Table of Contents
In this article, we will see how to install trivy vulnerability scanner on Ubuntu 22.04. Trivy is a comprehensive and easy-to-use open-source vulnerability scanner for containers and other artifacts. Developed by Aqua Security, Trivy is designed to detect security vulnerabilities within your container images, file systems, and even Infrastructure as Code (IaC) configurations. It's well-suited for integration into CI/CD pipelines for automated security scanning and is known for its simple installation and fast scanning capabilities. It is also quite easy to install in almost all the famous platforms including Ubuntu 22.04 based systems.
Key Features
- Comprehensive Vulnerability Scanning: Trivy scans for vulnerabilities in OS packages (Alpine, Red Hat, Debian, etc.) and application dependencies (Bundler, Composer, npm, yarn, etc.) within container images or file systems.
- Infrastructure as Code (IaC) Scanning: Trivy can scan IaC files (such as Terraform, CloudFormation, Kubernetes manifests, etc.) to detect misconfigurations that could lead to security issues.
- Simple Installation: Trivy is easy to install, with no prerequisites. It can be run as a standalone binary or as a Docker container.
- High Accuracy: Trivy maintains a comprehensive vulnerability database that is regularly updated, ensuring high accuracy in vulnerability detection. It avoids false positives and negatives by using the vulnerability database directly from the distributions and NVD.
- Fast Scanning: Trivy is known for its fast scanning capabilities, making it efficient for use in CI/CD pipelines where speed is critical.
- Easy Integration: Its straightforward command-line interface makes Trivy easy to integrate into automated workflows, CI/CD systems, and third-party security tools.
- Rich Output Formats: Trivy supports multiple output formats, including table, JSON, and SARIF, making it easy to integrate with other tools and services.
How to Install Trivy Vulnerability Scanner on Ubuntu 22.04
Also Read: How to Install gettext-base package on Ubuntu 22.04
Step 1: Prerequisites
a) You should have a running Ubuntu 22.04 Server.
b) You should have sudo or root access to run privileged commands.
c) You should have apt or apt-get utility available in your Server.
d) You should also have snap utility available in your system in case you would like to install trivy from Snap store.
Step 2: Update Your Server
To keep your system stable and secure all the time, it is always required to check for latest available updates and install them by using sudo apt update && sudo apt upgrade command as shown below.
cyberithub@ubuntu:~$ sudo apt update && sudo apt upgrade
[sudo] password for cyberithub:
Hit:1 http://in.archive.ubuntu.com/ubuntu jammy InRelease
Get:2 http://security.ubuntu.com/ubuntu jammy-security InRelease [110 kB]
Get:3 http://in.archive.ubuntu.com/ubuntu jammy-updates InRelease [119 kB]
Hit:4 http://in.archive.ubuntu.com/ubuntu jammy-backports InRelease
Get:5 http://in.archive.ubuntu.com/ubuntu jammy-updates/main i386 Packages [560 kB]
Get:6 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages [1,103 kB]
Get:7 http://in.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages [1,325 kB]
Get:8 http://in.archive.ubuntu.com/ubuntu jammy-updates/main Translation-en [267 kB]
Get:9 http://in.archive.ubuntu.com/ubuntu jammy-updates/restricted amd64 Packages [1,342 kB]
Get:10 http://security.ubuntu.com/ubuntu jammy-security/main i386 Packages [393 kB]
Get:11 http://in.archive.ubuntu.com/ubuntu jammy-updates/restricted Translation-en [220 kB]
Get:12 http://in.archive.ubuntu.com/ubuntu jammy-updates/universe i386 Packages [683 kB]
Get:13 http://security.ubuntu.com/ubuntu jammy-security/main Translation-en [207 kB]
Get:14 http://in.archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages [1,036 kB]
Get:15 http://security.ubuntu.com/ubuntu jammy-security/universe i386 Packages [586 kB]
Get:16 http://security.ubuntu.com/ubuntu jammy-security/universe amd64 Packages [835 kB]
Fetched 8,786 kB in 4s (2,041 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
2 packages can be upgraded. Run 'apt list --upgradable' to see them.
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following packages have been kept back:
gjs libgjs0g
0 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.
Step 3: Install trivy
In the next step, you can choose to install trivy by using any of the below methods depending on your needs and requirements.
a) Using Repo
First you have to download and install all the packages required for trivy installation using sudo apt-get install wget apt-transport-https gnupg lsb-release command as shown below.
cyberithub@ubuntu:~$ sudo apt-get install wget apt-transport-https gnupg lsb-release [sudo] password for cyberithub: Reading package lists... Done Building dependency tree... Done Reading state information... Done lsb-release is already the newest version (11.1.0ubuntu4). lsb-release set to manually installed. wget is already the newest version (1.21.2-2ubuntu1). wget set to manually installed. gnupg is already the newest version (2.2.27-3ubuntu2.1). gnupg set to manually installed. The following NEW packages will be installed: apt-transport-https 0 upgraded, 1 newly installed, 0 to remove and 2 not upgraded. Need to get 1,510 B of archives. After this operation, 170 kB of additional disk space will be used. Do you want to continue? [Y/n] Y Get:1 http://in.archive.ubuntu.com/ubuntu jammy-updates/universe amd64 apt-transport-https all 2.4.11 [1,510 B] Fetched 1,510 B in 0s (3,162 B/s) Selecting previously unselected package apt-transport-https. (Reading database ... 241948 files and directories currently installed.) Preparing to unpack .../apt-transport-https_2.4.11_all.deb ... Unpacking apt-transport-https (2.4.11) ... Setting up apt-transport-https (2.4.11) ...
Then install GPG key using below wget command to check the integrity of the downloaded package.
cyberithub@ubuntu:~$ wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add - Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)). OK
You can now add the trivy repo by using echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list command as shown below.
cyberithub@ubuntu:~$ echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list deb https://aquasecurity.github.io/trivy-repo/deb jammy main
To update package cache about newly added repo run sudo apt-get update command as shown below.
cyberithub@ubuntu:~$ sudo apt-get update Hit:1 http://in.archive.ubuntu.com/ubuntu jammy InRelease Get:2 https://aquasecurity.github.io/trivy-repo/deb jammy InRelease [3,061 B] Hit:3 http://security.ubuntu.com/ubuntu jammy-security InRelease Hit:4 http://in.archive.ubuntu.com/ubuntu jammy-updates InRelease Hit:5 http://in.archive.ubuntu.com/ubuntu jammy-backports InRelease Get:6 https://aquasecurity.github.io/trivy-repo/deb jammy/main i386 Packages [369 B] Get:7 https://aquasecurity.github.io/trivy-repo/deb jammy/main amd64 Packages [368 B] Fetched 3,798 B in 2s (2,408 B/s) Reading package lists... Done W: https://aquasecurity.github.io/trivy-repo/deb/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
Finally install the package from repo by using sudo apt-get install trivy command as shown below. This will download and install the package along with all its required dependencies.
cyberithub@ubuntu:~$ sudo apt-get install trivy [sudo] password for cyberithub: Reading package lists... Done Building dependency tree... Done Reading state information... Done The following NEW packages will be installed: trivy 0 upgraded, 1 newly installed, 0 to remove and 2 not upgraded. Need to get 55.4 MB of archives. After this operation, 214 MB of additional disk space will be used. Get:1 https://aquasecurity.github.io/trivy-repo/deb jammy/main amd64 trivy amd64 0.48.3 [55.4 MB] Fetched 55.4 MB in 11s (5,269 kB/s) Selecting previously unselected package trivy. (Reading database ... 241952 files and directories currently installed.) Preparing to unpack .../trivy_0.48.3_amd64.deb ... Unpacking trivy (0.48.3) ... Setting up trivy (0.48.3) ...
b) Using Debian Package
First you have to download the debian package from GitHub using wget utility as shown below. This will download the package in current working directory.
cyberithub@ubuntu:~$ wget https://github.com/aquasecurity/trivy/releases/download/v0.18.3/trivy_0.18.3_Linux-64bit.deb --2024-01-29 22:57:35-- https://github.com/aquasecurity/trivy/releases/download/v0.18.3/trivy_0.18.3_Linux-64bit.deb Resolving github.com (github.com)... 20.207.73.82 Connecting to github.com (github.com)|20.207.73.82|:443... connected. HTTP request sent, awaiting response... 302 Found Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/180687624/7331cc80-bc6e-11eb-83b5-eba8e22eb1be?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240129%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240129T172735Z&X-Amz-Expires=300&X-Amz-Signature=20aedf48fe1ebb3bd5fb664d45d6444a22d8de37d2ea1310ebad1ecdceb3c98e&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=180687624&response-content-disposition=attachment%3B%20filename%3Dtrivy_0.18.3_Linux-64bit.deb&response-content-type=application%2Foctet-stream [following] --2024-01-29 22:57:35-- https://objects.githubusercontent.com/github-production-release-asset-2e65be/180687624/7331cc80-bc6e-11eb-83b5-eba8e22eb1be?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240129%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240129T172735Z&X-Amz-Expires=300&X-Amz-Signature=20aedf48fe1ebb3bd5fb664d45d6444a22d8de37d2ea1310ebad1ecdceb3c98e&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=180687624&response-content-disposition=attachment%3B%20filename%3Dtrivy_0.18.3_Linux-64bit.deb&response-content-type=application%2Foctet-stream Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.111.133, 185.199.108.133, 185.199.109.133, ... Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.111.133|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 11562042 (11M) [application/octet-stream] Saving to: ‘trivy_0.18.3_Linux-64bit.deb’ trivy_0.18.3_Linux-64bit.deb 100%[============================================================================>] 11.03M 6.00MB/s in 1.8s 2024-01-29 22:57:40 (6.00 MB/s) - ‘trivy_0.18.3_Linux-64bit.deb’ saved [11562042/11562042
Then install the package by using sudo dpkg -i trivy_0.18.3_Linux-64bit.deb command as shown below.
cyberithub@ubuntu:~$ sudo dpkg -i trivy_0.18.3_Linux-64bit.deb
[sudo] password for cyberithub:
Selecting previously unselected package trivy.
(Reading database ... 241952 files and directories currently installed.)
Preparing to unpack trivy_0.18.3_Linux-64bit.deb ...
Unpacking trivy (0.18.3) ...
Setting up trivy (0.18.3) ...
c) Using Snap
You also have the option to install trivy as snap package. You can install it by using sudo snap install trivy command as shown below. It will download and install the latest version of trivy from the Snap store, making it available for use on your system.
cyberithub@ubuntu:~$ sudo snap install trivy [sudo] password for cyberithub: trivy 0.48.0 from James Luther (b34rd) installed
Step 4: Check Version
You can verify the current installed version by using trivy --version command as shown below.
cyberithub@ubuntu:~$ trivy --version Version: 0.48.3
Step 5: Verify Installation
You can also verify the installation status by using dpkg -s trivy command as shown below. To know more about dpkg command usage, check 21+ Practical dpkg Command Examples for Linux Beginners.
cyberithub@ubuntu:~$ dpkg -s trivy Package: trivy Status: install ok installed Priority: optional Installed-Size: 208903 Maintainer: Teppei Fukuda <knqyf263@gmail.com> Architecture: amd64 Version: 0.48.3 Description: A Fast Vulnerability Scanner for Containers Homepage: https://github.com/aquasecurity
Step 6: Using Trivy
Now that trivy is installed, let's use it to scan a filesystem. Here we are scanning filesystem /home/cyberithub using trivy fs /home/cyberithub command as shown below.
cyberithub@ubuntu:~$ trivy fs /home/cyberithub
2024-01-29T22:00:04.785+0530 INFO Need to update DB
2024-01-29T22:00:04.789+0530 INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2024-01-29T22:00:04.789+0530 INFO Downloading DB...
42.60 MiB / 42.60 MiB [------------------------------------------------------------------------------------------------------------] 100.00% 3.55 MiB p/s 12s
2024-01-29T22:00:18.773+0530 INFO Vulnerability scanning is enabled
2024-01-29T22:00:18.777+0530 INFO Secret scanning is enabled
2024-01-29T22:00:18.777+0530 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-01-29T22:00:18.777+0530 INFO Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2024-01-29T22:00:20.488+0530 INFO Number of language-specific files: 0
Similarly, if you have a container image to scan then you can use trivy image <image_name> command. For example, here we are scanning ubuntu image by using trivy image ubuntu command as shown below.
cyberithub@ubuntu:~$ trivy image ubuntu
2024-01-31T23:23:39.902+0530 INFO Need to update DB
2024-01-31T23:23:39.906+0530 INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2024-01-31T23:23:39.906+0530 INFO Downloading DB...
42.62 MiB / 42.62 MiB [------------------------------------------------------------------------------------------------------------] 100.00% 3.00 MiB p/s 14s
2024-01-31T23:23:55.774+0530 INFO Vulnerability scanning is enabled
2024-01-31T23:23:55.853+0530 INFO Secret scanning is enabled
2024-01-31T23:23:55.857+0530 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-01-31T23:23:55.857+0530 INFO Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2024-01-31T23:24:08.418+0530 INFO Detected OS: ubuntu
2024-01-31T23:24:08.423+0530 INFO Detecting Ubuntu vulnerabilities...
2024-01-31T23:24:08.425+0530 INFO Number of language-specific files: 0
................................................
Step 7: Check all available options
You can check all the options available with trivy utility using trivy --help command as shown below.
cyberithub@ubuntu:~$ trivy --help
Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues and hard-coded secrets
Usage:
trivy [global flags] command [flags] target
trivy [command]
Examples:
# Scan a container image
$ trivy image python:3.4-alpine
# Scan a container image from a tar archive
$ trivy image --input ruby-3.1.tar
# Scan local filesystem
$ trivy fs .
# Run in server mode
$ trivy server
.........................................
Step 8: Uninstall Trivy
If you are not looking to use trivy anymore then you can choose to remove it from your system by using any of the below methods depending on how you installed it.
a) Using apt or apt-get
If you installed trivy from repo or from debian package then for removal you have to run sudo apt-get remove trivy command as shown below.
cyberithub@ubuntu:~$ sudo apt-get remove trivy [sudo] password for cyberithub: Reading package lists... Done Building dependency tree... Done Reading state information... Done The following packages will be REMOVED: trivy 0 upgraded, 0 newly installed, 1 to remove and 2 not upgraded. After this operation, 214 MB disk space will be freed. Do you want to continue? [Y/n] Y (Reading database ... 241961 files and directories currently installed.) Removing trivy (0.48.3) ...
b) Using snap
If you installed trivy as snap package then for removal you have to run sudo snap remove trivy command as shown below.
cyberithub@ubuntu:~$ sudo snap remove trivy trivy removed