steampipe plugin install trivy

Table: trivy_scan_package - Query Trivy Scan Packages using SQL

Trivy is a simple and comprehensive vulnerability scanner for containers. It detects vulnerabilities of OS packages (Alpine, RHEL, CentOS, etc.) and application dependencies (Bundler, Composer, npm, yarn, etc.). Trivy is particularly useful for comprehensively addressing vulnerability management in containerized environments.

Table Usage Guide

The trivy_scan_package table provides insights into the vulnerabilities of packages within Trivy. As a security analyst, explore package-specific details through this table, including the package name, version, and associated vulnerabilities. Utilize it to uncover information about packages, such as those with high vulnerability scores, the source of the vulnerability, and the recommended fix.

Examples

Scan all targets defined in trivy.spc for packages

Explore the types of artifacts, their names, and targets in your system to gain insights into their classes, types, and versions. This can help in understanding the overall structure and organization of your system's packages.

select
artifact_type,
artifact_name,
target,
class,
type,
name,
version
from
trivy_scan_package;
select
artifact_type,
artifact_name,
target,
class,
type,
name,
version
from
trivy_scan_package;

Scan a specific directory for packages

Explore specific directories to identify the packages present within them. This is useful for understanding the composition and versioning of your software assets.

select
target,
class,
type,
name,
version
from
trivy_scan_package
where
artifact_type = 'filesystem'
and artifact_name = '/Users/jane/src/steampipe';
select
target,
class,
type,
name,
version
from
trivy_scan_package
where
artifact_type = 'filesystem'
and artifact_name = '/Users/jane/src/steampipe';

Scan a specific container image for packages

Explore the contents of a specific container image to identify the packages it contains. This is useful for understanding the components of your container image, aiding in maintenance and potential vulnerability management.

select
target,
class,
type,
name,
version
from
trivy_scan_package
where
artifact_type = 'container_image'
and artifact_name = 'turbot/steampipe';
select
target,
class,
type,
name,
version
from
trivy_scan_package
where
artifact_type = 'container_image'
and artifact_name = 'turbot/steampipe';

Find all installations of the lodash package

Explore which installations have the lodash package. This can be useful to identify instances where this package is used, helping maintain software consistency and version control across installations.

select
artifact_name,
artifact_type,
target,
class,
name,
version
from
trivy_scan_package
where
name = 'lodash';
select
artifact_name,
artifact_type,
target,
class,
name,
version
from
trivy_scan_package
where
name = 'lodash';

Find packages with multiple versions installed inside a single target

Explore instances where multiple versions of the same package are installed within a single target. This is useful to identify potential software conflicts or vulnerabilities due to outdated versions. For example, Javascript packages may have multiple versions installed through dependencies. This query will find all of those cases and the versions.

select
*
from
(
select
artifact_name,
artifact_type,
target,
name,
count(*),
array_agg(version)
from
trivy_scan_package
group by
artifact_type,
artifact_name,
target,
name
) as multiversion
where
count > 1
order by
count desc;
select
*
from
(
select
artifact_name,
artifact_type,
target,
name,
count(*),
group_concat(version)
from
trivy_scan_package
group by
artifact_type,
artifact_name,
target,
name
) as multiversion
where
"count(*)" > 1
order by
"count(*)" desc;

Find packages installed / contained within a single source package

This query helps in identifying the various packages that are installed or contained within a single source package. It's useful for understanding the relationship between different packages and their source, which can be crucial for managing dependencies and ensuring system stability. For example, an OS package for pam will include and install multiple pam library packages. This query will find all those cases and list the sub-packages.

select
*
from
(
select
artifact_name,
artifact_type,
target,
src_name,
count(*),
array_agg(name)
from
trivy_scan_package
where
src_name is not null
group by
artifact_type,
artifact_name,
target,
src_name
) as multipackage
where
count > 1
order by
count desc;
select
*
from
(
select
artifact_name,
artifact_type,
target,
src_name,
count(*) as count,
group_concat(name)
from
trivy_scan_package
where
src_name is not null
group by
artifact_type,
artifact_name,
target,
src_name
)
where
count > 1
order by
count desc;

Number of packages installed by type

Explore which types of packages are most commonly installed. This can help you identify the most prevalent package types, allowing you to better understand and manage your system's dependencies.

select
artifact_name,
artifact_type,
class,
type,
count(*)
from
trivy_scan_package
group by
artifact_type,
artifact_name,
target,
class,
type
order by
count desc;
select
artifact_name,
artifact_type,
class,
type,
count(*)
from
trivy_scan_package
group by
artifact_type,
artifact_name,
target,
class,
type
order by
count(*) desc;

Advisories not fixed as the package was "end-of-life"

Discover the segments that consist of advisories not fixed due to their 'end-of-life' status. This is particularly useful in identifying potential vulnerabilities in your system that may arise from outdated packages.

select
source,
name,
key,
fixed_version
from
trivy_scan_package
where
state = 'end-of-life';
select
source,
name,
key,
fixed_version
from
trivy_scan_package
where
state = 'end-of-life';

Scanned artifacts and the unique targets that contain packages

Explore which unique targets contain packages by analyzing the scanned artifacts. This can be useful for understanding the distribution of packages across different targets.

select
distinct artifact_name,
artifact_type,
target
from
trivy_scan_package;
select
distinct artifact_name,
artifact_type,
target
from
trivy_scan_package;

Schema for trivy_scan_package

NameTypeOperatorsDescription
_ctxjsonbSteampipe context in JSON form.
archtextArchitecture for the package.
artifact_nametext=Name of the artifact containing the package.
artifact_typetext=Type of artifact containing the package, e.g. container_image.
build_infojsonbBuild info for the package. Only available for Red Hat.
classtextClass of the package, e.g. lang-pkgs, os-pkgs.
epochbigintEpoch of the package.
file_pathtextFile path to the package, if available.
idtextIdentifier which can be used to reference the component elsewhere, e.g. lodash@4.13.4.
indirectbooleanTrue if this package is an indirect dependency of the project.
layerjsonbContainer image layer information, if available.
licensesjsonbLicense information, if available.
modularity_labeltextModularity label. Only available for Red Hat.
nametextName of the package, e.g. lodash.
reftextIdentifier which can be used to reference the component elsewhere.
releasetextRelease of the package.
sp_connection_nametext=, !=, ~~, ~~*, !~~, !~~*Steampipe connection name.
sp_ctxjsonbSteampipe context in JSON form.
src_epochbigintEpoch of the source package.
src_nametextSource package that installed this package, e.g. the 'shadow' source package installs 'passwd' and 'login' packages.
src_releasetextRelease of the source package that installed this package.
src_versiontextVersion of the source package that installed this package.
targettextTarget within the artifact, e.g. library file or container image.
typetextType of the package, e.g. debian, ubuntu, yarn, npm, gomod.
versiontextVersion of the package, e.g. 4.13.4.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- trivy

You can pass the configuration to the command with the --config argument:

steampipe_export_trivy --config '<your_config>' trivy_scan_package