Trivy image scanning
# Understanding Trivy's architecture
How Trivy works:

```text
Docker image
    ↓
Trivy scans the image layers
    ↓
Downloads the vulnerability database
    ↓
Matches packages against CVEs
    ↓
Outputs a vulnerability report
```
# Docker Compose deployment
docker-compose.yaml

```yaml
version: '3.9'
services:
  trivy:
    image: docker.cnb.cool/zzppjj/docker-images/trivy:latest
    container_name: trivy
    restart: always
    command: server --listen 0.0.0.0:4954
    ports:
      - "4954:4954"
    volumes:
      - ./cache:/root/.cache/
    environment:
      - TZ=Asia/Shanghai
      # Required when running in mainland China
      - TRIVY_DB_REPOSITORY=ghcr.io/aquasecurity/trivy-db
    healthcheck:
      test: ["CMD", "wget", "-qO-", "http://127.0.0.1:4954/healthz"]
      interval: 30s
      timeout: 10s
      retries: 3
```
View the logs:

```bash
docker logs -f trivy
```
# Client CLI installation
Download the installation package:

```bash
https://github.com/aquasecurity/trivy/releases/download/v0.70.0/trivy_0.70.0_Linux-64bit.rpm
```

Run the install:

```bash
yum install -y trivy_0.70.0_Linux-64bit.rpm
```
# Running a scan
In client/server mode the server holds the vulnerability database; the client scans the image locally and queries the server for CVE matching, so each client does not need its own database download.

Method 1:

```bash
trivy image \
  --server http://127.0.0.1:4954 \
  nginx:latest
```

Method 2: show only HIGH and CRITICAL vulnerabilities

```bash
trivy image --server http://192.168.51.50:4954 --severity HIGH,CRITICAL docker.cnb.cool/zzppjj/docker-images/alpine
```
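The severity filter above is usually the basis of a CI gate: the scan runs with `--format json` (a real Trivy flag, like `--severity` and `--ignore-unfixed`), and the pipeline fails when anything at or above a threshold is found. The following is an added example, not code from the original page or from the Trivy project. It parses a report in Trivy's JSON layout, reproduces the `--severity` and `--ignore-unfixed` behaviour in Python, and returns an exit code; the embedded sample report, its image name, package versions and CVE identifiers are constructed placeholders.

```python
"""Severity gate for a Trivy JSON report.

Added example, not code from the original page or from the Trivy project.
Assumes the report came from `trivy image --server <url> --format json <image>`
and mirrors what `--severity HIGH,CRITICAL` and `--ignore-unfixed` do on the
CLI, so a CI job can fail on the same criteria.
"""
import json
import sys
from collections import Counter

# Trivy's severity levels, lowest first. Anything not listed ranks as UNKNOWN.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample report in Trivy's JSON layout (SchemaVersion 2). The CVE
# ids, versions and image name are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "registry.example.invalid/app:1.0",
    "Results": [
        {
            "Target": "registry.example.invalid/app:1.0 (alpine 3.18.0)",
            "Type": "alpine",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3",
                 "InstalledVersion": "3.1.0-r0", "FixedVersion": "3.1.1-r0",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox",
                 "InstalledVersion": "1.36.0-r0", "FixedVersion": "",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib",
                 "InstalledVersion": "1.2.13-r0", "FixedVersion": "1.2.13-r1",
                 "Severity": "MEDIUM"},
            ],
        },
        # Trivy emits null, not [], for a target with no findings.
        {"Target": "app/requirements.txt", "Type": "pip", "Vulnerabilities": None},
    ],
})


def rank(severity):
    """Position of a severity in SEVERITY_ORDER; unexpected strings rank as UNKNOWN."""
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else 0


def iter_vulnerabilities(report):
    """Yield (target, vulnerability) for every finding in every result."""
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", ""), vuln


def filter_findings(report, min_severity="HIGH", fixed_only=False):
    """Findings at or above min_severity (like --severity); with fixed_only,
    drop findings that have no FixedVersion (like --ignore-unfixed)."""
    threshold = rank(min_severity)
    selected = []
    for target, vuln in iter_vulnerabilities(report):
        if rank(vuln.get("Severity", "UNKNOWN")) < threshold:
            continue
        if fixed_only and not vuln.get("FixedVersion"):
            continue
        selected.append({
            "target": target,
            "id": vuln.get("VulnerabilityID", ""),
            "pkg": vuln.get("PkgName", ""),
            "installed": vuln.get("InstalledVersion", ""),
            "fixed": vuln.get("FixedVersion", ""),
            "severity": vuln.get("Severity", "UNKNOWN"),
        })
    # Most severe first so the top of the CI log shows what matters.
    selected.sort(key=lambda f: rank(f["severity"]), reverse=True)
    return selected


def severity_counts(report):
    """Count findings per severity; accepts the raw JSON string or the parsed dict."""
    if isinstance(report, str):
        report = json.loads(report)
    return Counter(v.get("Severity", "UNKNOWN") for _, v in iter_vulnerabilities(report))


def gate(report_json, min_severity="HIGH", fixed_only=False):
    """Return (exit_code, findings): 0 when nothing reaches the threshold,
    1 otherwise, the same contract as `--exit-code 1` on the CLI."""
    report = json.loads(report_json)
    findings = filter_findings(report, min_severity, fixed_only)
    return (1 if findings else 0), findings


if __name__ == "__main__":
    # Usage: trivy image --server http://127.0.0.1:4954 --format json IMAGE | python gate.py
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    code, findings = gate(raw, min_severity="HIGH", fixed_only=True)
    for f in findings:
        print(f"{f['severity']:<8} {f['id']:<16} {f['pkg']} {f['installed']} -> {f['fixed']}  [{f['target']}]")
    print("totals:", dict(severity_counts(raw)))
    sys.exit(code)
```

Run with no stdin to see the behaviour on the constructed sample, or pipe a real `--format json` report into it. Treating a null `Vulnerabilities` array as empty matters: Trivy writes `null` rather than `[]` for clean targets, and a naive loop over it raises instead of passing the gate.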
Last updated: 2026/05/16, 12:38:07