trivy-db
Overview
trivy-db
is a CLI tool and a library to manipulate Trivy DB.
Library
Trivy uses trivy-db
internally to manipulate vulnerability DB. This DB has vulnerability information from NVD, Red Hat, Debian, etc.
CLI
The trivy-db
CLI tool builds vulnerability DBs. A GitHub Actions workflow
periodically builds a fresh version of the vulnerability DB using trivy-db
and uploads it to the GitHub
Container Registry (see Download the vulnerability database below).
NAME:
trivy-db - Trivy DB builder
USAGE:
main [global options] command [command options] image_name
VERSION:
0.0.1
COMMANDS:
build build a database file
help, h Shows a list of commands or help for one command
GLOBAL OPTIONS:
--help, -h show help
--version, -v print the version
Building the DB
You can utilize make db-all
to build the database, the DB artifact is outputted to the assets folder.
Alternatively Docker is supported, you can run docker build . -t trivy-db
.
If you want to build a trivy integration test DB, please run make create-test-db
Update interval
Every 6 hours
Download the vulnerability database
version 1 (deprecated)
Trivy DB v1 reached the end of support on February 2023. Please upgrade Trivy to v0.23.0 or later.
Read more about the Trivy DB v1 deprecation in the discussion.
version 2
Trivy DB v2 is hosted on GHCR.
Although GitHub displays the docker pull
command by default, please note that it cannot be downloaded using docker pull
as it is not a container image.
You can download the actual compiled database via Trivy or Oras CLI.
Trivy:
TRIVY_TEMP_DIR=$(mktemp -d)
trivy --cache-dir $TRIVY_TEMP_DIR image --download-db-only
tar -cf ./db.tar.gz -C $TRIVY_TEMP_DIR/db metadata.json trivy.db
rm -rf $TRIVY_TEMP_DIR
oras >= v0.13.0:
$ oras pull ghcr.io/aquasecurity/trivy-db:2
oras < v0.13.0:
$ oras pull -a ghcr.io/aquasecurity/trivy-db:2
The database can be used for Air-Gapped Environment.