Documentation
¶
Index ¶
- Constants
- Variables
- type BySeverity
- type Compliance
- type DetectedLicense
- type DetectedMisconfiguration
- type DetectedSecret
- type DetectedVulnerability
- type ExitError
- type FindingStatus
- type FindingType
- type Format
- type Library
- type Metadata
- type MisconfStatus
- type MisconfSummary
- type ModifiedFinding
- type PkgType
- type Report
- type Result
- type ResultClass
- type Results
- type SBOM
- type SBOMSource
- type ScanOptions
- type ScanTarget
- type Scanner
- type Scanners
Constants ¶
View Source
const ( FindingTypeVulnerability FindingType = "vulnerability" FindingTypeMisconfiguration FindingType = "misconfiguration" FindingTypeSecret FindingType = "secret" FindingTypeLicense FindingType = "license" FindingStatusIgnored FindingStatus = "ignored" // Trivy FindingStatusUnknown FindingStatus = "unknown" // Trivy FindingStatusNotAffected FindingStatus = "not_affected" // VEX FindingStatusAffected FindingStatus = "affected" // VEX FindingStatusFixed FindingStatus = "fixed" // VEX FindingStatusUnderInvestigation FindingStatus = "under_investigation" // VEX )
View Source
const ( ClassUnknown ResultClass = "unknown" ClassOSPkg ResultClass = "os-pkgs" // For detected packages and vulnerabilities in OS packages ClassLangPkg ResultClass = "lang-pkgs" // For detected packages and vulnerabilities in language-specific packages ClassConfig ResultClass = "config" // For detected misconfigurations ClassSecret ResultClass = "secret" // For detected secrets ClassLicense ResultClass = "license" // For detected package licenses ClassLicenseFile ResultClass = "license-file" // For detected licenses in files ClassCustom ResultClass = "custom" ComplianceK8sNsa10 = Compliance("k8s-nsa-1.0") ComplianceK8sCIS123 = Compliance("k8s-cis-1.23") ComplianceK8sPSSBaseline01 = Compliance("k8s-pss-baseline-0.1") ComplianceK8sPSSRestricted01 = Compliance("k8s-pss-restricted-0.1") ComplianceAWSCIS12 = Compliance("aws-cis-1.2") ComplianceAWSCIS14 = Compliance("aws-cis-1.4") ComplianceDockerCIS160 = Compliance("docker-cis-1.6.0") ComplianceEksCIS14 = Compliance("eks-cis-1.4") ComplianceRke2CIS124 = Compliance("rke2-cis-1.24") FormatTable Format = "table" FormatJSON Format = "json" FormatTemplate Format = "template" FormatSarif Format = "sarif" FormatCycloneDX Format = "cyclonedx" FormatSPDX Format = "spdx" FormatSPDXJSON Format = "spdx-json" FormatGitHub Format = "github" FormatCosignVuln Format = "cosign-vuln" )
View Source
const ( SBOMSourceOCI = SBOMSource("oci") SBOMSourceRekor = SBOMSource("rekor") )
View Source
const ( // PkgTypeUnknown is a package type of unknown PkgTypeUnknown = PkgType("unknown") // PkgTypeOS is a package type of OS packages PkgTypeOS = PkgType("os") // PkgTypeLibrary is a package type of programming language dependencies PkgTypeLibrary = PkgType("library") // UnknownScanner is the scanner of unknown UnknownScanner = Scanner("unknown") // NoneScanner is the scanner of none NoneScanner = Scanner("none") // SBOMScanner is the virtual scanner of SBOM, which cannot be enabled by the user SBOMScanner = Scanner("sbom") // VulnerabilityScanner is the scanner of vulnerabilities VulnerabilityScanner = Scanner("vuln") // MisconfigScanner is the scanner of misconfigurations MisconfigScanner = Scanner("misconfig") // SecretScanner is the scanner of secrets SecretScanner = Scanner("secret") // RBACScanner is the scanner of rbac assessment RBACScanner = Scanner("rbac") // LicenseScanner is the scanner of licenses LicenseScanner = Scanner("license") )
Variables ¶
View Source
var ( SupportedFormats = []Format{ FormatTable, FormatJSON, FormatTemplate, FormatSarif, FormatCycloneDX, FormatSPDX, FormatSPDXJSON, FormatGitHub, FormatCosignVuln, } SupportedSBOMFormats = []Format{ FormatCycloneDX, FormatSPDX, FormatSPDXJSON, FormatGitHub, } SupportedCompliances = []string{ ComplianceK8sNsa10, ComplianceK8sCIS123, ComplianceK8sPSSBaseline01, ComplianceK8sPSSRestricted01, ComplianceAWSCIS12, ComplianceAWSCIS14, ComplianceDockerCIS160, ComplianceEksCIS14, ComplianceRke2CIS124, } )
View Source
var ( PkgTypes = []string{ PkgTypeOS, PkgTypeLibrary, } AllScanners = Scanners{ VulnerabilityScanner, MisconfigScanner, RBACScanner, SecretScanner, LicenseScanner, NoneScanner, } // AllImageConfigScanners has a list of available scanners on container image config. // The container image in container registries consists of manifest, config and layers. // Trivy is also able to detect security issues on the image config. AllImageConfigScanners = Scanners{ MisconfigScanner, SecretScanner, NoneScanner, } )
View Source
var ( SBOMSources = []string{ SBOMSourceOCI, SBOMSourceRekor, } )
Functions ¶
This section is empty.
Types ¶
type BySeverity ¶ added in v0.13.0
type BySeverity []DetectedVulnerability
BySeverity implements sort.Interface based on the Severity field.
func (BySeverity) Len ¶ added in v0.13.0
func (v BySeverity) Len() int
Len returns the length of DetectedVulnerabilities
func (BySeverity) Less ¶ added in v0.13.0
func (v BySeverity) Less(i, j int) bool
Less compares 2 DetectedVulnerabilities based on package name, severity, vulnerabilityID and package path
func (BySeverity) Swap ¶ added in v0.13.0
func (v BySeverity) Swap(i, j int)
Swap swaps 2 vulnerability
type Compliance ¶ added in v0.33.0
type Compliance = string
type DetectedLicense ¶ added in v0.30.0
type DetectedLicense struct {
// Severity is the consistent parameter indicating how severe the issue is
Severity string
// Category holds the license category such as "forbidden"
Category types.LicenseCategory
// PkgName holds a package name of the license.
// It will be empty if FilePath is filled.
PkgName string
// PkgName holds a file path of the license.
// It will be empty if PkgName is filled.
FilePath string // for file license
// Name holds a detected license name
Name string
// Confidence is level of the match. The confidence level is between 0.0 and 1.0, with 1.0 indicating an
// exact match and 0.0 indicating a complete mismatch
Confidence float64
// Link is a SPDX link of the license
Link string
}
type DetectedMisconfiguration ¶ added in v0.19.0
type DetectedMisconfiguration struct {
Type string `json:",omitempty"`
ID string `json:",omitempty"`
AVDID string `json:",omitempty"`
Title string `json:",omitempty"`
Description string `json:",omitempty"`
Message string `json:",omitempty"`
Namespace string `json:",omitempty"`
Query string `json:",omitempty"`
Resolution string `json:",omitempty"`
Severity string `json:",omitempty"`
PrimaryURL string `json:",omitempty"`
References []string `json:",omitempty"`
Status MisconfStatus `json:",omitempty"`
Layer ftypes.Layer `json:",omitempty"`
CauseMetadata ftypes.CauseMetadata `json:",omitempty"`
// For debugging
Traces []string `json:",omitempty"`
}
DetectedMisconfiguration holds detected misconfigurations
type DetectedSecret ¶ added in v0.50.0
type DetectedSecret ftypes.SecretFinding
type DetectedVulnerability ¶ added in v0.2.0
type DetectedVulnerability struct {
VulnerabilityID string `json:",omitempty"`
VendorIDs []string `json:",omitempty"`
PkgID string `json:",omitempty"` // It is used to construct dependency graph.
PkgName string `json:",omitempty"`
PkgPath string `json:",omitempty"` // This field is populated in the case of language-specific packages such as egg/wheel and gemspec
PkgIdentifier ftypes.PkgIdentifier `json:",omitempty"`
InstalledVersion string `json:",omitempty"`
FixedVersion string `json:",omitempty"`
Status types.Status `json:",omitempty"`
Layer ftypes.Layer `json:",omitempty"`
SeveritySource types.SourceID `json:",omitempty"`
PrimaryURL string `json:",omitempty"`
// DataSource holds where the advisory comes from
DataSource *types.DataSource `json:",omitempty"`
// Custom is for extensibility and not supposed to be used in OSS
Custom any `json:",omitempty"`
// Embed vulnerability details
types.Vulnerability
}
DetectedVulnerability holds the information of detected vulnerabilities
type FindingStatus ¶ added in v0.50.0
type FindingStatus string
type FindingType ¶ added in v0.50.0
type FindingType string
type Metadata ¶ added in v0.24.0
type Metadata struct {
Size int64 `json:",omitempty"`
OS *ftypes.OS `json:",omitempty"`
// Container image
ImageID string `json:",omitempty"`
DiffIDs []string `json:",omitempty"`
RepoTags []string `json:",omitempty"`
RepoDigests []string `json:",omitempty"`
ImageConfig v1.ConfigFile `json:",omitempty"`
}
Metadata represents a metadata of artifact
type MisconfStatus ¶ added in v0.19.0
type MisconfStatus string
MisconfStatus represents a status of misconfiguration
const ( // MisconfStatusPassed represents successful status MisconfStatusPassed MisconfStatus = "PASS" // MisconfStatusFailure represents failure status MisconfStatusFailure MisconfStatus = "FAIL" // MisconfStatusException Passed represents the status of exception MisconfStatusException MisconfStatus = "EXCEPTION" )
type MisconfSummary ¶ added in v0.24.0
func (MisconfSummary) Empty ¶ added in v0.24.0
func (s MisconfSummary) Empty() bool
type ModifiedFinding ¶ added in v0.50.0
type ModifiedFinding struct {
Type FindingType
Status FindingStatus
Statement string
Source string
Finding finding // one of findings
}
ModifiedFinding represents a security finding that has been modified by an external source, such as .trivyignore and VEX. Currently, it is primarily used to account for vulnerabilities that are ignored via .trivyignore or identified as not impactful through VEX. However, it is planned to also store vulnerabilities whose severity has been adjusted by VEX, or that have been detected through Wasm modules in the future.
func NewModifiedFinding ¶ added in v0.50.0
func NewModifiedFinding(f finding, status FindingStatus, statement, source string) ModifiedFinding
type Report ¶ added in v0.24.0
type Report struct {
SchemaVersion int `json:",omitempty"`
CreatedAt time.Time `json:",omitempty"`
ArtifactName string `json:",omitempty"`
ArtifactType artifact.Type `json:",omitempty"`
Metadata Metadata `json:",omitempty"`
Results Results `json:",omitempty"`
// parsed SBOM
BOM *core.BOM `json:"-"` // Just for internal usage, not exported in JSON
}
Report represents a scan result
type Result ¶ added in v0.24.0
type Result struct {
Target string `json:"Target"`
Class ResultClass `json:"Class,omitempty"`
Type ftypes.TargetType `json:"Type,omitempty"`
Packages []ftypes.Package `json:"Packages,omitempty"`
Vulnerabilities []DetectedVulnerability `json:"Vulnerabilities,omitempty"`
MisconfSummary *MisconfSummary `json:"MisconfSummary,omitempty"`
Misconfigurations []DetectedMisconfiguration `json:"Misconfigurations,omitempty"`
Secrets []DetectedSecret `json:"Secrets,omitempty"`
Licenses []DetectedLicense `json:"Licenses,omitempty"`
CustomResources []ftypes.CustomResource `json:"CustomResources,omitempty"`
// ModifiedFindings holds a list of findings that have been modified from their original state.
// This can include vulnerabilities that have been marked as ignored, not affected, or have had
// their severity adjusted. It is currently available only in the table format.
ModifiedFindings []ModifiedFinding `json:"-"`
}
Result holds a target and detected vulnerabilities
type ResultClass ¶ added in v0.24.0
type ResultClass string
type SBOM ¶ added in v0.33.0
type SBOM struct {
Metadata Metadata
Packages []ftypes.PackageInfo
Applications []ftypes.Application
BOM *core.BOM
}
type SBOMSource ¶ added in v0.32.0
type SBOMSource = string
type ScanOptions ¶
type ScanOptions struct {
PkgTypes []string
PkgRelationships []types.Relationship
Scanners Scanners
ImageConfigScanners Scanners // Scanners for container image configuration
ScanRemovedPackages bool
LicenseCategories map[types.LicenseCategory][]string
FilePatterns []string
IncludeDevDeps bool
}
ScanOptions holds the attributes for scanning vulnerabilities
type ScanTarget ¶ added in v0.47.0
type ScanTarget struct {
Name string // container image name, file path, etc
OS types.OS
Repository *types.Repository
Packages types.Packages
Applications []types.Application
Misconfigurations []types.Misconfiguration
Secrets []types.Secret
Licenses []types.LicenseFile
// CustomResources hold analysis results from custom analyzers.
// It is for extensibility and not used in OSS.
CustomResources []types.CustomResource
}
ScanTarget holds the attributes for scanning.
type Scanner ¶ added in v0.37.0
type Scanner string
Scanner represents the type of security scanning
type Scanners ¶ added in v0.37.0
type Scanners []Scanner
Scanners is a slice of scanners
func (*Scanners) AnyEnabled ¶ added in v0.37.0
AnyEnabled returns true if any of the passed scanners is included.
Source Files
Click to show internal directories.
Click to hide internal directories.