docs: restructure the documentation (#1887)
Co-authored-by: knqyf263 <knqyf263@gmail.com>
Parent: 8da4548. Commit: 4ca35b2.
Showing 80 changed files with 463 additions and 199 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
# CKS preparation resources | ||
|
||
Community Resources | ||
|
||
- [Trivy Video overview (short)][overview] | ||
- [Example questions from the exam][exam] | ||
- [More example questions][questions] | ||
|
||
Aqua Security Blog posts | ||
|
||
- Supply chain security best [practices][supply-chain-best-practices] | ||
- Supply chain [attacks][supply-chain-attacks] | ||
- | ||
If you know of interesting resources, please start a PR to add those to the list. | ||
|
||
[overview]: https://youtu.be/2cjH6Zkieys | ||
[exam]: https://jonathan18186.medium.com/certified-kubernetes-security-specialist-cks-preparation-part-7-supply-chain-security-9cf62c34cf6a | ||
[questions]: https://github.com/kodekloudhub/certified-kubernetes-security-specialist-cks-course/blob/main/docs/06-Supply-Chain-Security/09-Scan-images-for-known-vulnerabilities-(Trivy).md | ||
|
||
[supply-chain-best-practices]: https://blog.aquasec.com/supply-chain-security-best-practices | ||
[supply-chain-attacks]: https://blog.aquasec.com/supply-chain-threats-using-container-images |
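Review bot: the lone `-` on the line just before "If you know of interesting resources, please start a PR to add those to the list." is an empty list item and renders as a stray bullet; drop it, or separate the sentence from the list with a blank line so it reads as a closing paragraph. "Community Resources" and "Aqua Security Blog posts" are plain text lines rather than `##` headings like the other new pages in this commit use, so they render as body text instead of sections; suggest `## Community Resources` and `## Aqua Security Blog posts`. Minor wording: "start a PR" reads better as "open a PR".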
File renamed without changes.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,48 @@ | ||
# Additional References | ||
There are external blogs and evaluations. | ||
|
||
## Blogs | ||
- [Trivy Vulnerability Scanner Joins the Aqua Open-source Family][join] | ||
- [Trivy Image Vulnerability Scanner Now Under Apache 2.0 License][license] | ||
- [DevSecOps with Trivy and GitHub Actions][actions] | ||
- [Find Image Vulnerabilities Using GitHub and Aqua Security Trivy Action][actions2] | ||
- [Using Trivy to Discover Vulnerabilities in VS Code Projects][vscode] | ||
- [the vulnerability remediation lifecycle of Alpine containers][alpine] | ||
- [Continuous Container Vulnerability Testing with Trivy][semaphore] | ||
- [Open Source CVE Scanner Round-Up: Clair vs Anchore vs Trivy][round-up] | ||
- [Docker Image Security: Static Analysis Tool Comparison – Anchore Engine vs Clair vs Trivy][tool-comparison] | ||
|
||
## Links | ||
- [Research Spike: evaluate Trivy for scanning running containers][gitlab] | ||
- [Istio evaluates scanners][istio] | ||
|
||
## Presentations | ||
- Aqua Security YouTube Channel | ||
- [Trivy - container image scanning][intro] | ||
- [Using Trivy in client server mode][server] | ||
- [Tweaking Trivy output to fit your workflow][tweaking] | ||
- [How does a vulnerability scanner identify packages?][identify] | ||
- CNCF Webinar 2020 | ||
- [Trivy Open Source Scanner for Container Images – Just Download and Run!][cncf] | ||
- KubeCon + CloudNativeCon Europe 2020 Virtual | ||
- [Handling Container Vulnerabilities with Open Policy Agent - Teppei Fukuda, Aqua Security][kubecon] | ||
|
||
[alpine]: https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/ | ||
[semaphore]: https://semaphoreci.com/blog/continuous-container-vulnerability-testing-with-trivy | ||
[round-up]: https://boxboat.com/2020/04/24/image-scanning-tech-compared/ | ||
[tool-comparison]: https://www.a10o.net/devsecops/docker-image-security-static-analysis-tool-comparison-anchore-engine-vs-clair-vs-trivy/ | ||
[gitlab]: https://gitlab.com/gitlab-org/gitlab/-/issues/270888 | ||
[istio]: https://github.com/istio/release-builder/pull/687#issuecomment-874938417 | ||
|
||
[intro]: https://www.youtube.com/watch?v=AzOBGm7XxOA | ||
[cncf]: https://www.youtube.com/watch?v=XnYxX9uueoQ | ||
[server]: https://www.youtube.com/watch?v=tNQ-VlahtYM | ||
[kubecon]: https://www.youtube.com/watch?v=WKE2XNZ2zr4 | ||
[identify]: https://www.youtube.com/watch?v=PaMnzeHBa8M | ||
[tweaking]: https://www.youtube.com/watch?v=wFIGUjcRLnU | ||
|
||
[join]: https://blog.aquasec.com/trivy-vulnerability-scanner-joins-aqua-family | ||
[license]: https://blog.aquasec.com/trivy-open-source-vulnerability-scanner-apache2.0-license | ||
[actions]: https://blog.aquasec.com/devsecops-with-trivy-github-actions | ||
[actions2]: https://blog.aquasec.com/github-vulnerability-scanner-trivy | ||
[vscode]: https://blog.aquasec.com/trivy-open-source-vulnerability-scanner-vs-code |
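Review bot: the opening line "There are external blogs and evaluations." is a fragment and does not cover the three sections that follow (Blogs, Links, Presentations); suggest "This page collects external blog posts, evaluations and presentations about Trivy." The `## Links` heading is vague given that both of its entries (the GitLab research spike and the Istio scanner evaluation) are third-party evaluations; `## Evaluations` would say what they are. Also capitalize the Alpine entry title ("The Vulnerability Remediation Lifecycle of Alpine Containers") so it matches the other list items.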
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,85 @@ | ||
# Docs | ||
|
||
Trivy detects two types of security issues: | ||
|
||
- [Vulnerabilities][vuln] | ||
- [Misconfigurations][misconf] | ||
|
||
Trivy can scan three different artifacts: | ||
|
||
- [Container Images][container] | ||
- [Filesystem][filesystem] and [Rootfs][rootfs] | ||
- [Git Repositories][repo] | ||
|
||
Trivy can be run in two different modes: | ||
|
||
- [Standalone][standalone] | ||
- [Client/Server][client-server] | ||
|
||
It is designed to be used in CI. Before pushing to a container registry or deploying your application, you can scan your local container image and other artifacts easily. | ||
See [Integrations][integrations] for details. | ||
|
||
## Features | ||
|
||
- Comprehensive vulnerability detection | ||
- [OS packages][os] (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, CBL-Mariner, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless) | ||
- [**Language-specific packages**][lang] (Bundler, Composer, Pipenv, Poetry, npm, yarn, Cargo, NuGet, Maven, and Go) | ||
- Detect IaC misconfigurations | ||
- A wide variety of [built-in policies][builtin] are provided **out of the box**: | ||
- Kubernetes | ||
- Docker | ||
- Terraform | ||
- more coming soon | ||
- Support custom policies | ||
- Simple | ||
- Specify only an image name, a directory containing IaC configs, or an artifact name | ||
- See [Quick Start][quickstart] | ||
- Fast | ||
- The first scan will finish within 10 seconds (depending on your network). Consequent scans will finish in single seconds. | ||
- Unlike other scanners that take long to fetch vulnerability information (~10 minutes) on the first run, and encourage you to maintain a durable vulnerability database, Trivy is stateless and requires no maintenance or preparation. | ||
- Easy installation | ||
- `apt-get install`, `yum install` and `brew install` is possible (See [Installation][installation]) | ||
- **No pre-requisites** such as installation of DB, libraries, etc. | ||
- High accuracy | ||
- **Especially Alpine Linux and RHEL/CentOS** | ||
- Other OSes are also high | ||
- DevSecOps | ||
- **Suitable for CI** such as Travis CI, CircleCI, Jenkins, GitLab CI, etc. | ||
- See [CI Example][integrations] | ||
- Support multiple formats | ||
- container image | ||
- A local image in Docker Engine which is running as a daemon | ||
- A local image in [Podman][podman] (>=2.0) which is exposing a socket | ||
- A remote image in Docker Registry such as Docker Hub, ECR, GCR and ACR | ||
- A tar archive stored in the `docker save` / `podman save` formatted file | ||
- An image directory compliant with [OCI Image Format][oci] | ||
- local filesystem and rootfs | ||
- remote git repository | ||
- [SBOM][sbom] (Software Bill of Materials) support | ||
- CycloneDX | ||
|
||
Please see [LICENSE][license] for Trivy licensing information. | ||
|
||
[installation]: ../getting-started/installation.md | ||
[vuln]: ../docs/vulnerability/scanning/index.md | ||
[misconf]: ../docs/misconfiguration/index.md | ||
[container]: ../docs/vulnerability/scanning/image.md | ||
[rootfs]: ../docs/vulnerability/scanning/rootfs.md | ||
[filesystem]: ../docs/vulnerability/scanning/filesystem.md | ||
[repo]: ../docs/vulnerability/scanning/git-repository.md | ||
|
||
[standalone]: ../docs/references/modes/standalone.md | ||
[client-server]: ../docs/references/modes/client-server.md | ||
[integrations]: ../docs/integrations/index.md | ||
|
||
[os]: ../docs/vulnerability/detection/os.md | ||
[lang]: ../docs/vulnerability/detection/language.md | ||
|
||
[builtin]: ../docs/misconfiguration/policy/builtin.md | ||
[quickstart]: ../getting-started/quickstart.md | ||
[podman]: ../docs/advanced/container/podman.md | ||
|
||
[sbom]: ../docs/sbom/index.md | ||
|
||
[oci]: https://github.com/opencontainers/image-spec | ||
[license]: https://github.com/aquasecurity/trivy/blob/main/LICENSE |
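Review bot: "Trivy can scan three different artifacts:" is followed by four (container images, filesystem, rootfs, git repositories); either write "the following artifacts" or give filesystem and rootfs separate items. Grammar in the Features list: "Consequent scans" should be "Subsequent scans", "take long to fetch" should be "take a long time to fetch", "`apt-get install`, `yum install` and `brew install` is possible" should be "are available", and "Other OSes are also high" should be "Accuracy for other OSes is also high". The reference definitions mix `../getting-started/...` and `../docs/...` prefixes; both are relative to this new index file, so please confirm that `[installation]` and `[quickstart]` resolve after the restructure as well as the `[vuln]`/`[misconf]`/`[container]` targets, which all use a different parent directory. Bolding only "Language-specific packages" while "OS packages" is plain looks accidental.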