Trivy detects vulnerabilities in OS packages (Alpine, RHEL, CentOS, etc.) and application dependencies (Bundler, Composer, npm, yarn, etc.). Trivy is easy to use: just install the binary and you're ready to scan. All you need to do to scan is specify a container image name.
https://github.com/knqyf263/trivy
I just gave it a test run and I’m pretty impressed. Probably the least-useless security scanner I’ve played with.
I think we should be more worried about the container breaking out of its sandbox to access the host.
This is really cool and great to see more tools in this space.
Particularly interesting is that this tool goes into a bit more detail on *how* it gets its results and also does some comparisons against other existing tools, which is interesting.
One of the problems looking at this space, is understanding what will and what won’t be covered with a scan.
Any advice on how to run this on CoreOS? More generically, since it would likely have to be inside a container: how can I make Docker images available to another container?
This is legit! I tried it out and it works well. This binary can integrate into the CI process.
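As an added illustration of the CI integration mentioned above (not code from the Trivy project or from any commenter), here is a small gate that consumes Trivy's JSON output (`trivy -f json <image>`) and fails the build when findings at or above a severity threshold are present. It assumes the report is either a list of per-target objects with a `Vulnerabilities` array, or a newer-style object wrapping that list under `Results`; the embedded sample report and its CVE identifiers are constructed placeholders.

```python
import json
import sys

# Severity labels as Trivy prints them, ranked low to high (ranking assumed).
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample of `trivy -f json <image>` output; the IDs are placeholders.
SAMPLE_REPORT = json.dumps([
    {"Target": "alpine:3.9 (alpine 3.9.2)",
     "Vulnerabilities": [
         {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "musl", "Severity": "HIGH"},
         {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "openssl", "Severity": "MEDIUM"},
     ]},
    {"Target": "app/Gemfile.lock", "Vulnerabilities": None},  # clean target: Trivy emits null
])

def _rank(severity):
    sev = str(severity or "UNKNOWN").upper()
    return SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else 0

def iter_findings(report):
    """Yield (target, vulnerability) pairs from either report shape."""
    data = json.loads(report)
    results = data.get("Results", []) if isinstance(data, dict) else data
    for target in results or []:
        for vuln in target.get("Vulnerabilities") or []:
            yield target.get("Target", "?"), vuln

def count_by_severity(report):
    counts = {s: 0 for s in SEVERITY_ORDER}
    for _, vuln in iter_findings(report):
        counts[SEVERITY_ORDER[_rank(vuln.get("Severity"))]] += 1
    return counts

def gate(report, threshold="HIGH"):
    """Return (passed, offending) where offending lists findings >= threshold."""
    min_rank = _rank(threshold)
    offending = [(t, v.get("VulnerabilityID"), v.get("PkgName"), v.get("Severity"))
                 for t, v in iter_findings(report) if _rank(v.get("Severity")) >= min_rank]
    return not offending, offending

if __name__ == "__main__":
    # Pipe a real report in (trivy -f json image | python gate.py); otherwise use the sample.
    report = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    passed, offending = gate(report, "HIGH")
    for target, vid, pkg, sev in offending:
        print(f"{sev}: {vid} in {pkg} ({target})")
    sys.exit(0 if passed else 1)
```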