/usr\/local\/bin\/trivy server --listen 0.0.0.0:8080 --token ipcpuchines<\/code><\/pre>\n<\/div>\n

The client only needs to specify the server address and the TOKEN when it is invoked<\/p>\n

\n
trivy client --remote http:\/\/aq.ipcpu.com:8080 --token ipcpuchines  alpine:3.10<\/code><\/pre>\n<\/div>\n

5. Database update issues<\/h2>\n

After Trivy starts it loads the vulnerability database from github, and it automatically updates it periodically (every 6 hours). But often we cannot reach github.
\nThe following error then appears:<\/p>\n

\n
2021-12-14T13:57:17.606+0800    FATAL DB error: failed to download vulnerability DB: failed to download vulnerability DB: failed to list releases: Get \"https:\/\/api.github.com\/repos\/aquasecurity\/trivy-db\/releases\": dial tcp 192.30.255.117:443: connect: connection timed out<\/code><\/pre>\n<\/div>\n

Here are two solutions:
\nThe first is to use offline mode.
\nDownload the offline data package from the address below, unpack it and place it in the cache directory (by default \"\/root\/.cache\/trivy\")
\nhttps:\/\/github.com\/aquasecurity\/trivy-db\/releases\/<\/a>
\nWhen running a Trivy scan you also have to add the --skip-update parameter.
\nThis gets somewhat complicated later on: after a while --skip-update no longer works and the offline data package has to be updated manually.
\nThe second is to configure a proxy for Trivy directly.
\nFor example, my systemd unit file is set up like this<\/p>\n

\n
[Service]\nType=simple\nEnvironment=\"HTTP_PROXY=http:\/\/172.28.9.46:10802\/\"\nEnvironment=\"HTTPS_PROXY=http:\/\/172.28.9.46:10802\/\"\nEnvironment=\"NO_PROXY=localhost,127.0.0.1,.ipcpu.com\"\nExecStart=\/usr\/local\/bin\/trivy server --listen 0.0.0.0:8080 --token ipcpuchines<\/code><\/pre>\n<\/div>\n

6. Exit codes and Gitlab CICD integration<\/h2>\n

By default Trivy exits with code 0 even when vulnerabilities are detected. To make it exit with a non-zero exit code, use the --exit-code option. This option is very useful for CI\/CD. Taking GitlabCICD as an example, the job fails only when critical vulnerabilities are found.<\/p>\n

\n
# Fail on severe vulnerabilities\n    - .\/trivy client --remote http:\/\/10.140.100.35:8080 --token ipcpuchines --exit-code 1 --no-progress --severity CRITICAL  $IMAGE<\/code><\/pre>\n<\/div>\n

When reposting please credit: IPCPU-\u7f51\u7edc\u4e4b\u8def<\/a> » Docker Image Vulnerability Scanning Tool Trivy<\/a><\/p>","protected":false},"excerpt":{"rendered":"

","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3],"tags":[68,15],"_links":{"self":[{"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/posts\/1621"}],"collection":[{"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/comments?post=1621"}],"version-history":[{"count":1,"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/posts\/1621\/revisions"}],"predecessor-version":[{"id":1622,"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/posts\/1621\/revisions\/1622"}],"wp:attachment":[{"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/media?parent=1621"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/categories?post=1621"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/tags?post=1621"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}