Trivy is a security scanning tool which we use to scan our images for vulnerabilities. You can run a trivy scan identical to CI on your own command line by installing trivy and running
trivy image --severity HIGH,CRITICAL quay.io/solo-io/<IMAGE>:<VERSION>
Using the utils here is as easy as using the CLI defined in the cli subdirectory. The snippet
below shows the output the said CLI's help
command.
The GITHUB_TOKEN
environment variable must be set for security scanning to work.
go-utils/securityscan % go run ./cli/main.go help
CLI for identifying CVEs in images
Usage:
cvectl [command]
Available Commands:
format-results Pull down security scan files from gcloud bucket and generate docs markdown file
help Help about any command
scan-repo Run Trivy scans against images for the repo specified and upload scan results to a google cloud bucket
scan-version Run Trivy scans against images for a single version
Flags:
-h, --help help for cvectl
-v, --verbose Enable verbose logging
Use "cvectl [command] --help" for more information about a command.