Constants ¶
// Kinds of finding a ModifiedFinding can wrap.
const (
	FindingTypeVulnerability    = FindingType("vulnerability")
	FindingTypeMisconfiguration = FindingType("misconfiguration")
	FindingTypeSecret           = FindingType("secret")
	FindingTypeLicense          = FindingType("license")
)

// Statuses a finding can carry once an external source has modified it.
// The first two are assigned by Trivy itself (e.g. via .trivyignore); the
// remaining four mirror the VEX status vocabulary.
const (
	// Assigned by Trivy.
	FindingStatusIgnored = FindingStatus("ignored")
	FindingStatusUnknown = FindingStatus("unknown")

	// Taken from VEX documents.
	FindingStatusNotAffected        = FindingStatus("not_affected")
	FindingStatusAffected           = FindingStatus("affected")
	FindingStatusFixed              = FindingStatus("fixed")
	FindingStatusUnderInvestigation = FindingStatus("under_investigation")
)
// ResultClass values: what kind of content a Result holds.
const (
	ClassUnknown     = ResultClass("unknown")
	ClassOSPkg       = ResultClass("os-pkgs")      // packages and vulnerabilities in OS packages
	ClassLangPkg     = ResultClass("lang-pkgs")    // packages and vulnerabilities in language-specific packages
	ClassConfig      = ResultClass("config")       // misconfigurations
	ClassSecret      = ResultClass("secret")       // secrets
	ClassLicense     = ResultClass("license")      // package licenses
	ClassLicenseFile = ResultClass("license-file") // licenses found in files
	ClassCustom      = ResultClass("custom")
)

// Compliance specs that can be requested; SupportedCompliances lists them.
const (
	ComplianceK8sNsa           Compliance = "k8s-nsa"
	ComplianceK8sCIS           Compliance = "k8s-cis"
	ComplianceK8sPSSBaseline   Compliance = "k8s-pss-baseline"
	ComplianceK8sPSSRestricted Compliance = "k8s-pss-restricted"
	ComplianceAWSCIS12         Compliance = "aws-cis-1.2"
	ComplianceAWSCIS14         Compliance = "aws-cis-1.4"
	ComplianceDockerCIS        Compliance = "docker-cis"
)

// Report output formats; SupportedFormats and SupportedSBOMFormats list them.
const (
	FormatTable      = Format("table")
	FormatJSON       = Format("json")
	FormatTemplate   = Format("template")
	FormatSarif      = Format("sarif")
	FormatCycloneDX  = Format("cyclonedx")
	FormatSPDX       = Format("spdx")
	FormatSPDXJSON   = Format("spdx-json")
	FormatGitHub     = Format("github")
	FormatCosignVuln = Format("cosign-vuln")
)
// Places an SBOM can be retrieved from; SBOMSources lists them.
const (
	SBOMSourceOCI   SBOMSource = "oci"
	SBOMSourceRekor SBOMSource = "rekor"
)
// Vulnerability types; VulnTypes lists the ones a user may select.
const (
	// VulnTypeUnknown marks a vulnerability whose type is not known.
	VulnTypeUnknown VulnType = "unknown"
	// VulnTypeOS marks a vulnerability in an OS package.
	VulnTypeOS VulnType = "os"
	// VulnTypeLibrary marks a vulnerability in a programming-language dependency.
	VulnTypeLibrary VulnType = "library"
)

// Scanner identifiers; AllScanners and AllImageConfigScanners list which of
// them may be enabled for a given target.
const (
	// UnknownScanner is the scanner of unknown.
	UnknownScanner Scanner = "unknown"
	// NoneScanner is the "none" scanner.
	NoneScanner Scanner = "none"
	// SBOMScanner is the virtual SBOM scanner; it cannot be enabled by the user.
	SBOMScanner Scanner = "sbom"
	// VulnerabilityScanner detects vulnerabilities.
	VulnerabilityScanner Scanner = "vuln"
	// MisconfigScanner detects misconfigurations.
	MisconfigScanner Scanner = "misconfig"
	// SecretScanner detects secrets.
	SecretScanner Scanner = "secret"
	// RBACScanner performs RBAC assessment.
	RBACScanner Scanner = "rbac"
	// LicenseScanner detects licenses.
	LicenseScanner Scanner = "license"
)
Variables ¶
// SupportedFormats lists every report format Trivy can emit.
var SupportedFormats = []Format{
	FormatTable,
	FormatJSON,
	FormatTemplate,
	FormatSarif,
	FormatCycloneDX,
	FormatSPDX,
	FormatSPDXJSON,
	FormatGitHub,
	FormatCosignVuln,
}

// SupportedSBOMFormats is the subset of SupportedFormats used for SBOM output.
var SupportedSBOMFormats = []Format{
	FormatCycloneDX,
	FormatSPDX,
	FormatSPDXJSON,
	FormatGitHub,
}

// SupportedCompliances lists the compliance specs that can be requested.
// It is a []string because Compliance is an alias of string.
var SupportedCompliances = []string{
	ComplianceK8sNsa,
	ComplianceK8sCIS,
	ComplianceK8sPSSBaseline,
	ComplianceK8sPSSRestricted,
	ComplianceAWSCIS12,
	ComplianceAWSCIS14,
	ComplianceDockerCIS,
}
// VulnTypes lists the vulnerability types a user may select (VulnTypeUnknown is excluded).
var VulnTypes = []string{
	VulnTypeOS,
	VulnTypeLibrary,
}

// AllScanners lists the scanners that may be enabled on an ordinary target.
// SBOMScanner is deliberately absent: it is virtual and not user-selectable.
var AllScanners = Scanners{
	VulnerabilityScanner,
	MisconfigScanner,
	RBACScanner,
	SecretScanner,
	LicenseScanner,
	NoneScanner,
}

// AllImageConfigScanners lists the scanners that may run against a container
// image config. An image in a registry consists of a manifest, a config and
// layers, and Trivy can also detect security issues in the config.
var AllImageConfigScanners = Scanners{
	MisconfigScanner,
	SecretScanner,
	NoneScanner,
}
// SBOMSources lists the places an SBOM can be retrieved from.
// It is a []string because SBOMSource is an alias of string.
var SBOMSources = []string{
	SBOMSourceOCI,
	SBOMSourceRekor,
}
Functions ¶
This section is empty.
Types ¶
type BySeverity ¶ added in v0.13.0
// BySeverity implements sort.Interface over a slice of DetectedVulnerability.
// Despite the name, Less orders by package name, severity, vulnerability ID
// and package path (see Less).
type BySeverity []DetectedVulnerability
BySeverity implements sort.Interface based on the Severity field.
func (BySeverity) Len ¶ added in v0.13.0
func (v BySeverity) Len() int
Len returns the number of DetectedVulnerabilities.
func (BySeverity) Less ¶ added in v0.13.0
func (v BySeverity) Less(i, j int) bool
Less compares two DetectedVulnerabilities by package name, severity, vulnerability ID and package path.
func (BySeverity) Swap ¶ added in v0.13.0
func (v BySeverity) Swap(i, j int)
Swap swaps two vulnerabilities.
type Compliance ¶ added in v0.33.0
// Compliance names a compliance spec (see the Compliance* constants).
// It is a string alias, so values can be placed in []string such as SupportedCompliances.
type Compliance = string
type DetectedLicense ¶ added in v0.30.0
// DetectedLicense holds a license found either in a package or in a file.
// Exactly one of PkgName and FilePath is expected to be filled.
type DetectedLicense struct {
	// Severity is the consistent parameter indicating how severe the issue is
	Severity string

	// Category holds the license category such as "forbidden"
	Category types.LicenseCategory

	// PkgName holds a package name of the license.
	// It will be empty if FilePath is filled.
	PkgName string

	// FilePath holds a file path of the license.
	// It will be empty if PkgName is filled.
	FilePath string // for file license

	// Name holds a detected license name
	Name string

	// Confidence is the level of the match. The confidence level is between 0.0 and 1.0, with 1.0 indicating an
	// exact match and 0.0 indicating a complete mismatch
	Confidence float64

	// Link is a SPDX link of the license
	Link string
}
type DetectedMisconfiguration ¶ added in v0.19.0
// DetectedMisconfiguration holds detected misconfigurations
type DetectedMisconfiguration struct {
	Type          string               `json:",omitempty"`
	ID            string               `json:",omitempty"`
	AVDID         string               `json:",omitempty"`
	Title         string               `json:",omitempty"`
	Description   string               `json:",omitempty"`
	Message       string               `json:",omitempty"`
	Namespace     string               `json:",omitempty"`
	Query         string               `json:",omitempty"`
	Resolution    string               `json:",omitempty"`
	Severity      string               `json:",omitempty"`
	PrimaryURL    string               `json:",omitempty"`
	References    []string             `json:",omitempty"`
	Status        MisconfStatus        `json:",omitempty"` // PASS, FAIL or EXCEPTION; see the MisconfStatus* constants
	Layer         ftypes.Layer         `json:",omitempty"`
	CauseMetadata ftypes.CauseMetadata `json:",omitempty"`

	// For debugging.
	// NOTE(review): Traces is tagged omitempty rather than "-", so it is emitted
	// in the JSON report whenever it is non-empty — confirm that is intended for
	// reports shared outside the scanning host.
	Traces []string `json:",omitempty"`
}
DetectedMisconfiguration holds detected misconfigurations
type DetectedSecret ¶ added in v0.50.0
// DetectedSecret is a secret finding as reported in Result.Secrets.
// It is a defined type over ftypes.SecretFinding, so methods of the underlying
// type are not promoted.
// NOTE(review): which fields it carries (and whether the matched secret text
// itself is among them) is decided by ftypes.SecretFinding, which is not shown
// here — check it before emitting Secrets in reports that leave the scanning host.
type DetectedSecret ftypes.SecretFinding
type DetectedVulnerability ¶ added in v0.2.0
// DetectedVulnerability holds the information of detected vulnerabilities.
// Slices of it can be sorted with BySeverity.
type DetectedVulnerability struct {
	VulnerabilityID  string               `json:",omitempty"`
	VendorIDs        []string             `json:",omitempty"`
	PkgID            string               `json:",omitempty"` // It is used to construct dependency graph.
	PkgName          string               `json:",omitempty"`
	PkgPath          string               `json:",omitempty"` // This field is populated in the case of language-specific packages such as egg/wheel and gemspec
	PkgIdentifier    ftypes.PkgIdentifier `json:",omitempty"`
	InstalledVersion string               `json:",omitempty"`
	FixedVersion     string               `json:",omitempty"`
	Status           types.Status         `json:",omitempty"`
	Layer            ftypes.Layer         `json:",omitempty"`
	SeveritySource   types.SourceID       `json:",omitempty"`
	PrimaryURL       string               `json:",omitempty"`

	// DataSource holds where the advisory comes from
	DataSource *types.DataSource `json:",omitempty"`

	// Custom is for extensibility and not supposed to be used in OSS.
	// NOTE(review): being `any`, it round-trips through JSON as untyped data
	// (maps/slices); nothing here validates its shape.
	Custom any `json:",omitempty"`

	// Embed vulnerability details
	types.Vulnerability
}
DetectedVulnerability holds the information of detected vulnerabilities
type FindingStatus ¶ added in v0.50.0
// FindingStatus is the status recorded on a ModifiedFinding. Values are the
// FindingStatus* constants: "ignored" and "unknown" are assigned by Trivy, the
// others mirror the VEX status vocabulary.
type FindingStatus string
type FindingType ¶ added in v0.50.0
// FindingType identifies which kind of finding a ModifiedFinding wraps:
// vulnerability, misconfiguration, secret or license (see the FindingType* constants).
type FindingType string
type Metadata ¶ added in v0.24.0
// Metadata represents a metadata of artifact
type Metadata struct {
	Size int64      `json:",omitempty"`
	OS   *ftypes.OS `json:",omitempty"`

	// Container image
	ImageID     string   `json:",omitempty"`
	DiffIDs     []string `json:",omitempty"`
	RepoTags    []string `json:",omitempty"`
	RepoDigests []string `json:",omitempty"`
	// ImageConfig is the image's config file. omitempty has no effect on a struct
	// value, so it is always serialised into the report.
	// NOTE(review): the config may carry more than the scanners need — review
	// what ends up in reports that are shared.
	ImageConfig v1.ConfigFile `json:",omitempty"`
}
Metadata represents a metadata of artifact
type MisconfStatus ¶ added in v0.19.0
// MisconfStatus represents a status of misconfiguration; it is stored in
// DetectedMisconfiguration.Status. See the MisconfStatus* constants.
type MisconfStatus string
MisconfStatus represents a status of misconfiguration
// Possible MisconfStatus values.
const (
	// MisconfStatusPassed means the check passed.
	MisconfStatusPassed = MisconfStatus("PASS")
	// MisconfStatusFailure means the check failed.
	MisconfStatusFailure = MisconfStatus("FAIL")
	// MisconfStatusException means the check was covered by an exception.
	MisconfStatusException = MisconfStatus("EXCEPTION")
)
type MisconfSummary ¶ added in v0.24.0
func (MisconfSummary) Empty ¶ added in v0.24.0
func (s MisconfSummary) Empty() bool
type ModifiedFinding ¶ added in v0.50.0
// ModifiedFinding records a finding whose status was changed by an external
// source such as .trivyignore or a VEX document; build one with NewModifiedFinding.
type ModifiedFinding struct {
	Type      FindingType   // kind of finding wrapped in Finding
	Status    FindingStatus // status assigned by the source
	Statement string        // justification supplied by the source — presumably free text; verify against callers
	Source    string        // where the modification came from, e.g. .trivyignore or VEX
	Finding   finding       // one of findings; `finding` is an unexported interface not shown here
}
ModifiedFinding represents a security finding that has been modified by an external source, such as .trivyignore and VEX. Currently, it is primarily used to account for vulnerabilities that are ignored via .trivyignore or identified as not impactful through VEX. However, it is planned to also store vulnerabilities whose severity has been adjusted by VEX, or that have been detected through Wasm modules in the future.
func NewModifiedFinding ¶ added in v0.50.0
func NewModifiedFinding(f finding, status FindingStatus, statement, source string) ModifiedFinding
type Report ¶ added in v0.24.0
// Report represents a scan result
type Report struct {
	SchemaVersion int           `json:",omitempty"`
	CreatedAt     time.Time     `json:",omitempty"` // omitempty has no effect on time.Time (a struct); it is always emitted
	ArtifactName  string        `json:",omitempty"`
	ArtifactType  artifact.Type `json:",omitempty"`
	Metadata      Metadata      `json:",omitempty"`
	Results       Results       `json:",omitempty"`

	// parsed SBOM
	BOM *core.BOM `json:"-"` // Just for internal usage, not exported in JSON
}
Report represents a scan result
type Result ¶ added in v0.24.0
// Result holds a target and detected vulnerabilities
type Result struct {
	Target            string                     `json:"Target"` // the only field without omitempty; always emitted
	Class             ResultClass                `json:"Class,omitempty"`
	Type              ftypes.TargetType          `json:"Type,omitempty"`
	Packages          []ftypes.Package           `json:"Packages,omitempty"`
	Vulnerabilities   []DetectedVulnerability    `json:"Vulnerabilities,omitempty"`
	MisconfSummary    *MisconfSummary            `json:"MisconfSummary,omitempty"`
	Misconfigurations []DetectedMisconfiguration `json:"Misconfigurations,omitempty"`
	Secrets           []DetectedSecret           `json:"Secrets,omitempty"`
	Licenses          []DetectedLicense          `json:"Licenses,omitempty"`
	CustomResources   []ftypes.CustomResource    `json:"CustomResources,omitempty"`

	// ModifiedFindings holds a list of findings that have been modified from their original state.
	// This can include vulnerabilities that have been marked as ignored, not affected, or have had
	// their severity adjusted. It is currently available only in the table format.
	// The "-" tag excludes it from JSON, so JSON consumers cannot see which findings were suppressed.
	ModifiedFindings []ModifiedFinding `json:"-"`
}
Result holds a target and detected vulnerabilities
type ResultClass ¶ added in v0.24.0
// ResultClass classifies what a Result contains (OS packages, language
// packages, config, secrets, licenses, ...); see the Class* constants.
type ResultClass string
type SBOM ¶ added in v0.33.0
// SBOM bundles artifact Metadata with the packages and applications an SBOM
// lists, plus the parsed BOM itself.
type SBOM struct {
	Metadata     Metadata
	Packages     []ftypes.PackageInfo
	Applications []ftypes.Application
	BOM          *core.BOM
}
type SBOMSource ¶ added in v0.32.0
// SBOMSource names where an SBOM is retrieved from (see the SBOMSource* constants).
// It is a string alias, so values can be placed in []string such as SBOMSources.
type SBOMSource = string
type ScanOptions ¶
// ScanOptions holds the attributes for scanning vulnerabilities
type ScanOptions struct {
	VulnType            []string // values from VulnTypes
	Scanners            Scanners // scanners to run; see AllScanners
	ImageConfigScanners Scanners // Scanners for container image configuration; see AllImageConfigScanners
	ScanRemovedPackages bool
	LicenseCategories   map[types.LicenseCategory][]string // presumably category -> license names; verify against callers
	FilePatterns        []string
	IncludeDevDeps      bool
}
ScanOptions holds the attributes for scanning vulnerabilities
type ScanTarget ¶ added in v0.47.0
// ScanTarget holds the attributes for scanning: it describes the artifact
// handed to the scanners, whereas Report and Result carry their output.
type ScanTarget struct {
	Name              string // container image name, file path, etc
	OS                types.OS
	Repository        *types.Repository
	Packages          types.Packages
	Applications      []types.Application
	Misconfigurations []types.Misconfiguration
	Secrets           []types.Secret
	Licenses          []types.LicenseFile

	// CustomResources hold analysis results from custom analyzers.
	// It is for extensibility and not used in OSS.
	CustomResources []types.CustomResource
}
ScanTarget holds the attributes for scanning.
type Scanner ¶ added in v0.37.0
// Scanner represents the type of security scanning; see the *Scanner constants
// (VulnerabilityScanner, MisconfigScanner, SecretScanner, ...).
type Scanner string
Scanner represents the type of security scanning
type Scanners ¶ added in v0.37.0
// Scanners is a slice of scanners; AnyEnabled reports whether any of the
// passed scanners is included in it.
type Scanners []Scanner
Scanners is a slice of scanners
func (*Scanners) AnyEnabled ¶ added in v0.37.0
AnyEnabled returns true if any of the passed scanners is included.