trivy

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

ABOUTME: Security vulnerability scanning skill using Trivy

ABOUTME: 使用Trivy的安全漏洞扫描技能

ABOUTME: Enforces CRITICAL/HIGH blocking before commits

ABOUTME: 提交代码前拦截CRITICAL/HIGH级别漏洞

Trivy Security Scanning Skill

Trivy安全扫描技能

Quick Reference

快速参考

Scan Type	Command	When
Dependencies	`trivy fs .`	package.json changes
Container	`trivy image <name>`	Dockerfile changes
IaC	`trivy config .`	Terraform changes

扫描类型	命令	触发时机
依赖项	`trivy fs .`	package.json变更时
容器	`trivy image <name>`	Dockerfile变更时
IaC	`trivy config .`	Terraform变更时

When to Scan

扫描触发时机

Trigger	Action
`package.json` changed	Scan filesystem
`package-lock.json` changed	Scan filesystem
`Dockerfile` modified	Scan config + image
`*.tf` files changed	Scan IaC config
Before commit with deps	MANDATORY scan

触发条件	操作
`package.json` 变更	扫描文件系统
`package-lock.json` 变更	扫描文件系统
`Dockerfile` 修改	扫描配置 + 镜像
`*.tf` 文件变更	扫描IaC配置
提交含新依赖的代码前	必须执行扫描

Scan Commands

扫描命令

Filesystem Scan (Dependencies)

文件系统扫描（依赖项）

bash

undefined

bash

undefined

Most common - scan Node.js dependencies

最常用 - 扫描Node.js依赖项

trivy fs
--severity CRITICAL,HIGH
--exit-code 1
--ignore-unfixed
--format table
.

undefined

trivy fs
--severity CRITICAL,HIGH
--exit-code 1
--ignore-unfixed
--format table
.

undefined

Container Image Scan

容器镜像扫描

bash

undefined

bash

undefined

Build image first

先构建镜像

docker build -t local-scan:latest .

Scan the image

扫描镜像

trivy image
--severity CRITICAL,HIGH
--exit-code 1
--ignore-unfixed
local-scan:latest

undefined

trivy image
--severity CRITICAL,HIGH
--exit-code 1
--ignore-unfixed
local-scan:latest

undefined

IaC Configuration Scan

IaC配置扫描

bash

undefined

bash

undefined

Scan Terraform files

扫描Terraform文件

trivy config
--severity CRITICAL,HIGH
--exit-code 1
infra/terraform/

---

trivy config
--severity CRITICAL,HIGH
--exit-code 1
infra/terraform/

---

Severity Policy

漏洞级别处理策略

Severity	Action	Commit Allowed
CRITICAL	BLOCK - Fix immediately	NO
HIGH	BLOCK - Fix or upgrade	NO
MEDIUM	WARN - Plan remediation	YES
LOW	INFO - Document	YES

级别	操作	是否允许提交
CRITICAL	拦截 - 立即修复	否
HIGH	拦截 - 修复或升级	否
MEDIUM	警告 - 制定修复计划	是
LOW	提示 - 记录文档	是

Remediation Strategies

漏洞修复策略

Strategy 1: Upgrade Package

策略1：升级依赖包

bash

undefined

bash

undefined

Check which version fixes the CVE

查看修复CVE的版本

npm audit

Upgrade specific package

升级指定包

npm install package@latest

Or use npm audit fix

或使用npm audit fix自动修复

npm audit fix

undefined

npm audit fix

undefined

Strategy 2: Find Fixed Version

策略2：查找已修复版本

bash

undefined

bash

undefined

Show fixed versions in JSON

以JSON格式显示已修复版本

trivy fs --severity CRITICAL,HIGH --format json . |
jq '.Results[].Vulnerabilities[] | {pkg: .PkgName, installed: .InstalledVersion, fixed: .FixedVersion}'

undefined

trivy fs --severity CRITICAL,HIGH --format json . |
jq '.Results[].Vulnerabilities[] | {pkg: .PkgName, installed: .InstalledVersion, fixed: .FixedVersion}'

undefined

Strategy 3: Override Transitive Dependency

策略3：覆盖传递依赖版本

json

// package.json
{
  "overrides": {
    "vulnerable-package": "^X.Y.Z"
  }
}

json

// package.json
{
  "overrides": {
    "vulnerable-package": "^X.Y.Z"
  }
}

Strategy 4: Exclude False Positive

策略4：排除误报

Create

.trivyignore

undefined

创建

.trivyignore

文件：

undefined

CVE-2023-XXXXX: Not exploitable - we don't use affected feature

CVE-2023-XXXXX: 无利用风险 - 未使用受影响功能

CVE-2023-XXXXX


**WARNING**: Every exclusion MUST have documented justification.

---

CVE-2023-XXXXX


**警告**：每一条排除规则都必须附带书面说明。

---

Ecommerce-Specific Patterns

电商项目专属扫描模式

Backend Scan

后端扫描

bash

cd apps/backend
trivy fs --severity CRITICAL,HIGH --exit-code 1 .

bash

cd apps/backend
trivy fs --severity CRITICAL,HIGH --exit-code 1 .

Frontend Scan

前端扫描

bash

cd apps/frontend
trivy fs --severity CRITICAL,HIGH --exit-code 1 .

bash

cd apps/frontend
trivy fs --severity CRITICAL,HIGH --exit-code 1 .

Docker Compose Scan

Docker Compose镜像扫描

bash

undefined

bash

undefined

Build all images

构建所有镜像

docker-compose -f docker-compose.full.yml build

Scan each

逐个扫描镜像

trivy image ecommerce-demo-backend:latest trivy image ecommerce-demo-frontend:latest

undefined

trivy image ecommerce-demo-backend:latest trivy image ecommerce-demo-frontend:latest

undefined

Terraform Scan

Terraform扫描

bash

trivy config --severity CRITICAL,HIGH infra/terraform/

bash

trivy config --severity CRITICAL,HIGH infra/terraform/

CI Integration

CI集成

The project has Trivy in CI (

.github/workflows/backend-ci.yml

yaml

- name: Run Trivy vulnerability scanner
  uses: aquasecurity/trivy-action@master
  with:
    scan-type: 'fs'
    scan-ref: 'apps/backend'
    format: 'json'
    output: 'security/reports/trivy-backend-${{ github.sha }}.json'

Reports saved to

security/reports/

for Claude CVE analysis.

项目已在CI中集成Trivy（配置文件：

.github/workflows/backend-ci.yml

）：

yaml

- name: Run Trivy vulnerability scanner
  uses: aquasecurity/trivy-action@master
  with:
    scan-type: 'fs'
    scan-ref: 'apps/backend'
    format: 'json'
    output: 'security/reports/trivy-backend-${{ github.sha }}.json'

扫描报告保存至

security/reports/

目录，用于Claude的CVE分析。

CVE Analysis Workflow

CVE分析流程

When Trivy finds vulnerabilities:

Get the report

bash

trivy fs --format json --output report.json .

Ask Claude to analyze

Analyze report.json for contextual CVE prioritization.
For each CVE:
- Search codebase for usage of affected library
- Evaluate if attack vector is exposed
- Provide remediation priority

Follow remediation plan

当Trivy检测到漏洞时：

获取扫描报告

bash

trivy fs --format json --output report.json .

请求Claude分析

分析report.json，针对CVE进行上下文优先级排序。
对每个CVE：
- 搜索代码库中受影响库的使用情况
- 评估攻击向量是否暴露
- 提供修复优先级建议

执行修复计划

Checklist

检查清单

Before committing with dependency changes:

Trivy installed (
```
brew install trivy
```
)

Ran

trivy fs --severity CRITICAL,HIGH --exit-code 1 .

No CRITICAL vulnerabilities
No HIGH vulnerabilities (or documented exception)
Any
```
.trivyignore
```
entries justified
Container images scanned (if Dockerfile changed)
IaC scanned (if Terraform changed)

提交含依赖变更的代码前：

已安装Trivy（执行
```
brew install trivy
```
）

已运行

trivy fs --severity CRITICAL,HIGH --exit-code 1 .

无CRITICAL级别漏洞
无HIGH级别漏洞（或已记录例外情况）
所有
```
.trivyignore
```
条目均有合理说明
若Dockerfile变更，已扫描容器镜像
若Terraform变更，已扫描IaC配置

Troubleshooting

故障排除

Issue	Solution
`trivy: command not found`	`brew install trivy`
Slow scan	Use `--skip-update` after first run
False positive	Add to `.trivyignore` with justification
Transitive dependency	Use `overrides` in package.json
Old DB	Run `trivy --download-db-only`

问题	解决方案
`trivy: command not found`	执行 `brew install trivy` 安装
扫描速度慢	首次扫描后使用 `--skip-update` 跳过数据库更新
误报	添加至 `.trivyignore` 并附带说明
传递依赖漏洞	在package.json中使用 `overrides` 覆盖版本
数据库版本过旧	执行 `trivy --download-db-only` 更新数据库