Filesystem Scanning: Uncovering Vulnerabilities and Secrets with Trivy
Filesystem scanning is crucial for maintaining security in your applications. With the rise of complex dependencies, vulnerabilities and misconfigurations can easily slip through the cracks. Trivy addresses this by scanning local projects for vulnerabilities, misconfigurations, secrets, and licenses, helping you catch these issues before they become a problem.
Trivy is driven by a single command: `$ trivy fs /path/to/project`. By default it scans for vulnerabilities and secrets; misconfiguration and license scanning are disabled. Enable misconfiguration scanning with `--scanners misconfig` (`$ trivy fs --scanners misconfig /path/to/project`) and license scanning with `--scanners license` (`$ trivy fs --scanners license /path/to/project`). Note that `--scanners` replaces the default set rather than adding to it, so a full scan needs `--scanners vuln,secret,misconfig,license`. Trivy also supports caching of scan results, but it does not use the cache for filesystem scans by default: cached results are reused only when the target is a git repository with a clean working tree and a cache backend other than memory is enabled.
In production, remember that vulnerability and secret scanning are on by default while misconfiguration and license scanning must be enabled explicitly, or they simply never run. A common gotcha is OS detection: if Trivy cannot identify the operating system of the target, vulnerabilities in OS packages are not reported at all, while language-package findings still appear, so a report with no OS findings is not proof that there are none. Confirm that the target's OS was detected before trusting a scan to cover OS packages.
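The following Python wrapper is an added example and is not code from the Trivy project or its documentation. It assembles a `trivy fs` invocation with every scanner listed explicitly, then reads the JSON report and decides whether a CI job should fail, warning when the report carries no detected OS (the gotcha above). It assumes `trivy` is on PATH when run for real and relies on the report field names `Results`, `Vulnerabilities`, `Misconfigurations`, `Secrets` and `Metadata.OS` from Trivy's JSON output; the embedded sample report is constructed for offline testing, and its identifiers (`CVE-0000-0000`, `DS-EXAMPLE-1`, `example-api-key`) are placeholders, not real findings.

```python
"""Gate a build on `trivy fs` results (added example, not Trivy's own code).

Assumes `trivy` is on PATH when run for real. The parsing below is exercised
offline on SAMPLE_REPORT, a constructed report whose IDs are placeholders.
"""
import json
import subprocess
import sys

# Severities that block the build; tune per project policy.
FAIL_SEVERITIES = {"HIGH", "CRITICAL"}


def build_command(path, scanners=("vuln", "secret", "misconfig", "license")):
    """Assemble the trivy invocation. `--scanners` replaces the default set,
    so misconfig and license must be named explicitly to run alongside
    vuln and secret. `--format json` yields a machine-readable report."""
    return ["trivy", "fs", "--format", "json", "--scanners", ",".join(scanners), path]


def summarize(report):
    """Walk a Trivy JSON report and collect blocking findings per class.

    Returns a dict with lists of (target, id, ...) tuples plus `os_detected`,
    which is False when Metadata.OS is absent: in that case OS-package
    vulnerabilities were never checked, so an empty list proves nothing."""
    findings = {"vulns": [], "misconfigs": [], "secrets": [], "os_detected": True}
    os_meta = (report.get("Metadata") or {}).get("OS")
    findings["os_detected"] = bool(os_meta and os_meta.get("Family"))
    for result in report.get("Results") or []:
        target = result.get("Target", "?")
        for v in result.get("Vulnerabilities") or []:
            if v.get("Severity") in FAIL_SEVERITIES:
                findings["vulns"].append(
                    (target, v["VulnerabilityID"], v["PkgName"], v.get("FixedVersion", ""))
                )
        for m in result.get("Misconfigurations") or []:
            # Trivy reports PASS entries too; only failed checks matter here.
            if m.get("Status") == "FAIL" and m.get("Severity") in FAIL_SEVERITIES:
                findings["misconfigs"].append((target, m["ID"], m.get("Title", "")))
        for s in result.get("Secrets") or []:
            # Any leaked credential blocks the build regardless of severity.
            findings["secrets"].append((target, s["RuleID"], s.get("StartLine")))
    return findings


def should_block(findings):
    """True when any blocking vulnerability, failed check or secret was found."""
    return bool(findings["vulns"] or findings["misconfigs"] or findings["secrets"])


# Constructed sample report: no Metadata.OS (OS not detected), one CRITICAL
# and one LOW library vuln, one failed and one passed Dockerfile check, and
# one secret in .env. All identifiers are placeholders.
SAMPLE_REPORT = json.loads(r'''{
  "SchemaVersion": 2, "ArtifactName": ".", "ArtifactType": "filesystem",
  "Metadata": {},
  "Results": [
    {"Target": "Pipfile.lock", "Class": "lang-pkgs", "Type": "pipenv",
     "Vulnerabilities": [
       {"VulnerabilityID": "CVE-0000-0000", "PkgName": "examplelib",
        "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "CRITICAL"},
       {"VulnerabilityID": "CVE-0000-0001", "PkgName": "otherlib",
        "InstalledVersion": "2.3.0", "Severity": "LOW"}]},
    {"Target": "Dockerfile", "Class": "config", "Type": "dockerfile",
     "Misconfigurations": [
       {"ID": "DS-EXAMPLE-1", "Title": "Example: runs as root", "Severity": "HIGH", "Status": "FAIL"},
       {"ID": "DS-EXAMPLE-2", "Title": "Example: passing check", "Severity": "HIGH", "Status": "PASS"}]},
    {"Target": ".env", "Class": "secret",
     "Secrets": [
       {"RuleID": "example-api-key", "Category": "Example", "Severity": "HIGH",
        "Title": "Example API key", "StartLine": 3}]}
  ]
}''')


def main(path):
    """Run trivy for real, print findings and return the process exit code."""
    proc = subprocess.run(build_command(path), capture_output=True, text=True, check=False)
    if not proc.stdout.strip():
        # Trivy itself failed (bad path, DB download error, ...): surface it.
        sys.stderr.write(proc.stderr)
        return 2
    findings = summarize(json.loads(proc.stdout))
    if not findings["os_detected"]:
        print("warning: OS not detected; OS-package vulnerabilities were not checked", file=sys.stderr)
    for kind in ("vulns", "misconfigs", "secrets"):
        for item in findings[kind]:
            print(kind, *item)
    # Trivy exits 0 on findings unless --exit-code is given; we gate here instead.
    return 1 if should_block(findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run it as `python gate.py /path/to/project`. On the constructed sample, `summarize` flags the CRITICAL vulnerability, the single failed Dockerfile check and the secret, ignores the LOW vulnerability and the PASS entry, and reports `os_detected` as False, which is exactly the case where a clean OS-package list should not be trusted.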
Key takeaways
- Enable misconfiguration scanning with `--scanners misconfig`; it is off by default.
- Use `$ trivy fs /path/to/project` to scan a local project (vulnerabilities and secrets by default).
- Check for licenses with `$ trivy fs --scanners license /path/to/project`.
- If the target's OS is not detected, vulnerabilities in OS packages are not reported at all.
- Cached results are reused only for a git repository with a clean working tree and a cache backend other than memory.
Why it matters
In production, unaddressed vulnerabilities and misconfigurations can lead to severe security breaches. Regularly scanning your filesystem helps mitigate these risks and ensures compliance with licensing requirements.
Code examples
$ trivy fs /path/to/project
$ trivy fs ~/src/github.com/aquasecurity/trivy-ci-test/Pipfile.lock
$ trivy fs --scanners misconfig /path/to/project
When NOT to use this
The official docs don't call out specific anti-patterns here. Use your judgment based on your scale and requirements.