Monday, December 6, 2021

Security | How to use Trivy

Trivy is a free vulnerability scanner. Beyond basic vulnerability scanning it can scan Docker images and file systems, has recently added support for scanning Python, can produce reports in various formats, and supports cloud environments; if you are interested, register an account on the official site and try the cloud features. An on-premises install can also scan cloud resources once CloudSploit is installed. The notes below record how to use Trivy.

Step 1: Install Trivy

RHEL/CentOS

Add repository setting to /etc/yum.repos.d.

$ sudo vim /etc/yum.repos.d/trivy.repo
[trivy]
name=Trivy repository
baseurl=https://aquasecurity.github.io/trivy-repo/rpm/releases/$releasever/$basearch/
gpgcheck=0
enabled=1
$ sudo yum -y update
$ sudo yum -y install trivy

or

rpm -ivh https://github.com/aquasecurity/trivy/releases/download/v0.17.0/trivy_0.17.0_Linux-64bit.rpm

Debian/Ubuntu

Add repository to /etc/apt/sources.list.d.

sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy

or

wget https://github.com/aquasecurity/trivy/releases/download/v0.17.0/trivy_0.17.0_Linux-64bit.deb
sudo dpkg -i trivy_0.17.0_Linux-64bit.deb

Standalone binary (no package install)

export VERSION=$(curl --silent "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
wget https://github.com/aquasecurity/trivy/releases/download/v${VERSION}/trivy_${VERSION}_Linux-64bit.tar.gz
tar zxvf trivy_${VERSION}_Linux-64bit.tar.gz

Step 2: Scan a Docker image

trivy image mariadb

Step 3: Generate a report

The @ prefix tells Trivy to read the template from the file contrib/html.tpl (shipped in the Trivy source tree); without it the string itself is used as the template.

trivy image --format template --template "@contrib/html.tpl" -o report.html python:3.9
trivy client --remote http://192.168.3.205:8080 --format template --template "@contrib/html.tpl" -o report.html python:3.9

Step 4: Scan a filesystem

trivy fs /tmp
trivy fs --security-checks vuln,config --severity HIGH,CRITICAL /tmp

Step 5: Server/client mode (the server and the client must run the same Trivy version)

Server side
trivy server --listen 0.0.0.0:8080

Client side (point --remote at the server's address)
trivy client --remote http://192.168.1.1:8080 --format template --template "@contrib/html.tpl" -o report.html python:3.9
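As an added example that is not part of the original post, and following on from steps 3 to 5: a POSIX shell gate that counts HIGH/CRITICAL findings in a saved Trivy JSON report (for example one written with `trivy client ... --format json -o report.json`) and fails when any are present. The JSON layout (schema v2 with a Results array), the temporary file name and the CVE identifiers in the embedded sample are constructed assumptions, not output from a real scan.

```shell
#!/bin/sh
# Added example, not code from the original post: fail a build when a saved Trivy
# JSON report (assumed layout: schema v2, "Results" array, findings with a
# "Severity" field) contains findings at the severities you pass in.

# count_findings REPORT SEVERITY...  -> prints how many findings have those severities
count_findings() {
  report="$1"; shift
  total=0
  for sev in "$@"; do
    # grep -o prints one line per matching field; wc -l counts them (no jq needed)
    n=$(grep -o "\"Severity\":[[:space:]]*\"$sev\"" "$report" | wc -l | tr -d ' ')
    total=$((total + n))
  done
  echo "$total"
}

# gate_report REPORT SEVERITY...  -> returns 0 when clean, 1 when any finding matches;
# same contract as `trivy --exit-code 1 --severity ...`, but applied to a saved report
gate_report() {
  report="$1"; shift
  n=$(count_findings "$report" "$@")
  if [ "$n" -gt 0 ]; then
    echo "FAIL: $n finding(s) at severity $*" >&2
    return 1
  fi
  echo "PASS: no findings at severity $*"
}

# Constructed sample report so the script runs offline; the image, package names
# and CVE ids are placeholders, not real findings.
SAMPLE_REPORT=$(mktemp)
cat >"$SAMPLE_REPORT" <<'EOF'
{
  "SchemaVersion": 2,
  "ArtifactName": "python:3.9",
  "Results": [
    {
      "Target": "python:3.9 (debian 11.1)",
      "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample", "Severity": "LOW"},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libother", "Severity": "CRITICAL"}
      ]
    }
  ]
}
EOF
# Example run; prints FAIL because of the HIGH and CRITICAL findings (|| true keeps going)
gate_report "$SAMPLE_REPORT" HIGH CRITICAL || true
```

When Trivy runs inside the pipeline itself, `trivy image --exit-code 1 --severity HIGH,CRITICAL <image>` gives the same result in one step; the script is for the case where only the saved report reaches the pipeline.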