{"id":15659717,"url":"https://github.com/developer-guy/image-scanning-using-trivy-as-go-library","last_synced_at":"2025-05-05T19:42:19.638Z","repository":{"id":51339791,"uuid":"336764879","full_name":"developer-guy/image-scanning-using-trivy-as-go-library","owner":"developer-guy","description":"Demonstrate how you can use image scanner called Trivy as a golang library","archived":false,"fork":false,"pushed_at":"2021-05-14T12:52:06.000Z","size":103,"stargazers_count":24,"open_issues_count":0,"forks_count":4,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-03-30T23:11:06.436Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/developer-guy.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-02-07T11:02:19.000Z","updated_at":"2024-10-30T12:09:09.000Z","dependencies_parsed_at":"2022-09-24T20:10:35.231Z","dependency_job_id":null,"html_url":"https://github.com/developer-guy/image-scanning-using-trivy-as-go-library","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/developer-guy%2Fimage-scanning-using-trivy-as-go-library","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/developer-guy%2Fimage-scanning-using-trivy-as-go-library/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/developer-guy%2Fimage-scanning-using-trivy-as-go-library/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/developer-guy%2Fimage-scanning-using-trivy-as-go
-library/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/developer-guy","download_url":"https://codeload.github.com/developer-guy/image-scanning-using-trivy-as-go-library/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252563873,"owners_count":21768536,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-03T13:18:20.785Z","updated_at":"2025-05-05T19:42:19.614Z","avatar_url":"https://github.com/developer-guy.png","language":"Go","funding_links":[],"categories":["Go"],"sub_categories":[],"readme":"![trivy_logo](./trivy_logo.png)\n\n# Description\n\nTrivy (tri pronounced like trigger, vy pronounced like envy) is a simple and comprehensive vulnerability scanner for containers and other artifacts. A software vulnerability is a glitch, flaw, or weakness present in the software or in an Operating System. Trivy detects vulnerabilities of OS packages (Alpine, RHEL, CentOS, etc.) and application dependencies (Bundler, Composer, npm, yarn, etc.). Trivy is easy to use. Just install the binary and you're ready to scan. All you need to do for scanning is to specify a target such as an image name of the container.\n\u003e Credit: https://github.com/aquasecurity/trivy\n\n# Prerequisites\n\n* Go 1.15.7\n* Trivy 0.17.2\n\n# Getting Started\n\nIn this hands-on guide, we are going to develop a Trivy client in Go. Trivy has a client/server mode: the Trivy server holds the vulnerability database, so the Trivy client doesn't have to download it. 
This is useful if you want to scan images at multiple locations and do not want to download the database at every location.\n\nTo do that, we first need to start the Trivy server with the following command:\n```bash\n$ trivy --cache-dir ./trivycache server\n2021-02-07T14:13:52.210+0300    INFO    Need to update DB\n2021-02-07T14:13:52.211+0300    INFO    Downloading DB...\n2021-02-07T14:13:59.275+0300    INFO    Listening localhost:4954...\n```\n\nLet's move on with the client code.\n```golang\npackage main\n\nimport (\n\t\"context\"\n\t\"flag\"\n\t\"os\"\n\t\"time\"\n\n\timage2 \"github.com/aquasecurity/fanal/artifact/image\"\n\t\"github.com/aquasecurity/fanal/cache\"\n\t\"github.com/aquasecurity/fanal/image\"\n\tdbTypes \"github.com/aquasecurity/trivy-db/pkg/types\"\n\t\"github.com/aquasecurity/trivy/pkg/log\"\n\t\"github.com/aquasecurity/trivy/pkg/report\"\n\t\"github.com/aquasecurity/trivy/pkg/rpc/client\"\n\t\"github.com/aquasecurity/trivy/pkg/scanner\"\n\t\"github.com/aquasecurity/trivy/pkg/types\"\n\t\"golang.org/x/xerrors\"\n)\n\nfunc main() {\n\timageFlag := flag.String(\"image\", \"\", \"image name\")\n\tremoteFlag := flag.String(\"remote\", \"\", \"server url\")\n\toutputTypeFlag := flag.String(\"output\", \"\", \"output type such as table, json.\")\n\tflag.Parse()\n\n\tif err := log.InitLogger(true, false); err != nil {\n\t\t// log.Logger may be unusable when initialization fails, so do not report the error through it\n\t\tpanic(xerrors.Errorf(\"failed to initialize a logger: %w\", err))\n\t}\n\n\tctx, cancel := context.WithTimeout(context.Background(), time.Second*1000)\n\tdefer cancel()\n\n\t// Local cache for image layer analysis results (macOS-style cache path)\n\tlocalCache, err := cache.NewFSCache(os.Getenv(\"HOME\") + \"/Library/Caches/trivy\")\n\tif err != nil {\n\t\tlog.Logger.Fatalf(\"could not initialize cache: %v\", err)\n\t}\n\n\t// Build a scanner that analyzes the image locally and sends the results to the remote Trivy server\n\tsc, cleanUp, err := initializeDockerScanner(ctx, *imageFlag, localCache, client.CustomHeaders{}, client.RemoteURL(*remoteFlag), time.Second*5000)\n\tif err != nil {\n\t\tlog.Logger.Fatalf(\"could not initialize scanner: %v\", err)\n\t}\n\n\tdefer 
cleanUp()\n\n\tresults, err := sc.ScanArtifact(ctx, types.ScanOptions{\n\t\tVulnType:            []string{\"os\", \"library\"},\n\t\tScanRemovedPackages: true,\n\t\tListAllPackages:     true,\n\t})\n\tif err != nil {\n\t\tlog.Logger.Fatalf(\"could not scan image: %v\", err)\n\t}\n\n\t// Count findings across every result; indexing results[0] panics when the scan returns no results\n\ttotal := 0\n\tfor _, r := range results {\n\t\ttotal += len(r.Vulnerabilities)\n\t}\n\tlog.Logger.Infof(\"%d vulnerability/ies found\", total)\n\n\tif err = report.WriteResults(*outputTypeFlag, os.Stdout, []dbTypes.Severity{dbTypes.SeverityUnknown}, results, \"\", false); err != nil {\n\t\tlog.Logger.Fatalf(\"could not write results: %v\", xerrors.Errorf(\"unable to write results: %w\", err))\n\t}\n}\n\n// initializeDockerScanner wires the RPC client for the Trivy server to a Docker image artifact\nfunc initializeDockerScanner(ctx context.Context, imageName string, artifactCache cache.ArtifactCache, customHeaders client.CustomHeaders, url client.RemoteURL, timeout time.Duration) (scanner.Scanner, func(), error) {\n\tscannerScanner := client.NewProtobufClient(url)\n\tclientScanner := client.NewScanner(customHeaders, scannerScanner)\n\tdockerOption, err := types.GetDockerOption(timeout)\n\tif err != nil {\n\t\treturn scanner.Scanner{}, nil, err\n\t}\n\timageImage, cleanup, err := image.NewDockerImage(ctx, imageName, dockerOption)\n\tif err != nil {\n\t\treturn scanner.Scanner{}, nil, err\n\t}\n\tartifact := image2.NewArtifact(imageImage, artifactCache)\n\tscanner2 := scanner.NewScanner(clientScanner, artifact)\n\treturn scanner2, func() {\n\t\tcleanup()\n\t}, nil\n}\n```\n\nLet's try it by running the code:\n```bash\n$ go run ./main.go --image alpine:3.10 --remote http://localhost:4954\n2021-02-07T14:17:25.718+0300    DEBUG   Artifact ID: sha256:be4e4bea2c2e15b403bb321562e78ea84b501fb41497472e91ecb41504e8a27c\n2021-02-07T14:17:25.718+0300    DEBUG   Blob IDs: [sha256:1b3ee35aacca9866b01dd96e870136266bde18006ac2f0d6eb706c798d1fa3c3]\n2021-02-07T14:17:25.725+0300    INFO    4 vulnerability/ies found\n\nalpine:3.10 (alpine 3.10.5)\n===========================\nTotal: 4 (UNKNOWN: 
0)\n\n+--------------+------------------+----------+-------------------+---------------+---------------------------------------+\n|   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |\n+--------------+------------------+----------+-------------------+---------------+---------------------------------------+\n| musl         | CVE-2020-28928   | MEDIUM   | 1.1.22-r3         | 1.1.22-r4     | In musl libc through 1.2.1,           |\n|              |                  |          |                   |               | wcsnrtombs mishandles particular      |\n|              |                  |          |                   |               | combinations of destination buffer... |\n|              |                  |          |                   |               | --\u003eavd.aquasec.com/nvd/cve-2020-28928 |\n+--------------+------------------+          +-------------------+---------------+---------------------------------------+\n| libcrypto1.1 | CVE-2020-1971    |          | 1.1.1g-r0         | 1.1.1i-r0     | openssl: EDIPARTYNAME                 |\n|              |                  |          |                   |               | NULL pointer de-reference             |\n|              |                  |          |                   |               | --\u003eavd.aquasec.com/nvd/cve-2020-1971  |\n+--------------+                  +          +                   +               +                                       +\n| libssl1.1    |                  |          |                   |               |                                       |\n|              |                  |          |                   |               |                                       |\n|              |                  |          |                   |               |                                       |\n+--------------+------------------+          
+-------------------+---------------+---------------------------------------+\n| musl-utils   | CVE-2020-28928   |          | 1.1.22-r3         | 1.1.22-r4     | In musl libc through 1.2.1,           |\n|              |                  |          |                   |               | wcsnrtombs mishandles particular      |\n|              |                  |          |                   |               | combinations of destination buffer... |\n|              |                  |          |                   |               | --\u003eavd.aquasec.com/nvd/cve-2020-28928 |\n+--------------+------------------+----------+-------------------+---------------+---------------------------------------+\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdeveloper-guy%2Fimage-scanning-using-trivy-as-go-library","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdeveloper-guy%2Fimage-scanning-using-trivy-as-go-library","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdeveloper-guy%2Fimage-scanning-using-trivy-as-go-library/lists"}