trivy-db
is a CLI tool and a library to manipulate Trivy DB.
Trivy uses trivy-db
internally to manipulate vulnerability DB. This DB has vulnerability information from NVD, Red Hat, Debian, etc.
The trivy-db
CLI tool builds vulnerability DBs. A GitHub Actions workflow
periodically builds a fresh version of the vulnerability DB using trivy-db
and uploads it to the GitHub
Container Registry (see Download the vulnerability database below).
NAME:
trivy-db - Trivy DB builder
USAGE:
main [global options] command [command options] image_name
VERSION:
0.0.1
COMMANDS:
build build a database file
help, h Shows a list of commands or help for one command
GLOBAL OPTIONS:
--help, -h show help
--version, -v print the version
You can utilize make db-all
to build the database, the DB artifact is outputted to the assets folder.
Alternatively Docker is supported, you can run docker build . -t trivy-db
.
If you want to build a trivy integration test DB, please run make create-test-db
Trivy DB is built every 6 hours. By default, the update interval specified in the metadata file is 24 hours. If you need to update Trivy DB more frequently, you can upload a new Trivy DB manually.
Trivy DB v1 reached the end of support on February 2023. Please upgrade Trivy to v0.23.0 or later.
Read more about the Trivy DB v1 deprecation in the discussion.
Trivy DB v2 is hosted on GHCR.
Although GitHub displays the docker pull
command by default, please note that it cannot be downloaded using docker pull
as it is not a container image.
You can download the actual compiled database via Trivy or Oras CLI.
Trivy:
TRIVY_TEMP_DIR=$(mktemp -d)
trivy --cache-dir $TRIVY_TEMP_DIR image --download-db-only
tar -cf ./db.tar.gz -C $TRIVY_TEMP_DIR/db metadata.json trivy.db
rm -rf $TRIVY_TEMP_DIR
oras >= v0.13.0:
$ oras pull ghcr.io/aquasecurity/trivy-db:2
oras < v0.13.0:
$ oras pull -a ghcr.io/aquasecurity/trivy-db:2
The database can be used for Air-Gapped Environment.