Skip to content

aquasecurity/trivy-db

Folders and files

NameName
Last commit message
Last commit date
Jan 5, 2023
Jan 4, 2022
Jan 16, 2023
Jan 5, 2021
Jan 5, 2021
Dec 22, 2021
Mar 11, 2020
Jan 16, 2022
Mar 11, 2020
Oct 31, 2022
Jan 12, 2023
Jan 12, 2023

Repository files navigation

trivy-db

Build DB GitHub Release Downloads Go Report Card Go Doc License

Overview

trivy-db is a CLI tool and a library to manipulate Trivy DB.

Library

Trivy uses trivy-db internally to manipulate vulnerability DB. This DB has vulnerability information from NVD, Red Hat, Debian, etc.

CLI

trivy-db builds vulnerability DBs on GitHub Actions and uploads them to GitHub Release periodically.

NAME:
   trivy-db - Trivy DB builder

USAGE:
   main [global options] command [command options] image_name

VERSION:
   0.0.1

COMMANDS:
     build    build a database file
     upload   upload database files to GitHub Release
     help, h  Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --help, -h     show help
   --version, -v  print the version

Building the DB

You can utilize make db-all to build the database, the DB artifact is outputted to the assets folder.

Alternatively Docker is supported, you can run docker build . -t trivy-db.

If you want to build a trivy integration test DB, please run make create-test-db

Update interval

Every 6 hours

Download the vulnerability database

version 1 (deprecated)

Trivy DB v1 is for backwards compatibility only. You can download it from releases.

version 2

You can download the actual compiled database via Trivy or Oras CLI.

Trivy:

TRIVY_TEMP_DIR=$(mktemp -d)
trivy --cache-dir $TRIVY_TEMP_DIR image --download-db-only
tar -cf ./db.tar.gz -C $TRIVY_TEMP_DIR/db metadata.json trivy.db
rm -rf $TRIVY_TEMP_DIR

oras >= v0.13.0:

$ oras pull ghcr.io/aquasecurity/trivy-db:2

oras < v0.13.0:

$ oras pull -a ghcr.io/aquasecurity/trivy-db:2

The database can be used for Air-Gapped Environment.