-
Notifications
You must be signed in to change notification settings - Fork 146
/
README.md
89 lines (69 loc) · 3.34 KB
/
README.md
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
# trivy-db
[![GitHub Release][release-img]][release]
![Downloads][download]
[![Go Report Card][report-card-img]][report-card]
[![Go Doc][go-doc-img]][go-doc]
[![License][license-img]][license]
[download]: https://img.shields.io/github/downloads/aquasecurity/trivy-db/total?logo=github
[release-img]: https://img.shields.io/github/release/aquasecurity/trivy-db.svg?logo=github
[release]: https://github.com/aquasecurity/trivy-db/releases
[report-card-img]: https://goreportcard.com/badge/github.com/aquasecurity/trivy-db
[report-card]: https://goreportcard.com/report/github.com/aquasecurity/trivy-db
[go-doc-img]: https://godoc.org/github.com/aquasecurity/trivy-db?status.svg
[go-doc]: https://godoc.org/github.com/aquasecurity/trivy-db
[code-cov]: https://codecov.io/gh/aquasecurity/trivy-db/branch/main/graph/badge.svg
[license-img]: https://img.shields.io/badge/License-Apache%202.0-blue.svg
[license]: https://github.com/aquasecurity/trivy-db/blob/main/LICENSE
## Overview
`trivy-db` is a CLI tool and a library to manipulate Trivy DB.
### Library
Trivy uses `trivy-db` internally to manipulate vulnerability DB. This DB has vulnerability information from NVD, Red Hat, Debian, etc.
### CLI
The `trivy-db` CLI tool builds vulnerability DBs. A [GitHub Actions workflow](.github/workflows/cron.yml)
periodically builds a fresh version of the vulnerability DB using `trivy-db` and uploads it to the GitHub
Container Registry (see [Download the vulnerability database](#download-the-vulnerability-database) below).
```
NAME:
trivy-db - Trivy DB builder
USAGE:
main [global options] command [command options] image_name
VERSION:
0.0.1
COMMANDS:
build build a database file
help, h Shows a list of commands or help for one command
GLOBAL OPTIONS:
--help, -h show help
--version, -v print the version
```
### Building the DB
You can utilize `make db-all` to build the database, the DB artifact is outputted to the assets folder.
Alternatively Docker is supported, you can run `docker build . -t trivy-db`.
If you want to build a trivy integration test DB, please run `make create-test-db`
## Update interval
Every 6 hours
## Download the vulnerability database
### version 1 (deprecated)
Trivy DB v1 reached the end of support on February 2023. Please upgrade Trivy to v0.23.0 or later.
Read more about the Trivy DB v1 deprecation in [the discussion](https://github.com/aquasecurity/trivy/discussions/1653).
### version 2
Trivy DB v2 is hosted on [GHCR](https://github.com/orgs/aquasecurity/packages/container/package/trivy-db).
Although GitHub displays the `docker pull` command by default, please note that it cannot be downloaded using `docker pull` as it is not a container image.
You can download the actual compiled database via [Trivy](https://aquasecurity.github.io/trivy/) or [Oras CLI](https://oras.land/cli/).
Trivy:
```sh
TRIVY_TEMP_DIR=$(mktemp -d)
trivy --cache-dir $TRIVY_TEMP_DIR image --download-db-only
tar -cf ./db.tar.gz -C $TRIVY_TEMP_DIR/db metadata.json trivy.db
rm -rf $TRIVY_TEMP_DIR
```
oras >= v0.13.0:
```sh
$ oras pull ghcr.io/aquasecurity/trivy-db:2
```
oras < v0.13.0:
```sh
$ oras pull -a ghcr.io/aquasecurity/trivy-db:2
```
The database can be used for [Air-Gapped Environment](https://aquasecurity.github.io/trivy/latest/docs/advanced/air-gap/).