Generating scan reports with Trivy

Aqua Security Open Source

4 May 202311:25

Summary

TLDRIn this Aqua Open Source video, Anais, an open source developer advocate at Aqua Security, demonstrates how to generate various reports using the Trivy CLI. She explains the process of storing scan results for long-term analysis and showcases different report formats, including table, JSON, SARIF, custom templates, and S-BOMs. The tutorial also covers the installation and upgrading of Trivy, and highlights the use of JLS for viewing JSON output. Anais encourages viewers to contribute to the project on GitHub and explore additional tools for enhanced scanning capabilities.

Takeaways

😀 Anais, an open source developer advocate at Aqua Security, introduces the video on generating reports with Trivy CLI.
🔍 Trivy CLI is used for scanning resources and typically provides results in the terminal or CI/CD pipeline.
💾 The video demonstrates how to store Trivy scan reports long-term, such as in S3 buckets for historical analysis and comparison.
🛠️ The tutorial requires Trivy to be installed or updated to the latest version using the provided installation instructions.
📊 Trivy supports various report formats including table, JSON, SARIF, custom templates, and SPDX.
📝 The default report format is table, which is easy to read and supported across vulnerability, misconfiguration, secret, and license scans.
📄 JSON format can be displayed in the terminal and saved to an output file, facilitating further processing and analysis.
📈 JLS (JSON Lines - Less) is highlighted as a tool for viewing JSON output neatly and filtering through results.
📑 SARIF format is suitable for uploading to GitHub Code Scanning and can be generated using Trivy with a specific command.
🛠️ Custom templates can be used to tailor the report output to specific needs, with examples like JUnit, ASFF, and HTML provided.
🔗 S-BOM (Software Bill of Materials) can be generated in formats like SPDX and CycloneDX, useful for sharing component lists and integrating with container registries.

Q & A

What is the main topic of the video?
-The main topic of the video is demonstrating how to generate different types of reports through the Trivy CLI for various scans.
Who is the presenter of the video?
-Anais is the presenter of the video and the open source developer advocate at Aqua Security.
Why might someone want to store Trivy scan reports long-term?
-Storing Trivy scan reports long-term allows for historical analysis, comparison over time, and reference in case of issues arising after application upgrades.
What are some of the formats supported for Trivy scan reports?
-Trivy supports report formats such as table, JSON, SARIF, custom templates, and S-BOMs (Software Bill of Materials).
How can one check the version of Trivy installed in their environment?
-To check the version of Trivy, one can use the command 'trivy version' in their terminal.
What does the table format in Trivy provide?
-The table format provides an easy-to-read display of security issues or vulnerabilities found during a scan.
How can one view the JSON output of a Trivy scan in a more user-friendly manner?
-One can pipe the JSON output into a tool like JLS (JSON Lines -l), which allows for a more organized and navigable view of the scan results.
What is the purpose of the SARIF format in Trivy scans?
-The SARIF (Static Analysis Results Interchange Format) is used for integrating Trivy scan results into other tools and platforms that support this format for security analysis.
How can Trivy scan results be shared or used in GitHub code scanning?
-Trivy scan results can be saved in SARIF format and uploaded to GitHub code scanning, and there is a Trivy GitHub action available for this purpose.
What does S-BOM stand for and what information does it provide?
-S-BOM stands for Software Bill of Materials, and it provides a list of all the different components within a container image or software package.
How can one contribute to the Trivy project or get support?
-One can contribute to the Trivy project by starring the repository on GitHub, joining the Slack community, or starting a GitHub discussion for support and feedback.